ISO/IEC 27001, a practical code for information security management, was formerly the British standard BS 7799, which was put forward by the British Standards Institution (BSI) in February 1995 and revised in May 1995; in 1999 BSI revised the standard again. BS 7799 is divided into two parts: BS 7799-1, the code of practice for information security management, and BS 7799-2, the information security management system specification. The first part gives guidance on information security management to those responsible for initiating, implementing or maintaining security in their organizations. The second part sets out the requirements for establishing, implementing and documenting an Information Security Management System (ISMS), and specifies the requirements for implementing security controls according to the needs of the individual organization.
Steps/methods
1. Establish the framework according to ISO 27001 (BS 7799-2:2005).
2. Confirm the certification body's assessment fees and the schedule for the formal audit.
3. Submit a formal application to the certification body.
4. (Optional) The certification body conducts a pre-assessment, which removes major errors before the formal audit and familiarizes the client with the audit methods, risk assessment, audit policies, scope and procedures that will be used. Omissions and minor points that need to be corrected in the system are identified at this stage.
6. The certification body carries out the second-stage audit, which mainly checks that the documented system has actually been implemented. Certification bodies generally conduct this audit on site and give recommendations.
7. If the audit is completed successfully, the information security management system certificate is issued once the scope of certification has been confirmed. Provided the ongoing surveillance audits are passed, the certificate is valid for three years.
Matters needing attention
ISO 27001 ISMS consulting, matters needing attention during operation: release the information security management system documents in a targeted manner. Training on the system documents is the first task of system operation, and the quality of that training directly affects the result of the operation. The organization should train all employees according to the training plan and the requirements of the training procedures. Through training, all employees come to understand that the newly established or improved information security management system is a reform of the previous arrangements, intended to bring the organization up to internationally recognized information security management standards. To adapt to this change and to the operation of the new management system, everyone must study and apply the information security management system documents seriously.
Strengthen the management of the information generated by system operation. This is not only a requirement of the information security management system but also the key to a successful trial operation. All personnel involved in ISMS activities should carry out the collection, analysis, transmission, feedback, processing and archiving of information security records as required by the system documents. The ISMS documents are themselves information assets of the organization and contain all of the sensitive information about its security management. The organization should classify this information according to its classification principles, mark the security level, and apply strict security controls; no unauthorized copying or lending is permitted.
Coordinate and correct the problems exposed during the trial operation of the system, such as weaknesses in the system design and incomplete elements. Operating the information security management system involves every department within the scope of the system, and during operation activities often deviate from the standard. The organization should therefore establish an information feedback and coordination mechanism for information security, handle abnormal information according to the principles of strictness, coordination, efficiency, simplification and unification, correct the problems, and ensure that the system continues to operate normally.
Practice is the only criterion for testing truth. Problems are bound to arise during the trial operation of the system documents, and all employees should report the problems they encounter, together with suggestions for improvement, truthfully to the relevant departments so that corrective measures can be taken.