1. Planning and preparation for ISO 27001 certification
This stage mainly consists of laying the groundwork for establishing the information security management system (ISMS). It includes education and training, drawing up plans, surveying the current state of security management, and allocating and managing the human resources involved.
2. ISO 27001 certification determines the scope of the information security management system
The scope of the ISMS is the area of security that needs to be managed with particular emphasis. Depending on its actual circumstances, an organization may implement the ISMS across the whole organization or only in individual departments or business areas. At this stage the organization should be divided into distinct information security control areas, which makes it easier to apply the appropriate level of information security management to each of them.
When defining the scope, focus on the organization's operating environment, the personnel covered, the IT technology in use, and the existing information assets.
3. Investigation and risk assessment for ISO 27001 certification
In accordance with the relevant information security technologies and management standards, this stage investigates and evaluates the security attributes (confidentiality, integrity, availability, and so on) of the information system and of the information it processes, transmits and stores; assesses the threats faced by information assets and the likelihood that they lead to security incidents; and judges the impact on the organization should a security incident occur.
4. ISO 27001 certification establishes an information security management framework
To establish an ISMS, it is necessary to plan and build a sound information security management framework and to carry out security construction at every level of the information system from an overall, organization-wide perspective.
Starting from the information system itself, and according to the nature of the business, the characteristics of the organization, the state of its information assets and its technical conditions, the organization draws up an information asset inventory, carries out risk analysis, requirements analysis and selection of security controls, compiles a Statement of Applicability, establishes the security system, and proposes security solutions.
5. Preparation of ISO 27001 certification system documents
Establishing and maintaining a documented information security management system is a general requirement of the ISO/IEC 27001:2005 standard (the edition referenced here; the later 2013 and 2022 editions keep the requirement in the form of "documented information"). Compiling the ISMS documents is the basic work of establishing the ISMS, and it is also an indispensable basis for the organization to achieve risk control, evaluation, and continual improvement of the ISMS.
The documents established in the ISMS shall include: the security policy, the scope statement, the risk assessment documents, the implementation and control documents, and the Statement of Applicability.
6. Operation and improvement of the ISO 27001 certification system
Once the ISMS documents have been compiled, the organization shall review and approve them in accordance with the document control requirements and issue them for implementation. At this point the ISMS enters the operation stage.
During this period the organization should strengthen operation of the system, make full use of its functions, identify problems in the system design promptly, find their root causes, take corrective action, change the system according to the change control procedure, and thereby further improve the ISMS.
7. Audit of the ISO 27001 certification system
A system audit is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. System audits include internal audits and external (third-party) audits.
An internal audit is generally carried out in the organization's own name and can serve as the basis for the organization's self-assessment of conformity; an external audit is conducted by an independent external body and can result in certification or registration that demonstrates conformity with the requirements. Which audit approach to adopt requires careful planning and attention to the control details.
Information security management requires the participation of all employees of the organization. For example, to prevent third parties from entering the organization's office area without authorization and obtaining its technical secrets, physical controls must be complemented by the involvement of all employees in strengthening control. In addition, suppliers, customers or shareholders may need to participate, and the opinions of external experts may need to be sought.
Information, information processing, information systems and the networks that carry information are all important business assets. The confidentiality, integrity and availability of information are vital to maintaining competitive advantage, cash flow, efficiency, legal compliance and business image.