International Standard for Information Security (国际信息安全标准).pdf

Published: 2017-07-26. About 116,600 characters, 43 pages.
International Standard for Information Security (ISO 27001)

Designated Official:
Time Period: 14:34:17 Monday, January 29, 2007

Introduction to ISO 27001 *1

What is ISO 27001?

ISO 27001 is an International Standard for information security that requires organizations to implement security controls to accomplish certain objectives. The standard should be used as a model to build an Information Security Management System (ISMS).

What is an ISMS?

An ISMS is the part of an organization's overall management system that governs how it secures its networks and systems. It aims to "establish, implement, operate, monitor, review, maintain, and improve information security" commensurate with the perceived security risks to the organization's business.

Who and what is affected by ISO 27001?

As a model for information security, ISO 27001 is a generic standard designed for organizations of all sizes and types, including governmental, non-governmental, and non-profit organizations. It requires the managing body of an organization to plan, implement, maintain, and improve an ISMS. *2 The ISMS model ensures the selection of adequate security controls, based on organizational objectives, to protect all information assets, including both wireline and wireless assets.

When is ISO 27001 effective?

ISO 27001 was published and came into effect on October 15, 2005.

Notes

1. The ISO 27001 standard is cited as ISO/IEC 27001:2005 International Standard. The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) are international bodies whose members participate in developing international standards through technical committees. ISO/IEC 27001 was prepared by the Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. For more information see /iso-27001.htm.

2. In the United Kingdom, ISO 27001 is a direct replacement for BS7799-2:2002. It is also