ISO 27001
For a variety of reasons, more and more US organizations are considering ISO certification to demonstrate their information security acumen to customers and business partners. In most cases, these organizations have already obtained one or more certifications and/or attestations and simply want to further strengthen their organizational credentials and satisfy any inquiring third party. While commendable, this effort can be hindered by the assumption that ISO is just another security framework to which existing policies, procedures, and controls can be applied. The simple fact is that if you think the success of other compliance efforts provides any assurance of ISO certification, you need to think again.
For any organization considering ISO certification, LBMC is here to answer common questions, dispel common misconceptions, and, most importantly, equip readers with valuable information for initiating a successful ISO certification journey.
What is ISO 27001?
The International Organization for Standardization is an independent body whose goal is to publish standards that any organization, regardless of industry, can follow. As defined on their website, a standard is "a formula that describes the best way of doing something." These include quality and environmental management standards, health and safety standards, food safety standards and, of course, information security standards. Standards are published in numbered series, each containing multiple individual documents related to some aspect of the topic. In most cases, the "01" document in each series, e.g. 9001, 14001, 27001, is the standard against which organizations can be certified. All other documents in the series are supporting documents for the certification standards.
The ISO 27000 series is the established series for Information Security Management Systems. A management system is the policies, procedures, and resources implemented to preserve the confidentiality, integrity, and availability of information. ISO/IEC 27001:2022 is the standard against which organizations can be certified. This ISO certification demonstrates to interested parties the organization's dedication to effectively managing risk and the security of critical information systems.
Incidentally, the IEC in the document title refers to the International Electrotechnical Commission, a similar standards organization that contributes to ISO standards involving technical activities.
Why is ISO 27001 important?
While US-based organizations are subject to many industry and regulatory frameworks that guide cybersecurity and compliance efforts, ISO 27001 is the de facto information security standard outside the US. For organizations engaging customers and other business relationships outside the US, ISO certification is commonly expected as proof of the organization's commitment to effective risk management and information security. At the core of the ISO standard is the establishment of a formal management structure around the ISMS to ensure its continued effectiveness. This effectiveness must be demonstrated to earn and maintain certification. ISO is not a "checkbox security" framework.
Organizations often leverage the ISMS established for ISO certification to manage other compliance programs such as SOC, PCI, and HITRUST. For example, while conducting their annual ISO internal audit, they take the opportunity to verify that controls still meet the requirements of other compliance standards. Then, as part of the management review program for ISO certification, they take the opportunity to review their other compliance programs to identify changes in scope, changes in the risk or threat environment, and any relevant internal audit findings. For security managers seeking approval from upper management to pursue ISO certification, this is an effective tool for justifying the resources required to establish and maintain an ISO compliance program.
What are the requirements of ISO 27001?
ISO standard documents follow a common format whereby content is divided into numbered clauses. Clauses define the scope of a given standard, provide references to other supporting or dependent standards, define terms and definitions used in the standard, and establish the requirements or expectations of the standard. Standards often include annexes or appendices that provide supporting guidance for the requirements and expectations contained in the clauses.
The ISO 27001 standard consists of 7 clauses and 93 control requirements. The clauses establish the fundamental elements of an Information Security Management System (ISMS) that an organization must have in place to manage risk and protect information. These requirements are unique to the ISO 27001 standard. Unlike other information security compliance frameworks, the clauses establish requirements for ongoing direction and oversight of the ISMS. These include activities such as organizational risk assessment and treatment analyses, regular executive management review of the ISMS, annual internal audit of the ISMS, and ongoing monitoring and measurement of the effectiveness of security controls.
The second half of the standard, titled Annex A, consists of the ISO 27001 control requirements. The control requirements are more familiar to information security practitioners because they are the tactical requirements organizations use to address security risks and threats. These include access and authentication, logging, encryption, incident response, and the other control categories organizations implement as part of their various security and compliance programs. Unlike some cybersecurity frameworks, ISO control requirements are not prescriptive. In other words, ISO 27001 does not establish minimum password settings, log retention periods, or encryption key lengths. Instead, ISO establishes the controls that must be considered by the organization. The organization then determines which controls apply to its environment and adequately address the identified risks. The auditor's role, therefore, is to determine whether the controls are implemented as defined and whether they adequately address the risks for which they were implemented.
Is ISO 27001 a legal requirement?
ISO 27001 itself is not a legal requirement. Organizations may, however, establish contractual obligations to obtain and/or maintain ISO 27001 certification as part of their business relationships. ISO 27001 certification may also be leveraged and/or accepted by organizations as a means of demonstrating compliance with industry and regulatory information security requirements.
What three aspects of information does ISO 27001 focus on?
While an organization's ISMS addresses the security of multiple aspects of the organization's hardware, software, and data assets, the ISO 27001 standard is focused on the confidentiality, integrity, and availability of information.
- Confidentiality is the protection of information from unauthorized access.
- Integrity is the protection of information from unauthorized modification.
- Availability is the assurance that information is accessible as needed.
The end result of achieving ISO 27001 certification is that an organization assures its customers, business partners, and other interested parties that the risk of compromise of the information for which the organization is responsible is minimal.
What is the current ISO 27001 standard?
ISO/IEC 27001:2022 is one of many standards and supporting documents in the 27000 series for Information Security Management Systems. The series includes certification standards such as 27001 and 27701, as well as guidance and supporting documents such as 27002 and 27003.
How do you become ISO 27001 certified?
Organizations must be audited by an independent third party. Any auditor can issue a certification, but it is recommended to engage an accredited ISO 27001 Certifying Body to conduct the audit. Accredited certifying bodies are themselves subject to regular independent audits to confirm that they are reputable, competent, and trustworthy. This provides assurance to the organization, and to any interested party, that the audit was conducted and the certificate issued in accordance with all associated ISO standards.
To successfully pass an initial ISO 27001 certification audit, an organization must demonstrate that its ISMS is fully implemented and effective. To do this, the organization will need to implement all of the requirements established in the ISO 27001 clauses and Annex A controls. To demonstrate this effectiveness, ISO auditors will commonly look for a full iteration of the PDCA (Plan-Do-Check-Act) cycle. For mature organizations with ISMS components and controls already well established, this may take as little as four to six months to prepare for initial certification. For others, at least a year is needed to establish the ISMS and related controls in preparation for their initial certification audit.
Due to the significant effort needed to prepare for the initial audit, many organizations engage a third party to assist with establishing their ISMS. Third parties may simply oversee and provide guidance while the organization implements its ISMS, or they may become fully or partially involved in the effort. Regardless of how involved they are, a third party who provides implementation assistance should not and, according to some certifying bodies, cannot also conduct the organization's certification audit. This avoids a conflict of interest between the implementation and auditing entities.
Brian Willis, CISSP, CCSK, PCI QSA, ISO 27001 Senior Lead Auditor, is a Senior Manager in the Cybersecurity department at LBMC, PC. He can be reached at or (615) 309-2607.