2 ISO/IEC 27001:2005(E)
0 简介
0.1 总则
本国际标准的目的是提供建立、实施、运作、
监控、评审、维护和改进信息安全管理体系
(ISMS)的 模 型 。采 用 ISMS 应是一个组织
的战略决定。组织 ISMS 的设计和实施受业
务需求和目标、安全需求、应用的过程及组
织的规模、结构的影响。上述因素和他们的
支持系统预计会随事件而变化。希望根据组
织的需要去扩充 ISMS 的实施,如,简单的
环境是用简单的 ISMS 解决方案。
本国际标准可以用于内部、外部评估其符合
性。
0.2 过程方法
本国际标准鼓励采用过程的方法建立、实
施、运作、监控、评审、维护和改进一个组
织的 ISMS 的有效性。
一个组织必须识别和管理许多活动使其有
效地运行。通过利用资源和管理,将输入转
换为输出的活动,可以被认为是一个过程。
通常,一个过程的输出直接形成了下一个过
程的输入。
组织内过程体系的应用,连同这些过程的识
别和相互作用及管理,可以称之这“过程的
方法”。
在本国际标准中,信息安全管理的过程方法
鼓励用户强调以下方面的重要性:
a) 了解组织信息安全需求和建立信息安
全策略和目标的需求;
b) 在组织的整体业务风险框架下,通过
实施及运作控制措施管理组织的信息
安全风险;
c) 监控和评审 ISMS 的执行和有效性;
d) 基于客观测量的持续改进。
本国际标准采用了“计划-实施-检查-改进”
(PDCA)模型去构架全部 ISMS 流程。图 1
显示 ISMS 如何输入相关方的信息安全需求
和期望,经过必要的处理,产生满足需求和
期望的产品信息安全输出,图 1 阐明与条款
4、5、6、7、8 相关。
采用 PDCA 模型将影响 OECD《信息系统和
网络的安全治理》(2002)中陈述的原则,
0 Introduction
0.1 General
This International Standard has been prepared to provide a model for
establishing, implementing, operating, monitoring, reviewing, maintaining and
improving an Information Security Management System (ISMS). The adoption
of an ISMS should be a strategic decision for an organization. The design and
implementation of an organization’s ISMS is influenced by their needs and
objectives, security requirements, the processes employed and the size and
structure of the organization. These and their supporting systems are expected
to change over time. It is expected that an ISMS implementation will be scaled
in accordance with the needs of the organization, e.g. a simple situation
requires a simple ISMS solution.
This International Standard can be used in order to assess conformance by
interested internal and external parties.
0.2 Process approach
This International Standard adopts a process approach for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving an
organization's ISMS.
An organization needs to identify and manage many activities in order to functio
effectively. Any activity using resources and managed in order to enable the
transformation of inputs into outputs can be considered to be a process. Often
the output from one process directly forms the input to the next process.
The application of a system of processes within an organization, together with
the identification and interactions of these processes, and their management,
can be referred to as a “process approach”.
The process approach for information security management presented in this
International Standard encourages its users to emphasize the importance of:
a) understanding an organization’s information security requirements and the
need to establish policy and objectives for information security;
b) implementing and operating controls to manage an organization's
information security risks in the context of the organization’s overall business
risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS;
and
d) continual improvement based on objective measurement.
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model,
which is applied to structure all ISMS processes. Figure 1 illustrates how an
ISMS takes as input the information security requirements and expectations of
the interested parties and through the necessary actions and processes
produces information security outcomes that meets those requirements and
expectations. Figure 1 also illustrates the links in the processes presented in
Clauses 4, 5, 6, 7 and 8.
The adoption of the PDCA model will also reflect the principles as set out in the
© ISO/IEC 2005 – All rights reserved
