(혹시 나중에 잊을까봐 따로 등록해 둡니다.)
ISO 27001/27000 Control Objective Checklist and Statement of Applicability
ISO27kSOAsample.xls추가로 ISO 27001에 대한 간단한 소개글을 참조해 보세요.
Who can adopt the ISO/ IEC 27001:2005 standard?
ISO/
IEC 27001:2005 can be used by any organization. The standard is meant
for any organization that uses internal or external computer systems,
possesses confidential data and/or depends on information systems to
carry out its business activities. In simple terms, it can be used by
any organization that deals with information and recognizes the
importance of securing that information in an appropriate manner
relevant to that business. In a broad sense ISMS (Information Security
Management Systems) forms an integral part of any business strategy in
corporate warfare.
Control Objectives and Controls in ISO 27001
The
basic intent of ISO 27001 is to ensure the "Confidentiality",
"Integrity" and "Availability" of information within an organization.
The standard recommends a fairly long list of 134 controls to support
the 39 control objectives to achieve this. The organization is free to
choose the controls as applicable to their business and justify the
same. However it is possible that there may be additional controls that
are not included here that the organization may choose to implement.
The accompanying standard ISO 17799:2005 is prescriptive in nature and
provides guidelines for implementation of the controls.
| ISO 27001 Control Domain | Objectives | Controls |
| Security policy | 1 | 2 |
| Organization of informaiont security | 2 | 11 |
| Asset management | 2 | 5 |
| Human resources security | 3 | 9 |
| Physical and environmental security | 2 | 13 |
| Communication and operational management | 10 | 33 |
| Access control | 7 | 25 |
| Systems development and maintenance | 6 | 16 |
| Information security and incident management | 2 | 5 |
| Business Continuity Plan | 1 | 5 |
| Compliance | 3 | 10 |
| 39 | 134 |
Structure of ISO 27001:2005
The standard is developed around the famous "Plan-Do-Check-Act Cycle" (PDCA) of Dr. Edward Deming. First published in October 2005, it replaces the popular British Standard BS 7799-2:2002 that served as a well-accepted standard for ISMS.
I. PLAN
The most important part in Plan is to define the scope or area to be covered. It can be:
- A full organization spanning across multiple facilities, or
- A single facility, or
- A particular service in a multi-service provider company.
What company wants to achieve in terms of confidentiality, integrity and availability? What is an acceptable level of risk? Are there any constraints, such as laws and regulations, or particular ways in which you wish to do things? It should be a short document but signed by the CEO. The controls flow from top to bottom.
Risk assessment: Depending upon the information we want to protect and what is acceptable level of risk, what is actual risk? Evaluate the risks. If you plot the likelihood of the impact occurring against the magnitude of the impact, you may consider that there are risks that of not of any great concern.
After completing the Risk assessment the organization needs to decide how to treat that risk.
Statement of Applicability (SOA): Identify all the security controls, which are applicable to an organization and justify why they are appropriate, and show why those BS7799 controls that have not been chosen are not relevant. The control sets are required to relate the selection of the controls back to the risk assessment.
II. DO
The Do part of the cycle requires you to operate the controls. The organization will need a procedure, as mentioned above, to ensure the prompt detection and response to incidents. You will also need to ensure that all staff are security aware, and are appropriately trained and are competent to carry out their respective security tasks. To ensure all of this is carried out you will need to manage the necessary resources.
III. CHECK
The purpose of the Check phase is to ensure that the controls are in place and are achieving their objectives. There are a variety of possible check activities, but only internal ISMS audit and management review are mandatory requirements.
IV. ACT
The outcomes of the Check activity are actions. There are three varieties:
- Corrective action
- Preventive action
- Improvements
Conclusion
ISO 27001:2005 provides organizations in any line of business a tool to help prevent information security lapses and mitigate risks associated with the same. A formal implementation of the same followed by certification has the following benefits (not all-inclusive):
- Confidence that suitable controls in line with International Standards have been put in place to minimize information security lapses in an organization
- Systematic approach to address legal compliance — reduce risk exposure to legal liability
- Systematic approach to plan and manage business continuity
- Assurance to customers, partners and stakeholders
- Increase revenue and business opportunities.
'Working > IT Security' 카테고리의 다른 글
| 아이핀 의무도입에 따른 생각 (0) | 2008.12.24 |
|---|---|
| 정 익스플로러를 쓰셔야 한다면 보안은 이렇게... (0) | 2008.12.18 |
| Remote File Inclusion 취약점 분석 및 대책 (0) | 2008.10.17 |
| 무선랜 WEP 인증 해킹시연 및 방어대책 (1) | 2008.03.19 |
| Security Checklists (0) | 2008.03.02 |