
ISO27001 Control Objective Checklist

I am filing some material I found while researching resources to supplement security policies and guidelines that follow international standards and domestic law.
(I'm registering it separately in case I forget about it later.)

ISO 27001/27000 Control Objective Checklist and Statement of Applicability
ISO27kSOAsample.xls

I don't know the exact original source, but this is a sample checklist file for the ISO 27001 controls that I obtained from http://www.compliancesforum.com.

In addition, see the brief introduction to ISO 27001 below.

Who can adopt the ISO/IEC 27001:2005 standard?
ISO/IEC 27001:2005 can be used by any organization. The standard is meant for any organization that uses internal or external computer systems, possesses confidential data and/or depends on information systems to carry out its business activities. In simple terms, it can be used by any organization that deals with information and recognizes the importance of securing that information in a manner appropriate to its business. In a broad sense, an ISMS (Information Security Management System) forms an integral part of any business strategy in corporate warfare.

Control Objectives and Controls in ISO 27001
The basic intent of ISO 27001 is to ensure the "Confidentiality", "Integrity" and "Availability" of information within an organization. To achieve this, the standard recommends a fairly long list of 134 controls supporting 39 control objectives. The organization is free to choose the controls applicable to its business and must justify that choice. However, there may be additional controls, not included in the standard, that the organization chooses to implement. The accompanying standard ISO 17799:2005 is prescriptive in nature and provides guidelines for implementing the controls.

ISO 27001 Control Domain                          Objectives   Controls
Security policy                                        1           2
Organization of information security                   2          11
Asset management                                       2           5
Human resources security                               3           9
Physical and environmental security                    2          13
Communication and operational management              10          33
Access control                                         7          25
Systems development and maintenance                    6          16
Information security and incident management           2           5
Business Continuity Plan                               1           5
Compliance                                             3          10
Total                                                 39         134


Structure of ISO 27001:2005
The standard is built around the well-known "Plan-Do-Check-Act Cycle" (PDCA) of Dr. W. Edwards Deming. First published in October 2005, it replaces the popular British Standard BS 7799-2:2002, which had served as a well-accepted standard for ISMS.

I. PLAN
The most important part in Plan is to define the scope or area to be covered. It can be:

  • A full organization spanning across multiple facilities, or
  • A single facility, or
  • A particular service in a multi-service provider company.
The important tasks of Planning include the ISMS policy, risk assessment, risk management, risk treatment and the statement of applicability.

ISMS policy: What does the company want to achieve in terms of confidentiality, integrity and availability? What is an acceptable level of risk? Are there any constraints, such as laws and regulations, or particular ways in which you wish to do things? It should be a short document, but signed by the CEO. The controls flow from the top down.

Risk assessment: Given the information we want to protect and the acceptable level of risk, what is the actual risk? Evaluate the risks. If you plot the likelihood of an impact occurring against the magnitude of that impact, you may find that some risks are not of any great concern.

Risk management / risk treatment: After completing the risk assessment, the organization needs to decide how to treat each identified risk.

Statement of Applicability (SOA): Identify all the security controls that are applicable to the organization, justify why they are appropriate, and show why the BS 7799 controls that have not been chosen are not relevant. The selection of controls must be traceable back to the risk assessment.
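As an added example (not from this post or the linked article), here is a small Python check that applies the Plan-phase rules described above: each risk is scored as likelihood times impact, and the SOA is consistent only if every selected control traces back to an assessed risk, every excluded control carries a justification, and every risk above the acceptable level is treated by some selected control. The control IDs, risk entries and acceptance threshold are constructed sample data.

```python
# Added example: a minimal risk register and Statement of Applicability check.
# Control IDs, risks and the threshold below are constructed sample values.
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # constructed: likelihood x impact at or below this needs no treatment

@dataclass
class Risk:
    rid: str
    asset: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass
class SoaEntry:
    control: str                                 # Annex A style label, used only as an ID
    applicable: bool
    justification: str = ""                      # required when the control is excluded
    treats: list = field(default_factory=list)   # risk IDs this control addresses

def validate_soa(risks, entries):
    """Return a list of findings; an empty list means the SOA is consistent."""
    findings = []
    known = {r.rid for r in risks}
    unacceptable = {r.rid for r in risks if r.score() > ACCEPTABLE_RISK}
    for e in entries:
        if e.applicable and not e.treats:
            findings.append(f"{e.control}: selected but not linked to any assessed risk")
        for rid in e.treats:
            if rid not in known:
                findings.append(f"{e.control}: references unknown risk {rid}")
        if not e.applicable and not e.justification.strip():
            findings.append(f"{e.control}: excluded without a justification")
    covered = {rid for e in entries if e.applicable for rid in e.treats}
    for rid in sorted(unacceptable - covered):
        findings.append(f"{rid}: above acceptable risk level but no selected control treats it")
    return findings

# Constructed sample register and SOA.
RISKS = [Risk("R1", "customer DB", 4, 5), Risk("R2", "lobby printer", 2, 1), Risk("R3", "laptops", 3, 4)]
SOA = [
    SoaEntry("A.11.2.1", True, treats=["R1"]),
    SoaEntry("A.9.1.2", True),                   # selected, but traces to nothing
    SoaEntry("A.10.8.4", False),                 # excluded, no reason given
    SoaEntry("A.6.2.1", False, justification="No external parties have system access"),
]

if __name__ == "__main__":
    for finding in validate_soa(RISKS, SOA):
        print(finding)
```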

II. DO
The Do part of the cycle requires you to operate the controls. The organization will need a procedure, as mentioned above, to ensure the prompt detection and response to incidents. You will also need to ensure that all staff are security aware, and are appropriately trained and are competent to carry out their respective security tasks. To ensure all of this is carried out you will need to manage the necessary resources.

III. CHECK
The purpose of the Check phase is to ensure that the controls are in place and are achieving their objectives. There are a variety of possible check activities, but only internal ISMS audit and management review are mandatory requirements.

IV. ACT
The outcomes of the Check activity are actions. There are three varieties:

  • Corrective action
  • Preventive action
  • Improvements

Conclusion
ISO 27001:2005 gives organizations in any line of business a tool to help prevent information security lapses and mitigate the associated risks. Formal implementation followed by certification has the following benefits (not all-inclusive):

  • Confidence that suitable controls in line with International Standards have been put in place to minimize information security lapses in an organization
  • Systematic approach to address legal compliance — reduce risk exposure to legal liability
  • Systematic approach to plan and manage business continuity
  • Assurance to customers, partners and stakeholders
  • Increase revenue and business opportunities.
Original article: http://www.ul-asia.com/news_nl/2006-Issue17/page6.htm