1 ISO/IEC 27001:2005(E) © ISO/IEC 2005 – All rights reserved ISO标准——IEC 27001:2005 信息安全管理体系信息安全管理体系信息安全管理体系信息安全管理体系 ———————— 要求 Reference number ISO/IEC 27001:2005(E) 2 ISO/IEC 27001:2005(E) © ISO/IEC 2005 – All rights reserved 0简简 简简介介 介介 0.1总则总则总则总则 本国际标准的目的是提供建立 、 实施、 运作、 监控、评审、维护 和改进ISMS（ISMS）的 模型。 采用ISMS应是一个组织的战略决定 。 组织ISMS的设计和实施受业务需 求和目 标、安全需求 、应用的过 程及组织的 规模、 结构的影响 。上述因素和他们的支持 系统应 随时间变化 而变化。希望根据组织的需要去 扩充ISMS的实施，如，简单的 环境是用简 单的ISMS解决方案 。 本国际标准可以 用于内部、外部评估其符合 性。 0.2过程方法过程方法过程方法过程方法 本国际标准鼓励采用过程的方法 建立、实 施、运作 、监控、评审、维护和改进 一个组 织的ISMS的有效性 。 一个组织必须识别和管理许多活动使其有 效地运行 。通过利 用资源和管理 ，将输入转 换为输出 的活动，可以被认为是一个过程 。 通常，一个过程的输出直接形成了下一个过 程的输入 。 组织内过程体系的 应用，连同这些过程 的识 别和相互作用及管理 ，可以称之这“过程的 方法” 。 在本国际标准中 ，信息安全管理的 过程方法 鼓励用户强调以下方面的 重要性： a) 了解组织 信息安全需求和建立信息安 全策略和目标的需求 ； b) 在组织的整体业务风险 框架下，通过 实施及运作控制措施 管理组织的信息 安全风险 ； c) 监控和评审 ISMS的执行和有效性 ； d) 基于客观测量的持续改进 。 本国际标准采用了 “计划-实施-检查-改进” （PDCA）模型去构架全部 ISMS流程。图1 显示ISMS如何输入相关方的 信息安全需求 和期望，经过必要的处理 ，产生满足需求和 期望的产品信息安全输出 ，图1阐明与条款 4、5、6、7、8相关。 采用PDCA模型将影响 OECD《信息系统和 网络的安全治理》 （2002）中陈述的原则 ， 0 Introduction 0.1 General This International Standard has been prepared to pr ovide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an or ganization. The design and implementation of an organization’s ISMS is influen ced by their needs and objectives, security requirements, the processes em ployed and the size and structure of the organization. These and their supp orting systems are expected to change over time. It is expected that an ISMS im plementation will be scaled in accordance with the needs of the organization, e .g. a simple situation requires a simple ISMS solution. This International Standard can be used in order to assess conformance by interested internal and external parties. 0.2 Process approach This International Standard adopts a process approa ch for establishing, implementing, operating, monitoring, reviewing, mai ntaining and improving an organization's ISMS. An organization needs to i dentify and manage many activities in order to func tion effectively. Any activity using resources and manag ed in order to enable the transformation of inputs into outputs can be consid ered to be a process. Often the output from one process directly forms the inpu t to the next process. The application of a system of processes within an organization, together with the identification and interactions of these proces ses, and their management, can be referred to as a “process approach”. The process approach for information security manag ement presented in this International Standard encourages its users to emph asize the importance of: a) understanding an organization’s information secu rity requirements and the need to establish policy and objectives for informa tion security; b) implementing and operating controls to manage an organization's information security risks in the context of the or ganization’s overall business risks; c) monitoring and reviewing the performance and eff ectiveness of the ISMS; and d) continual improvement based on objective measure ment. This International Standard adopts the "Plan-Do-Che ck-Act" (PDCA) model, which is applied to structure all ISMS processes. F igure 1 illustrates how an ISMS takes as input the information security requir ements and expectations of the interested parties and through the necessary ac tions and processes produces information security outcomes that meets t hose requirements and expectations. Figure 1 also illustrates the links i n the processes presented in Clauses 4, 5, 6, 7 and 8. The adoption of the PDCA model will also reflect th e principles as set out in the 3 ISO/IEC 27001:2005(E) © ISO/IEC 2005 – All rights reserved 本国际标准提供一个健壮的模型去实施指 南中的控制风险评估 、安全设计和实施 、安 全管理