
Contact: Miss Luo

Phone: 13798904733 / 18928298220

Tel: 0769-22805501

QQ: 691743147

Email: dgzf@dgzf0769.com

Address:Room 104, Building 6, Haiyi Palace Shangdu, No. 66 Hujing Avenue, Houjie Town, Dongguan City, Guangdong Province

ISO27001 Information Security Management System Standard
Date: 2022-03-24

In an increasingly networked world, "information" plays a pivotal role in building competitive advantage. But it is also a double-edged sword: when information is accidentally or deliberately passed on to a malicious recipient, the same information can lead to the failure of an institution. In today's information age, technology has undoubtedly solved many problems for us, but it has not removed this risk.


In response to such needs, the International Organization for Standardization (ISO) developed the ISO27001:2005 standard to provide guidance on how to establish, implement, maintain and improve an information security management system. An Information Security Management System (ISMS) is a system used by top management to monitor and control information security, reduce business risks and ensure that security controls continue to meet corporate, customer and legal requirements. ISO/IEC 27001:2005 can help organizations protect proprietary information, and at the same time provides a platform for formulating unified organizational security standards, which also helps to improve the practical performance of security management and to strengthen the confidence and trust of inter-organizational business transactions.


Who can adopt the ISO/IEC 27001:2005 standard?


ISO/IEC 27001:2005 can be used by any organization that uses internal or external computer systems, possesses confidential information and/or relies on information systems for its business activities. Simply put, it applies to any institution that needs to process information and recognizes the importance of protecting it.


Control objectives and measures of ISO/IEC 27001


The purpose of ISO/IEC 27001 is to ensure the confidentiality, integrity and availability of institutional information. To achieve this purpose, the standard proposes 39 control objectives and 134 control measures. An organization implementing ISO/IEC 27001 selects the controls that apply to its business, and may add other controls as well. The ISO 17799:2005 standard, which complements ISO/IEC 27001, is a code of practice for information security management that provides guidance on how to implement the controls.


Structure of ISO/IEC 27001:2005


The ISO/IEC 27001:2005 standard was published in October 2005 and at the same time superseded the British standard BS 7799-2:2002 adopted by many countries, but the requirements of the old and new standards do not differ much. The ISO/IEC 27001:2005 standard uses the "Plan-Do-Verify-Act" cycle proposed by Dr. Edward Deming as a blueprint to achieve the goal of continuous improvement.


I. Planning


The most important part of planning is to set the scope and the area to be covered, which can be:


The entire organization, covering offices and/or plants at multiple locations


Only one office or factory


Only one of the businesses of a diversified service provider


The main work of the planning phase covers the information security management system, risk assessment, risk management, risk treatment measures and the statement of applicability.


An information security management system is the part of the overall management system that deals with operational risk, with the purpose of establishing, implementing, operating, reviewing, maintaining and improving information security.


What are the organization's goals in terms of confidentiality, integrity and availability of information? What level of risk is acceptable? Are there any constraints, such as laws, regulations or internal organizational procedures? The information security policy should be a document endorsed by the executive director, and control measures should be implemented in a top-down manner.


Risk assessment identifies real risks based on the information that needs to be protected and the acceptable level of risk, and evaluates the likelihood of each risk and the severity of its impact, so as to identify the risks that the organization needs to manage, shown as the red part of the figure below.


Risk Management / Risk Treatment


After completing the risk assessment, the organization decides how to deal with each identified risk.


Statement of Applicability


List all security controls, indicate which are applicable or not applicable to the organization, and explain why. Control measures must be selected based on the results of the risk assessment.
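The planning steps above (a risk assessment against an acceptable risk level, the treatment decision for each risk, and a statement of applicability that justifies every control from the assessment) can be made concrete with a small risk register. The following is an added illustration, not code from this page or from the standard; the likelihood and impact scales, the acceptable-risk threshold, the register entries and the control identifiers are all constructed assumptions (the identifiers merely imitate Annex A numbering and do not quote Annex A).

```python
"""Added illustration of the ISO 27001 planning steps: risk assessment,
risk treatment and statement of applicability. Example code only; all
scales, thresholds, assets and control identifiers are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int       # 1 (negligible) .. 5 (severe), constructed scale
    controls: tuple   # control identifiers that would treat this risk

    @property
    def score(self) -> int:
        # Simple likelihood x impact scoring (assumption, not mandated by the standard)
        return self.likelihood * self.impact


ACCEPTABLE_RISK = 6  # assumption: any score above this must be treated

# Constructed risk register with hypothetical assets and threats.
RISK_REGISTER = [
    Risk("customer database", "unauthorized access", 3, 5, ("A.9.1", "A.10.1")),
    Risk("office laptops", "loss or theft", 4, 3, ("A.10.1", "A.8.3")),
    Risk("public brochure", "unauthorized disclosure", 2, 1, ()),
    Risk("e-mail service", "phishing of staff", 4, 4, ("A.7.2",)),
]

# Constructed catalogue of candidate controls (placeholder identifiers).
CONTROL_CATALOGUE = {
    "A.7.2": "security awareness training",
    "A.8.3": "media handling",
    "A.9.1": "access control policy",
    "A.10.1": "cryptographic controls",
    "A.11.2": "equipment siting and protection",
}


def assess(register, threshold=ACCEPTABLE_RISK):
    """Risk assessment: the risks whose score exceeds the acceptable level,
    highest first. These are the 'red' risks the organization must manage."""
    return sorted((r for r in register if r.score > threshold),
                  key=lambda r: r.score, reverse=True)


def treatment_plan(register, threshold=ACCEPTABLE_RISK):
    """Risk treatment: decide for every risk whether to treat it or accept it."""
    plan = {}
    for r in register:
        if r.score > threshold:
            plan[(r.asset, r.threat)] = "treat" if r.controls else "treat (control to be selected)"
        else:
            plan[(r.asset, r.threat)] = "accept"
    return plan


def statement_of_applicability(register, catalogue, threshold=ACCEPTABLE_RISK):
    """Statement of Applicability: for every control in the catalogue, state
    whether it is applicable and justify that from the risk assessment."""
    needed = {}
    for r in assess(register, threshold):
        for c in r.controls:
            needed.setdefault(c, []).append(f"{r.asset}/{r.threat} (score {r.score})")
    soa = {}
    for cid in sorted(catalogue):
        if cid in needed:
            soa[cid] = {"applicable": True,
                        "justification": "treats: " + "; ".join(needed[cid])}
        else:
            soa[cid] = {"applicable": False,
                        "justification": "no risk above the acceptable level requires it"}
    return soa


if __name__ == "__main__":
    for r in assess(RISK_REGISTER):
        print(f"{r.score:2d}  {r.asset}: {r.threat}")
    for cid, entry in statement_of_applicability(RISK_REGISTER, CONTROL_CATALOGUE).items():
        status = "applicable" if entry["applicable"] else "not applicable"
        print(f"{cid} {CONTROL_CATALOGUE[cid]}: {status} ({entry['justification']})")
```

The point of the structure is traceability: every "applicable" entry in the statement names the assessed risk that justifies it, and every "not applicable" entry records that no risk above the acceptable level calls for the control, which is exactly the explanation an auditor will ask for.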


II. Implementation


Once controls have been selected, they need to be implemented, with procedures in place to ensure that incidents are quickly detected and responded to, and that all employees are aware of the importance of information security, are properly trained, and are able to perform the security tasks for which they are responsible. In addition, the required resources must be properly managed.


III. Verification


The purpose of verification is to confirm that the control measures are implemented and that the stated objectives are achieved. Although various verification methods are available, only internal audits and management reviews are mandatory requirements.


IV. Take action


Finally, appropriate action needs to be taken on the verification results, which can be:


Corrective action


Preventive action


Improvement


Summary


The ISO/IEC 27001:2005 standard provides organizations in all industries with a set of business tools to help them avoid information security failures, thereby reducing the associated risks. Organizations that formally implement ISO/IEC 27001:2005 and obtain certification benefit greatly; a few of the benefits are listed below:


Minimise information security failures by implementing appropriate controls in accordance with an international standard


Address legal compliance requirements in a systematic way, thereby reducing the risk of legal liability


Plan and manage the continuity of operations in a systematic way


Increase the confidence of clients, partners and stakeholders in the organization


Increase operating income and bring more business opportunities to the organization