How to Build ISO27001 Certification Information Security Management System
Time: 2022-03-24

Building an ISO27001 certification system is divided into four stages: performing a security risk assessment, planning the system construction, establishing the information security management system, and operating and improving the system. This follows the PDCA (Plan-Do-Check-Act) cycle of information security management and the requirements of ISO27001, so that the security of the enterprise's information systems is effectively protected and information security is maintained over time.


1. Establish scope


The first step is to establish the scope of the project, defined along two dimensions: the organizational level and the system level. At the organizational level, internal institutions are considered first: the scope needs to cover all departments of the company, including headquarters, business departments, manufacturing headquarters, technology headquarters, and so on. External institutions are those connected to the company's information systems, including suppliers, intermediary business partners, and other partners.


At the system level, the scope is defined by the following layers. Physical environment: the sites that host the information systems, their surroundings, and the facilities on site that keep the computer systems running, including the computer room environment, access control, and monitoring. Network system: the line media, equipment, and software that make up the information system's network transmission environment. Server platform system: the servers, network equipment, clients and their operating systems, databases, middleware, and Web systems that support all information systems. Application systems: the applications that support business, office, and management use. Data: the data transmitted and stored throughout the information system. Security management: security policies, rules and regulations, personnel organization, development security, project security management, and the security compliance and security auditing of system administrators during daily operation and maintenance.


2. Security risk assessment


Enterprise information security means ensuring that enterprise business systems are not illegally accessed, used, or tampered with, providing safe and trustworthy services to employees, and guaranteeing the availability, integrity, and confidentiality of information systems.


The security assessment consists of two main parts:


2.1. Evaluation of enterprise security management


Through a survey of the company's current security controls, interviews, document review, comparison against ISO27001 best practice, and a "gap analysis" informed by industry experience, the weaknesses in the company's level of security control are identified, providing a basis for selecting security measures.


The assessment covers the 11 areas of the information security management system addressed by ISO27001: information security policy, security organization, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, security incident management, business continuity management, and compliance.


2.2. Enterprise security technology assessment


Based on the classification of assets by security level, security scanning of information equipment and review of security device configurations are used to examine and analyze the security status and weaknesses of existing network equipment, server systems, terminals, and the network security architecture, providing a basis for security hardening.


Security assessments are also performed on representative key applications of the enterprise. Key applications are evaluated by penetration testing: the threats to and weaknesses of the application system are identified, and the gap between its current state and its security objectives is analyzed to provide a basis for later remediation.


Security assessment requires a methodology. We take ISO27001 as the core, draw on the strengths of several widely used international assessment models, and combine them with the characteristics of the enterprise to establish a risk assessment model:


The risk assessment model has four main elements: information assets, weaknesses, threats, and risks. Each element has its own attributes. The attribute of an information asset is its asset value. The attributes of a weakness are the likelihood that it can be exploited despite the existing control measures, and the severity of the impact on the asset once a threat exploits it. The attributes of a threat are the likelihood that it occurs and the severity of the harm it causes. The attribute of a risk is its risk level. The risk assessment uses a qualitative method, assigning values to each attribute by grading.
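As an added illustration that is not part of the original article, the following code expresses the four-element qualitative model above as a small risk-register calculation. The 1-5 grading scales, the way likelihood and impact are combined, and the High/Medium/Low thresholds are assumptions for illustration; the article does not state them and ISO27001 does not prescribe them.

```python
from dataclasses import dataclass

# Grading scales (assumed): every attribute is graded 1 (lowest) to 5 (highest).

@dataclass
class Asset:
    name: str
    value: int          # asset value, 1..5

@dataclass
class Weakness:
    description: str
    exploitability: int # likelihood of exploitation despite existing controls, 1..5
    impact: int         # severity of impact on the asset once exploited, 1..5

@dataclass
class Threat:
    description: str
    likelihood: int     # likelihood the threat occurs, 1..5
    severity: int       # severity of the harm it causes, 1..5

def _ceil_avg(a: int, b: int) -> int:
    """Integer ceiling of the average of two grades (avoids float rounding)."""
    return (a + b + 1) // 2

def risk_score(asset: Asset, weakness: Weakness, threat: Threat) -> int:
    """Assumed formula: asset value x combined likelihood x combined impact (1..125)."""
    likelihood = _ceil_avg(weakness.exploitability, threat.likelihood)
    impact = _ceil_avg(weakness.impact, threat.severity)
    return asset.value * likelihood * impact

def risk_level(score: int) -> str:
    """Band the numeric score into a qualitative level (assumed thresholds)."""
    if score >= 60:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"

def assess(asset: Asset, weakness: Weakness, threat: Threat) -> dict:
    score = risk_score(asset, weakness, threat)
    return {"asset": asset.name, "score": score, "level": risk_level(score)}

def rank_register(entries: list) -> list:
    """Order a constructed register of (asset, weakness, threat) tuples, highest risk first."""
    return sorted((assess(*e) for e in entries), key=lambda r: r["score"], reverse=True)

# Constructed sample register (illustrative values, not from any real assessment).
SAMPLE_REGISTER = [
    (Asset("ERP database", 5), Weakness("unpatched DB server", 4, 5), Threat("external intrusion", 3, 4)),
    (Asset("office printer", 1), Weakness("default admin password", 5, 2), Threat("misuse by visitor", 2, 2)),
]
```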


3. Planning system construction plan


The root causes of enterprise information security problems are spread across several levels, including technology, personnel, and management. It is therefore necessary to plan and establish an enterprise information security system in a unified way, and ultimately to implement both management measures and technical measures to ensure information security.


The system construction plan puts forward security recommendations for the risks identified in the risk assessment, in order to improve the security and attack resistance of the enterprise's systems.


In the next 1-2 years, the enterprise establishes and implements the information security system, sets up a security organization, carries out technical security audits, separates internal and external networks, and deploys security products, achieving a process-oriented transformation. In the next 3-5 years, through a complete information security system, corresponding physical environment upgrades, and the construction of business continuity projects, the enterprise is built into an advanced organization that is management-driven, prevention-focused, and combines prevention with control.


4. Construction of enterprise information security system


The enterprise information security system is built on the information security model and on the enterprise's level of informatization. Establishing the information security management system at its core strengthens six capabilities: early warning (Warn), protection (Protect), detection (Detect), response (Response), recovery (Recover), and counter-attack (Counter-attack). The system should address both external and internal security.


Constructing the security system involves, first, improving the security management system, and second, information security technology. The security management system covers the overall security policy, the security technology strategy, and the security management strategy of the enterprise information system. The overall security policy covers the security organization, the security management system, personnel security management, and secure operation and maintenance. The security technology strategy covers the division of information domains, the security levels of business applications, the approach to security protection, and further requirements for unified management, system classification, network interconnection, disaster recovery, and centralized monitoring.


Second, information security technology can be divided by information system layer into physical security technology, network security technology, system security technology, application security technology, and the security infrastructure platform. By function, there are three types of technology: protection; detection and tracking; and response and recovery. Taking into account mainstream security technologies and the requirements of future information system development, the planned information security technologies include: