
What is the ISO27001 standard
Time: 2022-03-24

Enterprises need a systematic information security management system to ensure, from the standpoint of preventive control, the security and normal operation of their information systems and business. As the most widely used and representative information security management standard in the world, the British standard ISO27000:2005 can help many enterprises build an information security system and achieve information security prevention.


The ISO/IEC 27001:2005 standard takes the "Plan-Do-Check-Act" cycle proposed by Dr. W. Edwards Deming as its blueprint in order to achieve continuous improvement. It provides organizations in all industries with a set of business tools to help them avoid information security failures and thereby reduce the associated risks. Organizations that formally implement ISO/IEC 27001:2005 and obtain the relevant certification will benefit greatly.


ISO27001 Origin and Development


The code of practice for information security management, ISO/IEC 27001, was formerly the British BS 7799 standard, which was proposed by the British Standards Institution (BSI) in February 1995 and revised in May 1995. In 1999, BSI revised the standard again. BS 7799 is divided into two parts:


  BS7799-1, Information Security Management Implementation Rules


  BS7799-2, Information Security Management System Specification.


The first part gives recommendations on the management of information security for use by those responsible for initiating, implementing or maintaining security in their organization; the second part describes the requirements for establishing, implementing and documenting an information security management system (ISMS), specifying that the security controls to be implemented should be selected according to the needs of the organization.


  Information security is achieved by implementing a suitable set of controls. Controls can be policies, routines, procedures, organizational structures, and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.


  ISO27001 Origin


With the continuous development of informatization around the world, information security has gradually become a focus of attention, and institutions, organizations and individuals worldwide are exploring how to ensure it. The United Kingdom, the United States, Norway, Sweden, Finland, Australia and other countries have formulated national information security standards, and the International Organization for Standardization (ISO) has also released ISO17799, ISO13335, ISO15408 and other international standards and technical reports related to information security. At present, in information security management, the British standard ISO27000:2005 has become the most widely used and representative information security management standard in the world. It was formulated under the guidance of the BDD/2 Information Security Management Committee of BSI/DISC.


The ISO27001 standard was initiated by the UK Department of Trade and Industry in 1993, and BS 7799-1:1995 "Implementation Rules for Information Security Management" was first published in the UK in 1995. It provides a comprehensive set of implementation rules consisting of information security best practices, intended to serve as the sole reference for determining the extent of control required by business information systems in most situations, and it is applicable to large, medium and small organizations.


The second part of the standard, "Information Security Management System Specification", was published in the United Kingdom in 1998. It stipulates information security management system requirements and information security control requirements; it is the basis for assessing an organization's complete or partial information security management system, and it can serve as the basis for a formal certification scheme. BS 7799-1 and BS 7799-2 were revised and republished in 1999. The 1999 edition takes into account recent developments in information processing technology, especially in networking and communication, and also places great emphasis on information security and on business responsibility for information security.


In December 2000, BS 7799-1:1999 "Information Security Management Implementation Rules" was approved by the International Organization for Standardization (ISO) and officially became an international standard, ISO/IEC 17799:2000 "Information Technology - Information Security Management Implementation Rules". On September 5, 2002, after extensive discussion, the draft BS 7799-2:2002 was finally released as a formal standard, and BS 7799-2:1999 was repealed. On September 5, 2004, BS 7799-2:2002 was officially released.


In 2005, BS 7799-2:2002 was finally adopted by ISO, and ISO/IEC 27001:2005 was launched in October of the same year.


In June 2005, ISO/IEC 17799:2000 was revised to form the new ISO/IEC 17799:2005. Compared with the old version, the new version was greatly enhanced and improved in its organization and completeness of content. On July 1, 2007, ISO/IEC 17799:2005 was renumbered and officially released as ISO/IEC 27002:2005; this update changed only the number of the standard, not its content.


Now the ISO27000:2005 standard has been recognized by many countries and is a representative international information security management system standard. At present, in addition to the United Kingdom, countries such as the Netherlands, Denmark, Australia and Brazil have agreed to use the standard; Japan, Switzerland, Luxembourg and other countries have also expressed interest in it, and Taiwan and Hong Kong in China are also promoting it. Government agencies, banks, securities and insurance companies, telecom operators, network companies and many multinational companies in many countries have adopted this standard to manage their information security systematically. As of September 2002, a total of 142 organizations of various types around the world had passed ISO27000:2005 information security management system certification.


  ISO27001 Development


In 2000, the International Organization for Standardization (ISO) formulated and adopted the ISO 17799 standard on the basis of BS7799-1. BS7799-2 was also revised by BSI in 2002. ISO revised ISO 17799 again in 2005, and BS7799-2 was adopted as ISO27001:2005 in the same year.


  The benefits of ISO27001 certification


The information security management system standard (ISO27001) can effectively protect information resources and safeguard the healthy, orderly and sustainable development of the informatization process. ISO27001 is a management system standard in the field of information security, similar to the ISO9000 standard for quality management system certification. When your organization has passed ISO27001 certification, it is equivalent to passing ISO9000 quality certification: it means that your organization's information security management has established a scientific and effective management system as its guarantee. Certifying your information security management system to ISO27001 offers several benefits:


Introducing an information security management system can coordinate all aspects of information management, making management more effective. Ensuring information security is not achieved simply by having a firewall or by engaging a company that provides information security services around the clock; it requires comprehensive, integrated management.


Through ISO27001 information security management system certification, the credibility of electronic commerce transactions between organizations can be improved, and mutual trust between websites and trading partners can be established. As electronic communication between organizations increases, the records kept by information security management show its obvious benefits and provide a basis for management for users and service providers alike. At the same time, it minimizes the factors that interfere with the organization and creates greater benefits.


   Accreditation guarantees and demonstrates the commitment of all departments of the organization to information security.


   Accreditation improves overall performance and eliminates mistrust.


   Accreditation from an internationally recognized organization can gain international recognition and expand your business.


Establishing an information security management system can reduce such risks, and third-party certification can enhance the confidence of investors and other stakeholders.


Establishing an information security management system in accordance with the ISO27001 standard requires a certain amount of investment, but if the organization passes the certification body's audit and obtains certification, it gains valuable returns. Certified businesses can demonstrate to their customers, competitors, suppliers, employees and investors their leadership among their peers; regular surveillance audits ensure that the organization's information systems are constantly monitored and improved; and, as the foundation of enhanced information security, trust, credit and confidence, certification lets customers and stakeholders feel the organization's commitment to information security.


Certification can prove to the government and industry authorities that the organization complies with relevant laws and regulations.