ISO20000-1:2011标准 6.6信息安全管理
添加时间:2012-12-29 09:42:07 浏览:
ISO20000新旧版标准差异概述
| 差异点 | 说明 |
| 新增部分 | 在信息安全方针的控制上,ISO20000:2011 版新增部分要求。 进一步明确和新增了信息安全方针方面的内容,包括安全需求、法律法规和合同要求。 详细描述了授权管理者的具体职责,并特别强调了要“定期执行信息安全风险评估”的要求。 ISO20000:2011 版新增了服务提供者应对信息安全控制的有效性进行检查,并采取必要的改进续措施的要求。 ISO20000:2011 版新增了信息安全风险应进行优先级划分。 |
| 优化与完善部分 |
ISO20000:2011 版进一步明确了信息安全应从物理、管理、技术三个维度进行控制。 |
ISO20000新旧版标准变化度
| ISO20000:2011 版本 | 控制点 | ISO20000:2005 版本 | 控制点 | 变化度 |
| 6.6 信息安全管理 | 13 | 6.6 信息安全管理 | 11 | 3 |
说明:变化度是指新版标准该条款相对旧版标准要求的变化程度,按分值计量,5 分指变化程度最大,0 分指没有变化。
ISO20000新旧版标准差异分析
| ISO20000:2011版 | ISO20000:2005版 | 差异分析 | ||
| 信息安全方针 | Management with appropriate authority shall approve an information security policy taking into consideration the service requirements, statutory and regulatory requirements and contractual obligations. Management shall: a) communicate the information security policy and the importance of conforming to the policy to appropriate personnel within the service provider, customer and suppliers; b) ensure that information security management objectives are established; c) define the approach to be taken for the management of information security risks and the criteria for accepting risks; d) ensure that information security risk assessments are conducted at planned intervals; e) ensure that internal information security audits are conducted; f) ensure that audit results are reviewed to identify opportunities for improvement. |
具有适当授权的管理者应在考虑服务需求、法律法规要求和合同要求的基础上审批信息安全方针。 管理者应: a) 与服务提供者、客户和供应商等相关人员沟通信息安全方针和人员遵守方针的重要性; b) 确保信息安全管理目标被确立; c) 定义信息安全风险管理和风险接受原则所采用的方法; d) 确保定期执行信息安全风险评估; e) 确保执行信息安全内部审计; f) 确保对审计结果进行回顾以识别改进的机会。 |
Management with appropriate authority shall approve an information security policy that shall be communicated to all relevant personnel and customers where appropriate. | ISO20000:2011版进一步明确和新增了信息安全方针方面的内容,包括安全需求、法律法规和合同要求。 ISO20000:2011版新增了授权管理者具体的管理职责,并特别强调了要“定期执行信息安全风险评估”。 |
| 信息安全控制 | The service provider shall implement and operate physical, administrative and technical information security controls in order to: a) preserve Confidentiality, integrity and accessibility of information assets; b) fulfil the requirements of the information security policy; c) achieve information security management objectives; d) manage risks related to information security. These information security controls shall be documented and shall describe the risks to which the controls relate, their operation and maintenance. The service provider shall review the effectiveness of information security controls. The service provider shall take necessary actions and report on the actions taken. The service provider shall identify external organizations that have a need to access, use or manage the service provider's information or services. The service provider shall document, agree and implement information security controls withthese external organizations. |
服务提供者应实施和运行物理的、管理的和技术的信息安全控制以: a) 保护信息资产的机密性、完整性和可访问性; b) 履行信息安全方针的要求; c) 实现信息安全管理目标; d) 管理信息安全相关风险。 信息安全控制措施应文件化,同时应描述控制措施相关的风险,以及控制措施的运行和维护。 服务提供者应对信息安全控制的有效性进行评估。同时,应采取必要的改进措施,并报告所采取的措施。 服务提供者应识别具有访问、使用或管理服务提供者信息或服务需要的外部组织。 服务提供者应记录、协商和实施对外部组织的信息安全控制。 |
Appropriate security controls shall operate to: a) implement the requirements of the information security policy; b) manage risks associated with access to the service or systems. Security controls shall be documented. The documentation shall describe the risks to which the controls relate, and the manner of operation and maintenance of the controls. Arrangements that involve external organizations having access to information systems and services shall be based on a formal agreement that defines all necessary security requirements. |
ISO20000:2011版进一步明确了信息安全要从物理、管理、技术三个维度进行控制。 |
| 信息安全变更和事件 | Requests for change shall be assessed to identify: a) new or changed information security risks; b) potential impact on the existing information security policy and controls. Information security incidents shall be managed using the incident management procedures, with a priority appropriate to the information security risks. The service provider shall analyse the types, volumes and impacts of information security incidents. Information security incidents shall be reported and reviewed to identify opportunities for improvement. |
应对变更请求进行评估,以识别: a) 新的或变更的服务的信息安全风险; b) 对现有信息安全方针和控制的潜在影响。 信息安全事件应通过事件管理程序进行管理,并对信息安全风险进行适当的优先级排序。 服务提供者应分析安全事件的类型、数量和影响。同时,信息安全事件应被报告和检查,以识别改进的机会。 |
The impact of changes on controls shall be assessed before changes are implemented. Security incidents shall be reported and recorded in line with the incident management procedure as soon as possible. Procedures shall be in place to ensure that all security incidents are investigated, and management action taken. Mechanisms shall be in place to enable the types, volumes and impacts of security incidents and malfunctions to be quantified and monitored. |
ISO20000:2011版在ISO20000:2005版的基础上,进一步细化了评估变更请求的风险与影响的要求。 ISO20000:2011版新增了信息安全风险应进行优先级划分的要求。 ISO20000:2011版明确了信息安全事件应通过事件管理程序进行管理。 |
| 流程改进 | 无 | 无 | Actions for improvements identified during this process shall be recorded and provide input into a plan for improving the service. | ISO20000:2005版要求应记录本流程定义的改进措施,并输入服务改进计划,但ISO20000:2011版删除了此要求。分析原因是:在ISO20000:2011版的引言部分已经明确了“将PDCA方法应用于SMS中,包括服务管理流程和服务”,故在此无需重复要求。 |
