Testing Standard Certificate Service Providers for Customs Clearance

ISO27001 Certification

Date: 2021-01-06 11:48:31

The origin and development of standards

The predecessor of ISO/IEC 27001, the code of practice for information security management, was the British BS 7799 standard, published by the British Standards Institution (BSI) in February 1995 and revised in May 1995.
BSI revised the standard again in 1999.
BS7799 is divided into two parts:

BS7799-1 information security management implementation rules

BS7799-2 information security management system specification

In 2000, the International Organization for Standardization (ISO) developed and passed the ISO 17799 standard on the basis of BS7799-1.
BS7799-2 was also revised by BSI in 2002.
ISO revised ISO 17799 again in 2005, and in the same year BS7799-2 was adopted as ISO27001:2005.


Establishing the information security management system of ISO27001 certification

Building an ISO27001 certification system is divided into four stages: carrying out a security risk assessment, planning the system construction scheme, establishing the information security management system, and operating and improving the system.
This sequence follows the PDCA (Plan-Do-Check-Act) cycle of information security management and the requirements of ISO27001: it protects the security of the enterprise information system effectively and ensures the sustainable development of information security.

1. Establish scope

The first step is to establish the project scope, dividing it along two dimensions: the organizational level and the system level.
At the organizational level, the internal organization must be considered: the scope needs to cover all departments of the company, including the headquarters, business divisions, manufacturing department, technology department, and so on.
External agencies must also be considered: these include every external organization connected to the company's information system, such as suppliers, intermediate business partners, and other partners.

2. Safety risk assessment

Enterprise information security means protecting enterprise business systems from illegal access, use and tampering, providing safe and trustworthy services for enterprise employees, and ensuring the availability, integrity and confidentiality of information systems.

This security assessment mainly covers two aspects:

1) Assessment of enterprise security management

The evaluation covers the 11 areas of the information security management system addressed by ISO27001: information security policy, security organization, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, security incident management, business continuity management, and compliance.

2) Enterprise safety technology assessment

Based on the security classification of assets, the security status and weaknesses of the existing network equipment, server systems, terminals and network security architecture are examined and analyzed through security scanning and configuration review of the information equipment, providing a basis for security hardening.

3. Planning system construction scheme

Enterprise information security problems are rooted in technology, personnel, management and other levels, so the enterprise information security system must be planned and established in a unified way, with management measures and technical measures finally implemented in order to ensure information security.

On the basis of the risk assessment, the system construction scheme puts forward security recommendations for the risks existing in the enterprise, so as to enhance the security of the system and resist attacks.

4. Construction of enterprise information security system

The enterprise information security system is established on the basis of an information security model and the enterprise's information. With the information security management system at its core, it can better exercise six capabilities: Warning, Protection, Detection, Response, Recovery and Counter-attack. The system should take into account both external and internal security functions.


The basic conditions of applying for ISO27001 certification

A Chinese enterprise must hold an Enterprise Legal Person Business License, a Production License or an equivalent document issued by the administrative department for industry and commerce;
a foreign enterprise must hold the registration certificate of the relevant institution.

The applicant's information security management system has been established according to the requirements of the ISO/IEC 27001:2005 standard and has been in operation for more than 3 months.

Complete at least one internal audit and conduct a management review.

During the operation of the information security management system and within one year before the establishment of the system, it has not been subject to administrative punishment by the competent authorities.


Documents and materials to be submitted with an application for ISO27001 certification

Legal documents of the organization, such as copies of the business license and annual inspection certificate (with official seal)

Copy of the Organization Code Certificate and copy of the Tax Registration Certificate (with official seal)

Documents proving the effective operation of the applicant organization's information security management system (such as the system document release control sheet, time-stamped records, etc.)

Profile of the applicant organization

The applicant organization's system documents

A comparison explaining how the applicant organization's system documents map to the documents required by GB/T22080-2008/ISO/IEC 27001:2005

Documents supporting the internal audit and management review

A statement of the confidentiality or sensitivity of the organization's records, if requested

Other supplementary information requested by the certification body from the applicant organization

▇ Advantages of Standard Testing and Certification ▇

Standard Testing and Certification works closely with the US TCB organization to help companies complete a one-stop service, from preparing the documentation to obtaining the certificate. Short issuance times, preferential pricing and time savings make it the best choice for enterprise certification.

Standard Testing and Certification is a professional, comprehensive and experienced certification service organization. Its senior professional team has provided product certification experience in countries all over the world for more than ten years.