Information security management system procedures. What is a modern information security management system. Goals and objectives of the study

  • 15.05.2020

Active Edition from 27.12.2006

Document name: "INFORMATION TECHNOLOGY. SECURITY METHODS AND MEANS. INFORMATION SECURITY MANAGEMENT SYSTEMS. REQUIREMENTS. GOST R ISO/IEC 27001-2006"
Type of document: order, standard, gost, iso
Host body: Rostekhregulirovanie
Document number: ISO/IEC 27001-2006
Acceptance date: 01.01.1970
Revision date: 27.12.2006
Date of registration in the Ministry of Justice: 01.01.1970
Status: valid
Publication:
  • At the time of inclusion in the database, the document was not published

"INFORMATION TECHNOLOGY. SECURITY METHODS AND MEANS. INFORMATION SECURITY MANAGEMENT SYSTEMS. REQUIREMENTS. GOST R ISO/IEC 27001-2006"

8. Improvement of the information security management system

8.1. Continuous Improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and the results of management review (see Clause 7).

8.2. Corrective actions

The organization shall take measures to eliminate the causes of nonconformities with the requirements of the ISMS in order to prevent their recurrence. A documented corrective action procedure shall establish requirements for:

a) identification of nonconformities;

b) determining the causes of nonconformities;

c) evaluating the need for action to ensure that nonconformities do not recur;

d) determining and implementing the necessary corrective actions;

e) maintaining records of the results of actions taken (see 4.3.3);

f) reviewing the corrective action taken.

8.3. Preventive actions

The organization shall determine the actions necessary to eliminate the causes of potential nonconformities with ISMS requirements in order to prevent their occurrence. The preventive actions taken shall be appropriate to the impact of the potential problems. The documented preventive action procedure shall establish requirements for:

a) identifying potential nonconformities and their causes;

b) evaluating the need for action to prevent the occurrence of nonconformities;

c) determining and implementing the necessary preventive action;

d) records of the results of the action taken (see 4.3.3);

e) reviewing the results of the action taken.

The organization shall identify changed risks and establish requirements for preventive action, paying particular attention to risks whose assessed levels have changed significantly.

Priorities regarding the implementation of preventive actions should be determined based on the results of the risk assessment.

NOTE Action to prevent nonconformities is generally more cost-effective than corrective action.

In the world of information technology, ensuring the integrity, reliability and confidentiality of information is becoming a priority. Recognizing the need for an information security management system (ISMS) in an organization is therefore a strategic decision.

The Standard is designed for establishing, implementing, maintaining and continually improving an ISMS in an enterprise. Applying it also makes the organization's ability to meet its own information security requirements evident to external partners. This article discusses the main requirements of the Standard and its structure.


Main objectives of the ISO 27001 Standard

Before describing the structure of the Standard, let us specify its main objectives and consider the history of its emergence in Russia.

Objectives of the Standard:

  • establishing uniform requirements for all organizations to create, implement and improve ISMS;
  • ensuring the interaction of senior management and employees;
  • maintaining the confidentiality, integrity and availability of information.

At the same time, the requirements established by the Standard are general and are intended to be applied by any organization, regardless of their type, size or nature.

History of the Standard:

  • In 1995, the British Standards Institution (BSI) adopted the Code of Practice for Information Security Management as a UK national standard and registered it as BS 7799 Part 1.
  • In 1998, BSI published BS 7799-2; the standard then consisted of two parts, one containing the code of practice and the other the requirements for information security management systems.
  • In subsequent revisions, the first part was published as BS 7799:1999 Part 1. In 1999, this version of the standard was submitted to the International Organization for Standardization.
  • This document was approved in 2000 as the international standard ISO/IEC 17799:2000 (BS 7799-1:2000). The latest version of this standard, adopted in 2005, is ISO/IEC 17799:2005.
  • In September 2002, the second part of BS 7799, "Information Security Management System Specification", came into force. The second part of BS 7799 was revised in 2002 and, at the end of 2005, was adopted by ISO as the international standard ISO/IEC 27001:2005 "Information technology - Security techniques - Information security management systems - Requirements".
  • In 2005, ISO/IEC 17799 was included in the ISO/IEC 27000 series of standards and received the new number ISO/IEC 27002:2005.
  • On September 25, 2013, the updated standard ISO/IEC 27001:2013 "Information security management systems. Requirements" was published. Organizations are currently certified against this version of the Standard.

Structure of the Standard

One of the advantages of this Standard is the similarity of its structure to ISO 9001: it uses identical subsection headings, identical text, common terms and basic definitions. This saves time and money, since part of the documentation has already been developed during certification to ISO 9001.

The Standard itself is a list of ISMS requirements that are mandatory for certification, and it consists of the following sections:

Main sections:

  • 0. Introduction
  • 1. Scope
  • 2. Normative references
  • 3. Terms and definitions
  • 4. Context of the organization
  • 5. Leadership
  • 6. Planning
  • 7. Support
  • 8. Operation
  • 9. Performance evaluation
  • 10. Improvement

Annex A:

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resource (personnel) security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Incident management
  • A.17 Business continuity
  • A.18 Legal compliance

The requirements of Annex A are mandatory, but the Standard allows an organization to exclude controls that cannot be applied at the enterprise.

When implementing the Standard at an enterprise for further certification, it is worth remembering that exceptions to the requirements established in sections 4 - 10 are not allowed. These sections will be discussed further.

Let's start with Section 4.

Context of the organization

In this section, the Standard requires an organization to identify the external and internal issues that are relevant to its purpose and that affect the ability of its ISMS to achieve its intended outcomes. Legal and regulatory requirements and contractual obligations regarding information security must be taken into account. The organization should also define and document the boundaries and applicability of the ISMS in order to establish its scope.

Leadership

Top management should demonstrate leadership and commitment to the information security management system by, for example, ensuring that the information security policy and information security objectives are established and consistent with the organization's strategy. Also, top management should ensure that all necessary resources for the ISMS are provided. In other words, it should be obvious to employees that management is involved in information security issues.

The information security policy must be documented and communicated to employees. This document resembles the quality policy of ISO 9001. It should also be consistent with the purpose of the organization and include information security objectives, ideally concrete ones such as maintaining the confidentiality and integrity of information.

Management is also expected to distribute functions and responsibilities related to information security among employees.

Planning

In this section we reach the first stage of the PDCA (Plan - Do - Check - Act) management cycle: planning.

When planning the information security management system, the organization shall take into account the issues mentioned in Clause 4 and identify the risks and opportunities that need to be taken into account to ensure that the ISMS can achieve expected results, prevent unwanted effects and achieve continual improvement.

When planning how to achieve its information security objectives, an organization should determine:

  • what will be done;
  • what resources will be required;
  • who will be responsible;
  • when the goals will be achieved;
  • how the results will be evaluated.

In addition, the organization should retain data on information security objectives as documented information.

Support

The organization shall determine and provide the resources needed to establish, implement, maintain and continually improve the ISMS; this includes both personnel and documentation. In terms of personnel, the organization is expected to recruit qualified and competent information security staff, whose qualifications are confirmed by certificates, diplomas, etc. Third-party specialists may be engaged under contract, or the organization's own employees may be trained. In terms of documentation, the ISMS should include:

  • documented information required by the Standard;
  • documented information determined by the organization to be necessary for the effectiveness of the information security management system.

The documented information required by the ISMS and by the Standard shall be controlled to ensure that it is:

  • available and suitable for use where and when needed, and
  • adequately protected (for example, from loss of confidentiality, improper use, or loss of integrity).

Operation

This section covers the second step of the PDCA cycle: the organization must plan, implement and control the processes needed to meet its requirements and to carry out the actions determined in the Planning section. It also states that an organization should perform information security risk assessments at planned intervals or when significant changes are proposed or occur. The organization shall retain the results of the information security risk assessments as documented information.

Performance evaluation

The third stage is checking. The organization shall evaluate the performance and effectiveness of the ISMS. For example, it should carry out internal audits to obtain information on:

  1. whether the information security management system conforms to
    • the organization's own requirements for its information security management system;
    • the requirements of the Standard;
  2. whether the information security management system is effectively implemented and maintained.

Of course, the scope and timing of audits should be planned in advance. All results must be documented and retained.

Improvement

The purpose of this section is to define the course of action when a nonconformity is identified. The organization must correct the nonconformity, deal with its consequences and analyse the situation so that it does not recur. All nonconformities and corrective actions shall be documented.

This concludes the main sections of the Standard. Annex A provides more specific requirements that an organization must meet, for example, in the area of access control, the use of mobile devices and removable storage media.

Benefits of Implementing and Certifying ISO 27001

  • raising the status of the organization and, accordingly, the trust of partners;
  • increasing the stability of the functioning of the organization;
  • increasing the level of protection against information security threats;
  • ensuring the necessary level of confidentiality of information of interested parties;
  • expanding opportunities for the organization to participate in major contracts.

The economic benefits are:

  • independent confirmation by the certification body that the organization maintains a high level of information security under the control of competent personnel;
  • proof of compliance with applicable laws and regulations (compliance with the system of mandatory requirements);
  • demonstration of a high level of management systems to ensure the proper level of service to customers and partners of the organization;
  • demonstration that regular audits of the management systems, performance evaluation and continual improvement are carried out.

Certification

An organization can be certified by accredited agencies in accordance with this standard. The certification process consists of three stages:

  • Stage 1 - the auditor's review of the key ISMS documents for compliance with the requirements of the Standard; this can be performed either on the organization's premises or by sending the documents to the external auditor;
  • Stage 2 - a detailed audit, including testing of the implemented measures and evaluation of their effectiveness. It includes a full review of the documents required by the Standard;
  • Stage 3 - a surveillance audit to confirm that the certified organization continues to meet the stated requirements. It is performed on a periodic basis.

Outcome

As you can see, applying this Standard in an enterprise allows a qualitative increase in the level of information security, which counts for a great deal today. The Standard contains many requirements, but the most important one is to actually do what is written! Without real application of its requirements, the Standard turns into an empty pile of paper.

An information security management system (ISMS) is that part of the overall management system, based on a business risk approach, that covers the establishment, implementation, operation, monitoring, review, maintenance and improvement of information security.

When built in accordance with the requirements of ISO/IEC 27001, it is based on the PDCA model:

  • Plan - the phase of establishing the ISMS: compiling the list of assets, assessing risks and selecting measures;
  • Do - the phase of implementing and operating the selected measures;
  • Check - the phase of assessing the effectiveness and performance of the ISMS, usually performed by internal auditors;
  • Act - the phase of implementing preventive and corrective actions.

The concept of information security

The ISO 27001 standard defines information security as "preserving the confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, non-repudiation and reliability, may also be included."

Confidentiality – ensuring that information is available only to those who have the appropriate authority (authorized users).

Integrity – ensuring the accuracy and completeness of information, as well as methods of its processing.

Availability – providing access to information to authorized users when necessary (on demand).

4 Information security management system

4.1 General requirements

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces. For the purposes of this International Standard, the process used is based on the PDCA model shown in Figure 1.

4.2 Creation and management of the ISMS

4.2.1 Establishing an ISMS

The organization must do the following.

a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, including details of and justification for any exclusions from the scope (see 1.2).

b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:

1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;

2) takes into account business and legal or regulatory requirements, contractual security obligations;

3) aligns with the organization's strategic risk management context in which the establishment and maintenance of the ISMS will take place;

4) establishes the criteria against which the risk will be assessed (see 4.2.1 c)); and

5) has been approved by management.

NOTE: For the purposes of this International Standard, an ISMS policy is considered to be an extended set of information security policies. These policies can be described in one document.

c) Define the organization's approach to risk assessment.

1) Identify a risk assessment methodology that is suited to the ISMS and to the identified business information security, legal and regulatory requirements.

2) Develop criteria for accepting risks and identify the acceptable levels of risk (see 5.1f).

The chosen risk assessment methodology should ensure that the risk assessment produces comparable and reproducible results.

NOTE: There are various risk assessment methodologies. Examples of risk assessment methodologies are discussed in ISO/IEC TR 13335-3, Information technology - Guidelines for the management of IT security - Techniques for the management of IT security.

d) Identify risks.

1) Identify the assets within the scope of the ISMS and the owners of those assets. (The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the asset; it does not mean that the person actually has any property rights to the asset.)

2) Identify the threats to those assets.

3) Identify the vulnerabilities in the protection of those assets.

4) Identify the impacts that a loss of confidentiality, integrity and availability may have on the assets.

e) Analyze and assess risks.

1) Assess the business impact on the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.

2) Assess the realistic likelihood of a security failure in the light of prevailing threats and vulnerabilities, the impacts associated with those assets, and the controls currently implemented.

3) Assess risk levels.

4) Determine risk acceptability, or require risk reduction, using the risk acceptability criteria set out in 4.2.1c-2).

f) Identify and evaluate options for the treatment of risks.

Possible actions include:

1) Application of suitable controls;

2) Knowingly and objectively accepting risks, provided they clearly satisfy the organization's policy and risk acceptance criteria (see 4.2.1c-2));

3) Risk avoidance; and

4) Transferring the associated business risks to other parties, e.g. insurers or suppliers.

g) Select control objectives and controls for the treatment of risks.

Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take into account the risk acceptance criteria (see 4.2.1c-2)) as well as legal, regulatory and contractual requirements.

Control objectives and controls from Annex A shall be selected as part of this process as suitable to cover the identified requirements.

Since the control objectives and controls listed in Annex A are not exhaustive, additional ones may also be selected.

NOTE: Annex A contains a comprehensive list of control objectives and controls that have been found to be commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point for control selection to ensure that no important control options are overlooked.

h) Obtain management approval of the proposed residual risks.

4) facilitate the detection of security events and thus, using certain indicators, prevent security incidents; and

5) determine the effectiveness of the actions taken to prevent a breach of security.

b) Conduct regular reviews of the effectiveness of the ISMS (including discussion of the ISMS policy and its objectives, review of security controls), taking into account the results of audits, incidents, results of performance measurements, suggestions and recommendations from all interested parties.

c) Measure the effectiveness of controls to verify that security requirements have been met.

d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risk, taking into account changes in:

1) organizations;

2) technology;

3) business goals and processes;

4) identified threats;

5) the effectiveness of the implemented controls; and

6) external events such as changes in the legal and management environment, changed contractual obligations, changes in the social climate.

e) Conduct internal ISMS audits at planned intervals (see Clause 6).

NOTE: Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for internal purposes.

f) Undertake a management review of the ISMS on a regular basis to ensure that it remains adequate and that improvements are identified.

g) Update security plans based on findings from monitoring and review.

h) Record actions and events that may affect the effectiveness or performance of the ISMS (see 4.3.3).

4.2.4 Maintenance and improvement of the ISMS

The organization must continually do the following.

a) Implement specific corrections to the ISMS.

b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learned from the security experience of the organization itself and of other organizations.

c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, where relevant, agree on how to proceed.

d) Ensure that the improvements achieve their intended purpose.

4.3 Documentation requirements

4.3.1 General

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment processes, and subsequently back to the ISMS policy and objectives.

The ISMS documentation should include:

a) documented statements of the ISMS policy and objectives (see 4.2.1b));

b) the scope of the ISMS (see 4.2.1a));

c) procedures and controls in support of the ISMS;

d) a description of the risk assessment methodology (see 4.2.1c));

e) risk assessment report (see 4.2.1c) to 4.2.1g));

f) the risk treatment plan (see 4.2.2b));

g) the documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and to describe how to measure the effectiveness of controls (see 4.2.3c));

h) documents required by this International Standard (see 4.3.3); and

i) Statement of Applicability.

NOTE 1: For the purposes of this International Standard, the term "documented procedure" means that the procedure is established, documented, implemented and maintained.

NOTE 2: The extent of the ISMS documentation can differ from one organization to another owing to:

  • the size of the organization and the type of its assets; and
  • the scope and complexity of the security requirements and the system being managed.

NOTE 3: Documents and reports may be provided in any form.

4.3.2 Document control

Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:

a) establish that documents are adequate before they are issued;

b) review and update documents as necessary and re-approve them;

c) ensure that changes and the current revision status of documents are identified;

d) ensure that the relevant versions of applicable documents are available at points of use;

e) ensure that documents remain legible and readily identifiable;

f) ensure that documents are available to those who need them, and that they are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification;

g) ensure that documents of external origin are identified;

h) control the distribution of documents;

i) prevent the unintended use of obsolete documents; and

j) apply suitable identification to obsolete documents if they are retained for any purpose.

4.3.3 Record control

Records shall be established and maintained to provide evidence of conformity to the requirements and of the effective operation of the ISMS. Records shall be protected and controlled. The ISMS shall take into account any relevant legal and regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposal of records shall be documented and implemented.

Records shall be kept of the performance of the processes outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS.

Examples of records are visitor books, audit records, and completed access authorization forms.


  • GOST R ISO/IEC 27001-2006 "Information technology. Methods and means of ensuring security. Information security management systems. Requirements"

    The developers of the standard note that it was prepared as a model for the development, implementation, operation, monitoring, review, maintenance and improvement of an information security management system (ISMS). An ISMS (information security management system) is defined as the part of the overall management system, based on a business risk approach, that covers the development, implementation, operation, monitoring, review, maintenance and improvement of information security. The management system includes organizational structure, policies, planning activities, allocation of responsibilities, practices, procedures, processes and resources.

    The standard adopts a process approach for developing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS. It is based on the Plan - Do - Check - Act (PDCA) model, which can be applied to structure all ISMS processes. Figure 4.4 shows how the ISMS takes information security requirements and the expectations of interested parties as input and, through the necessary activities and processes, produces information security outcomes that meet those requirements and expectations.

    Fig. 4.4.

    At the stage "Development of an information security management system" the organization must do the following:

    • determine the scope and boundaries of the ISMS;
    • define the ISMS policy based on the characteristics of the business, organization, location, assets and technology;
    • determine the approach to risk assessment in the organization;
    • identify risks;
    • analyze and assess risks;
    • identify and evaluate various risk treatment options;
    • select objectives and controls for risk treatment;
    • obtain management's approval of the anticipated residual risks;
    • obtain management authorization to implement and operate the ISMS;
    • prepare a Statement of Applicability.

    The stage "Implementation and operation of the information security management system" requires an organization to:

    • develop a risk treatment plan that defines the appropriate management actions, resources, responsibilities and priorities for managing information security risks;
    • implement the risk treatment plan to achieve the intended management objectives, including funding issues and the allocation of roles and responsibilities;
    • implement the selected management measures;
    • determine how the effectiveness of the selected control measures will be measured;
    • implement training and awareness programs for employees;
    • manage the operation of the ISMS;
    • manage ISMS resources;
    • implement procedures and other management measures to ensure prompt detection of information security events and response to information security incidents.

    The third stage, "Monitoring and review of the information security management system", requires the organization to:

    • carry out monitoring and review procedures;
    • conduct regular reviews of the effectiveness of the ISMS;
    • measure the effectiveness of control measures to verify compliance with information security requirements;
    • review risk assessments at specified intervals, and review residual risks and the established acceptable risk levels, taking changes into account;
    • conduct internal ISMS audits at specified intervals;
    • have the organization's management regularly review the ISMS in order to confirm that the system is operating adequately and to identify areas for improvement;
    • update information security plans taking into account the results of review and monitoring;
    • record actions and events that can affect the effectiveness or operation of the ISMS.

    And finally, the stage "Maintenance and improvement of the information security management system" assumes that the organization regularly carries out the following activities:

    • identify opportunities for improving the ISMS;
    • take the necessary corrective and preventive actions, and apply in practice the information security experience gained both in the organization itself and in other organizations;
    • communicate detailed information on actions to improve the ISMS to all interested parties, with a level of detail appropriate to the circumstances, and agree on further actions where necessary;
    • ensure that ISMS improvements are implemented so that the planned goals are achieved.

    Further, the standard provides requirements for documentation, which should include the provisions of the ISMS policy and a description of the scope of operation, a description of the methodology and a risk assessment report, a risk treatment plan, and documentation of related procedures. An ISMS document management process should also be defined, including updating, use, storage and destruction.

    Records of process execution shall be established and maintained to provide evidence of compliance with the requirements and of the effective operation of the ISMS. Examples are visitor logs, audit reports, etc.

    The standard specifies that the management of an organization is responsible for providing and managing the resources necessary to establish an ISMS, as well as organizing the training of personnel.

    As previously noted, the organization must, in accordance with the approved schedule, conduct internal ISMS audits to assess its operation and its compliance with the standard. Management should also review the information security management system.

    Work should also be carried out to improve the information security management system, increasing its effectiveness and its conformity with the current state of the system and the requirements placed on it.