ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements

Standard number: ISO/IEC 27001:2005

Chinese title: 信息技术 - 安全技术 - 信息安全管理系统 - 要求 (Information technology - Security techniques - Information security management systems - Requirements)

English title: Information technology — Security techniques — Information security management systems — Requirements

Publication date: 2005-10-14

Scope


ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:

  • use within organizations to formulate security requirements and objectives;
  • use within organizations as a way to ensure that security risks are cost effectively managed;
  • use within organizations to ensure compliance with laws and regulations;
  • use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • definition of new information security management processes;
  • identification and clarification of existing information security management processes;
  • use by the management of organizations to determine the status of information security management activities;
  • use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
  • use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
  • implementation of business-enabling information security;
  • use by organizations to provide relevant information about information security to customers.
