Information technology — Security techniques — Information security management systems — Requirements
- This publication does not purport to include all the necessary provisions of a contract.
- 安全无边界,永远不会有绝对的最佳实践。
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
强调该标准使用于所有企业,所有组织。且强调所有ISMS的设计与建设都应该在业务风险范围内,即只考虑我们可能存在的风险。
NOTE 1: References to ‘business’ in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization’s existence.
此处,特意解释和本标准中bussiness的含义:对于一个组织来说最核心的那些活动。比如互联网金融的在线支付流程等。
1.2 Application
在这里强调,不能为了通过标准而排出风险以及风险的对应控制措施。除非该风险对组织没有影响。
2 Normative references
略
3 Terms and definitions
这一章主要为术语定义。简单的就不解释了。
3.1 asset
anything that has value to the organization
3.2 availability
the property of being accessible and usable upon demand by an authorized entity
这里强调授权实体,授权实体可根据要求访问和使用的属性就是可用性。换言之,可用是建立在授权的基础上的。
3.3 confidentiality
the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
不向任何未经授权的实体泄露信息。
3.4 information security
preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved
3.5 information security event
an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant
3.6 information security incident
a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
这里定义的information security event和information security incident的两个概念中前者指的是违反安全策略的或者绕过策略的影响网络、服务或者系统的事件,后者指的是一件或者多个前者造成的危及业务运营并威胁信息安全。
3.7 information security management system(ISMS)
that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
整个管理系统中基于业务风险方法的部分,用于建立,实施,操作,监视,审查,维护和改善信息安全的就是ISMS。
3.8 integrity
the property of safeguarding the accuracy and completeness of assets
资产的准确性和完整性
3.9 residual risk
the risk remaining after risk treatment
风险处理后剩余的风险
3.10 risk acceptance
decision to accept a risk
3.11 risk analysis
systematic use of information to identify sources and to estimate the risk
3.12 risk assessment
overall process of risk analysis and risk evaluation
风险分析和风险评估的整个过程
3.13 risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of the risk
主要为确定风险的风险程度。
3.14 risk management
coordinated activities to direct and control an organization with regard to risk
协调活动以指导和控制组织的风险
3.15 risk treatment
process of selection and implementation of measures to modify risk
NOTE: In this International Standard the term ‘control’ is used as a synonym for ‘measure’.
选择和实施风险修正措施的过程
3.16 statement of applicability
documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.
NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk treatment processes, legal or regulatory requirements, contractual obligations and the organization’s business requirements for information security.
