标准摘要
[中文适用范围]: 1 总则 本标准适用于所有类型的组织(例如,商业企业、政府机构、非赢利组织)。本标准从组织的整体业 务风险的角度,为建立、实施、运行、监视、评审、保持和改进文件化的信息安全管理体系(ISMS)规定了 要求。它规定了为适应不同组织或其部门的需要而定制的安全控制措施的实施要求。 ISMS的设计应确保选择适当和相宜的安全控制措施,以充分保护信息资产并给予相关方信心。 注1:本标准中的“业务”一词应广义的解释为关系一个组织生存的核心活动。 注2:GB/T 22081 2008提供了设计控制措施时可使用的实施指南。 2 应用 本标准规定的要求是通用的,适用于各种类型、规模和特性的组织。组织声称符合本标准时,对于 第4章、第5章、第6章、第7章和第8章的要求不能删减。 为了满足风险接受准则必要的进行的任何控制措施的删减,必须证明是合理的,且需要提供证据证 明相关风险已被负责人员接受。除非删减不影响组织满足由风险评估和适用法律法规要求所确定的安 全要求的能力和/或责任,否则不能声称符合本标准。 注:如果一个组织已经有一个运转着的业务过程管理体系(例如,与GB/T、19001—2000或者GB/T 24001—2004 相关的),那么在大多数情况下,更可取的是在这个现有的管理体系内满足本标准的要求。 [外文原描述]: ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following: use within organizations to formulate security requirements and objectives;use within organizations as a way to ensure that security risks are cost effectively managed;use within organizations to ensure compliance with laws and regulations;use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;definition of new information security management processes;identification and clarification of existing information security management processes;use by the management of organizations to determine the status of information security management activities;use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons; implementation of business-enabling information security;use by organizations to provide relevant information about information security to customers.
英文名称Information technology - Security techniques - Information security management systems - Requirements