4. Information security management system (ISMS)
4.1 General requirements
4.2 Establishing and managing the ISMS
4.3 Documentation requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.2.1 Establish the ISMS (2)
Define the organization's risk assessment approach: identify a risk assessment methodology that is suited to the ISMS and to the identified business information security, legal and regulatory requirements. Develop criteria for accepting risks and identify the acceptable levels of risk. The selected risk assessment methodology shall ensure that risk assessments produce comparable and reproducible results.
Identify the risks: identify the assets within the scope of the ISMS and the owners of these assets; identify the threats to those assets; identify the vulnerabilities that might be exploited by those threats; identify the impacts that a loss of confidentiality, integrity and availability may have on the assets.
4.2.1 Establish the ISMS (3)
Analyse and evaluate the risks: assess the business impact on the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets; assess the realistic likelihood of such a security failure occurring in the light of the threats and vulnerabilities relating to these assets, the impacts, and the controls currently implemented; estimate the levels of the risks; determine whether each risk is acceptable or requires treatment, using the risk acceptance criteria established in 4.2.1 c)2).
4.2.1 Establish the ISMS (4)
Identify and evaluate options for the treatment of risks. Possible actions include: applying appropriate controls; knowingly and objectively accepting risks, provided they clearly satisfy the organization's policies and the criteria for accepting risks (see 4.2.1 c)); avoiding risks; transferring the associated business risks to other parties, e.g. insurers or suppliers.
Select control objectives and controls for the treatment of risks. Control objectives and controls shall be selected from Annex A as part of this process, as suitable to cover the identified requirements.
4.2.1 Establish the ISMS (5)
Obtain management approval of the proposed residual risks. Obtain management authorization to implement and operate the ISMS. Prepare a Statement of Applicability.
The Statement of Applicability shall include the following: the control objectives and controls selected in 4.2.1 g) and the reasons for their selection; the control objectives and controls currently implemented; any control objectives and controls in Annex A that have been excluded, together with the justification for their exclusion.
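As an added example (not from the slides or the standard itself), the following Python shows one way to make the 4.2.1 steps above comparable and reproducible: a risk level from likelihood and the worst C/I/A impact, a check against a fixed acceptance criterion, one treatment option per risk, a residual level for management approval, and a Statement of Applicability over a small control catalogue. The acceptance level, the sample register and the two-entry catalogue are constructed; the control identifiers follow ISO/IEC 27001:2013 Annex A numbering.

```python
from dataclasses import dataclass

ACCEPT_LEVEL = 6  # risk acceptance criterion per 4.2.1 c)2); constructed value
@dataclass(frozen=True)
class Risk:
    asset: str
    owner: str                   # asset owner (4.2.1 d)1))
    threat: str
    vulnerability: str
    impact: dict                 # loss of C/I/A scored 1..5 (4.2.1 d)4))
    likelihood: int              # 1..5 given controls already in place (4.2.1 e)2))
    controls: tuple = ()         # Annex A controls selected to treat the risk (4.2.1 g))
    reduced_likelihood: int = 0  # expected likelihood after controls; 0 = not estimated

def risk_level(r: Risk) -> int:
    """4.2.1 e)3): likelihood x worst C/I/A impact on fixed integer scales (reproducible)."""
    return r.likelihood * max(r.impact.values())

def residual_level(r: Risk) -> int:
    """4.2.1 h): the level that remains once the selected controls are in place."""
    return (r.reduced_likelihood or r.likelihood) * max(r.impact.values())

def treatment(r: Risk) -> str:
    """4.2.1 f): accept within criteria, apply selected controls, else escalate."""
    if risk_level(r) <= ACCEPT_LEVEL:
        return "accept"
    if r.controls:
        return ("apply controls" if residual_level(r) <= ACCEPT_LEVEL
                else "apply controls; residual risk needs management approval")
    return "avoid or transfer (risk owner decision)"

def statement_of_applicability(risks, catalogue) -> dict:
    """4.2.1 j): each control is selected (justified by the risks it treats) or excluded."""
    soa = {}
    for ctrl, title in catalogue.items():
        treated = [f"{r.asset}/{r.threat}" for r in risks if ctrl in r.controls]
        reason = ("selected: treats " + ", ".join(treated) if treated
                  else "excluded: no identified risk requires it")
        soa[ctrl] = (title, reason)
    return soa

# Constructed sample register and two-entry control catalogue (2013 Annex A numbering).
CATALOGUE = {"A.12.6.1": "Management of technical vulnerabilities",
             "A.12.3.1": "Information backup"}
RISKS = (
    Risk("customer DB", "DBA lead", "attacker", "unpatched DBMS", {"C": 5, "I": 4, "A": 3}, 3, ("A.12.6.1",), 1),
    Risk("intranet", "IT ops", "power failure", "no UPS", {"C": 1, "I": 1, "A": 3}, 2),
    Risk("file share", "finance", "ransomware", "no offline backup", {"C": 4, "I": 5, "A": 5}, 4),
)
```

Running the same register twice, or on another assessor's machine, yields identical levels and treatment labels, which is the "comparable and reproducible" property the clause asks for.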
4.2.2 Implement and operate the ISMS (1)
The organization shall do the following: formulate a risk treatment plan that identifies the appropriate management actions, resources, responsibilities and priorities for managing information security risks (see Clause 5); implement the risk treatment plan in order to achieve the identified control objectives, including consideration of funding and the allocation of roles and responsibilities; implement the controls selected in 4.2.1 g) to meet the control objectives;
4.2.2 Implement and operate the ISMS (2)
define how to measure the effectiveness of the selected controls or groups of controls, and specify how these measurements are to be used to assess control effectiveness so as to produce comparable and reproducible results (see 4.2.3 c)); implement training and awareness programmes (see 5.2.2); manage the operation of the ISMS; manage resources for the ISMS (see Clause 5); implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents (see 4.2.3).
4.2.3 Monitor and review the ISMS (1)
The organization shall do the following: execute monitoring and review procedures and other controls in order to: promptly detect errors in the results of processing; promptly identify attempted and successful security breaches and incidents; enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected; help detect security events, and thereby prevent security incidents, by the use of indicators; determine whether the actions taken to resolve a security breach were effective.
4.2.3 Monitor and review the ISMS (2)
Undertake regular reviews of the effectiveness of the ISMS (including conformance to the ISMS policy and objectives, and review of the security controls), taking into account the results of security audits, incidents, the results of effectiveness measurements, and suggestions and feedback from all interested parties. Measure the effectiveness of controls to verify that security requirements have been met.
4.2.3 Monitor and review the ISMS (3)
Review risk assessments at planned intervals, and review the residual risks and the identified acceptable levels of risk, taking into account changes to: the organization; technology; business objectives and processes; identified threats; the effectiveness of the implemented controls; external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in the social climate.
4.2.3 Monitor and review the ISMS (4)
Conduct internal ISMS audits at planned intervals. Undertake a management review of the ISMS on a regular basis to ensure that its scope remains adequate and that improvements to the ISMS process are identified (see 7.1). Update security plans to take into account the findings of monitoring and review activities. Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3).
4.2.4 Maintain and improve the ISMS
The organization shall regularly do the following: implement the identified improvements to the ISMS. Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the security experiences of other organizations and of the organization itself. Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, where relevant, agree on how to proceed. Ensure that the improvements achieve their intended objectives.
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
Clause 0: Introduction
This is a much shorter clause than its predecessor. In particular, the section on the PDCA model has been removed. The reason for this is that the requirement is for continual improvement (see Clause 10), and PDCA is just one approach to meeting that requirement. There are other approaches, and organizations are now free to use them if they wish. The introduction also draws attention to the order in which requirements are presented, stating that the order does not reflect their importance or imply the order in which they are to be implemented.
Clause 1: Scope
This, too, is a much shorter clause. In particular, there is no reference to the exclusion of controls in Annex A.
Clause 2: Normative references
The only normative reference is to ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary.
Clause 3: Terms and definitions
There are no longer any terms or definitions in ISO/IEC 27001:2013. Instead, readers are referred to ISO/IEC. However, please ensure that you use a version of ISO/IEC that was published after ISO/IEC 27001:2013, otherwise it will not contain the correct terms or definitions. This is an important document to read. Many definitions, for example ‘management system’ and ‘control’, have been changed and now conform to the definitions given in the new ISO directives and ISO. If a term is not defined in ISO/IEC 27000, please use the definition given in the Oxford English Dictionary. This is important, otherwise confusion and misunderstanding may be the result.
Clause 4: Context of the organization
This is a new clause that in part addresses the deprecated concept of preventive action and in part establishes the context for the ISMS. It meets these objectives by drawing together relevant external and internal issues (i.e. those that affect the organization’s ability to achieve the intended outcome(s) of its ISMS) with the requirements of interested parties to determine the scope of the ISMS. It should be noted that the term ‘issue’ covers not only problems, which would have been the subject of preventive action in the previous standard, but also important topics for the ISMS to address, such as any market assurance and governance goals that the organization might set for the ISMS. Further guidance is given in Clause 5.3 of ISO 31000:2009. Note that the term ‘requirement’ is a ‘need or expectation that is stated, generally implied or obligatory’. Combined with Clause 4.2, this in itself can be thought of as a governance requirement, as strictly speaking an ISMS that did not conform to generally accepted public expectations could now be ruled nonconformant with the standard. The final requirement (Clause 4.4) is to establish, implement, maintain and continually improve the ISMS in accordance with the requirements of the standard.
Clause 5: Leadership
This clause places requirements on ‘top management’, which is the person or group of people who directs and controls the organization at the highest level. Note that if the organization that is the subject of the ISMS is part of a larger organization, then the term ‘top management’ refers to the smaller organization. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. A particular responsibility of top management is to establish the information security policy, and the standard defines the characteristics and properties that the policy is to include. Finally, the clause places requirements on top management to assign information security relevant responsibilities and authorities, highlighting two particular roles concerning ISMS conformance to ISO/IEC and reporting on ISMS performance.
Clause 6: Planning
Clause 6.1.1, General: This clause works with Clauses 4.1 and 4.2 to complete the new way of dealing with preventive actions. The first part of this clause (i.e. down to and including c)) concerns risk assessment, whilst Clause d) concerns risk treatment. As the assessment and treatment of information security risk is dealt with in Clauses and 6.1.3, organizations could use this clause to consider ISMS risks and opportunities.
Clause 6.1.2, Information security risk assessment: This clause specifically concerns the assessment of information security risk. In aligning with the principles and guidance given in ISO 31000, this clause removes the identification of assets, threats and vulnerabilities as a prerequisite to risk identification. This widens the choice of risk assessment methods that an organization may use while still conforming to the standard. The clause also refers to ‘risk assessment acceptance criteria’, which allows criteria other than just a single level of risk. Risk acceptance criteria can now be expressed in terms other than levels, for example, the types of control used to treat risk. The clause refers to ‘risk owners’ rather than ‘asset owners’ and later (in Clause f)) requires their approval of the risk treatment plan and residual risks. In other ways the clause closely resembles its counterpart in ISO/IEC 27001:2005 by requiring organizations to assess consequence, likelihood and levels of risk.
Clause 6.1.3, Information security risk treatment: This clause concerns the treatment of information security risk. It is similar to its counterpart in ISO/IEC 27001:2005; however, it refers to the ‘determination’ of necessary controls rather than selecting controls from Annex A. Nevertheless, the standard retains the use of Annex A as a cross-check to make sure that no necessary control has been overlooked, and organizations are still required to produce a Statement of Applicability (SOA). The formulation and approval of the risk treatment plan is now part of this clause.
Clause 6.2, Information security objectives and planning to achieve them: This clause concerns information security objectives. It uses the phrase “relevant functions and levels”, where the term ‘function’ refers to the functions of the organization, and the term ‘level’ to its levels of management, of which ‘top management’ is the highest. The clause defines the properties that an organization’s information security objectives must possess.
Clause 7: Support
This clause begins with a requirement that organizations shall determine and provide the necessary resources to establish, implement, maintain and continually improve the ISMS. Simply expressed, this is a very powerful requirement covering all ISMS resource needs. The clause continues with requirements for competence, awareness and communication, which are similar to their counterparts in ISO/IEC 27001:2005. Finally, there are the requirements for ‘documented information’. ‘Documented information’ is a new term that replaces the references in the 2005 standard to ‘documents’ and ‘records’. These requirements relate to the creation and updating of documented information and to its control. The requirements are similar to their counterparts in ISO/IEC 27001:2005 for the control of documents and for the control of records. Note that the requirements for documented information are presented in the clause to which they refer. They are not summarized in a clause of their own, as they are in ISO/IEC 27001:2005.
Clause 8: Operation
This clause deals with the execution of the plans and processes that are the subject of the previous clauses. Clause 8.1 deals with the execution of the actions determined in Clause 6.1, the achievement of the information security objectives, and outsourced processes; Clause 8.2 deals with the performance of information security risk assessments at planned intervals, or when significant changes are proposed or occur; and Clause 8.3 deals with the implementation of the risk treatment plan.
Clause 9: Performance evaluation
Clause 9.1, Monitoring, measurement, analysis and evaluation: The first paragraph of Clause 9.1 states the overall goals of the clause. As a general recommendation, determine what information you need to evaluate the information security performance and the effectiveness of your ISMS. Work backwards from this ‘information need’ to determine what to measure and monitor, when, by whom and how. There is little point in monitoring and making measurements just because your organization has the capability of doing so. Only monitor and measure if it supports the requirement to evaluate information security performance and ISMS effectiveness. Note that an organization may have several information needs, and these needs may change over time. For example, when an ISMS is relatively new, it may be important just to monitor the attendance at, say, information security awareness events. Once the intended rate has been achieved, the organization might look more towards the quality of the awareness event. It might do this by setting specific awareness objectives and determining the extent to which the attendees have understood what they have learnt. Later still, the information need may extend to determining what impact this level of awareness has on information security for the organization.
Clause 9.2, Internal audit: This clause is similar to its counterpart in ISO/IEC 27001:2005. However, the requirement holding management responsible for ensuring that audit actions are taken without undue delay has been removed, as it is effectively covered by the requirements in Clause 10.1 (in particular 10.1 a), c) and d)). The requirement that auditors shall not audit their own work has also been removed, as it is covered by the requirement to ensure objectivity and impartiality (Clause 9.2 e)).
Clause 9.3, Management review: Rather than specify precise inputs and outputs, this clause now places requirements on the topics for consideration during the review. The requirement for reviews to be held at planned intervals remains, but the requirement to hold the reviews at least once per year has been dropped.
Clause 10: Improvement
Due to the new way of handling preventive actions, there are no preventive action requirements in this clause. However, there are some new corrective action requirements. The first is to react to nonconformities and take action, as applicable, to control and correct the nonconformity and deal with the consequences. The second is to determine whether similar nonconformities exist, or could potentially occur. Although the concept of preventive action has evolved, there is still a need to consider potential nonconformities, albeit as a consequence of an actual nonconformity. There is also a new requirement to ensure that corrective actions are appropriate to the effects of the nonconformities encountered. The requirement for continual improvement has been extended to cover the suitability and adequacy of the ISMS as well as its effectiveness, but it no longer specifies how an organization achieves this.
Annex A
The title of Annex A is now “Reference control objectives and controls” and the introduction is simplified. It states that the control objectives and controls are directly derived from ISO/IEC 27002:2013 and that the Annex is to be used in the context of Clause. During the revision of ISO/IEC, the number of controls has been reduced from 133 to 114, and the number of major clauses has been expanded from 11 to 14. Some controls are identical or otherwise very similar; some have been merged together; some have been deleted and some are new. For example:
A.5.1.1, Policies for information security, is very similar to the original A.5.1.1, Information security policy document.
The old A, Audit logging, A, Monitoring of system use, and A, Fault logging, have been merged together to form the new A, Event logging.
The old A, Sensitive system isolation, has been removed on the grounds that in an interconnected world such a control defeats the objective of being interconnected.
A, Availability of information processing facilities, is a new control.
It is important to appreciate that the usefulness of a control to an organization should not change because it has been removed from Annex A. In accordance with Clause 6.1.3, controls are now determined on the basis of risk treatment. If an organization wishes to treat particular risks by deliberately not connecting a computer to the Internet or other networks, then it will need to use a control like the old A, regardless of whether it is in Annex A or not. Annex A remains a ‘normative annex’. This is not because Annex A contains normative requirements, but because, by ISO rules, it is referenced from a normative requirement, i.e. in this case Clauses c) and d).
Other annexes
The original Annex B, OECD principles and this international standard, has been dropped, as it is now an old reference which refers to PDCA. The old Annex C, Correspondence between ISO 9001:2000, ISO 14001:2004 and this international standard, has also been dropped, because both of these standards are being revised and will use the same high-level structure and identical core text as ISO/IEC 27001:2013. Annex B, Bibliography, of ISO/IEC 27001:2013 is an updated version of its counterpart, Annex D in ISO/IEC 27001:2005.