This part of BS 7799 specifies requirements for establishing, implementing and documenting information security management systems (ISMSs). It specifies requirements for security controls to be implemented according to the needs of individual organizations.
NOTE Part 1 gives recommendations for best practice in support of the requirements of this specification. The control objectives and controls given in clause 4 of this part of BS 7799 are derived from and aligned with the objectives and controls listed in BS 7799-1:1999.
2 Terms and definitions
For the purposes of this part of BS 7799, the definitions given in BS 7799-1 apply, together with the following.
2.1 statement of applicability
Critique of the objectives and controls applicable to the needs of the organization
3 Information security management system requirements
3.1 General
The organization shall establish and maintain a documented ISMS. This shall address the assets to be protected, the organization’s approach to risk management, the control objectives and controls, and the degree of assurance required.
3.2 Establishing a management framework
The following steps shall be undertaken to identify and document the control objectives and controls (see Figure 1).
a) The information security policy shall be defined.
b) The scope of the information security management system shall be defined. The boundaries shall be defined in terms of the characteristics of the organization, its location, assets and technology.
c) An appropriate risk assessment shall be undertaken. The risk assessment shall identify the threats to assets, vulnerabilities and impacts on the organization and shall determine the degree of risk.
d) The areas of risk to be managed shall be identified based on the organization’s information security policy and the degree of assurance required.
e) Appropriate control objectives and controls shall be selected from clause 4 for implementation by the organization, and the selection shall be justified.
NOTE Guidance on the selection of control objectives and controls can be found in BS 7799-1. The control objectives and controls listed in clause 4 of this part of BS 7799 are not exhaustive, and additional controls may also be selected.
f) A statement of applicability shall be prepared. The selected control objectives and controls, and the reasons for their selection, shall be documented in the statement of applicability. This statement shall also record the exclusion of any controls listed in clause 4.
These steps shall be reviewed at appropriately defined intervals as required.