DAY 27

ISO 27001:2013 vs. ISO 27001:2005 difference comparison series, part 27

ISO 27001:2013 vs. ISO 27001:2005 difference comparison #27

Last time I covered the new edition's requirements for policies: ISO 27001:2013 no longer distinguishes between "Information security policies" and "ISMS policies", keeping only "Information security policies", and I also described the requirements in the main body of the standard. Below are the requirements of the control itself together with its implementation guidance.
A.5.1.1 Policies for information security
Control
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

At the highest level, organizations should define an "information security policy" which is approved by management (thus demonstrating its commitment to the policy) and which sets out the organization’s approach to managing its information security objectives.
Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to information security;
b) assignment of general and specific responsibilities for information security management to defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security control objectives and are typically structured to address the needs of certain target groups within an organization or to cover certain topics.
Examples of such detailed policy topics include:
a) access control (see clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see clause 11);
d) end user oriented topics such as:
  1. acceptable use of assets (see 8.1.3);
  2. clear desk and clear screen (see 11.2.9);
  3. information transfer policies and procedures (see 13.2.1);
  4. mobile devices and teleworking (see 6.2);
  5. restrictions on software installations and use (see 12.6.2);
e) backup & recovery (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see clause 10);
j) communications security (see clause 13);
k) privacy and protection of personally identifiable information (see 18.2.4);
l) supplier relationships (see clause 15).
These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an "Information security awareness, education and training programme" (see 7.2.2).
Other Information
The need for internal policies for information security varies across organizations. Internal policies are especially useful in larger and more complex organizations where those defining and approving the expected levels of control are segregated from those implementing the controls, or in situations where a policy applies to many different people or functions in the organization. Policies for information security can be issued in a single "information security policy" document or as a set of individual but related documents.
If any of the policies for information security is distributed outside the organization, care should be taken not to disclose confidential information.
Some organizations use other terms for these policy documents, such as "Standards", "Directives" or "Rules".
