去年因為 烏龍事件, 造成連續參加的鐵人賽中斷, 今年原本沒打算參賽, 但剛好新版的ISO 27001公布, 所以就想到將相關研讀心得與大家分享, 也就在最後一天報名參賽.
最後一篇, 再與大家說新版ISO 27001在本文的部份增加的一項要求[7.4Communication 溝通]; 以及說明新版ISO 27001的管理審查有那些不同, 與大家的分享也就告一段落.
新版ISO 27001要求組織要說明有那些內部/外部溝通的要求, 包括有那些議題要溝通 何時溝通, 與誰溝通, 誰來溝通, 有那些流程與溝通有關.
標準原文要求如后:
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected

新版ISO 27001的管理審查要求不再是9入5出, 而是改為6入2出, 相關事項比以前精實許多, 實作上也較容易理解.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:

1. nonconformities and corrective actions;
2. monitoring and measurement results;
3. audit results; and
4. fulfilment of information security objectives;
   d) feedback from interested parties;
   e) results of risk assessment and status of risk treatment plan; and
   f ) opportunities for continual improvement.
   The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.