iT邦幫忙

DAY 30

ISO 27001:2013 vs ISO 27001:2005 Differences Series, Part 30

ISO 27001:2013 vs ISO 27001:2005 Differences #30

Last year a mix-up broke my run of consecutive Ironman challenge entries. I had not planned to compete this year, but the new version of ISO 27001 had just been published, so I decided to share my study notes with everyone and signed up on the last day of registration.
In this final article I will cover one requirement added to the main body of the new ISO 27001, [7.4 Communication], and explain how management review differs in the new ISO 27001; with that, my series comes to an end.
The new ISO 27001 requires the organization to determine its internal and external communication needs, including which topics to communicate, when to communicate, with whom to communicate, who shall communicate, and which processes are involved in communication.
The original text of the standard reads as follows:
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

The management review requirements in the new ISO 27001 are no longer "9 inputs, 5 outputs" but "6 inputs, 2 outputs"; the list of items is much leaner than before and easier to understand in practice.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
  1. nonconformities and corrective actions;
  2. monitoring and measurement results;
  3. audit results; and
  4. fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
