ISO 27001: Information Security Standards

Uploaded by Haneen Ibrahim

- International information security standardization began in the middle of the 1970s,
rapidly developed in the 1980s, and drew global attention in the 1990s. At present, there
are nearly 300 international and regional organizations establishing standards or
technical rules.

- ISO is a global non-governmental organization and plays a crucial role in international
standardization. It has published international standards and related documents for most
fields (including monopolized industries such as military, oil, and shipping).

- IEC was the first international organization established for the preparation and
publication of international standards for all electrical, electronic and related
technologies.

- ITU is the United Nations specialized agency for information and communication
technologies. It allocates global radio spectrum and satellite orbits, develops global
telecommunication standards, works to improve telecommunication infrastructure in the
developing world, and promotes global telecommunication development.

- IETF is a large open international community of network designers, operators, vendors,
and researchers concerned with the evolution of the Internet architecture and the
smooth operation of the Internet.

- Plan: ISMS planning and preparation
  - Establish security policy, objectives, processes and procedures relevant to
managing risks and improving information security, to deliver results in accordance
with an organization's overall policies and objectives.

- Do: ISMS document development
  - Implement and operate the ISMS policy, controls, processes and procedures.

- Check: ISMS operation
  - Assess and, where applicable, measure process performance against ISMS policy,
objectives and practical experience, and report the results to management for review.

- Action: ISMS examination, review, and continuous improvement
  - Take corrective and preventive actions, based on the results of the internal ISMS audit
and management review or other relevant information, to achieve continual
improvement of the ISMS.

- ISO/IEC 27001 and ISO/IEC 27002, released in 2013, are the currently used standards.

- Any company can implement an ISMS, but how? What requirements must be met? ISO
27000 provides detailed requirements which organizations can use to establish ISMSs.

- The purpose of ISO 27001 is to manage information security risks based on risk assessments
and to comprehensively, systematically, and continuously improve information security
management using the Plan, Do, Check, Action (PDCA) cycle. It can be used to establish
and implement ISMSs and to ensure the information security of organizations.

- ISO 27001, an overall information security management framework based on the PDCA
cycle, focuses on establishing a continuous, cyclic, long-term management mechanism.
Certification is possible only against ISO/IEC 27001; the other ISO/IEC standards are
the specific clauses and operation guides supporting that certification. For example,
ISO 27002 defines a specific information security management process under the
guidance of ISO 27001.

- The key check points in the ISO 27001 certification process are as follows:

  - Document review:
    - Risk assessment reports
    - Security principles
    - Statement of Applicability (SoA)
    - Other ISMS documents

  - Formal review:
    - Check records, including account and permission assignment, training, business
continuity drill, access control, and media usage records.
    - Check the information asset identification and processing, and the risk assessment
and handling forms.
    - Perform a terminal security check, including the screen saver, screen lock, and
antivirus software installation and upgrade status.
    - Carry out the physical environment survey, including field observation and
inquiry of equipment rooms and office environments.

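As an added example (not part of the original deck), a PowerShell script that gathers evidence for the terminal security check named above on a Windows endpoint: screen saver enabled, password-protected screen lock, idle timeout, and Microsoft Defender installation and signature status. The idle-timeout and signature-age thresholds are assumptions chosen for illustration, not values from the page.

```powershell
# Added example for an ISO 27001 formal-review terminal check (not from the original deck).
# Thresholds are assumptions: adjust them to the organization's own policy.
param(
    [int]$MaxIdleSeconds = 600,     # assumed: screen must lock within 10 minutes idle
    [int]$MaxSignatureAgeDays = 7   # assumed: AV signatures no older than one week
)

$findings = New-Object System.Collections.Generic.List[string]

# Screen saver / screen lock: per-user settings under HKCU (Group Policy may also
# enforce them under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop).
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if (-not $desktop -or $desktop.ScreenSaveActive -ne '1') {
    $findings.Add('Screen saver is not enabled')
}
if (-not $desktop -or $desktop.ScreenSaverIsSecure -ne '1') {
    $findings.Add('Screen saver does not require a password on resume (no screen lock)')
}
$timeout = 0
if ($desktop -and [int]::TryParse([string]$desktop.ScreenSaveTimeOut, [ref]$timeout)) {
    if ($timeout -gt $MaxIdleSeconds) {
        $findings.Add("Screen saver timeout is $timeout s, exceeds $MaxIdleSeconds s")
    }
} else {
    $findings.Add('Screen saver timeout is not set')
}

# Antivirus: Microsoft Defender status. The cmdlet is absent when another AV product
# owns the host, so that case is reported for manual verification rather than as a pass.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Get-MpComputerStatus unavailable: verify the installed antivirus product manually')
} else {
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old (last update $($mp.AntivirusSignatureLastUpdated))")
    }
}

# Emit one audit record per host, suitable for the review evidence file.
$result = if ($findings.Count -eq 0) { 'PASS' } else { 'FAIL' }
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    User      = $env:USERNAME
    CheckedAt = (Get-Date).ToString('s')
    Result    = $result
    Findings  = $findings -join '; '
}
```

Pipe the output to Export-Csv -Append across the sampled endpoints to produce the records the formal review asks for.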
- Graded protection of information security refers to: graded security protection of crucial
government information, private and public information of legal persons, organizations
and citizens, and the information systems that store, transmit, and process that
information; graded management of information security products in information
systems; and graded response to and handling of information security incidents in
information systems.

- Legal liabilities of graded protection:
  - A corporate sector that does not carry out assessment for graded protection will be
ordered to rectify according to relevant regulations. If it violates the provisions of
China's Cybersecurity Law, which came into force in June 2017, it will be punished
according to relevant laws and regulations. Article 21 of the Cybersecurity Law: the
State implements a tiered cybersecurity protection system. Article 59: where network
operators do not perform the cybersecurity protection duties provided for in Articles 21
and 25 of this Law, the administrative department shall order corrections and give
warnings; where corrections are refused or the failure leads to endangerment of
cybersecurity or other such consequences, a fine of between 10,000 RMB and 100,000 RMB
shall be imposed, and persons who are directly in charge shall be fined between
5,000 RMB and 50,000 RMB.

- Development timeline:
  - February 18, 1994: Decree No. 147 of the State Council, Regulations of the People's
Republic of China for Safety Protection of Computer Information Systems
  - September 2003: No. 27 [2003] of the General Office of the CPC Central Committee,
Opinions for Strengthening Information Security Assurance Work
  - November 2004: No. 66 [2004] of the Ministry of Public Security, Notice of the
Ministry of Public Security, the State Secrecy Bureau, the State Cipher Code
Administration and the Information Office of the State Council on Issuing the
Implementation Opinions on the Graded Protection of Information Security
  - September 2005: No. 25 [2004] of the State Council Information Office, Notice on
Forwarding the Guide for Implementing Graded Protection of e-Government
Information Security
  - January 2006: No. 7 [2006] of the Ministry of Public Security, Notice of the Ministry
of Public Security, the State Secrecy Bureau, the State Cipher Code Administration
and the Information Office of the State Council on Issuing the Administrative
Measures for the Graded Protection of Information Security (for Trial
Implementation)
  - June 2007: No. 43 [2007] of the Ministry of Public Security, Notice of the Ministry of
Public Security, the State Secrecy Bureau, the State Cipher Code Administration and
the Information Office of the State Council on Issuing the Administrative Measures
for the Graded Protection of Information Security
  - 2008: GB/T 22239-2008 Baseline for Classified Protection of Information System
Security and GB/T 22240-2008 Classification Guide for Classified Protection of
Information System Security
  - 2009: No. 1429 [2009] of the Ministry of Public Security, Guiding Opinions on the
Building and Improvement of Graded Protection of Information Systems
  - March 2010: No. 303 [2010] of the Ministry of Public Security, Notice on Promoting
the Assessment System Construction and Grade Assessment for Graded Protection
of Information Security

- Grade I: Destruction of the information system would cause damage to the legitimate
rights and interests of citizens, legal persons and other organizations, but would cause
no damage to national security, social order or public interests.

- Grade II: Destruction of the information system would cause severe damage to the
legitimate rights and interests of citizens, legal persons and other organizations, or cause
damage to social order and public interests, but would not damage national security.

- Grade III: Destruction of the information system would cause severe damage to social
order and public interests, or would cause damage to national security.

- Grade IV: Destruction of the information system would cause particularly severe damage
to social order and public interests, or would cause severe damage to national security.

- Grade V: Destruction of the information system would cause particularly severe damage
to national security.

- The legislation in the Sarbanes-Oxley Act (SOX) stems from the December 2001 securities
scandal involving Enron, then one of the largest energy companies in the United States.
The company had hidden massive debts that, when revealed, sent its stock price tumbling.
With investor confidence "thoroughly destroyed", the United States Congress and government
rapidly introduced the SOX Act. The act promised "to protect investors by improving the
accuracy and reliability of corporate disclosures made pursuant to the securities laws,
and for other purposes."

- The act contains the following:
  - Setting up the Public Company Accounting Oversight Board (PCAOB) to supervise
registered public accounting firms
  - Strengthening auditor independence
  - Increasing corporate responsibility for financial reports
  - Enhancing financial disclosures
  - Increasing criminal penalties

- SOX Act's impact on corporate governance:
  - Responsibilities of board members: The board members and audit commission
must undertake self-assessment and follow-up education.
  - Professional ethics and corporate law-abiding: The act requires companies to
develop written provisions on employees' professional ethics, and the audit
committee to establish an internal reporting incentive mechanism.
  - Transparency and information disclosure: The Securities & Exchange Commission
recommended the establishment of an Information Disclosure Committee to
strengthen the responsibilities of internal audit departments.
  - Risk management and control: Establish an internal control system and process.

- Answers:
  - AB
  - PDCA (Plan, Do, Check, Action)
