|
| |
 Implementation modes |
| |
In accordance with the mode of “planning—enforcement—inspection—operation” stipulated in BS7799 -2 : 2002, develop,
maintain and improve the documented information security management system.
The management shall offer relevant resources in order to develop and manage the information security management system,
which includes the following steps: |
| |
 The establishment of an information security management system |
| |
I. |
Define the implementation scope. See Chapter Five for the application scope. |
| |
Ⅱ. |
Define information security policies, which shall be examined and approved by the Information Security Guiding Committee and then issued for enforcement. |
| |
Ⅲ. |
Define systematic risk evaluation and management mechanism. See 2.1, “Risk management” of “Information security procedures”,I-ISMS2201-XX and “Methods for evaluating risks concerning information assets”, I-ISMS2302-XX. |
| |
Ⅳ. |
Carrying out risk evaluation and management, including: identifying risks, evaluating risks, responses to risk identification and evaluation, and choosing controlling objects and points. |
| |
Ⅴ. |
Prepare the declaration of application, which includes applicable controlling points and the reasons why controlling points are applicable or not applicable in A.3~A.12,BS 7799- 2:2002. See “Declaration of application concerning information security”, I-ISMS2103-XX. |
| |
|
| |
Implementation and operation of information security management system |
| |
∣. |
According to risk treatment plans generated as the result of the above-mentioned risk identification and evaluation procedures, implement corresponding information security management measures and prepare relevant documents. |
| |
Ⅱ. |
After the examination and approval by the information security guiding committee, use the information security management system and arrange specialized personnel for its operation and maintenance. |
| |
Ⅲ. |
Personnel responsible for information security shall receive proper training. Other personnel shall acquire some knowledge of information security. |
| |
Ⅳ. |
See [CNS17800 clauses and ISMS document relationship” for the document architecture and clauses of the information security management system. |
| |
The monitoring and examination of the information security management system |
| |
A monitoring and examination mechanisms are needed to ensure that the information security management system operates as expected.
The monitoring and examination mechanisms include regular risk evaluation, system operation status monitoring, the inspection on the use of legal software, internal audit, examinations conducted by the management and irregular treatment of information security accidents. |
| |
See the following for details. |
| |
(I) Information security procedures (I-ISMS2201-XX) |
| |
|
1.2.1 Risk management |
| |
|
2.2.4 Management of information security accidents |
| |
|
3.2.8 Monitoring of the use of the system |
| |
|
4.2.11 Management of the use of intellectual assets |
| |
|
5.2.12 Security check on internal information |
| |
|
6.2.13 Preventive measures and improvements |
| |
(II) Methods for evaluating risks concerning information assets I-ISMS2302-XX |
| |
(III) Methods for treating information security accidents I-ISMS2304-XX |
| |
(IV) Methods for the security check on internal information I-ISMS2306-XX |
| |
(V) Management system for computerized information system I-ISMS2311-XX |
| |
(VI) Computer resources management I-ISMS2312-XX |
| |
(VII) Security inspection and access control I-ISMS2322-XX |
| |
(VIII) Rules for personnel management?I-ISMS2331-XX |
| |
See 4.2.3, “the monitoring and auditing of ISMS” in “CNS 17800 clauses and ISMS documents relationship (I-ISMS2401-XX)”. |
| |
|
| |
Maintain and improve the information security management system |
| |
Find items needing to be improved according to the above-mentioned monitoring and examination mechanism and take corrective and preventive measures, for continuously improving the information security management system. The corrective and preventive mechanism includes: |
| |
(I) Corrective measures |
| |
|
1. Information security procedures (I-ISMS2201-XX) |
| |
|
(1)2.1 Risk management
(2)2.4 Management of information security accidents
(3)2.8 Monitoring of the use of the system
(4)2.11 Management of the use of intellectual assets
(5)2.12 Security check on internal information |
| |
|
2. Methods for evaluating risks concerning information assets I-ISMS2302-XX |
| |
|
3. Methods for treating information security accidents I-ISMS2304-XX |
| |
|
4. Methods for the security check on internal information I-ISMS2306-XX |
| |
|
5. Management system for computerized information system I-ISMS2311-XX |
| |
|
6. Computer resources management I-ISMS2312-XX |
| |
|
7. Security inspection and access control I-ISMS2322-XX |
| |
|
8. Rules for personnel management I-ISMS2331-XX |
| |
(II) Preventive measures |
| |
|
1. Information on security procedures (I-ISMS2201-XX) |
| |
|
(1)2.13 Preventive and corrective measures |
| |
|
| |
Management of documents and records |
| |
|
Take proper measures to safe-keep and maintain results related to the above four steps which shall be accessible to relevant personnel, to ensure that the regulations are observed.
See 2.2, “management of documents and records” and “methods for documents and records management”,
I-ISMS2307-XX of information security procedures (I-ISMS2201-XX) for detailed information about the management mechanism. |
|
