
Author: 張勝豐 (Shen-Feng Chang)
Thesis Title: ISO27001:2013新版對企業現行資安建置影響之研究 (Studying on the Impact of New Version ISO27001:2013 on the Existing ISMS)
Advisor: 黃世禎 (Sun-Jen Huang)
Committee: 王有禮 (Yue-Li Wang), 劉俞志 (Yu-Chih Liu)
Degree: Master
Department: College of Management, Graduate Institute of Management
Thesis Publication Year: 2014
Graduation Academic Year: 103 (ROC calendar)
Language: Chinese
Pages: 77
Keywords: ISO/IEC 27001, ISMS, Information Security Management System, Risk Management
Reference times: Clicks: 554, Downloads: 7
Abstract:
ISO/IEC 27001:2013, the Information Security Management System (ISMS) standard, was published by the International Organization for Standardization (ISO) on 25 September 2013. Under ISO's transition rules, certificates issued against the 2005 version remain valid until 30 September 2015. The case company studied in this thesis is certified to ISO/IEC 27001:2005, but its certificate expires at the end of October 2014, so it aims to obtain certification to the new ISO/IEC 27001:2013 version before that date.

The 2013 and 2005 versions differ in many respects. Although the requirements of the new version are worded to leave more room for choice in how they are implemented, this also confronted the case company with difficult decisions and internal challenges in establishing the capability to operate its ISMS during the version transition. In addition, Annex A of the new version introduces controls related to security engineering and project management, which had a considerable impact on the department of the case company responsible for software development.

Through a review of information security literature and standards and through interviews, this thesis first compiles and compares the differences between the 2013 and 2005 versions of the ISO ISMS standard, then analyzes the difficulties the case company encountered during the transition and the solutions it adopted, and finally analyzes how the case company integrated information security into its business processes so that its information security objectives align with its business objectives.

Table of Contents:
Abstract (Chinese)
Abstract
Acknowledgements
Chapter 1 Introduction
  1.1 Research Background and Motivation
  1.2 Research Objectives
  1.3 Research Process
Chapter 2 Literature Review
  2.1 Information Security
  2.2 Information Security Governance
  2.3 Information Security Management Systems
  2.4 The ISO 27001 Information Security Management System Standard
  2.5 Summary of Information Security Related Standards
Chapter 3 Analysis of the Differences between the Old and New Versions of ISO27001
  3.1 Fundamental Differences between the Standards
  3.2 Analysis of Differences in Requirements
  3.3 Analysis of Differences in Controls
Chapter 4 Case Study of the Implementation
  4.1 Profile of the Case Company
  4.2 Current State of the Information Security Management System
  4.3 Revision Process of the Information Security Management System
  4.4 Difficulties and Challenges in Implementing ISO27001:2013
  4.5 Solutions for Implementing ISO27001:2013
Chapter 5 Conclusions and Directions for Future Research
  5.1 Conclusions
  5.2 Research Limitations
  5.3 Suggestions for Further Research
References


Full text public date: 2019/12/30 (Intranet public)
Full text public date: This full text is not authorized to be published. (Internet public)
Full text public date: This full text is not authorized to be published. (National library)