| Field | Value |
|---|---|
| Author | 張勝豐 Shen-Feng Chang |
| Title | ISO27001:2013新版對企業現行資安建置影響之研究 (Studying on the Impact of New Version ISO27001:2013 on the Existing ISMS) |
| Advisor | 黃世禎 Sun-Jen Huang |
| Committee members | 王有禮 Yue-Li Wang; 劉俞志 Yu-Chih Liu |
| Degree | Master (碩士) |
| Department | College of Management, Graduate Institute of Management (管理學院 - 管理研究所) |
| Year published | 2014 |
| Graduation academic year | 103 (ROC calendar, i.e. the 2014-2015 academic year) |
| Language | Chinese |
| Pages | 77 |
| Chinese keywords | ISO/IEC 27001, ISMS, 資訊安全管理系統, 風險管理 |
| English keywords | ISO/IEC 27001, ISMS, Information Security Management System, Risk Management |
| Usage | Views: 467, Downloads: 7 |
The International Organization for Standardization (ISO) published ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements, on 25 September 2013. Under ISO's transition rules, certificates issued against the 2005 edition remain valid until 30 September 2015. The case company studied in this thesis already holds ISO/IEC 27001:2005 ISMS certification, but that certificate expires at the end of October 2014; the binding date for the company is therefore its own certificate expiry rather than the later transition deadline, and it aims to obtain certification against ISO/IEC 27001:2013 before then.
There are many differences between the 2013 and 2005 editions. Although the 2013 edition's wording of its requirements leaves more room for choice in how they are implemented, this same flexibility confronted the case company, during the transition, with many difficult decisions and internal challenges in building the capability to operate its information security management system. In addition, Annex A of the new edition introduces controls related to security engineering and project management (secure system engineering principles, A.14.2.5, and information security in project management, A.6.1.5), which had a considerable impact on the company's department responsible for information software development.
This thesis first surveys the information security literature and standards and conducts interviews, then compiles the differences between the 2013 and 2005 editions of ISO/IEC 27001. It analyzes the difficulties the case company encountered in transitioning to the new edition and the solutions it adopted, and examines how the company embedded information security into its business processes so that its information security objectives and its business objectives reinforce each other.