Security toolbox protects organizations from cyber-attacks
Geneva, Switzerland, 2015-12-17 – Cyber-attacks are among the greatest risks an organization can face. Having standards and systems in place to keep information safe has therefore never been more important than in today’s digital world. This is why the ISO/IEC 27000 series on security techniques for information technology has been updated to provide organizations with that added value and confidence.
In a global survey conducted by ISACA in 129 countries, only 38 % of respondents felt they were prepared for a cyber-attack – even though 83 % believed these are among the top three threats facing organizations today. With so much personal and sensitive information being handled electronically, there is a lot at stake if it were to be compromised.
Prof. Edward Humphreys, convenor of ISO/IEC Joint Technical Committee (JTC) 1 SC 27: IT security techniques, WG 1: Information security management systems (ISMS), emphasizes, “To ensure security in today’s digital landscape, all organizations, irrespective of size, should put in place a management framework as a starting point to manage cyber risks. ISO/IEC 27001 was designed to help organizations do just that. The Standard is the world’s ‘common language’ when it comes to assessing, treating and managing information-related risks.”
Below are the latest revisions and additions to the ISO/IEC 27000 series – all published in 2015 – which form part of the ISO/IEC 27001 “cyber risk toolbox”, to help keep these risks in check.
Protecting information in the cloud (ISO/IEC 27017)
A new code of practice for information security controls for cloud services, ISO/IEC 27017, has just been published. The cloud is one of the most widely used innovations in today’s fast-paced world of commerce and business. As the service gains currency, users are demanding assurances that data stored and processed in the cloud is safe. Because of its very nature, the marketplace for cloud services is global, with providers dispersed across wide geographical areas, and data is routinely transferred across national boundaries. International guidance is therefore key.
According to Satoru Yamasaki, one of the editors who worked on the Standard, “ISO/IEC 27017 will help service providers come to a common understanding with their customers regarding adequate security controls and their implementation guidance. This International Standard for cloud security controls will facilitate the development and expansion of secure cloud computing systems.”
The new guidelines are the result of a joint initiative by the world’s main developers of International Standards – IEC, ISO, and ITU – to guarantee maximum outreach.
Integrated solutions for services (ISO/IEC 27013)
More organizations are choosing to combine an information security management system (ISO/IEC 27001) with a service management system (ISO/IEC 20000-1). An integrated system means an organization can efficiently manage the quality of its services, handle customer feedback and solve problems, while keeping information safe. ISO/IEC 27013 offers a systematic approach to facilitate the integration of an information security management system with a service management system, which results in lower implementation costs and avoids duplicated effort, as only one audit, instead of two, is needed when seeking certification.
Inter-sector and inter-organizational communications (ISO/IEC 27010)
When an organization shares information with another organization, how can they be sure that their data will be kept safe? ISO/IEC 27010 is a sector-specific addition to the ISO/IEC 27000 toolbox, which guides the initiation, implementation, maintenance and improvement of information security in inter-organizational and inter-sector communications. It includes general principles on how to meet these requirements using established messaging and other technical methods. The Standard is expected to encourage the growth of global information-sharing communities.
As Dr. Mike Nash, an editor of ISO/IEC 27010, explains, “ISO/IEC 27010 basically customizes and applies ISO/IEC 27001 and ISO/IEC 27002 to communication between organizations. Having the Standard in place gives an organization confidence that the information it has shared with another organization will not be inadvertently disclosed.”
The Standard is particularly relevant for the protection of critical national infrastructure, where exchanging sensitive information securely is of utmost importance. It is also widely used by security incident response teams.
Detecting and preventing cyber-attacks (ISO/IEC 27039)
How can organizations detect and prevent cyber intrusions into their networks, systems and applications? Best practice shows that they have to be able to know if, when and how an intrusion into their network, system or application occurs. They should also be ready to identify what vulnerability was exploited and what controls should be implemented to prevent similar intrusions from taking place in the future. One way to do this is through an Intrusion Detection and Prevention System (IDPS).
ISO/IEC 27039 gives guidelines to prepare and deploy an IDPS, covering such crucial aspects as selection, deployment and operation. The Standard is particularly useful in today’s market where there are many commercially available and open-source IDPS products and services based on different technologies and approaches. ISO/IEC 27039 will guide organizations throughout the process.
Audit and certification (ISO/IEC 27006)
More and more organizations are turning to third-party certification audits to demonstrate that they have in place a solid information security management system (ISMS) that conforms to the requirements of ISO/IEC 27001. ISO/IEC 27006 gives the requirements that certification and registration bodies need to meet to be accredited, so they can offer ISO/IEC 27001 certification services.
“ISO/IEC 27006 is an accreditation benchmark for certification bodies that offer ISO/IEC 27001 services,” explains Prof. Humphreys, adding, “This is important because accreditation of certification bodies provides added confidence in the audit process and credibility in the certificate they award.”
About ISO/IEC JTC 1
JTC 1 is the Joint Technical Committee of IEC and ISO for International Information Technology Standards. Created in 1987, JTC 1 currently has 20 Subcommittees, one Study Group and three Working Groups. It has published more than 2800 International Standards. JTC 1 is a consensus-based, globally relevant, voluntary International Standards group. Since 1987, it has brought about a number of very successful and relevant information and communication technologies (ICT) International Standards in many fields: IC cards (smart cards), automatic identification and data capture (AIDC) technologies, information security, biometrics, cloud computing, multimedia (MPEG), database query and programming languages as well as character sets, to name just a few.