ISM System

1. What are the standards for information security management system certification?
The concept of an Information Security Management System (ISMS) originated in the BS 7799 standard developed by the British Standards Institution, which became widely adopted internationally after its publication. The international body that develops and revises ISMS standards is ISO/IEC JTC 1/SC 27/WG 1 (the first working group of the IT security techniques subcommittee of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission).
ISO/IEC 27001:2005 (Information security management systems - Requirements) is the standard against which ISMS certification is carried out. At the time of writing, China had adopted it identically as the national standard GB/T 22080-2008/ISO/IEC 27001:2005.

2. What are the main members of the ISO/IEC 27000 family?
The ISO/IEC 27000 family is the collective name for the series of standard numbers that the International Organization for Standardization has reserved for ISMS-related standards. Its members, with the publication stage of each at the time of writing (IS = published International Standard, FDIS = Final Draft International Standard, CD = Committee Draft, WD = Working Draft, NP = New Work Item Proposal), are:
1. ISO/IEC 27000 ISMS overview and vocabulary (IS)
2. ISO/IEC 27001 Information security management systems - Requirements (IS)
3. ISO/IEC 27002 Code of practice for information security management (IS)
4. ISO/IEC 27003 ISMS implementation guidance (FDIS)
5. ISO/IEC 27004 Information security management - Measurement (FDIS)
6. ISO/IEC 27005 Information security risk management (IS)
7. ISO/IEC 27006 Requirements for bodies providing audit and certification of ISMS (IS)
8. ISO/IEC 27007 Guidelines for ISMS auditing (CD)
9. ISO/IEC 27008 Guidelines for auditors on information security controls (WD)
10. ISO/IEC 27010 Information security management for inter-sector and inter-organizational communications (NP)
11. ISO/IEC 27011 Information security management guidelines for telecommunications organizations (IS)
......
The International Organization for Standardization (ISO) continues to extend and refine the ISMS series, so that it has become a family made up of many member standards.

3. What are the qualifications for the China Information Security Certification Center to carry out ISMS certification?
Under the "Regulations of the People's Republic of China on Certification and Accreditation", certification business in China may only be conducted with the approval of the Certification and Accreditation Administration of the PRC (CNCA) and after a qualification certificate has been issued.
The China Information Security Certification Center is a formally established body that has been approved by CNCA and issued a qualification certificate, and is therefore entitled to carry out information security management system certification. The center's ISMS certification qualification can be looked up on the following website: http://www.cnca.gov.cn/cnca/cxzq/rkcx/4424.shtml
The China Information Security Certification Center is also the first ISMS certification body in China to have been accredited by the China National Accreditation Service for Conformity Assessment (CNAS).

4. Has the information security management system certificate achieved international mutual recognition?
a. Information Security Management System (ISMS) certification is a voluntary, market-driven third-party certification. Its purpose is to demonstrate, through certification, an organization's level of and capability in information security management to customers, partners and other stakeholders, giving them trust and confidence. The precondition for international mutual recognition of ISMS certification is a unified certification standard. At present the accreditation body of each country accredits the certification bodies that apply to it under that country's own accreditation system. Although the national certification and accreditation systems differ, ISMS certificates issued by accredited certification bodies have the same effect, because the certification criteria are all based on the international standard ISO/IEC 27001:2005.
b. The International Accreditation Forum (IAF) is a multilateral cooperation organization of national accreditation bodies (including China's CNAS, the UK's UKAS, the US's ANAB, the Netherlands' RVA and others). Its main objective is to harmonize the national accreditation systems and to standardize the auditor qualification requirements, certification criteria, and assessment and certification procedures of the member bodies and the management system certification bodies they accredit, so that they are consistent in technical operation and effective international mutual recognition is assured. At present China has signed mutual recognition arrangements with IAF members for quality management system (QMS) and environmental management system (EMS) certification. However, because information security management systems (ISMS) touch on sensitive matters such as national security, the accreditation bodies of the various countries have not yet joined an IAF arrangement in the ISMS field, and international mutual recognition has therefore not yet been achieved. Strictly speaking, an ISMS certificate carrying the CNAS, UKAS, ANAB or any other accreditation mark is not an "international certification" and does not enjoy international mutual recognition; no certificate issued by any certification body can currently be called an international certification.
c. The China National Accreditation Service for Conformity Assessment (CNAS), as one of the 17 founding member bodies of the IAF, carries a number of responsibilities within it. CNAS is currently acting as the main coordinating body in organizing international mutual recognition for information security management system certification. It will, however, take time for the countries involved to sign mutual recognition arrangements and join the IAF scheme.
In summary, only once the IAF member bodies have signed a multilateral recognition arrangement covering ISMS, and the relevant certification body has been authorized to place the IAF mark on the ISMS certificates it issues, will those ISMS certificates enjoy international mutual recognition.

5. Which of the ISO/IEC 27000 standards have been translated into Chinese national standards?
ISO/IEC 27001:2005
Adopted identically as the Chinese national standard GB/T 22080-2008/ISO/IEC 27001:2005
Information technology - Security techniques - Information security management systems - Requirements (released 2008-06-19, implemented 2008-11-01)
ISO/IEC 27002:2005
Adopted identically as the Chinese national standard GB/T 22081-2008/ISO/IEC 27002:2005
Information technology - Security techniques - Code of practice for information security management (released 2008-06-19, implemented 2008-11-01)
The Information Security Management Working Group (WG7) of the National Information Security Standardization Technical Committee (TC260) continues to drive the drafting of national standards for information security management systems and the adoption of the international ones.

6. What are the benefits of establishing an information security management system for the organization?
Regular monitoring and review ensure that the organization's management system is continuously monitored and improved, providing a foundation for strengthening information security;
Third-party certification increases the confidence of investors and other stakeholders;
Certification allows the organization to demonstrate to government and industry regulators its compliance with relevant laws and regulations;
Certification assures and demonstrates the organization's commitment to information security;
Certification can improve the organization's performance, expand its business, and dispel distrust.
Establishing an information security management system effectively raises the organization's level of information security management, improves the security awareness of all employees, reduces information security risk, and protects the confidentiality, integrity and availability of information. Third-party certification in particular makes it easier to demonstrate the organization's information security management capability to other parties, which is why more and more organizations are establishing an ISMS. As of September 2009, 5,941 organizations worldwide had obtained ISMS certification, and the number was growing rapidly.

7. What are the advantages of China Information Security Certification Center in the certification of information security management system?
a. National authority
The China Information Security Certification Center was jointly established by eight ministries and commissions. It is affiliated to the General Administration of Quality Supervision, Inspection and Quarantine (AQSIQ) and is the most authoritative information security certification and training institution in China. It has passed the accreditation review of the China National Accreditation Service for Conformity Assessment (CNAS) and is a certification body entitled to place the CNAS accreditation mark on the certificates it issues.
b. Deep accumulated experience
It has grown out of more than ten years of China's certification industry and has rich management experience. Its advantages in understanding and applying domestic and international information security certification standards are unmatched:
Familiar with every aspect of certification services, and well versed in domestic and international information security standards, laws and regulations;
Engaged in the conversion of international information security certification standards into domestic standards;
Participates in the drafting and formulation of China's information security standards;
Participates in the development of national information security projects.
c. Outstanding talent
Includes a first-prize winner of the National Science and Technology Progress Award;
Key staff are drawn from the relevant national ministries, including leaders and principal participants of national key scientific research projects;
The technical backbone holds doctoral degrees and has been selected for the national "Hundred, Thousand and Ten Thousand Talents Project".
d. Sophisticated technical strength
Proficient in the most advanced information security technology at home and abroad;
Familiar with the operating rules of all types of organizations in China;
Has presided over the testing, evaluation, certification and acceptance of national key information security projects.
e. Senior audit team
It has dozens of auditors, including senior auditors, 11 of whom are nationally registered ISMS certification auditors certified by the China Certification and Accreditation Association (CCAA);
Its staff serve as assessment experts for the China National Accreditation Service for Conformity Assessment;
Its staff are senior practitioners in information security projects and information system assessment.

ADD:409, Building C3, Shunjing Venture Park, No.3 Baishadui Road, Longgang District, Shenzhen, China
Tel:400-8618-006    Zip code:518000    
Email:info@ip-quality.org.cn