A Study on Execution of Information Security Management System Self-Assessment Mechanism

Master's thesis === National Defense University, College of Management === Department of Information Management === 101 === Abstract: ISO/IEC 27001 is an information security management system (ISMS) standard published by the International Organization for Standardization (ISO) in 2005. Based on this standard, Taiwan’s Bureau of Standards, Ministry of Economic Affairs, laid down and announced the CNS 27001 national standard in 2007. Nonetheless, ISO/IEC 27001 is only implementation guidance and strategy for maintaining an organization’s security. Once an organization has obtained the certificate after going through all kinds of paperwork and procedures, that does not necessarily mean the accredited organization will be protected from attacks forever. To achieve solid security within an organization, continuous and persistent execution of the ISMS is a must. However, the seemingly simple “execution” is in fact “a black hole of business management” (quoting Dr. Tang, Ming-Je); that is, execution is not as easy as it sounds. This paper devised a self-assessment mechanism for ISMS execution, and the corresponding software tool was created as well. By following the Plan-Do-Check-Act (PDCA) principle while tracking the execution of ISO 27001’s 11 areas and 133 controls, the tool provides an easy way for an organization to improve its ISMS performance effectively. Keywords: Execution, ISMS, ISO/CNS 27001


Bibliographic Details
Main Authors: Tu, Shen-Wen, 涂昇文
Other Authors: Wu, Tsung-Li
Format: Others
Language: zh-TW
Published: 2013
Online Access: http://ndltd.ncl.edu.tw/handle/18588219195958169523
id ndltd-TW-101NDMC1654033
record_format oai_dc
spelling ndltd-TW-101NDMC1654033 2016-02-21T04:19:51Z http://ndltd.ncl.edu.tw/handle/18588219195958169523
Title: A Study on Execution of Information Security Management System Self-Assessment Mechanism (資訊安全管理系統執行力自我檢測機制之研究)
Author: Tu, Shen-Wen (涂昇文)
Degree: Master's thesis, National Defense University, College of Management, Department of Information Management, 101
Other authors: Wu, Tsung-Li (吳宗禮); Ting-Jung Yu (余丁榮)
Year: 2013; Type: degree thesis; thesis 115; Language: zh-TW
collection NDLTD