A Case Study of Information Security Management System

Master's === Yuan Ze University === Department of Information Management === 103 === In October 2013, ISO/IEC 27001:2013 was published by the International Organization for Standardization. All certificates to ISO/IEC 27001:2005 had to be renewed prior to September 2015; otherwise they expired automatically. Conducting documentary analysi...

Bibliographic Details
Main Authors: Ching-Hui Kuo, 郭晴慧
Other Authors: Yi-Chuan Lu
Format: Others
Language: zh-TW
Online Access: http://ndltd.ncl.edu.tw/handle/45446173468095668855
id ndltd-TW-103YZU05396043
record_format oai_dc
spelling ndltd-TW-103YZU05396043 2016-09-25T04:04:59Z http://ndltd.ncl.edu.tw/handle/45446173468095668855 A Case Study of Information Security Management System 資訊安全防護與管理之個案研究 Ching-Hui Kuo 郭晴慧 Master's Yuan Ze University Department of Information Management 103 Yi-Chuan Lu 盧以詮 Degree thesis ; thesis 44 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
description Master's === Yuan Ze University === Department of Information Management === 103 === In October 2013, ISO/IEC 27001:2013 was published by the International Organization for Standardization. All certificates to ISO/IEC 27001:2005 had to be renewed prior to September 2015; otherwise they expired automatically. Using documentary analysis and case study methods, this study explores how one government agency transitioned to the new version with limited budget and time, and analyzes the actual implementation procedures. Staff of the government agency and information security consultants participated in the in-depth interviews. The findings show that the scope of the original information security management system did not include core activities. Based on ISO/IEC 27001:2013, the agency reviewed the current system documents, added revised standard procedures, carried out risk assessments, and conducted internal audit checks and training sessions. To draw continued attention and obtain support and assistance from the executives, the implementation progress was reported in executive meetings. In addition, bulletin announcements and training sessions were organized to earn the recognition of colleagues. The information security goal was achieved in both the management dimension and the technical dimension. Security and convenience always sit on opposite sides of the scale, and keeping them in balance is an important task for planners. To plan and promote information security management, manpower, resources, time and budgets are all crucial.