友情提示:本平台主要功能已迁移至全国标准信息公共服务平台,请访问 http://www.std.gov.cn
收藏本站   设为首页
当前位置:国际标准化动态 > ISO > 正文

ISO发布旨在加强数据保护的信息安全控制评估国际标准

发布时间: 2019-03-04 09:35:53   审校:睿智  

软件攻击、知识产权窃取、信息破坏等诸多信息安全风险会带来严重后果,而这些风险只是许多组织所面临问题的冰山一隅。大多数组织都已经制定了控制措施来保护数据安全,但我们如何能够确保这些控制措施足够有效?ISO刚刚发布的关于安全控制措施评估国际标准可以提供帮助。

 

对于任何组织而言,信息都是其最为宝贵的资产之一,数据泄露可能会使公司蒙受巨大的业务损失,挽回损失也将付出巨大的代价。因此,必须加强现有的控制措施,以保护数据安全,同时定期进行数据监控,以应对不断变化的风险。

 ISO/IEC TS 27008 信息技术-安全技术-信息安全控制评估指南是由ISO 和国际电工委员会(IEC)共同制定,旨在为现有控制措施提供了评估指南,以确保他们发挥应有作用、有力并高效,且契合公司目标。

 

       这项新近修订的技术规范(TS),旨在与ISO/IEC 27000(概述和词汇)、ISO/IEC 27001(要求)和 ISO/IEC 27002(信息安全控制规程)等其他关于信息安全管理标准的新版本。这些补充标准均在更新的技术规范中得到引用。

       制定这项标准的工作组负责人爱德华•汉弗莱斯(Edward Humphreys)表示,ISO/IEC 27001标准将帮助各组织评估和审查相应的控制措施, 通过实施ISO/IEC TS 27008 将有助于这些措施的评估与审核。

       Edward Humphreys教授表示:“在当今世界,网络攻击不仅更加频繁,而且越来越难以检测和预防。应该对现有安全控制措施进行定期评估和审核,使之成为组织业务流程的一个重要方面。”

       “ISO/IEC TS 27008 有助于增进组织自信,确保其控制措施的有效性、充分性和适当性,降低组织面临的信息风险。”

       ISO/IEC TS 27008 有益于所有类型和规模的组织,无论是公立组织、私立组织亦或非营利组织,皆可获益。该项标准是对ISO/IEC 27001 中所定义的信息安全管理体系的补充。

       该项标准是由 ISO/IEC JTC 1 信息安全技术委员会的SC 27 IT安全技术分技术委员会制定,其秘书处是由ISO的德国成员 DIN承担 。想获悉更多的国内外标准信息,请访问中国标准信息服务网(<https://www.sacinfo.cn>)。

Stronger data protection with updated guidelines on assessing information security controls

Software attacks, theft of intellectual property or sabotage are just some of the many information security risks that organizations face. And the consequences can be huge. Most organizations have controls in place to protect them, but how can we ensure those controls are enough? The international reference guidelines for assessing information security controls have just been updated to help.

       For any organization, information is one of its most valuable assets and data breaches can cost heavily in terms of lost business and cleaning up the damage. Thus, controls in place need to be rigorous enough to protect it, and monitored regularly to keep up with changing risks.

       Developed by ISO and the International Electrotechnical Commission (IEC), ISO/IEC TS 27008, Information technology – Security techniques – Guidelines for the assessment of information security controls, provides guidance on assessing the controls in place to ensure they are fit for purpose, effective and efficient, and in line with company objectives.

       The technical specification (TS) has recently been updated to align with new editions of other complementary standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls), all of which are referenced within.

       Prof. Edward Humphreys, leader of the working group that developed the standard, said ISO/IEC TS 27008 will help organizations to assess and review their current controls that are being managed through the implementation of ISO/IEC 27001.

       “In a world where cyber-attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organization’s business processes,” he said.

       “ISO/IEC TS 27008 can help give organizations confidence that their controls are effective, adequate and appropriate to mitigate the information risks the organization faces.”

       ISO/IEC TS 27008 is of benefit to organizations of all types and sizes, be they public, private or not-for-profit, and complements the information security management system defined in ISO/IEC 27001.

       It was developed by ISO technical committee ISO/IEC JTC 1, Information security, subcommittee SC 27, IT security techniques, the secretariat of which is held by DIN, ISO’s member for Germany. 


来源: ISO 官网
京ICP备09001239号
网站管理:国家标准化管理委员会标准信息中心
地址:北京海淀区马甸东路9号 邮编:100088 邮箱:info@sac.gov.cn
客服热线:010-82261056 QQ号:3433774297
  • 版权所有 侵权必究
  • 主管:国家标准化管理委员会
  • 主办:国家标准化管理委员会标准信息中心
  • 运营:北京中标赛宇科技有限公司
  • 经营许可证编号 京ICP证 号
  • 盗版侵权 举报热线:400-650-6190
  • 关于我们
  • 技术团队
  • 合作伙伴
  • 法律声明
  • 知识产权