ISO 27001 Certification

ISO 27001 Certification Consulting Services

What is ISO 27001:2013, the Information Security Management System standard

ISO 27001 is the standard for managing a company's information security management system (ISMS), operated on the Plan-Do-Check-Act cycle.

ISO 27001 is built on risk assessment and the company's defined risk acceptance level, and aims to treat and manage risk effectively. It is a framework: when implementing ISO 27001, the control objectives of the 14 domains in Annex A are considered first.

An ISO 27001 information security management system helps your company manage its information assets better and implement controls that protect those assets from information security breaches.

When a company implements an ISO 27001 ISMS, it is required to establish documentation (policies, procedures, guidelines), allocate the relevant resources and arrange activities to protect its information assets.

Benefits of ISO 27001

  • Enhances corporate credibility through an accredited ISO 27001 information security management system
  • Demonstrates the effectiveness of information handling and a genuine commitment to maintaining information security
  • Raises staff ethics and awareness of confidentiality throughout the workplace
  • Enables the company to strengthen information security and reduce the risk of fraud, information loss and leakage

What is ISO 27001 used for

  • Meeting tender and pre-qualification requirements
  • Raising front-line security awareness
  • Improving corporate image and providing a secure workplace
  • Especially relevant for service providers and software developers that handle large volumes of confidential information

Talk to our team about how we can help your company obtain ISO 27001 certification

Advantages

Save time and money

No hidden fees. Delivered within budget and on time.

Easy to follow

Simple, direct ISO documentation. Minimal effort required.

Streamlined training

Concise briefings and training for clients, for quick review.

Flexible timing

Meeting schedules arranged according to client requirements.


Frequently Asked Questions

The fee depends on company size, number of locations, nature of business and operational complexity.

For a company with about 50 employees, it takes 7-9 months on average.
For a company with about 100 employees, it takes 9-12 months on average.

You can take the following steps:

1) ISO 27001 gap analysis
2) Establish ISO 27001 documentation
3) Attend ISO 27001 training
4) Implement the ISO 27001 system
5) Arrange an internal audit
6) External ISO 27001 audit conducted by a certification body

There are two main costs.
1) The ISO 27001 certification fee charged by an accredited certification body (e.g. SGS, Lloyds, BV, BSI, ...).
2) The consulting fee charged by us.
The fee depends on company size, number of locations, nature of business and operational complexity.

Absolutely. You can attend a series of training courses and draft the documents yourself. … If you have sufficient time and a good grasp of the ISO 27001 requirements, contact a certification body.

No, because of conflict of interest. A certification body can only provide general training on the ISO 27001 standard; it cannot tell you how to implement the ISO 27001 system in your company.

Absolutely. Typically, the ISO consultant drafts the documentation and guides your company through implementing the ISO 27001 system until the ISO 27001 certification audit is passed.

Generally, once a company has received its ISO 27001 certificate, it may use the ISO 27001 mark on its website, business cards and letterhead.

Control objectives of the 14 domains in ISO 27001 Annex A

A.5.1 Information security policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

A.7.1-7.3 Prior to, during and termination of employment

Objective: To ensure that employees and contractors are aware of, fulfil and understand their responsibilities and are suitable for the roles for which they are considered.

To protect the organization’s interests as part of the process of changing or terminating employment.

A.8.1 Responsibility for assets

Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.3 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

A.9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.3 User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A.9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.11.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.3 Backup

Objective: To protect against loss of data.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

A.12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.


A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.3 Test data

Objective: To ensure the protection of data used for testing.

A.15.1 Information security in supplier relationships

Objective: To ensure protection of the organization's assets that are accessible by suppliers.

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
