ISO 27001 Certification

ISO 27001 certification consulting services

What is ISO 27001:2013?

The ISO 27001 standard is an approach to information security management: through more than 110 management principles it provides a management framework and risk-based thinking to help companies manage their operations securely.

The ISO 27001:2013 information security management system helps enterprises manage their overall business risks and information more securely and systematically.

The ISO 27001 standard is built on the principles of Confidentiality, Integrity and Availability.

The ISO 27001:2013 information security management system can help a company manage its information assets better and implement controls to protect your company's information assets from information security breaches.

ISO/IEC 27001:2013 defines a company's risk level on the basis of a systematic risk assessment, and then treats and manages those risks effectively. When implementing the ISO 27001 standard, the 14 control domains and their control objectives in Annex A of ISO 27001:2013 are considered first.

When a company implements an ISO 27001:2013 ISMS, it is required to establish documentation (policies, procedures, guidelines), allocate the relevant resources and arrange activities to protect its information assets.

Applicable to all industries

The ISO 27001:2013 information security management system can be applied to enterprises of any size, government bodies, non-profit organizations and so on. The ISO 27001:2013 ISMS sets out requirements for establishing, operating, monitoring and improving operations.
Therefore, beyond strengthening the enterprise's control of risk, ISO 27001:2013 certification also increases customers' confidence in your information security and pragmatically meets the organization's business continuity needs.

Benefits of ISO 27001:2013

  • Enhance corporate reputation through an accredited ISO 27001:2013 information security management system
  • Demonstrate the validity of information and a genuine commitment to maintaining information security
  • Raise staff ethics and awareness of confidentiality across the whole workplace
  • Enable the company to strengthen information security and reduce the potential risk of fraud, information loss and leakage

What is ISO 27001:2013 used for?

  • Meet tender and pre-qualification requirements
  • Raise front-line information security awareness
  • Improve the corporate image and the information security of the workplace
  • Especially relevant for service providers and software developers that handle large volumes of confidential information

Talk to our team about how we can help your company obtain ISO 27001:2013 certification

Advantages

Save time and money

No hidden fees. Completed on budget and on time.

Easy to follow

Simple, straightforward ISO 27001 documentation. Requires minimal effort.

Streamlined training

Concise briefings/training for clients, for quick review

Flexible timing

Meeting schedules arranged according to client requirements

Testimonials and client comments

Partial client list

Contact us

Frequently asked questions

The fee depends on company size, number of locations, nature of business and operational complexity.

For a company with about 50 employees, it takes 7-9 months on average.
For a company with about 100 employees, it takes 9-12 months on average.

You can take the following steps:

1) ISO 27001:2013 gap analysis
2) Establish ISO 27001:2013 documentation
3) Attend ISO 27001:2013 training
4) Implement the ISO 27001:2013 system
5) Arrange an internal audit
6) External ISO 27001:2013 audit conducted by a certification body

There are two main costs.
1) The ISO 27001:2013 certification fee charged by an accredited ISO 27001 certification body (e.g. SGS, Lloyds, BV, BSI..).
2) The consulting fee charged by us.
The fee depends on company size, number of locations, nature of business and operational complexity.

Absolutely. You can attend a series of training courses and draft the documents. … If you have enough time and have mastered the ISO 27001 requirements, contact a certification body.

No, because of conflict of interest. A certification body can only provide general training on the ISO 27001:2013 standard; it cannot tell you how to implement the ISO 27001:2013 system in your company.

Absolutely. Typically, the ISO consultant drafts the documents and guides your company through implementing the ISO 27001:2013 system until it passes the ISO 27001:2013 certification audit.

Typically, after receiving the ISO 27001:2013 certificate, a company may use the ISO 27001:2013 mark on its website, business cards and letterhead.

Control objectives of the 14 domains in the ISO 27001 standard

A.5.1 Information security policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

A.7.1-7.3 Prior to, during and termination of employment

Objective: To ensure that employees and contractors are aware of, fulfil and understand their responsibilities and are suitable for the roles for which they are considered.

To protect the organization’s interests as part of the process of changing or terminating employment.

A.8.1 Responsibility for assets

Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.3 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

A.9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.3 User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A.9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.11.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.11.2 Equipment

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.3 Backup

Objective: To protect against loss of data.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

A.12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.


A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.3 Test data

Objective: To ensure the protection of data used for testing.

A.15.1 Information security in supplier relationships

Objective: To ensure protection of the organization’s assets that is accessible by suppliers.

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization’s business continuity management systems.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
