信息风险管理流程.pdf

Internal Auditor ISO 27001 Information risk management process 信息风险管理流程 Information risk assessment, treatment and management 信息安全风险评估,风险处置和管理 Together we will cover包含内容 What is the basis of defining scope and boundaries of ISMS for an organization? - 组织信息安全管理体系的范围和边界定义基础是什么? How do we define the ISMS policy? - 如何定义ISMS策略? What should be the approach to information risk assessment and how should risk be managed? - 什么是必须的信息安全风险评估方法和如何管理风险? How should security incidents be handled? - 如何管理信息安全事故? How do we plan for business continuity? - 如何计划业务连续性? Internal Auditor ISO27001 Information risk management process DNV Training 2005© Slide 2, rev 0 An intergalactic communication center What is the scope and boundary for ISMS? Internal Auditor ISO27001 Information risk management process DNV Training 2005© Slide 3, rev 0 Scope and boundary for ISMS ISMS 的范围和边界 Description of the business Location address, physical boundary Logical boundary Technologies used Major assets used Major software used Justification if you want to exclude some areas in the purview of ISMS - 业务描述 - 地址和物理边界 - 逻辑边界 - 使用的技术 - 使用的主要资产 - 使用的主要软件 - ISMS中排除部分的正当说明 Internal Auditor ISO27001 Information risk management process DNV Training 2005© Slide 4, rev 0 Reflection: Contents of ISMS policy 思考:ISMS策略内容 Why do we need ISMS policy? - 为什么我们需要ISMS策略 What should the ISMS policy protect? - ISMS策略需要保护什么? How should the ISMS policy protect? - ISMS策略是如何保护保护对象的? What is the level of protection to be provided? - 应该提供什么层面的保护? How does the ISMS policy reflect management commitment? - ISMS策略如何反映管理承诺? Internal Auditor ISO27001 Information risk management process DNV Training 2005© Slide 5, rev 0 范围和方针练习：练习一 分组 各小组自己设计一个虚拟的组织，描述组织的 提供的业务、组织架构、职能、物理边界、逻 辑边界、人员、设施设备、重要信息等 为自己的组织编写一个范围 为自己的组织确定一个安全方针 练习一个小时，每个小组10分钟演讲 Internal A