Basic data

| Item | Value |
|---|---|
| Standard ID | GB/T 28450-2020 (GB/T28450-2020) |
| Description (translated English) | Information technology. Security techniques. Guidelines for information security management systems auditing |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L08 |
| Classification of International Standard | 35.040 |
| Word count estimation | 39,316 |
| Date of issue | 2020-12-14 |
| Date of implementation | 2021-07-01 |
| Older standard (superseded by this standard) | GB/T 28450-2012 |
| Quoted standards | GB/T 19011-2013; GB/T 22080-2016; GB/T 29246-2017 |
| Adopted standard | ISO/IEC 27007:2017, IDT |
| Regulation (derived from) | National Standard Announcement No. 28 of 2020 |
| Issuing agencies | State Administration for Market Regulation; China National Standardization Administration |
| Summary | This standard provides guidelines for managing ISMS audit programmes, conducting ISMS audits, and evaluating ISMS auditor competence. It applies to all organizations that need to understand or conduct ISMS internal or external audits, or that need to manage ISMS audit programmes. |
GB/T 28450-2020: Information technology. Security techniques. Guidelines for information security management systems auditing
ICS 35.040
L80
National Standard of the People's Republic of China
Replaces GB/T 28450-2012
Information technology -- Security techniques --
Guidelines for information security management systems auditing
(ISO/IEC 27007:2017, IDT)
Issued 2020-12-14
Implemented 2021-07-01
Issued by the State Administration for Market Regulation and the National Standardization Administration
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Audit principles
5 Managing an audit programme
5.1 General
5.2 Establishing the audit programme objectives
5.3 Establishing the audit programme
5.4 Implementing the audit programme
5.5 Monitoring the audit programme
5.6 Reviewing and improving the audit programme
6 Performing an audit
6.1 General
6.2 Initiating the audit
6.3 Preparing audit activities
6.4 Conducting audit activities
6.5 Preparing and distributing the audit report
6.6 Completing the audit
6.7 Conducting audit follow-up
7 Competence and evaluation of auditors
7.1 General
7.2 Determining the auditor competence needed to meet the audit programme requirements
7.3 Establishing the auditor evaluation criteria
7.4 Selecting the appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence
Annex A (informative) ISMS audit practice guide
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 28450-2012, Information security technology -- Guidelines for information security management system auditing. Compared with GB/T 28450-2012, the main technical changes are as follows:
--- Deleted the ISMS-specific audit principles (see 4.2 of the 2012 edition);
--- Deleted the audit programme management flowchart (see 5.1 of the 2012 edition);
--- Deleted the content on the audit programme (see 5.2.2 of the 2012 edition);
--- Added content on the competence of the persons managing the audit programme (see 5.3.2);
--- Added the extent and detailed content of the audit programme (see 5.3.3);
--- Added content on identifying and assessing audit programme risks (see 5.3.4);
--- Modified the content on implementing the audit programme (see 5.4; 5.4 of the 2012 edition);
--- Deleted the content on audit programme records (see 5.5 of the 2012 edition);
--- Deleted the content on appointing the audit team leader (see 6.2.1 of the 2012 edition);
--- Deleted the practical help on precautions when collecting information (see 6.5.4.1 of the 2012 edition);
--- Deleted the content on approval of the audit report (see 6.6.2 of the 2012 edition);
--- Deleted the competence concept diagram (see 7.1.1 of the 2012 edition);
--- Deleted the content on personal attributes (see 7.2 of the 2012 edition);
--- Added content on personal behaviour (see 7.2.2);
--- Deleted the content on ISMS-specific and related discipline knowledge and skills (see 7.3.3 of the 2012 edition);
--- Added content on the discipline- and sector-specific knowledge and skills of management system auditors (see 7.2.3.3);
--- Added content on the knowledge and skills for auditing multiple management system disciplines (see 7.2.3.5);
--- Deleted the content on education, work experience, auditor training and audit experience (see 7.4 of the 2012 edition);
--- Added content on achieving auditor competence (see 7.2.4);
--- Modified the content on auditor evaluation (see 7.3, 7.4, 7.5 and 7.6 of the 2012 edition);
--- Reorganized the annexes: deleted the five annexes of the original standard and added Annex A, ISMS audit practice guide, which is consistent with Annex A of ISO/IEC 27007:2017.
This standard was prepared by the translation method and is identical to ISO/IEC 27007:2017, Information technology -- Security techniques -- Guidelines for information security management systems auditing.
The Chinese documents that correspond consistently to the international documents normatively referenced in this standard are as follows:
--- GB/T 19011-2013 Guidelines for auditing management systems (ISO 19011:2011, IDT)
--- GB/T 22080-2016 Information technology -- Security techniques -- Information security management systems -- Requirements (ISO/IEC 27001:2013, IDT)
--- GB/T 29246-2017 Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary (ISO/IEC 27000:2016, IDT)
This standard has made the following editorial changes:
--- In the introduction, the relationship between some terms and definitions used in this standard and the corresponding content of other standards is explained;
--- The international document ISO/IEC 27017 has been added to the references.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: Beijing Times Xinwei Information Technology Co., Ltd., China Network Security Review Technology and Certification Center, China Electronics Technical Standardization Research Institute, and the National Organizations Unified Social Credit Code Data Service Center.
Main drafters of this standard: Wang Xinjie, Wang Lianqiang, Zhang Jian, Shangguan Xiaoli, Sun Zhen, Zhao Jie, Zheng Wei, Chen Jianbo, Guo Leyu, Wang Yang, Cao Yu, Cheng Yuqi, Wang Jiao, Sun Tai, Li Shengfei.
The previous edition of the standard replaced by this standard is as follows:
--- GB/T 28450-2012.
Introduction
This standard provides guidelines on:
--- managing an information security management system (ISMS) audit programme;
--- conducting internal and external audits in accordance with GB/T 22080-2016;
--- the competence and evaluation of ISMS auditors.
This standard should be used in conjunction with the guidance contained in GB/T 19011-2013.
This standard follows the structure of GB/T 19011-2013. The ISMS-specific guidance needed for ISMS audits is identified by the letters "IS". When conducting ISMS audits, the ISMS-specific guidance added in this standard, identified by the letters "IS", should be used together with GB/T 19011-2013.
GB/T 19011-2013 provides guidance on managing audit programmes, on conducting internal or external audits of management systems, and on the competence and evaluation of management system auditors.
This standard does not state requirements on organization size; it applies to all users, including small and medium-sized organizations.
The relationship between some terms and definitions used in this standard and the corresponding content of other standards is explained as follows:
--- "Procedure" in the international standard is rendered in Chinese as "procedure" in GB/T 19011-2013 and as "regulations" in GB/T 22080-2016. Because this standard quotes the original text of both standards, wherever the term appears in this standard the definition of the standard being quoted is used;
--- "Implement" in the international standard is rendered in Chinese as "implementation" in GB/T 19011-2013 and as "realization" in GB/T 22080-2016. Because this standard quotes the original text of both standards, wherever the term appears in this standard the definition of the standard being quoted is used;
--- "Maintain" in the international standard is rendered in Chinese as "maintain" in GB/T 19011-2013 and as "maintenance" in GB/T 22080-2016. Because this standard quotes the original text of both standards, wherever the term appears in this standard the definition of the standard being quoted is used;
--- "Documented information" in the international standard is rendered in Chinese as "documented information" in GB/T 29246-2017 and as "documented information" in GB/T 22080-2016. Because this standard quotes the original text of GB/T 22080-2016, wherever the term appears in this standard the definition in GB/T 22080-2016 is adopted;
--- "Context" in the international standard is rendered in Chinese as "context" in GB/T 29246-2017 and as "environment" in GB/T 22080-2016. Because this standard quotes the original text of GB/T 22080-2016, wherever the term appears in this standard the definition in GB/T 22080-2016 is adopted;
--- "Continuity" in the international standard is rendered in Chinese as "continuity" in GB/T 29246-2017 and as "continuity" in GB/T 22080-2016. Because this standard quotes the original text of GB/T 22080-2016, wherever the term appears in this standard the definition in GB/T 22080-2016 is adopted.
Information technology -- Security techniques --
Guidelines for information security management systems auditing
1 Scope
Building on GB/T 19011-2013, this standard provides guidance on managing an information security management system (hereinafter referred to as ISMS) audit programme and on conducting audits, as well as guidance on evaluating the competence of ISMS auditors.
This standard applies to all organizations that need to understand or conduct ISMS internal or external audits, or that need to manage ISMS audit programmes.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 19011-2013 Guidelines for auditing management systems (ISO 19011:2011, IDT)
GB/T 22080-2016 Information technology -- Security techniques -- Information security management systems -- Requirements (ISO/IEC 27001:2013, IDT)
GB/T 29246-2017 Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary (ISO/IEC 27000:2016, IDT)
3 Terms and definitions
The terms and definitions given in GB/T 19011-2013 and GB/T 29246-2017 apply to this document.
4 Audit principles
The audit principles in Clause 4 of GB/T 19011-2013 apply.
5 Managing an audit programme
5.1 General
The guidelines in 5.1 of GB/T 19011-2013 apply. In addition, the following ISMS-specific guidance applies.
5.1.1 IS 5.1 General
An organization that needs to conduct audits should establish an audit programme and take into account the risks and opportunities identified when planning the ISMS.
5.2 Establishing the audit programme objectives
The guidelines in 5.2 of GB/T 19011-2013 apply. In addition, the following ISMS-specific guidance applies.
5.2.1 IS 5.2 Establishing the audit programme objectives
When establishing the audit programme objectives, the following ISMS-specific considerations should also be taken into account: