GB/T 25067-2020: Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems
Status: Valid
Basic data

Standard ID: GB/T 25067-2020 (GB/T25067-2020)
Description (Translated English): Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 41,472
Date of Issue: 2020-04-28
Date of Implementation: 2020-11-01
Issuing agency(ies): State Administration for Market Regulation; China National Standardization Administration

Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems

ICS 35.040
L80
National Standard of the People's Republic of China
Replaces GB/T 25067-2016
Issued 2020-04-28, implemented 2020-11-01
Issued by the State Administration for Market Regulation and the National Standardization Administration

Table of contents

Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.3 Responsibility and financial resources
6 Structural requirements
7 Resource requirements
7.1 Competence of personnel
7.2 Personnel involved in certification activities
7.3 Use of external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Public information
8.2 Certification documents
8.3 Reference to certification and use of marks
8.4 Confidentiality
8.5 Information exchange between the certification body and its clients
9 Process requirements
9.1 Pre-certification activities
9.2 Planning audits
9.3 Initial certification
9.4 Conducting audits
9.5 Certification decision
9.6 Maintaining certification
9.7 Appeals
9.8 Complaints
9.9 Client records
10 Management system requirements for certification bodies
10.1 Options
10.2 Option A: General management system requirements
10.3 Option B: Management system requirements in accordance with GB/T 19001
Appendix A (informative) Knowledge and skills for ISMS auditing and certification
Appendix B (normative) Audit time
Appendix C (informative) Methods for calculating audit time
Appendix D (informative) Guidance for the review of implemented controls of Appendix A of GB/T 22080-2016
References

Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems

1 Scope

This standard specifies requirements and provides guidance for bodies providing audit and certification of an ISMS, in addition to the requirements of GB/T 27021.1-2017 and GB/T 22080-2016. Its primary purpose is to support the accreditation of ISMS certification bodies.

Any body providing ISMS certification needs to demonstrate its competence and reliability against the requirements of this standard. The guidance in this standard provides further interpretation of these requirements.

Note: This standard can be used as a criteria document for accreditation, peer assessment or other audit processes.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013, IDT)
GB/T 27021.1-2017 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements (ISO/IEC 17021-1:2015, IDT)
ISO/IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary

3 Terms and definitions

The terms and definitions given in GB/T 27021.1-2017 and ISO/IEC 27000 apply to this document.

3.1 Certification documents
Documents indicating that a client's ISMS conforms to the specified ISMS standards and any supplementary documentation required under the ISMS.

4 Principles

The principles of Chapter 4 of GB/T 27021.1-2017 apply.

5 General requirements

5.1 Legal and contractual matters
The requirements of 5.1 in GB/T 27021.1-2017 apply.

5.2 Management of impartiality
The requirements of 5.2 in GB/T 27021.1-2017 apply. In addition, the following requirements and guidance apply.

5.2.1 IS 5.2 Conflicts of interest
The certification body may carry out the following activities without them being considered consultancy or as giving rise to a potential conflict of interest:
a) arranging and teaching training courses; where these courses relate to information security management, related management systems or auditing, the certification body shall confine itself to providing generic information and advice that is freely available in the public domain, that is, it shall not provide advice that contravenes b) below;
b) providing or publishing, on request, explanatory information (see 9.1.3.6) on the certification body's interpretation of the certification audit criteria;
c) pre-audit activities solely aimed at determining readiness for the certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause. The certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used as a reason to reduce the final certification audit time;
d) performing second-party or third-party audits against standards or regulations outside the scope of accreditation;
e) adding value during certification audits and surveillance audits, for example by identifying opportunities for improvement as they become evident during the audit, without recommending specific solutions.

The certification body should not provide internal information security reviews for ISMS clients seeking certification. In addition, the certification body should be independent of any body (including any individual) that provides ISMS internal audits.

5.3 Responsibility and financial resources
The requirements of 5.3 in GB/T 27021.1-2017 apply.

6 Structural requirements

The requirements of Chapter 6 in GB/T 27021.1-2017 apply.

7 Resource requirements

7.1 Competence of personnel
The requirements of 7.1 in GB/T 27021.1-2017 apply. In addition, the following requirements and guidance apply.

7.1.1 IS 7.1.1 General considerations

7.1.1.1 General competence requirements
The certification body shall ensure that it has up-to-date knowledge of the technology and of the laws and regulations relevant to the client ISMS being assessed.
The certification body shall determine the competence requirements for each certification function in accordance with Table A.1 of GB/T 27021.1-2017. The certification body should consider all the requirements of GB/T 27021.1-2017, together with 7.1.2 and 7.2.1, in relation to the ISMS technical areas it has identified.
Appendix A summarizes the competence requirements for personnel performing specific certification functions.

7.1.2 IS 7.1.2 Determination of competence criteria

7.1.2.1 Competence requirements for ISMS auditing

7.1.2.1.1 General requirements
The certification body shall have criteria for verifying the background experience, specific training or briefing of audit team members, to ensure that the audit team has at least:
a) knowledge of information security;
b) technical knowledge of the activity to be audited;
c) knowledge of management systems;
d) knowledge of the principles of auditing;
Note: For further information on the principles of auditing, see ISO 19011.
e) knowledge of ISMS monitoring, measurement, analysis and evaluation.
Items a) to e) above apply to all auditors who are members of the audit team, except for b), which may be shared among the auditors in the team.
The audit team shall be able to trace indications of information security incidents in the client's ISMS back to the corresponding elements of the ISMS.
The audit team should have appropriate work experience of the knowledge items above and should have applied them in practice (this does not mean that every auditor needs comprehensive experience in all areas of information security, but the audit team as a whole should have sufficient knowledge and experience in the area being audited).

7.1.2.1.2 Information security management terminology, principles, practices and techniques
The audit team as a whole should have the following knowledge:
a) the structure, hierarchy and interrelationships of ISMS-specific documentation;
b) tools, methods, techniques and applications related to information security management;
c) information security risk assessment and risk management;
d) processes applicable to the ISMS;
e) current technologies that may be relevant to information security or that may raise information security issues.
Each auditor should meet a), c) and d).

7.1.2.1.3 Information security management system standards and normative documents
Auditors participating in ISMS audits should have the following knowledge:
a) all the requirements of GB/T 22080-2016.
The audit team as a whole should have the following knowledge:
b) all the controls of GB/T 22081 and their implementation (where necessary, also those derived from sector-specific standards). These controls fall into the following categories:
1) information security policies;
2) organization of information security;
3) human resource security;
4) asset management;
5) access control, including authorization;
6) cryptography;
7) physical and environmental security;
8) operations security, including IT services;
9) communications security, including network security management and information transfer;
10) system acquisition, development and maintenance;
11) supplier relationships, including outsourced services;
12) information security incident management;
13) information security aspects of business continuity management, including redundancy;
14) compliance, including information security reviews.

7.1.2.1.4 Business management practices
Auditors participating in ISMS audits should have the following knowledge:
a) information security best practices and information security regulations of the industry;
b) information security policies and business requirements;
c) general business management concepts and practices, and the interrelationships between policies, objectives and results;
d) management processes and related terminology.
Note: These processes also include human resource management, internal communication, external communication and other related support processes.

7.1.2.1.5 Client business sector
Auditors participating in ISMS audits should have the following knowledge:
a) the legal and regulatory requirements of the particular information security field, geography and jurisdiction;
Note: Knowledge of legal and regulatory requirements does not imply a profound legal background.
b) information security risks related to the business sector;
c) general terminology, processes and technology related to the client's business sector;
d) practices in the relevant business sector.
Item a) may be shared within the audit team.

7.1.2.1.6 Client products, processes and organization
The audit team as a whole should have the following knowledge:
a) the impact of organization type, size, governance, structure, functions and relationships on the development and implementation of the ISMS and on certification activities, including outsourcing;
b) complex operations in a broad sense;
c) the legal and regulatory requirements applicable to the product or service.

7.1.2.2 Competence requirements for leading the ISMS audit team
In addition to the requirements of 7.1.2.1, the audit team leader should also meet the following requirements, which should be confirmed through audits conducted under guidance and supervision:
a) knowledge and skills to manage the certification audit process and the audit team;
b) effective oral and written communication skills.

7.1.2.3 Competence requirements for conducting the application review

7.1.2.3.1 Information security management system standards and normative documents
Personnel conducting the application review to determine the required audit team competence, select the audit team members and determine the audit time should have the following knowledge:
a) the relevant ISMS standards and other normative documents used in the certification process.

7.1.2.3.2 Client business sector
Personnel conducting the application review to determine the required audit team competence, select the audit team members and determine the audit time should have the following knowledge:
a) general terminology, processes, technology and risks related to the client's business sector.

7.1.2.3.3 Client products, processes and organization
Personnel conducting the application review to determine the required audit team competence, select the audit team members and determine the audit time should have the following knowledge:
a) the relationship between the client's products, processes, organization type, size, governance, structure, functions and relationships and the development and implementation of the ISMS and certification activities, including outsourced functions.

7.1.2.4 Competence requirements for reviewing audit reports and making certification decisions

7.1.2.4.1 General
Personnel reviewing audit reports and making certification decisions should have knowledge enabling them to verify the appropriateness of the certification scope and of changes to the scope, and the impact of such changes on the effectiveness of the audit, in particular the continuing validity of the identified interfaces and dependencies and the associated risks. In addition, they should have the following knowledge:
a) general management systems;
b) audit processes and procedures;
c) audit principles, practices and techniques.

7.1.2.4.2 Information security management terminology, principles, practices and techniques
Personnel reviewing audit reports and making certification decisions should have the following knowledge:
a) the items listed in a), c) and d) of 7.1.2.1.2;
b) legal and regulatory requirements related to information security.

7.1.2.4.3 Information security management system standards and normative documents
Personnel reviewing audit reports and making certification decisions should have the following knowledge:
a) the relevant ISMS standards and other normative documents used in the certification process.

7.1.2.4.4 Client business sector
Personnel reviewing audit reports and making certification decisions should have the following knowledge:
a) general terminology and risks related to practices in the relevant business sector.

7.1.2.4.5 Client products, processes and organization
Personnel reviewing audit reports and making certification decisions should have the following knowledge:
a) the client's products, processes, organization type, size, governance, structure, functions and relationships.

7.2 Personnel involved in certification activities
The requirements of 7.2 in GB/T 27021.1-2017 apply. In addition, the following requirements and guidance apply.

7.2.1 IS 7.2 Demonstration of auditor knowledge and experience
The certification body shall verify the knowledge and experience of auditors through:
a) recognized ISMS-specific qualifications;
b) registration as an auditor, where applicable;
c) participation in ISMS training courses and the relevant personal certificates obtained;
d) up-to-date records of continuing professional development;
e) ISMS audits witnessed by another ISMS auditor.

7.2.1.1 Selection of auditors
In addition to 7.1.2.1, the criteria for selecting auditors should ensure that each auditor:
a) has professional education or training equivalent to university education;
b) has at least 4 years of full-time practical work experience in information technology, of which at least 2 years are in duties or functions related to information security;
c) has successfully completed at least 5 days of training whose scope covers ISMS auditing and audit management;
d) has gained experience in the entire information security assessment process before being assigned auditor responsibilities. This experience should have been gained by participating in at least 4 ISMS certification audits (including recertification audits and surveillance audits) for a total of at least 20 days (of which up to 5 days can be ...). Such participation should include document review and risk assessment, assessment of implementation and reporting of the audit;
e) has relevant and current experience;
f) keeps knowledge and skills in information security and auditing up to date through continuing professional development.
Technical experts should meet criteria a), b) and e).

7.2.1.2 Selection of auditors to lead the audit team
In addition to 7.1.2.2 and 7.2.1.1, the criteria for selecting the auditor who leads the audit team should ensure that the auditor:
a) has actively participated in all stages of at least 3 ISMS audits, including initial scope identification and planning, document review and risk assessment, evaluation of implementation and formal reporting of the audit.

7.3 Use of external auditors and external technical experts
The requirements of 7.3 in GB/T 27021.1-2017 apply. In addition, the following requirements and guidance apply.

7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
Technical experts should work under the supervision of an auditor. 7.2.1.1 lists the minimum requirements for technical experts.

7.4 Personnel records
The requirements of 7.4 in GB/T 27021.1-2017 apply.

7.5 Outsourcing
The requirements of 7.5 in GB/T 27021.1-2017 apply.

8 Information requirements

8.1 Public information
The requirements of 8.1 in GB/T 27021.1-2017 apply.

8.2 Certification documents
The requirements of 8.2 in GB/T 27021.1-2017 apply. In addition, the following requirements and guidance apply.

8.2.1 IS 8.2 ISMS certification documents
The certification documents shall be signed by the person assigned this responsibility. The certification documents shall include the version of the Statement of Applicability.
Note: If a change to the Statement of Applicability does not change the controls within the scope of certification, the certificate need not be updated.
Certification documents may also identify any sector-specific standards used.

8.3 Reference to certification and use of marks
The requirements of 8.3 in GB/T 27021.1-2017 apply.

8.4 Confidentiality
The requirements of 8.4 in GB/T 27021.1-2017 apply. In addition, the following requirements and guidance apply.

8.4.1 IS 8.4 Access to organizational records
Before the certification audit, the certification body shall require the client to report whether any ISMS-related information (such as ISMS records or information about the design and effectiveness of controls) cannot be made available for review by the audit team because it contains confidential or sensitive information. The certification body shall determine whether the ISMS can be adequately audited in the absence of this information.