
GB/T 31496-2023 English PDF

US$764.00 · In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 31496-2023: Information technology - Security techniques - Information security management systems - Guidance
Status: Valid

GB/T 31496: Historical versions

Standard ID | USD | Buy PDF | Lead days | Standard title (description) | Status
GB/T 31496-2023 | 764 | Add to Cart | 6 days | Information technology - Security techniques - Information security management systems - Guidance | Valid
GB/T 31496-2015 | RFQ | ASK | 7 days | Information technology -- Security techniques -- Information security management system implementation guidance | Obsolete

Similar standards

GB/T 31509   GB/T 31722   GB/T 31505   GB/T 31500   GB/T 31497   

Basic data

Standard ID: GB/T 31496-2023 (GB/T31496-2023)
Description (Translated English): Information technology - Security techniques - Information security management systems - Guidance
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.030
Word Count Estimation: 41,485
Date of Issue: 2023-05-23
Date of Implementation: 2023-12-01
Older Standard (superseded by this standard): GB/T 31496-2015
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 31496-2023: Information technology - Security techniques - Information security management systems - Guidance


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
GB/T 31496-2023, replacing GB/T 31496-2015
Information technology - Security techniques - Information security management systems - Guidance
(ISO/IEC 27003:2017, IDT)
Issued 2023-05-23, implemented 2023-12-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annex A (informative) Policy framework
Bibliography

Foreword

This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".

This document replaces GB/T 31496-2015 "Information technology - Security techniques - Information security management system implementation guidance". Compared with GB/T 31496-2015, apart from structural adjustments and editorial changes, the main technical changes are as follows:
--- The scope was changed: this document explains and provides guidance on the requirements of GB/T 22080-2016.
--- The previous edition took a project approach, with each project containing a series of activities. The revised edition no longer uses the project approach; instead, guidance is provided for each requirement, regardless of the order in which the requirements are implemented.

This document is identical to ISO/IEC 27003:2017 "Information technology - Security techniques - Information security management systems - Guidance". The following minimal editorial change was made to this document:
--- A note was added to 4.2.

Please note that some of the contents of this document may be the subject of patents. The issuing agency of this document assumes no responsibility for identifying any such patents.

This document was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations: China Electronics Standardization Institute, China Cybersecurity Review Technology and Certification Center, China National Accreditation Service for Conformity Assessment, Hangzhou Anheng Information Technology Co., Ltd., PetroChina Changqing Petrochemical Branch, Tencent Cloud Computing (Beijing) Co., Ltd., China Power Great Wall Internet System Application Co., Ltd., Shanghai 30 Guardian Information Security Co., Ltd., Beijing Saixi Certification Co., Ltd., Xidian University, Heilongjiang Cyberspace Research Center, Beijing Information Security Evaluation Center, Institute of Software of the Chinese Academy of Sciences, Chongqing University of Posts and Telecommunications, Anhui Institute of Science and Technology, Beijing Shenzhou NSFOCUS Technology Co., Ltd., China Comservice Consulting Design Institute Co., Ltd., Beijing Zhongke Weilan Technology Co., Ltd.

Main drafters: Wang Huili, Shangguan Xiaoli, Xu Yuna, Fu Zhigao, Ren Zejun, You Qi, Zhou Yachao, Zhao Lihua, Fan Bo, Min Jinghua, Zhang Dongju, Ma Wenping, Gan Lu, Li Yuan, Fang Zhou, Zhang Liwu, Liang Wei, Huang Yonghong, Zhang Heng, Cao Hao, Yin Xiaopeng, Song Xue, Gao Lifen, Chen Hong, Yang Mutian, Pei Xinping.

The previous editions of this document and the documents it replaces were published as follows:
--- first published as GB/T 31496-2015 in 2015;
--- this is the first revision.

Introduction

This document provides guidance on the information security management system (ISMS) requirements specified in GB/T 22080, and gives recommendations ("should"), possibilities ("can") and permissions ("may"). It is not the intention of this document to provide general guidance on all aspects of information security.

Clauses 4 to 10 of this document mirror the structure of GB/T 22080-2016. This document does not add any new requirements for an ISMS or its related terms and definitions. Organizations should refer to GB/T 22080 for the requirements and to GB/T 29246 for the definitions. Organizations implementing an ISMS are under no obligation to follow the guidance in this document.

An ISMS emphasizes the importance of the following phases:
--- understanding the organization's needs and the necessity of establishing an information security policy and information security objectives;
--- assessing the organization's risks related to information security;
--- implementing and operating information security processes, controls and other risk treatment measures;
--- monitoring and reviewing the performance and effectiveness of the ISMS;
--- continual improvement.

Like other types of management systems, an ISMS includes the following key components:
a) policy;
b) persons with defined responsibilities;
c) management processes relating to:
   1) policy establishment;
   2) provision of awareness and competence;
   3) planning;
   4) implementation;
   5) operation;
   6) performance evaluation;
   7) management review;
   8) improvement;
d) documented information.
An ISMS also has other key components, such as:
e) information security risk assessment;
f) information security risk treatment, including the determination and implementation of controls.

This document is generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations should identify which parts of this document apply to them according to their specific organizational context (see Clause 4 of GB/T 22080-2016). For example, some guidance may be more suited to large organizations, while for very small organizations (e.g. fewer than 10 people) some of the guidance may be unnecessary or inappropriate.

Clauses 4 to 10 are structured as follows:
--- Required activity: presents the key activities required by the corresponding clause of GB/T 22080;
--- Explanation: explains what the requirements of GB/T 22080 mean;
--- Guidance: provides more detailed or supporting information for carrying out the "required activity", including examples of implementation;
--- Other information: provides further information that may be considered.

GB/T 31496, GB/T 31497 and GB/T 31722 form a set of documents that support GB/T 22080-2016 and provide guidance. GB/T 31496 is a basic and comprehensive document that provides guidance for all requirements of GB/T 22080, but it does not give a detailed description of "monitoring, measurement, analysis and evaluation" or of information security risk management. GB/T 31497 and GB/T 31722 focus on those specific topics and provide more detailed guidance on "monitoring, measurement, analysis and evaluation" and on information security risk management respectively.

GB/T 22080 explicitly mentions documented information in many places. Nonetheless, an organization may also determine that it needs additional documented information for the effectiveness of its management system, as part of its response to 7.5.1 b) of GB/T 22080-2016. In these cases, this document uses the phrase "Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system [see 7.5.1 b) of GB/T 22080-2016]."

Information technology - Security techniques - Information security management systems - Guidance

1 Scope

This document provides explanation and guidance on GB/T 22080-2016.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes provisions of this document. For dated references, only the edition cited applies; for undated references, the latest edition of the referenced document (including any amendments) applies.

GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013, IDT)
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2016, IDT)
ISO/IEC 27001 Information security, cybersecurity and privacy protection - Information security management systems - Requirements

3 Terms and Definitions

The terms and definitions given in GB/T 29246-2017 apply to this document.

4 Context of the organization

4.1 Understanding the organization and its context

Required activity
The organization determines the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system (ISMS).

Explanation
As an integral function of the ISMS, the organization continually analyses itself and the environment surrounding it. This analysis is concerned with external and internal issues that in some way affect information security and how information security is managed, and that are relevant to the organization's objectives. Analysing these issues serves three purposes:
--- understanding the context in order to determine the scope of the ISMS;
--- analysing the context to determine risks and opportunities;
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 31496-2023_English be delivered?

Answer: Upon your order, we will start to translate GB/T 31496-2023_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 31496-2023_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 31496-2023_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version GB/T 31496-2023?

Answer: Yes. Except in special scenarios such as technical constraints or academic study, you should always prioritize purchasing the latest version GB/T 31496-2023, even if the enforcement date is in the future. Complying with the latest version means that, by default, it also complies with all the earlier versions, technically.