GB/T 38631-2020 English PDF

GB/T 38631-2020: Information technology - Security techniques - Sector-specific application of GB/T 22080 - Requirements
Status: Valid

Basic data

Standard ID: GB/T 38631-2020 (GB/T38631-2020)
Description (Translated English): Information technology - Security techniques - Sector-specific application of GB/T 22080 - Requirements
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 14,136
Date of Issue: 2020-04-28
Date of Implementation: 2020-11-01
Quoted Standard: GB/T 22080-2016; GB/T 22081-2016; GB/T 29246-2017
Adopted Standard: ISO/IEC 27009-2016, MOD
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration
Summary: This standard specifies the requirements when GB/T 22080 is applied to specific industries (fields, applications). This standard explains how to include supplementary requirements on the requirements of GB/T 22080, how to refine the requirements of GB/T 22080, and how to include controls or sets of controls outside of Appendix A of GB/T 22080-2016. This standard ensures that supplementary or detailed requirements do not conflict with the requirements of GB/T 22080. This standard applies to the formulation of specific industry standards related to GB/T 22080.

GB/T 38631-2020: Information technology - Security techniques - Sector-specific application of GB/T 22080 - Requirements


---This is a DRAFT version for illustration, not a final translation.

ICS 35.040
L80
National Standard of the People's Republic of China
Information technology - Security techniques - Sector-specific application of GB/T 22080 - Requirements
Issued 2020-04-28, implemented 2020-11-01
Issued by the State Administration for Market Regulation and the National Standardization Administration

Table of contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 General
4.2 Structure of this standard
4.3 Extending the requirements of GB/T 22080 or the controls of GB/T 22081
5 Supplement, refine or interpret the requirements of GB/T 22080
5.1 General
5.2 Supplementary requirements
5.3 Refined requirements
5.4 Interpreted requirements
6 Supplement or modify the guidelines of GB/T 22081
6.1 General
6.2 Supplementary guidelines
6.3 Modified guidelines
Appendix A (Normative appendix) Template for developing sector-specific standards related to GB/T 22080-2016 or GB/T 22081-2016
Appendix B (Informative appendix) Example of information security management system guidelines for the medical sector
References

1 Scope

This standard specifies the requirements for applying GB/T 22080 to specific sectors (fields, applications). It explains how to add supplementary requirements to the requirements of GB/T 22080, how to refine the requirements of GB/T 22080, and how to include controls or sets of controls outside Appendix A of GB/T 22080-2016. It ensures that supplementary or refined requirements do not conflict with the requirements of GB/T 22080. This standard applies to the development of sector-specific standards related to GB/T 22080.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
---GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013, IDT)
---GB/T 22081-2016 Information technology - Security techniques - Code of practice for information security controls (ISO/IEC 27002:2013, IDT)
---GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2016, IDT)

3 Terms and definitions

The terms and definitions given in GB/T 29246-2017 apply to this document.

3.1 Interpretation
An explanation of a requirement of GB/T 22080 in a sector-specific context, expressed in the form of requirements or guidelines. An interpretation does not delete or invalidate the requirement.

3.2 Refinement
A detailed description of a requirement of GB/T 22080 in a specific sector. A refinement does not delete or invalidate any requirement of GB/T 22080.

4 Overview

4.1 General

GB/T 22080 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. These requirements are generic and are intended to apply to organizations of all types, sizes and natures.

Note: ISO management system standards are developed in accordance with the ISO/IEC Directives, Part 1, Consolidated JTC 1 Supplement (2016).

GB/T 22081 provides guidelines for information security management practice, covering the selection, implementation and management of controls in the light of the organization's information security risk environment. The guide uses a hierarchical structure of clauses, control objectives, controls, implementation guidance and other information. The guidelines are generic and applicable to organizations of all types, sizes and natures.

The control objectives and controls of GB/T 22081 are listed in Appendix A of GB/T 22080-2016 as a normative appendix. GB/T 22080-2016 requires organizations to determine all controls necessary to implement the chosen information security risk treatment options [see 6.1.3b)], and to compare the controls determined in 6.1.3b) with those in Appendix A to verify that no necessary controls have been omitted [see 6.1.3c)].

With the wide adoption of GB/T 22080 and GB/T 22081 by enterprises, government agencies and non-profit organizations, it has become necessary to develop sector-specific standards. The main completed standards include:
---GB/T 32920, Information technology - Security techniques - Information security management for inter-sector and inter-organizational communications;
---ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002;
---ISO/IEC 27017, Code of practice for information security controls based on ISO/IEC 27002 for cloud services;
---ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.

Sector-specific standards need to remain consistent with the requirements of the information security management system. This standard specifies the relevant requirements from two aspects:
---how to supplement, refine or interpret the requirements of GB/T 22080 for a specific sector;
---how to supplement or modify the guidelines of GB/T 22081 for a specific sector.

This standard assumes that all requirements of GB/T 22080 that are not refined or interpreted, and all controls of GB/T 22081 that are not supplemented or modified, apply without change in the sector-specific context.

4.2 Structure of this standard

Chapter 5 provides requirements and guidelines on how to determine supplementary requirements, refine requirements or interpret the requirements of GB/T 22080. Chapter 6 provides requirements and guidelines on how to supplement or modify the control objectives, controls, implementation guidance or other information of GB/T 22081. Appendix A provides a template for use in sector-specific standards related to GB/T 22080 and/or GB/T 22081. Appendix B gives an example, following Appendix A, of information security management system guidelines for the medical sector.

This standard uses the following concepts to adapt the requirements of GB/T 22080 to a specific sector:
---Supplement: see 5.2
---Refinement: see 5.3
---Interpretation: see 5.4

This standard uses the following concepts to adapt the guidelines of GB/T 22081 to a specific sector:
---Supplement: see 6.2
---Modification: see 6.3

Note: Sector-specific guidelines developed in accordance with the requirements and guidelines of this standard cannot be published as a technical report, because the ISO/IEC Directives define a technical report as a document that contains no requirements. Any sector-specific standard developed on the basis of this standard, in particular Appendix A, will contain at least the minimum set of requirements (see 4.1 of the template in A.2).

4.3 Extending the requirements of GB/T 22080 or the controls of GB/T 22081

A sector-specific standard related to GB/T 22080 may extend GB/T 22080 or GB/T 22081 by incorporating into the sector requirements or guidelines that go beyond information security.

Example: ISO/IEC 27018:2014 Annex A contains a set of controls designed to protect personally identifiable information, thereby extending the scope of ISO/IEC 27018 beyond information security to also cover the protection of PII.

5 Supplement, refine or interpret the requirements of GB/T 22080

5.1 General

Figure 1 illustrates how sector-specific requirements related to GB/T 22080 are constructed.

The justification for excluding controls. Only one "should" is used in a control statement, so that the scope of the control is clear.

6.2 Supplementary guidelines

Supplementing the clauses, control objectives, controls, implementation guidance and other information of GB/T 22081 is permitted. Supplements to the clauses, control objectives, controls, implementation guidance and other information of GB/T 22081 should be made in accordance with the requirements and guidelines given in Appendix A.

Before specifying supplementary clauses, control objectives or controls, an organization developing a sector-specific standard related to GB/T 22080 should consider whether modifying the existing content of GB/T 22081 would achieve the desired result more effectively than supplementing sector-specific control objectives, controls, implementation guidance and other information on top of the existing content of GB/T 22081.

6.3 Modified guidelines

Modifying the clauses, control objectives, controls, implementation guidance and other information of GB/T 22081 is permitted. No modification shall delete, invalidate or weaken a control of GB/T 22081. Modifications to the clauses, control objectives, controls, implementation guidance and other information of GB/T 22081 should be made in accordance with the requirements and guidelines given in Appendix A.

Appendix A

(Normative appendix)
Template for developing sector-specific standards related to GB/T 22080-2016 or GB/T 22081-2016

A.1 Drafting instructions

The following format rules are used in A.2:
---Text in angle brackets < > is to be replaced with the appropriate sector-specific text. Example: for the telecommunications sector, the title of Chapter 4 of template A.2, "<Industry>-specific requirements...", becomes "Telecommunications industry-specific requirements...".
---Italic text in curly braces { } indicates how that part of the template is to be used; this text is to be deleted in the published sector-specific standard.
---Text without special formatting can be copied verbatim.

A.2 Template

0 Foreword

{Include: how the requirements and/or guidelines in this standard relate to the requirements specified in GB/T 22080 and the guidelines in GB/T 22081.}

1 Scope

{Include. A statement of the scope of application, which includes the relationship between this standard and GB/T 22080 and GB/T 22081.}

2 Normative references

{Insert relevant normative references, including GB/T 22080 and GB/T 22081.}

3 Terms and definitions

{Make sure GB/T 29246 is included.}

4 <Industry>-specific requirements related to GB/T 22080

{Insert the following text.}

4.1 Structure of this standard

This standard is an <industry> standard related to GB/T 22080.

{If the sector-specific standard has sector-specific clauses, control objectives or controls that supplement or modify GB/T 22081, insert the following text.}

See Appendix A for <industry>-specific reference control objectives and controls.

{If applicable, insert a subclause describing sector-specific ISMS issues.}

4.2 <Industry>-specific requirements

{Insert one of the following two paragraphs as appropriate.}

All requirements in Chapters 4 to 10 of GB/T 22080-2016 still apply.
{or}
All requirements in Chapters 4 to 10 of GB/T 22080-2016 that are not listed below still apply.

{Add the sector-specific requirements. For supplementary requirements, use the chapter (subchapter) number in the same format as GB/T 22080-2016, prefixed with the name of the national economic industry (see GB/T 4754-2017). When adding a requirement, first check whether it is related to an existing requirement in GB/T 22080-2016. If it is related, add the new requirement to the relevant chapter and number it in the proper order. If it is not related, place the supplementary requirement after the related requirements of GB/T 22080-2016 and introduce an appropriate new subchapter number within the chapter.}

{Insert the following text to indicate sector-specific requirements that supplement the requirements of GB/T 22080-2016.}

GB/T 22080-2016 requirement <Chapter (subchapter) number> is supplemented as follows:

{Insert the following text to indicate sector-specific requirements that refine the requirements of GB/T 22080-2016.}

GB/T 22080-2016 requirement <Chapter (subchapter) number> is refined as follows:

{Insert the following text to indicate sector-specific requirements that interpret the requirements of GB/T 22080-2016.}

GB/T 22080-2016 requirement <Chapter (subchapter) number> is interpreted as follows:

{Where possible, use italics to indicate the supplement, refinement or interpretation.}

{If the sector-specific standard has sector-specific controls, insert the following text.}

The requirement of 6.1.3c) in GB/T 22080-2016 is refined as follows:
Compare the controls determined in 6.1.3b) with those in Appendix A of GB/T 22080-2016 and Appendix A of this document, and verify that no necessary controls have been omitted.

The requirement of 6.1.3d) in GB/T 22080-2016 is refined as follows:
Produce a Statement of Applicability that contains:
---the necessary controls [see GB/T 22080-2016, 6.1.3b) and c)];
---the justification for selecting these controls (whether or not the necessary controls have been implemented);
---the justification for excluding controls from Appendix A of GB/T 22080-2016 or Appendix A of this document.

{To make certain specific controls mandatory, insert the following text after GB/T 22080-2016, 6.1.3d), and use an appropriate prefix, such as (mandatory), for the control number.}

The organization shall implement the mandatory controls identified for <industry>.

5 <Industry>-specific guidelines related to GB/T 22081-2016

{If the sector-specific standard has sector-specific clauses, control objectives, controls, implementation guidance or other information that supplement or modify GB/T 22081-2016, insert them in this chapter. Supplementary clauses, control objectives or controls are numbered in the same format as GB/T 22081-2016, prefixed with the name of the national economic industry (see GB/T 4754-2017). When supplementing or modifying the control objectives, controls, implementation guidance and/or other information of GB/T 22081-2016, first check whether they are related to existing control objectives, controls, implementation guidance and/or other information in GB/T 22081-2016. If related, add the supplementary or modified control objectives, controls, implementation guidance and/or other information to the relevant clause of GB/T 22081-2016 and number them accordingly. If not related, place the supplementary entry after the relevant clause, control objective or control of GB/T 22081-2016.}

{Insert the following text.}

All clauses, control objectives, controls, implementation guidance and other information of GB/T 22081-2016 that are not listed below still apply.

{Insert the following text to indicate sector-specific clauses that supplement GB/T 22081-2016.}

The clauses of GB/T 22081-2016 are supplemented as follows:

{Insert the following text after the appropriate clause to indicate sector-specific control objectives that supplement GB/T 22081-2016.}

The control objectives of GB/T 22081-2016 <Chapter number> [<Chapter title>] are supplemented as follows:

{Insert the following text after the appropriate control objective to indicate sector-specific controls that supplement GB/T 22081-2016. Ensure that the control objective reflects the supplementary sector-specific controls and that the supplement does not invalidate any existing control.}

The controls of GB/T 22081-2016 <Control objective number> [<Control objective title>] are supplemented as follows:

{When modifying control objectives, controls, implementation guidance or other information (for example, by modifying or adding to existing text), a new understanding in accordance with the requirements of GB/T 22081-2016 is required. Insert either of the following as needed to indicate a sector-specific modification of a control objective or control of GB/T 22081-2016.}

<Control objective number> [<Control objective title>] is modified as follows:
{or}
<Control number> [<Control title>] is modified as follows:

{If an existing control is not modified and only supplementary guidance is given, insert one of the following headings as necessary.}

The implementation guidance of GB/T 22081-2016 <Control number> [<Control title>] is supplemented as follows:

The other information of GB/T 22081-2016 <Control number> [<Control title>] is supplemented as follows:

{It is recommended to use italics to indicate supplementary or modified text.}

{If the sector-specific standard has sector-specific clauses, control objectives or controls that supplement or modify GB/T 22081-2016, construct a normative Appendix A in the same way as Appendix A of GB/T 22081-2016, using "shall" instead of "should" where applicable. The name and title of the appendix are as follows.}

Appendix A

(Normative appendix)
<Industry>-specific reference control objectives and controls

{Introduce Table A.1 below.}

The supplementary or modified control objectives and controls listed in Table A.1 are directly derived from and aligned with this standard, and are used in the context of GB/T 22080-2016, 6.1.3, as refined by this standard.
......
