GB/T 31496-2023_English: PDF (GB/T31496-2023)

Standard ID | Contents [version] | USD | [PDF] delivered in | Standard Title (Description) | Status | PDF
GB/T 31496-2023 | English | 764 | 6 days [Need to translate] | Information technology -- Security techniques -- Information security management systems -- Guidance | Valid | GB/T 31496-2023
GB/T 31496-2015 | English | RFQ | 7 days [Need to translate] | Information technology -- Security techniques -- Information security management system implementation guidance | Obsolete | GB/T 31496-2015
Standard ID | GB/T 31496-2023 (GB/T31496-2023)
Description (Translated English) | Information technology -- Security techniques -- Information security management systems -- Guidance
Sector / Industry | National Standard (Recommended)
Classification of Chinese Standard | L80
Classification of International Standard | 35.030
Word Count Estimation | 41,492
Date of Issue | 2023-05-23
Date of Implementation | 2023-12-01
Older Standard (superseded by this standard) | GB/T 31496-2015
Drafting Organization | China Electronics Standardization Research Institute, China Network Security Review Technology and Certification Center, China National Accreditation Center for Conformity Assessment, Hangzhou Anheng Information Technology Co., Ltd., PetroChina Changqing Petrochemical Branch, Tencent Cloud Computing (Beijing) Co., Ltd., CLP Great Wall Internet System Application Co., Ltd., Shanghai 30Guard Information Security Co., Ltd., Beijing Saixi Certification Co., Ltd., Xidian University, Heilongjiang Cyberspace Research Center, Beijing Information Security Evaluation Center, Chinese Academy of Sciences Software Institute, Chongqing University of Posts and Telecommunications, Anhui University of Science and Technology, Beijing Shenzhou Green League Technology Co., Ltd., China Comservice Consulting Design Research Institute Co., Ltd., Beijing Zhongke Weilan Technology Co., Ltd.
Administrative Organization | National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization | National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) | State Administration for Market Regulation, National Standardization Management Committee

Standard ID | GB/T 31496-2015 (GB/T31496-2015)
Description (Translated English) | Information technology -- Security techniques -- Information security management system implementation guidance
Sector / Industry | National Standard (Recommended)
Classification of Chinese Standard | L80
Classification of International Standard | 35.040
Word Count Estimation | 56,559
Date of Issue | 2015-05-15
Date of Implementation | 2016-01-01
Quoted Standard | GB/T 22080-2008; GB/T 29246-2012
Adopted Standard | ISO/IEC 27003-2010, IDT
Drafting Organization | China Electronics Standardization Academy
Administrative Organization | National Information Security Standardization Technical Committee
Regulation (derived from) | National Standard Announcement 2015 No. 15
Proposing organization | National Safety Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) | Administration of Quality Supervision, Inspection and Quarantine of People's Republic of China; Standardization Administration of China
Summary | This standard applies to the ISMS specification and design process, from initiation to the production of an implementation plan. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement the ISMS (referred to in this standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
GB/T 31496-2023: Information technology -- Security techniques -- Information security management systems -- Guidance
ICS 35.030
CCS L80
National Standards of People's Republic of China
Replacing GB/T 31496-2015
Information technology -- Security techniques
Information security management systems -- Guidance
(ISO/IEC 27003:2017, IDT)
Issued on 2023-05-23
Implemented on 2023-12-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of stakeholders
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Appendix A (informative) Policy framework
Bibliography
Foreword
This document was drafted in accordance with the rules given in GB/T 1.1-2020 "Directives for standardization -- Part 1: Rules for the structure and drafting of standardizing documents".
This document replaces GB/T 31496-2015 "Information technology -- Security techniques -- Information security management system implementation guidance". Compared with GB/T 31496-2015, apart from structural adjustments and editorial changes, the main technical changes are as follows:
--- The scope has been changed: explanation and guidance are now provided according to the requirements of GB/T 22080-2016;
--- The previous edition adopted a project approach, in which each project contained a series of activities. This revision no longer adopts the project approach; instead, guidance is provided for each requirement, regardless of the order in which the requirements are implemented.
This document is identical to ISO/IEC 27003:2017 "Information technology -- Security techniques -- Information security management systems -- Guidance".
The following minimal editorial change has been made to this document:
--- A note has been added to 4.2.
Please note that some contents of this document may be subject to patents. The issuing agency of this document assumes no responsibility for identifying such patents.
This document was proposed by, and is under the administration of, the National Information Security Standardization Technical Committee (SAC/TC 260).
This document was drafted by: China Electronics Standardization Research Institute, China Network Security Review Technology and Certification Center, China National Accreditation Center for Conformity Assessment, Hangzhou Anheng Information Technology Co., Ltd., PetroChina Changqing Petrochemical Branch, Tencent Cloud Computing (Beijing) Co., Ltd., China Power Great Wall Internet System Application Co., Ltd., Shanghai 30 Guardian Information Security Co., Ltd., Beijing Saixi Certification Co., Ltd., Xidian University, Heilongjiang Cyberspace Research Center, Beijing Information Security Evaluation Center, Institute of Software of the Chinese Academy of Sciences, Chongqing University of Posts and Telecommunications, Anhui Institute of Science and Technology, Beijing Shenzhou NSFOCUS Technology Co., Ltd., China Comservice Consulting Design Institute Co., Ltd., Beijing Zhongke Weilan Technology Co., Ltd.
The main drafters of this document: Wang Huili, Shangguan Xiaoli, Xu Yuna, Fu Zhigao, Ren Zejun, You Qi, Zhou Yachao, Zhao Lihua, Fan Bo, Min Jinghua, Zhang Dongju, Ma Wenping, Gan Lu, Li Yuan, Fang Zhou, Zhang Liwu, Liang Wei, Huang Yonghong, Zhang Heng, Cao Hao, Yin Xiaopeng, Song Xue, Gao Lifen, Chen Hong, Yang Mutian, Pei Xinping.
The release history of this document and of the documents it replaces is as follows:
--- First published in 2015 as GB/T 31496-2015;
--- This is the first revision.
Introduction
This document provides guidance on the information security management system (ISMS) requirements specified in GB/T 22080, together with the associated recommendations ("should"), possibilities ("can") and permissions ("may"). It is not the purpose of this document to provide general guidance on all aspects of information security.
Clauses 4 to 10 of this document mirror the structure of GB/T 22080-2016.
This document does not add any new requirements for an ISMS or for its related terms and definitions. Organizations should refer to the requirements of GB/T 22080 and the definitions of GB/T 29246. Organizations implementing an ISMS are under no obligation to follow the guidance in this document.
An ISMS emphasizes the importance of the following stages:
--- understanding the organization's needs and the necessity of establishing an information security policy and information security objectives;
--- assessing the organization's risks related to information security;
--- implementing and operating information security processes, controls and other risk treatment measures;
--- monitoring and reviewing the performance and effectiveness of the ISMS;
--- continual improvement.
Like other types of management systems, an ISMS includes the following key components:
a) policy;
b) personnel with defined responsibilities;
c) associated management processes:
1) policy establishment;
2) provision of awareness and competence;
3) planning;
4) implementation;
5) operation;
6) performance evaluation;
7) management review;
8) improvement;
d) documented information.
An ISMS also has other key components, such as:
e) information security risk assessment;
f) information security risk treatment, including the identification and implementation of controls.
This document is generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations should identify the parts of this document that apply to them according to their specific organizational context (see Clause 4 of GB/T 22080-2016). For example, some of the guidance may be more appropriate for large organizations, while for very small organizations (e.g., fewer than 10 people) some of it may be unnecessary or inappropriate.
The structure used to describe Clauses 4 to 10 is as follows:
--- Required activity: presents the key activities required by the corresponding clause of GB/T 22080;
--- Explanation: explains the meaning of the GB/T 22080 requirement;
--- Guidance: provides more detailed or supporting information for achieving the "required activity", including examples of implementation;
--- Other information: provides information that may be considered further.
GB/T 31496, GB/T 31497 and GB/T 31722 form a set of documents that support and provide guidance on GB/T 22080-2016. Among them, GB/T 31496 is a basic and comprehensive document that provides guidance on all requirements of GB/T 22080, but it does not describe "monitoring, measurement, analysis and evaluation" or information security risk management in detail. GB/T 31497 and GB/T 31722 focus on specific content and provide more detailed guidance on "monitoring, measurement, analysis and evaluation" and on information security risk management, respectively.
There are many places in GB/T 22080 where documented information is explicitly mentioned. Nonetheless, an organization may still determine that additional documented information is needed for the effectiveness of its management system, as part of its response to 7.5.1 b) of GB/T 22080-2016. In these cases, this document uses the wording "documented information about this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system [see 7.5.1 b) of GB/T 22080-2016]".
Information technology -- Security techniques
Information security management systems -- Guidance
1 Scope
This document provides explanation and guidance on GB/T 22080-2016.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes provisions of this document. For dated references, only the edition corresponding to the date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.
GB/T 22080-2016 Information technology -- Security techniques -- Information security management systems -- Requirements (ISO/IEC 27001:2013, IDT)
GB/T 29246-2017 Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary (ISO/IEC 27000:2016, IDT)
ISO/IEC 27001 Information technology, network security and privacy protection -- Information security management systems -- Requirements (Information … ments)
3 Terms and definitions
The terms and definitions given in GB/T 29246-2017 apply to this document.
4 Context of the organization
4.1 Understanding the organization and its context
Required activity
The organization determines the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its information security management system (ISMS).
Explanation
As an integral function of the ISMS, the organization continually analyses itself and the environment surrounding it. This analysis is concerned with internal and external issues that in some way affect information security and how information security is managed, and that are relevant to the organization's objectives.
Analysis of these issues serves three purposes:
--- understanding the context in order to determine the scope of the ISMS;
--- analysing the context in order to determine risks and opportunities;
......
GB/T 31496-2015
Information technology -- Security techniques -- Information security management system implementation guidance
ICS 35.040
L80
National Standards of People's Republic of China
Information technology -- Security techniques
Information security management system implementation guidance
(ISO/IEC 27003:2010, IDT)
Issued on 2015-05-15
Implemented on 2016-01-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
4.1 General structure of clauses
4.2 General structure of each clause
4.3 Diagrams
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
5.2 Clarify the organization's priorities to develop an ISMS
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
5.3.2 Define roles and responsibilities for the preliminary ISMS scope
5.4 Create the business case and the project plan for management approval
6 Defining ISMS scope, boundaries and ISMS policy
6.1 Overview of defining ISMS scope, boundaries and ISMS policy
6.2 Define organizational scope and boundaries
6.3 Define information and communication technology (ICT) scope and boundaries
6.4 Define physical scope and boundaries
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries
6.6 Develop the ISMS policy and obtain approval from management
7 Conducting information security requirements analysis
7.1 Overview of conducting information security requirements analysis
7.2 Define information security requirements for the ISMS process
7.3 Identify assets within the ISMS scope
7.4 Conduct an information security assessment
8 Conducting risk assessment and planning risk treatment
8.1 Overview of conducting risk assessment and planning risk treatment
8.2 Conduct risk assessment
8.3 Select the control objectives and controls
8.4 Obtain management authorization for implementing and operating an ISMS
9 Designing the ISMS
9.1 Overview of designing the ISMS
9.2 Design organizational information security
9.2.1 Design the final organizational structure for information security
9.2.2 Design a framework for documentation of the ISMS
9.2.3 Design the information security policy
9.2.4 Develop information security standards and procedures
9.3 Design ICT and physical information security
9.4 Design ISMS-specific information security
9.4.1 Plan for management reviews
9.4.2 Design the information security awareness, training and education program
9.5 Produce the final ISMS project plan
Annex A (informative) Checklist description
Annex B (informative) Roles and responsibilities for information security
Annex C (informative) Information about internal auditing
Annex D (informative) Structure of policies
Annex E (normative) Monitoring and measuring
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard is identical to ISO/IEC 27003:2010 "Information technology -- Security techniques -- Information security management system implementation guidance", adopted by the translation method.
This standard has made the following editorial change:
--- An introduction to the information security management system family of standards has been added to the introduction.
Some elements of this document may be subject to patents. The issuing body of this document does not assume responsibility for identifying these patents.
This standard was proposed by, and is under the administration of, the National Information Security Standardization Technical Committee (SAC/TC 260).
This standard was drafted by: China Electronics Standardization Institute, Shanghai 30 Guardian Information Security Co., Ltd., Shandong Computer Science Center, Heilongjiang Province Electronic Information Products Supervision and Inspection Institute, Beijing Information Security Evaluation Center, Great Wall Electric Internet System Co., Ltd.
The main drafters of this standard: Shang Xiaoli, Xu Yuna, fire Min Dong, Min Beijing, Zhao Zhang sector, Zhou Ming music, ark, Li Gang.
Introduction
The Information Security Management System family of standards (the ISMS family of standards) is a series of international standards on information security management systems developed by ISO/IEC JTC 1/SC 27. The ISMS family of standards is designed to help organizations of all types and sizes to develop and implement a framework for managing the security of their information assets, and to prepare for an independent assessment of the ISMS that protects organizational information (such as financial information, intellectual property, employee details, or information entrusted to the organization by customers or third parties).
The ISMS family of standards includes standards that: a) define the requirements for an ISMS and for the bodies certifying such systems; b) provide direct support, detailed guidance and/or interpretation for the overall "Plan-Do-Check-Act" (PDCA) processes and requirements; c) set out sector-specific guidelines for an ISMS; d) address conformity assessment of an ISMS.
Currently, the ISMS family of standards consists of the following standards:
--- GB/T 29246-2012/ISO/IEC 27000:2009 Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
--- GB/T 22080-2008/ISO/IEC 27001:2005 Information technology -- Security techniques -- Information security management systems -- Requirements
--- GB/T 22081-2008/ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of practice for information security management
--- GB/T 31497-2015/ISO/IEC 27004:2009 Information technology -- Security techniques -- Information security management -- Measurement
--- GB/T 31722-2015/ISO/IEC 27005:2008 Information technology -- Security techniques -- Information security risk management
--- GB/T 25067-2010/ISO/IEC 27006:2007 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
--- ISO/IEC 27007 Information technology -- Security techniques -- Guidelines for information security management systems auditing
--- ISO/IEC 27011:2008 Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
--- ISO/IEC 27013:2012 Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
--- ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security
--- ISO/IEC TR 27015:2012 Information technology -- Security techniques -- Information security management guidelines for financial services
This standard is one of the ISMS family of standards. Its purpose is to provide practical guidance for organizations developing an information security management system (ISMS) implementation plan in accordance with GB/T 22080-2008. In practice, an ISMS implementation is usually performed as a project.
The process described in this standard is intended to support the implementation of GB/T 22080-2008 (the relevant parts of Clauses 4, 5 and 7) and can be used for:
a) preparing to launch the organization's ISMS implementation plan, defining the organizational structure of the project, and obtaining management approval;
b) the critical activities of the ISMS project;
c) examples of meeting the requirements of GB/T 22080-2008.
By using this standard, the organization will be able to develop a process for information security management, giving stakeholders the assurance that risks to information assets are continually maintained within the acceptable information security boundaries defined by the organization.
This standard does not cover the operational activities and other ISMS activities, but it does cover the concepts of how to design those activities, which come into play once ISMS operation begins. These concepts lead to the final ISMS project implementation plan. The actual execution of the organization-specific part of the ISMS project is outside the scope of this standard.
The ISMS project should be executed using standard project management methodologies (for more information, see the ISO and ISO/IEC standards that address project management).
Information technology -- Security techniques
Information security management system implementation guidance
1 Scope
This standard, based on GB/T 22080-2008, focuses on the critical aspects needed for the successful design and implementation of an information security management system (ISMS). It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This standard is intended for use by organizations implementing an ISMS and applies to organizations of all sizes and types (e.g. commercial enterprises, government agencies, non-profit organizations). Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this standard apply to them and can be simplified. Large or complex organizations may find that a layered organizational structure or management system is needed to manage the activities in this standard effectively. However, whether the organization is large or small, this standard can be applied to plan the relevant activities.
This standard gives recommendations and explanations; it does not impose any requirements. It is intended to be used in conjunction with GB/T 22080-2008 and GB/T 22081-2008, but is not intended to modify and/or reduce the requirements specified in GB/T 22080-2008 or the recommendations provided in GB/T 22081-2008. Therefore, conformity to this standard should not be claimed.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including any amendments) applies to this document.
GB/T 22080-2008 Information technology -- Security techniques -- Information security management systems -- Requirements (ISO/IEC 27001:2005, IDT)
GB/T 29246-2012 Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary (ISO/IEC 27000:2009, IDT)
3 Terms and definitions
The terms and definitions given in GB/T 29246-2012 and GB/T 22080-2008, together with the following, apply to this document.
3.1
ISMS project
Structured activities undertaken by an organization to implement an ISMS.
4 Structure of this standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is usually performed as a project within the organization. This standard explains the ISMS implementation by focusing on the initiation of the project,
......