
GB/T 22080-2025 (GB/T 22080-2016) PDF English

GB/T 22080-2016: Information technology -- Security techniques -- Information security management systems -- Requirements
Status: Valid

GB/T 22080: Historical versions

Standard ID        USD   PDF delivery       Standard title (description)                                                                                   Status
GB/T 22080-2025    444   4 days             Cybersecurity technology - Information security management systems - Requirements                              Valid
GB/T 22080-2016    150   Auto, 9 seconds    Information technology -- Security techniques -- Information security management systems -- Requirements      Valid
GB/T 22080-2008    RFQ   4 days             Information technology -- Security techniques -- Information security management systems -- Requirements      Obsolete


GB/T 22080-2016: Information technology -- Security techniques -- Information security management systems -- Requirements


Information technology - Security techniques - Information security management systems - Requirements

ICS 35.040
L80

National Standard of the People's Republic of China
GB/T 22080-2016, replacing GB/T 22080-2008
(ISO/IEC 27001:2013, IDT)

Issued 2016-08-29; implemented 2017-03-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Organizational environment
  4.1 Understanding the organization and its environment
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the information security management system
  4.4 Information security management system
5 Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organizational roles, responsibilities and authorities
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 Information security objectives and planning to achieve them
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8 Operation
  8.1 Operational planning and control
  8.2 Information security risk assessment
  8.3 Information security risk treatment
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement
Appendix A (normative) Reference control objectives and controls
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard replaces GB/T 22080-2008 "Information technology - Security techniques - Information security management systems - Requirements". Compared with GB/T 22080-2008, the main technical changes are as follows:
--- structural changes, see Appendix NA;
--- changes in terminology, see Appendix NB.

This standard is identical to ISO/IEC 27001:2013 "Information technology - Security techniques - Information security management systems - Requirements", adopted by the translation method.

The Chinese document that corresponds to the international document normatively referenced in this standard is:
--- GB/T 29246-2012 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2009, IDT)

This standard makes the following editorial changes:
--- informative Appendix NA added;
--- informative Appendix NB added.

Please note that some of the content of this document may be the subject of patents. The issuing bodies of this document bear no responsibility for identifying any such patents.

This standard was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this standard: China Electronics Standardization Institute, CLP Great Wall Internet System Application Co., Ltd., China Information Security Certification Center, Shandong Provincial Institute of Standardization, Guangzhou Saibao Certification Center Services Ltd., Beijing Jiangnan Tian An Technology Co., Ltd., Shanghai Sanzero Guardian Information Security Co., Ltd., China National Accreditation Service for Conformity Assessment, Beijing Sunway Information Technology Co., Ltd., Heilongjiang Electronic Information Products Supervision and Inspection Institute, Zhejiang Yuanwang Electronics Co., Ltd., Hangzhou letter Technology Co., Ltd.

Main drafters of this standard: Shangguan Xiaoli, Xu Yuna, Min Jinghua, in particular, Wei, Lu Lvwen, Ni Wenjing, Wang Lianqiang, Yu Jingtao, Fu Zhi Gao, Zhao Yingqing, Lu Pu Ming, Wang Shuguang, Yu Zhonghua, Han Shuoxiang, Wei Jun, Cheng Yuqi, Kong Xianglin, Wu Minhua, Li Hua, Li Yang.

The previous edition replaced by this standard is:
--- GB/T 22080-2008.

Introduction

0.1 General

This standard provides requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, its security requirements, the organizational processes used, and the size and structure of the organization. All of these influencing factors may change over time.

An information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives interested parties confidence that risks are adequately managed.

It is important that the information security management system is part of, and integrated with, the organization's processes and overall management structure, and that information security is considered in the design of processes, information systems and controls. It is expected that the implementation of an information security management system is scaled in accordance with the needs of the organization.

This standard can be used by internal and external parties to assess the organization's ability to meet its own information security requirements.

The order in which requirements are presented in this standard does not reflect their importance or imply the order in which they are to be implemented. Clause numbers are provided for reference purposes only.

ISO/IEC 27000 describes the overview and vocabulary of information security management systems, referencing the family of information security management system standards (including ISO/IEC 27003 [2], ISO/IEC 27004 [3] and ISO/IEC 27005 [4]), with related terms and definitions.

0.2 Compatibility with other management system standards

This standard applies the high-level structure, identical sub-clause titles, identical text, common terms and core definitions defined in Annex SL of the ISO/IEC Directives (Consolidated ISO Supplement), and therefore maintains compatibility with other management system standards that have adopted Annex SL. The common approach defined in Annex SL is useful for organizations that choose to operate a single management system that meets the requirements of two or more management system standards.

1 Scope

This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this standard are generic and are intended to apply to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Chapters 4 to 10 is not acceptable when an organization claims conformity to this standard.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including any amendments) applies to this document.

ISO/IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary

3 Terms and definitions

The terms and definitions given in ISO/IEC 27000 apply to this document.

4 Organizational environment

4.1 Understand the organization and its environment

The organization shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
Note: Determining these issues refers to establishing the external and internal context of the organization, as considered in ISO 31000:2009 [5], 5.3.

4.2 Understand the needs and expectations of interested parties

The organization shall determine:
a) the interested parties that are relevant to the information security management system;
b) the requirements of these interested parties that are relevant to information security.
Note: The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determine the scope of the information security management system

The organization shall determine the boundaries and applicability of the information security management system in order to establish its scope. When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) the interfaces and dependencies between activities performed by the organization and those performed by other organizations.
The scope shall be available as documented information.

4.4 Information security management system

The organization shall establish, implement, maintain and continually improve an information security management system in accordance with the requirements of this standard.

5 Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement;
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy

Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security;
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization;
g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this standard;
b) reporting on the performance of the information security management system to top management.
Note: Top management may also assign responsibilities and authorities for reporting the performance of the information security management system within the organization.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2, and determine the risks and opportunities that need to be addressed to:
a) ensure that the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
The organization shall plan:
d) actions to address these risks and opportunities;
e) how to:
  1) integrate and implement these actions into its information security management system processes;
  2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria, including:
  1) the risk acceptance criteria;
  2) the criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
  1) apply the information security risk assessment process to identify the risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system;
  2) identify the risk owners;
d) analyses the information security risks:
  1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
  2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1);
  3) determine the levels of risk;
e) evaluates the information security risks:
  1) compare the results of the risk analysis with the risk criteria established in 6.1.2 a);
  2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment

The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
Note 1: Organizations can design controls as required, or identify them from any source.
c) compare the controls determined in 6.1.3 b) with those in Appendix A and verify that no necessary controls have been omitted;
Note 2: Appendix A contains a comprehensive list of control objectives and controls. Users of this standard are directed to Appendix A to ensure that no necessary controls are overlooked.
Note 3: Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Appendix A are not exhaustive, and additional control objectives and controls may be needed.
d) produce a Statement of Applicability that contains the necessary controls [see 6.1.3 b) and c)], the justification for their inclusion (whether they are implemented or not), and the justification for the exclusion of controls from Appendix A;
e) formulate an information security risk treatment plan;
f) obtain the risk owners' approval of the information security risk treatment plan and their acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk treatment process.
Note 4: The information security risk assessment and treatment process in this standard is aligned with the principles and generic guidelines provided in ISO 31000 [5].

6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements and the results of risk assessment and risk treatment;
d) be communicated;
e) be updated as appropriate.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed;
j) how the results will be evaluated.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

7.2 Competence

The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
d) retain appropriate documented information as evidence of competence.
Note: Applicable actions may include, for example, the provision of training to, the mentoring of, or the re-assignment of current employees, or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization's control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance;
c) the implications of not conforming with the information security management system requirements.

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the information security management system, including:
a) what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate;
e) the processes by which communication shall be effected.

7.5 Documented information

7.5.1 General

The organization's information security management system shall include:
a) the documented information required by this standard;
b) the documented information determined by the organization as being necessary for the effectiveness of the information security management system.
Note: The extent of documented information for an information security management system can differ from one organization to another due to:
1) the size of the organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions;
3) the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information, the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the information security management system and by this standard shall be controlled to ensure that:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control);
f) retention and disposition.
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate and controlled.
Note: Access implies a decision regarding permission to view the documented information only, or permission and authority to view and change the documented information.

8 Operation

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet its information security requirements and to implement the actions determined in 6.1. The organization shall also implement plans to achieve the information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects as necessary.
The organization shall ensure that outsourced processes are determined and controlled.

8.2 Information security risk assessment

The organization shall perform information security risk assessments at planned intervals, or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organization shall retain documented information of the results of the information security risk assessments.

8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.

9 Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall evaluate the information security performance and the effectiveness of the information security management system.
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
Note: The methods selected should produce comparable and reproducible results in order to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

9.2 Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to:
  1) the organization's own requirements for its information security management system;
  2) the requirements of this standard;
b) is effectively implemented and maintained.
The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure the objectivity and impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management;
g) retain documented information as evidence of the audit programme(s) and the audit results.

9.3 Management review

Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
  1) nonconformities and corrective actions;
  2) monitoring and measurement results;
  3) audit results;
  4) fulfilment of information security objectives;
d) feedback from interested parties;
e) the results of risk assessment and the status of the risk treatment plan;
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.

10 Improvement

10.1 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:
a) react to the nonconformity and, as applicable:
  1) take action to control and correct it;
  2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of the nonconformity, so that it does not recur or occur elsewhere, by:
  1) reviewing the nonconformity;
  2) determining the causes of the nonconformity;
  3) determining whether similar nonconformities exist or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken;
g) the results of any corrective action.

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

Appendix A
(normative)
Reference control objectives and controls

The control objectives and controls listed in Table A.1 are directly derived from, and aligned with, those listed in GB/T 22081-2016 [1], Chapters 5 to 18, and are to be used in the context of 6.1.3.

Table A.1 Control objectives and controls

A.5 Information security policies

A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, and published and communicated to employees and relevant external parties.
A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.

A.6 Organization of information security

A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.
A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
A.6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
A.6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups, other specialist security forums and professional associations shall be maintained.
A.6.1.5 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of project.

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and of the use of mobile devices.
A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by the use of mobile devices.
A.6.2.2 Remote wo... ......

Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.