Search result: GB/T 32916-2023

| Standard ID | Contents [version] | USD | [PDF] delivered in | Standard Title (Description) | Status | PDF |
|---|---|---|---|---|---|---|
| GB/T 32916-2023 | English | 1799 | 10 days [Need to translate] | Information security techniques - Guidelines for the assessment of information security controls | Valid | GB/T 32916-2023 |

| Field | Value |
|---|---|
| Standard ID | GB/T 32916-2023 (GB/T32916-2023) |
| Description (Translated English) | Information security techniques - Guidelines for the assessment of information security controls |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.030 |
| Word Count Estimation | 90,967 |
| Date of Issue | 2023-09-07 |
| Date of Implementation | 2024-04-01 |
| Older Standard (superseded by this standard) | GB/Z 32916-2016 |
| Issuing agency(ies) | State Administration for Market Regulation, National Standardization Administration |
GB/T 32916-2023 Information security technology - Guidelines for the assessment of information security controls

ICS 35.030
CCS L80

National Standard of the People's Republic of China

Replaces GB/Z 32916-2016

Information security technology
Guidelines for the assessment of information security controls

Issued on 2023-09-07
Implemented on 2024-04-01

Issued by the State Administration for Market Regulation and the National Standardization Administration
Table of contents

Preface ... III
Introduction ... IV
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Structure of this document ... 1
5 Background ... 1
6 Overview of information security control assessment ... 2
6.1 Assessment process ... 2
6.2 Resources and capabilities ... 4
7 Assessment methods ... 5
7.1 General ... 5
7.2 Process analysis ... 6
7.3 Examination ... 6
7.4 Testing and validation ... 7
7.5 Sampling ... 8
8 Control assessment process ... 8
8.1 Preparation ... 8
8.2 Planning the assessment ... 9
8.3 Conducting the assessment ... 13
8.4 Analysing and reporting results ... 14
Appendix A (informative) Initial information gathering (other than information technology) ... 15
Appendix B (informative) Practical guide to technical security assessment ... 18
Appendix C (informative) Technical assessment guide for cloud services (infrastructure as a service) ... 50
Appendix NA (informative) Correspondence between the controls of GB/T 22081-2016 and ISO/IEC 27002:2022 ... 79
References ... 84
Preface

This document was drafted in accordance with the rules given in GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".

This document replaces GB/Z 32916-2016 "Information technology - Security techniques - Guidelines for auditors on information security controls". Compared with GB/Z 32916-2016, in addition to structural adjustments and editorial changes, the main technical change is as follows:
---An introduction to sampling has been added to the assessment methods (see 7.5).

This document is equivalent to ISO/IEC TS 27008:2019 "Information technology - Security techniques - Guidelines for the assessment of information security controls"; the document type has been changed from an ISO/IEC technical specification to a national standard of China.

The following minimal editorial changes have been made:
a) To align with existing standards, the title has been changed to "Information security technology - Guidelines for the assessment of information security controls";
b) Appendix NA has been added.

Please note that some of the content of this document may be subject to patents. The issuing body of this document assumes no responsibility for identifying such patents.

This document was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).

This document was drafted by: Beijing Saixi Certification Co., Ltd., China Electronics Technology Standardization Institute, China National Accreditation Service for Conformity Assessment, Beijing Times Xinwei Information Technology Co., Ltd., Huawei Technologies Co., Ltd., Changyang Technology (Beijing) Co., Ltd., Beijing Shenzhou NSFOCUS Technology Co., Ltd., Shenzhen Hongtu Technology Co., Ltd., Midea Group Co., Ltd., China Software Evaluation Center (Software and Integrated Circuit Promotion Center of the Ministry of Industry and Information Technology), Hangzhou Anheng Information Technology Co., Ltd., National Computer Network Emergency Response Technology Coordination Center, State Grid Xinjiang Electric Power Co., Ltd. Electric Power Research Institute, Xi'an Jiaotong University Jiepu Network Technology Co., Ltd., Beijing Tiandi Hexing Technology Co., Ltd., Hangzhou Qulian Technology Co., Ltd., Zhejiang Electronic Information Products Inspection Institute, Yuanjiang Shengbang (Beijing) Network Security Technology Co., Ltd., Shaanxi Provincial Network and Information Security Evaluation Center, Beijing Kingsoft Cloud Network Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Beijing University of Posts and Telecommunications, Hangzhou Zhongzheng Testing Technology Co., Ltd., Mashang Consumer Finance Co., Ltd., Institute of Information Engineering of the Chinese Academy of Sciences, Zhiwang Anyun (Wuhan) Information Technology Co., Ltd., Venus Information Technology Group Co., Ltd., and Xi'an University of Posts and Telecommunications.

The main drafters of this document: Han Shuoxiang, Zhao Lihua, Fu Zhigao, Huang Junmei, Wang Huili, Zhou Xiaoyu, Liu Haijun, Zhao Hua, Wang Ling, Liu Fengsong, Ye Jianwei, Huang Pengcheng, Zhang Liangliang, Li Chunqi, Yu Zhengchen, Li Haotian, Liang Wei, Zhang Shijie, He Chuangxin, Zhang Jie, Xiong Weijun, Wang Bingzheng, Cai Beifang, Wang Wenlei, Zou Zhenwan, Yang Kun, He Jianfeng, Liu Lenong, Wei Zunbo, Yin Xiaodong, Wang Jing, Hang Xiao, Yu Lifang, Xie Jiang, Wang Dongbin, Cao Yu, Liu Zhiqiang, Han Dongxu, Wang Yanqing, Wang Hongliang, Zhu Zhixiang, Zheng Kun, Zhang Qiang, Gao Zhenzhen, Lu Yueming, Tian Lidan, Quan Xiaowen.

The release history of this document and the previous edition it replaces is as follows:
---First published in 2016 as GB/Z 32916-2016;
---This is the first revision.
Introduction

This document supports the information security risk management process given in GB/T 22080-2016 and the associated set of information security controls.

Information security controls should be suitable, effective and efficient. This document describes how to assess an organization's information security controls, with reference to its information security risks and other objectives, in order to confirm that they are suitable, effective and efficient, or to identify where changes (improvement opportunities) are needed. The ultimate aim of information security controls as a whole is to adequately mitigate, in a cost-effective and business-aligned manner, the information security risks that the organization considers unacceptable and unavoidable. This document provides the flexibility needed to tailor the required assessment activities to business missions and objectives, organizational policies and requirements, identified threats and vulnerabilities, operational considerations, information system and platform dependencies, and organizational risk considerations.

For guidelines on auditing information security management systems, see GB/T 28450-2020; for requirements for bodies providing audit and certification of information security management systems, see GB/T 25067-2020.

Note: "Information security control measures" and "information security controls" are used interchangeably in this document. For the definition of "control", see GB/T 29246-2017.
Information security technology
Guidelines for the assessment of information security controls

1 Scope

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, against the information security requirements and technical assessment criteria established by the organization.

This document provides guidance on how to assess information security controls managed by an information security management system as specified in ISO/IEC 27001.

This document is applicable to organizations of all types and sizes that conduct information security reviews and technical compliance checks.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes provisions of this document. For dated references, only the edition cited applies to this document; for undated references, the latest edition of the referenced document (including any amendments) applies to this document.

GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2016, IDT)

3 Terms and definitions

The terms and definitions given in ISO/IEC 27000 apply to this document.

4 Structure of this document

This document describes the process for assessing information security controls, including technical assessment.
Clause 5 provides background information.
Clause 6 gives an overview of information security control assessment.
Clause 7 introduces the assessment methods.
Clause 8 describes the information security control assessment process.
Appendix A gives guidance on initial information gathering.
Appendix B gives guidance on technical assessment.
Appendix C gives guidance on the technical assessment of cloud services.
Appendix NA gives the correspondence between the controls in GB/T 22081-2016 and ISO/IEC 27002:2022.

5 Background

Information security controls are the main means of treating unacceptable information security risks and keeping them within the organization's acceptable risk level.