GB/T 22080-2016: Information technology -- Security techniques -- Information security management systems -- Requirements
ICS 35.040
L 80
National Standard of the People's Republic of China
Replaces GB/T 22080-2008
Information technology - Security techniques - Information security management systems - Requirements
(ISO/IEC 27001:2013, IDT)
Issued 2016-08-29
Implemented 2017-03-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Contents
Foreword III
Introduction IV
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Context of the organization 1
4.1 Understanding the organization and its context 1
4.2 Understanding the needs and expectations of interested parties 1
4.3 Determining the scope of the information security management system 1
4.4 Information security management system 2
5 Leadership 2
5.1 Leadership and commitment 2
5.2 Policy 2
5.3 Organizational roles, responsibilities and authorities 2
6 Planning 2
6.1 Actions to address risks and opportunities 2
6.2 Information security objectives and planning to achieve them 4
7 Support 4
7.1 Resources 4
7.2 Competence 4
7.3 Awareness 4
7.4 Communication 4
7.5 Documented information 5
8 Operation 5
8.1 Operational planning and control 5
8.2 Information security risk assessment 5
8.3 Information security risk treatment 6
9 Performance evaluation 6
9.1 Monitoring, measurement, analysis and evaluation 6
9.2 Internal audit 6
9.3 Management review 6
10 Improvement 7
10.1 Nonconformity and corrective action 7
10.2 Continual improvement 7
Appendix A (normative) Reference control objectives and controls 8
References 21
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 22080-2008 "Information technology - Security techniques - Information security management systems - Requirements".
Compared with GB/T 22080-2008, the main technical changes are as follows:
--- structural changes, see Appendix NA;
--- changes in terminology, see Appendix NB.
This standard is identical to ISO/IEC 27001:2013 "Information technology - Security techniques - Information security management systems - Requirements", adopted by the translation method.
The Chinese documents that correspond to the international documents normatively referenced in this standard are as follows:
--- GB/T 29246-2012 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2009, IDT)
This standard makes the following editorial changes:
--- informative Appendix NA added;
--- informative Appendix NB added.
Note that some elements of this document may be the subject of patent rights. The issuing bodies of this document bear no responsibility for identifying any such patents.
This standard is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: China Electronics Standardization Institute, CLP Great Wall Internet System Application Co., Ltd., China Information Security Certification Center, Shandong Provincial Institute of Standardization, Guangzhou 赛 Po Certification Center Services Ltd., Beijing Jiangnan Tian An Technology Co., Ltd., Shanghai three zero Guardian Information Security Co., Ltd., China National Accreditation Service for Conformity Assessment, Beijing Sunway Information Technology Co., Ltd., Heilongjiang Electronic Information Products Supervision and Inspection Institute, Zhejiang Yuanwang Electronics Co., Ltd., Hangzhou letter Technology Co., Ltd.
Main drafters of this standard: Shangguan Xiaoli, Xu Yuna, Min Jinghua, in particular, Wei, Lu Lvwen, Ni Wenjing, Wang Lianqiang, Yu Jingtao, Fu Zhi Gao, Zhao Yingqing, Lu Pu Ming, Wang Shuguang, Yu Zhonghua, Han Shuoxiang, Wei Jun, Cheng Yuqi, Kong Xianglin, Wu Minhua, Li Hua, Li Yang.
Standards previously issued that this standard replaces:
--- GB/T 22080-2008.
Introduction
0.1 General
This standard provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Adopting an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, its security requirements, the organizational processes used, and the size and structure of the organization. All of these influencing factors may change over time.
An information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives interested parties confidence that risks are adequately managed.
It is important that the information security management system is part of, and integrated with, the organization's processes and overall management structure, and that information security is considered in the design of processes, information systems and controls. It is expected that the implementation of an information security management system will be scaled in accordance with the needs of the organization.
This standard can be used by internal and external parties to assess the organization's ability to meet its own information security requirements.
The order in which requirements are presented in this standard does not reflect their importance or imply the order in which they are to be implemented. Clause numbering is provided for reference only.
ISO/IEC 27000 describes the overview and vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003 [2], ISO/IEC 27004 [3] and ISO/IEC 27005 [4]), together with related terms and definitions.
0.2 Compatibility with other management system standards
This standard applies the high-level structure, identical sub-clause titles, identical text, common terms and core definitions defined in Annex SL of the ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted Annex SL.
The common approach defined in Annex SL is useful for organizations that choose to operate a single management system that meets the requirements of two or more management system standards.
Information technology - Security techniques - Information security management systems - Requirements
1 Scope
This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements specified in this standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this standard.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
Note: Determining these issues refers to establishing the external and internal context of the organization considered in ISO 31000:2009 [5], 5.3.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system;
b) the requirements of these interested parties relevant to information security.
Note: The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) interfaces and dependencies between activities performed by the organization and those performed by other organizations.
The scope shall be available as documented information.
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system in accordance with the requirements of this standard.
5 Leadership
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement;
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
5.2 Policy
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security;
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization;
g) be available to interested parties, as appropriate.
5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this standard;
b) reporting on the performance of the information security management system to top management.
Note: Top management may also assign responsibilities and authorities for reporting on the performance of the information security management system within the organization.
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure that the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
The organization shall plan:
d) actions to address these risks and opportunities;
e) how to:
1) integrate and implement these actions into its information security management system processes;
2) evaluate the effectiveness of these actions.
6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria, including:
1) the risk acceptance criteria;
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system;
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1);
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of the risk analysis with the risk criteria established in 6.1.2 a);
2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.
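The following Python sketch is an added example, not part of the standard or this listing: it walks through the steps of 6.1.2 on a constructed four-entry risk register, with a made-up 5x5 consequence-by-likelihood scale and a made-up acceptance threshold standing in for the organization's own risk criteria.

```python
from dataclasses import dataclass

# 6.1.2 a) 1): risk acceptance criterion. Risks at or below this level are
# accepted. The threshold and the 1..5 scales are constructed for this example.
ACCEPTANCE_THRESHOLD = 6

@dataclass(frozen=True)
class Risk:
    """One identified information security risk (6.1.2 c))."""
    description: str
    owner: str            # risk owner (6.1.2 c) 2))
    property_at_risk: str # "confidentiality", "integrity" or "availability"
    consequence: int      # 1..5, potential consequence if it materializes (6.1.2 d) 1))
    likelihood: int       # 1..5, realistic likelihood of occurrence (6.1.2 d) 2))

def risk_level(risk: Risk) -> int:
    """6.1.2 d) 3): level of risk, here consequence x likelihood on the constructed scale."""
    for value in (risk.consequence, risk.likelihood):
        if not 1 <= value <= 5:
            raise ValueError("consequence and likelihood must be on the 1..5 scale")
    return risk.consequence * risk.likelihood

def evaluate(risks):
    """6.1.2 e): compare each risk with the acceptance criterion and prioritize
    those needing treatment, highest level first, ties broken by consequence."""
    needs_treatment = [r for r in risks if risk_level(r) > ACCEPTANCE_THRESHOLD]
    needs_treatment.sort(key=lambda r: (risk_level(r), r.consequence), reverse=True)
    accepted = [r for r in risks if risk_level(r) <= ACCEPTANCE_THRESHOLD]
    return needs_treatment, accepted

# Constructed sample register; names and scores are illustrative only.
SAMPLE_RISKS = [
    Risk("Backup media lost in transit", "Ops manager", "confidentiality", 4, 2),
    Risk("Unpatched web server compromised", "IT manager", "integrity", 5, 4),
    Risk("Single power feed to server room", "Facilities", "availability", 3, 2),
    Risk("Former staff retain VPN access", "HR manager", "confidentiality", 4, 3),
]

if __name__ == "__main__":
    treat, accept = evaluate(SAMPLE_RISKS)
    for r in treat:
        print(f"TREAT  level={risk_level(r):2d} {r.property_at_risk:<15} owner={r.owner:<12} {r.description}")
    for r in accept:
        print(f"ACCEPT level={risk_level(r):2d} {r.property_at_risk:<15} owner={r.owner:<12} {r.description}")
```

The prioritized list produced by evaluate() is the input that 6.1.3 takes up; the scale, the threshold and the register itself would be recorded as the documented information 6.1.2 calls for.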
6.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
Note 1: Organizations can design controls as required, or identify them from any source.
c) compare the controls determined in 6.1.3 b) with those in Appendix A and verify that no necessary controls have been omitted;
Note 2: Appendix A contains a comprehensive list of control objectives and controls. Users of this standard are directed to Appendix A to ensure that no necessary controls are overlooked.
Note 3: Control objectives are implicitly included in the controls chosen....