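|Abstract: ||The ISO/IEC 27001 international standard (hereafter ISO 27001) is currently the information security management system (ISMS) certification standard most widely adopted by countries around the world. With the rapid development of information technology, new forms of information application keep emerging, such as the spread of social networking sites, the growth of cloud applications and the boom in mobile commerce, and the information security threats that organizations face are becoming increasingly complex and varied. To help organizations respond to these changes in information security, the International Standards Organization (ISO) revised and updated the content of ISO 27001 and formally published it on October 1, 2013. Organizations that had already implemented ISO 27001:2005 must complete the ISMS transition within a two-year grace period to keep their ISMS certification continuously valid.|
This study takes a government agency that has passed the ISO 27001:2013 transition as its example. From a case-study perspective it analyzes the differences between the old and new ISO 27001 standards and the information security controls applied in practice, and identifies the management problems the organization faced during the transition and how they were solved. It is intended as an operational reference for organizations carrying out the transition, helping them maintain valid ISMS certification and jointly build a sound government information security protection network.
The case study found that, in terms of standard structure, the new standard adopted by the case agency follows ISO Annex SL, which facilitates future integration among international standards. In terms of control domains, this revision changes the old standard's 11 control domains, 39 control objectives and 133 controls into 14 control domains, 35 control objectives and 114 controls, with the requirement to assess the context of the organization being a major change. Organizations such as the case agency that had previously implemented ISO 27001:2005 need to re-evaluate, from the perspective of organizational risk and as a whole, internal and external issues and the information security needs of interested parties, in order to determine the scope that truly meets the organization's information security requirements. During the transition, the certification body, the information security consultants and the case agency did not fully agree on how to apply the new standard; only continual communication and discussion can find the approach that truly suits the organization. Implementing an ISMS does not mean that security incidents will no longer occur. When an incident occurs, the organization should face it, handle it and record it, and pass on the incident-handling experience, so that its information security defenses can be continuously and effectively strengthened.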
The ISO/IEC 27001 international standard (referred to below as ISO 27001) is currently the most widely used information security management system verification standard across countries. With the rapid development of information technology, patterns of information application are constantly innovating, for example the popularity of social networks, the development of cloud applications and the vitality of mobile business. The information security threats that we face are becoming much more complicated and varied. The International Standards Organization (ISO) revised and renewed the content of ISO 27001 and officially published it on October 10, 2013, so that every organization could deal with the changes in information security. Organizations that have implemented ISO 27001:2005 need to complete the ISMS version transition to maintain the continuing effectiveness of their ISMS certification.
This research uses a government organization that passed the ISO 27001:2013 version transition as an example to analyze, from the angle of a case study, the differences between the new and old ISO 27001 and the actual operation of information security. By finding the management problems that the organization faced in the process of version transition, and their solutions, I hope to provide every organization with an operational reference for implementing the version transition. This can help organizations maintain effective ISMS certification, so that together we can build a complete safety net for government information security.
The research found that, in the structure of the standard, the new version's use of ISO Annex SL benefits the future integration of international standards. In the field of control, 11 control fields, 39 categories and 133 controls became 14 control fields, 35 categories and 114 controls. Among these changes, the requirement to evaluate the organization's context is the significant one. Organizations that already implemented ISO 27001:2005 need to reassess, overall and from the angle of organizational risk, internal and external issues and the information security demands of interested parties, so that they can determine the scope of information security requirements that really suits the organization. In the process of version transition, the certification body, the information security consultant and the organization in this case held different opinions on how to operate the new version of the standard. Only constant communication and discussion could find the way that really suits the organization. In addition, implementing an ISMS does not mean that information security events will not happen. When an information security event happens, we should face it, deal with it and record it, and then pass on the experience of dealing with it, so that we can constantly and effectively strengthen the organization's information security protection system.