資訊科技快速進步,雲端、大數據、物聯網等技術已經成為企業提升競爭力的利器。企業組織的資訊安全管理,是否跟上科技進步腳步進而升級,顯得格外重要。 本研究依據國際化標準組織(International Organization for Standardization,ISO)27001資訊安全管理系統(Information Security Management System,ISMS),以個案研究法,選擇以石化業個案公司之ISO 27001:2005升級轉版至ISO 27001:2013過程為例,透過文獻、檔案記錄、長期直接觀察與參與性觀察,深入瞭解資訊安全風險控管流程,可經由ISO 27001轉版升級達到何種改善精進的效果為研究目的。為此研究目的,研究首先彙整比較「個案公司對於舊版標準與新版標準ISMS之間作法差異」,接著分析「個案公司因應新版標準ISMS的風險管理施作流程」,最後再分析「個案公司轉版認證後,是否提升企業之資訊安全績效」。研究發現,轉版後的ISMS流程,加入外部及內部議題,可以刺激思考新的弱點與威脅,有助於提升企業資訊安全管理績效。建立可以量測之量化ISMS績效管理指標,能夠落實資安日常管理。 資訊安全管理是企業風險管理之一,透過ISMS制度,從制度面的管理著手,結合工作簽核流程,輔以技術面並進,更能有效強化資安防護能力。;An enterprise can be more competitive by utilizing the rapidly advanced information technologies including Cloud, Big Data and Internet of Things (IoT). To keep up with the modern technology for information security management is crucial to the future of the company. This study is based on the ISO (International Organization for Standardization) 27001 Information Security Management System (ISMS) and uses the case study method to examine the upgrade from the ISO 27001: 2005 version to the ISO 27001: 2013 one of the targeted petrochemical company. With data collected from literature reviews, archival records, long-term direct observations and participatory observations, we can understand more about the information security risk control process in order to improve ISMS. This study first, compared the differences between the old and the new version of ISMS, and then analyzed the case management process in response to the new ISMS version of risk management. The study finally analyzed whether the case company has enhanced its information security performance after the revision upgrade. The results show that the upgraded ISMS adding both external and internal issues can help identifying new weaknesses and threats to improve the performance of the information security management. The established measurable ISMS performance management indicators are also useful for daily management of the information security. Information security management is one critical aspect of the risk management of an enterprise. By implementing the ISMS system, combined with the work approval process and supplemented by technical advances, we can enhance our security capability more effectively.