dc.description.abstract | ISO/IEC 27001 (referred to below as ISO 27001) is currently the most widely used standard for certifying information security management systems (ISMS) in every country. With the rapid development of information technology, the patterns of information use are constantly changing, for example the popularity of social networks, the development of cloud applications and the growth of mobile business. The information security threats we are about to face are becoming more complex and more varied. The International Standards Organization (ISO) revised the content of ISO 27001 and officially published the new version on October 10, 2013, so that every organization can respond to these changes in information security. Organizations that have already implemented ISO 27001:2005 need to complete the transition of their ISMS to the new version in order to keep their ISMS certification valid.
This research takes a government organization that passed the ISO 27001:2013 transition as a case study, analyzing the differences between the old and new versions of ISO 27001 and the actual operation of information security in practice. By identifying the management problems the organization faced during the transition and how they were solved, I hope to provide a reference for other organizations carrying out the transition, helping them keep their ISMS certification valid so that together we can build a complete safety net for government information security.
The research found that, in terms of the structure of the standard, the new version's adoption of the ISO Annex SL structure will benefit the integration of international standards in the future. In terms of controls, the 11 control domains, 39 categories and 133 controls of the old version became 14 control domains, 35 categories and 114 controls. Among these changes, the requirement for an overall evaluation of the organization is the most significant: organizations that have already implemented ISO 27001:2005 need to reassess their internal and external issues and the information security needs of interested parties from the perspective of organizational risk, so as to determine the scope of information security requirements that truly suits the organization. During the transition, the certification body, the information security consultant and the organization in this case held differing opinions on how to operate under the new version of the standard; only continuous communication and discussion could find the approach that truly fits the organization. In addition, implementing an ISMS does not mean that information security incidents will not happen. When an incident happens, it should be faced, handled and recorded, and the experience of handling it passed on, so that the organization's information security protection system is continuously strengthened.
| en_US |