List of standards applicable to an information security management system (ISO 27001)
Added on 30.10.2012

The ISO 27000 family comprises several standards that are all related to one another. They are:
 
1. ISO/IEC 27000:2009
“Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary”
Vocabulary standard.
 
2. ISO/IEC 27001:2005
“Information technology -- Security techniques -- Information security management systems – Requirements”
Standard used when auditing how the controls described in ISO/IEC 27002:2008 have been implemented. These two standards are mandatory for implementing, auditing and certifying an ISMS. A correct implementation must, however, also take into account the remaining standards of the same family, because they elaborate on certain aspects of the ISO 27001/27002 requirements.
 
3. ISO/IEC 27002:2008
“Information technology -- Security techniques -- Code of practice for information security management”
Standard that defines the security objectives an organization must achieve by applying 133 concrete security controls. It is the standard used in implementing the ISMS.
4. ISO/IEC 27005:2008
“Information technology -- Security techniques -- Information security risk management”
Standard originating from the ISO 13335 family and from several of the risk-calculation methodologies; it identifies a list of possible vulnerabilities and threats.
5. ISO/IEC FCD 27003
“Information technology -- Security techniques -- Information security management system implementation guidance”;
Standard (not yet finalized) intended to be an implementation guide for the ISMS.
 
6. ISO/IEC 27006:2007
“Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems”
Standard used in accrediting certification bodies.
 
Besides the ISO 27000 family there is also a series of specific standards, each of which elaborates on one control or one group of controls described in ISO/IEC 27002. Among these I list here only:
- ISO/IEC TR 18044:2004 -- Security techniques -- Information security incident management
- ISO/IEC 18028-1:2006 -- IT network security -- Part 1: Network security management
- ISO/IEC 18028-2:2006 -- IT network security -- Part 2: Network security architecture
- ISO/IEC 18028-3:2005 -- IT network security -- Part 3: Securing communications between networks using security gateways
- ISO/IEC 18028-4:2005 -- IT network security -- Part 4: Securing remote access
- ISO/IEC 18028-5:2006 -- IT network security -- Part 5: Securing communications across networks using virtual private networks
- ISO/IEC 24762:2008 -- Security techniques -- Guidelines for information and communications technology disaster recovery services
 
Note.
For certain critical sectors (as defined in ISO/IEC 27006), specific standards have been developed for applying information security controls in that sector:
- ISO/IEC 27011:2008 -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/TR 13569:2005 -- Financial services -- Information security guidelines
- ISO 27799:2008 -- Health informatics -- Information security management in health using ISO/IEC 27002
