ISO/IEC 27001:2022 Changes and Their Possible Impact


1. Background

With the publication of ISO/IEC 27001:2022 on 25 October 2022, organizations gained many new ideas and practices for managing information security risk within their information security management.




2. Main changes

ISO/IEC 27001:2022 is not a comprehensive revision.

The main changes include the following:

- Annex A references the information security controls in ISO/IEC 27002:2022, including the control titles and the control text.

- The note to 6.1.3 c) has been editorially revised, including deletion of the control objectives and replacement of “controls” with “information security controls”.

- The wording of 6.1.3 d) has been reorganized to eliminate potential ambiguity.

Note 1. Compared with the previous edition, Annex A of ISO/IEC 27001:2022 changes as follows:

    - Number of information security controls: the number of controls is reduced from 114 controls in 14 clauses to 93 controls in 4 clauses. Within Annex A of ISO/IEC 27001:2022, 11 controls are new, 24 controls are merged from existing controls, and 58 controls are updated.

    - Structure of information security controls: “attributes” and “purpose” are introduced for each control, and “objectives” are no longer used for a group of controls.




The following lists, clause by clause, all the changes between ISO/IEC 27001:2013 and ISO/IEC 27001:2022.

Clause 1 Scope

The three references to ‘International Standard’ appearing in ISO/IEC 27001:2013 have been replaced by ‘document’. Otherwise, the wording is unchanged.
Clause 2 Normative references

The first sentence of this clause has been rewritten.

Was: ‘The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application’.

Now: ‘The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document.’

The remainder of the paragraph is unchanged.
Clause 3 Terms and definitions

New text has been added at the end of the existing clause 3 as follows:

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

-  ISO Online browsing platform: available at https://www.iso.org/obp

-  IEC Electropedia: available at https://www.electropedia.org/
Clause 4 Context of the organization

4.1 Understanding the organization and its context

Note – the note is changed to reflect the revised structure of the latest edition of ISO 31000.

Was: Determining these issues refers to establishing the external and internal context of the organization considered in clause 5.3 of ISO 31000:2009.

Now: clause 5.4.1 of ISO 31000:2018, ‘Understanding the organization and its context’.

When designing the risk management framework, the organization should examine and understand its external and internal context.

Examining the organization's external context may include, but is not limited to:
- social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
- key drivers and trends affecting the objectives of the organization;
- the relationships, perceptions, values, needs and expectations of external stakeholders;
- contractual relationships and commitments;
- the complexity of networks and dependencies.

Examining the organization's internal context may include, but is not limited to:
- vision, mission and values;
- governance, organizational structure, roles and accountabilities;
- strategy, objectives and policies;
- the organization's culture;
- standards, guidelines and models adopted by the organization;
- capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
- data, information systems and information flows;
- relationships with internal stakeholders, taking into account their perceptions and values;
- contractual relationships and commitments;
- interdependencies and interconnections.

4.2 Understanding the needs and expectations of interested parties

Existing bullet b) has been divided into two bullets, b) and c).

Was:
b) the requirements of these interested parties relevant to information security

Now:
b) the relevant requirements of interested parties;

c) which of these requirements will be addressed through the information security management system.

In the note to 4.2, ‘may include legal and regulatory requirements’ becomes ‘can include legal and regulatory requirements’.
4.3 Determining the scope of the information security management system

No change.
4.4 Information security management system

Additional text, shown <in brackets>, is included to reference more explicitly the need for a process approach.

The organization shall establish, implement, maintain and continually improve an information security management system, <including the processes needed and their interactions>, in accordance with the requirements of this document.
Clause 5 Leadership

5.1 Leadership and commitment

Requirements unchanged; a new note is added:

Note – Reference to business in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.
5.2 Policy

No changes other than ‘; and’ being removed at the end of bullets c) and f).
5.3 Organizational roles, responsibilities and authorities

Paragraph 1 – ‘assigned and communicated’ becomes ‘assigned and communicated within the organization’.

In bullet a), ‘this International Standard’ is replaced by ‘this document’.

In the note, ‘top management may also’ becomes ‘top management can also’.
Clause 6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

No change.

6.1.2 Information security risk assessment

No change.
6.1.3 Information security risk treatment

The note under bullet b) in the 2013 edition is unchanged but renamed NOTE 1.

The existing NOTE 1 under bullet c) in the 2013 edition is changed from:

‘Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked’

to

‘NOTE 2 – Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure no necessary information security controls are overlooked.’

The existing NOTE 2 under bullet c) in the 2013 edition is changed from:

‘Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed’

to

‘NOTE 3 – The information security objectives listed in Annex A are not exhaustive and additional information security controls can be included if needed’.

Bullet d) – ‘Statement of Applicability’ is amended.

Was: ‘Produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusion of controls from Annex A’.

Now: Produce a Statement of Applicability that contains:

-  the necessary controls (see 6.1.3 b) and c));

-  justification for their inclusion;

-  whether the necessary controls are implemented or not; and

-  the justification for excluding any Annex A controls.

In NOTE 4, ‘this International Standard’ is replaced by ‘this document’.

6.2 Information security objectives and planning to achieve them

New bullet d) ‘be monitored’ is added.

Existing bullet d) ‘be communicated; and’ becomes ‘e) be communicated’.

Existing bullet e) ‘be updated as appropriate.’ becomes ‘f) be updated as appropriate’.

New bullet g) ‘be available as documented information’ is added.

The text of the 2013 bullets f) to j) is unchanged, but the bullets become h) to l) because of the insertion of the two new bullets set out above.
6.3 Planning of changes

This is a new subclause; it does not appear in the 2013 edition. 6.3 states: ‘When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.’
Clause 7 Support

7.1 Resources

No change.

7.2 Competence

In the NOTE, ‘applicable action may include’ becomes ‘applicable action can include’. No other changes.
7.3 Awareness

No change.

7.4 Communication

Existing bullets ‘d) who shall communicate;’ and ‘e) the processes by which communication shall be effected’ are deleted. They are replaced by a new bullet d) ‘how to communicate’.
7.5 Documented information

7.5.1 General

In bullet a), ‘this International Standard’ is replaced by ‘this document’. Remainder unchanged.
7.5.2 Creating and updating

No change.

7.5.3 Control of documented information

Opening sentence – ‘this International Standard’ is replaced by ‘this document’.

In the NOTE, ‘Access implies a decision’ becomes ‘Access can imply a decision’.

No other changes.
Clause 8 Operation

8.1 Operational planning and control

Reworded but maintaining the original intent.

Was – ‘The organization shall plan, implement and control the processes needed to meet information security requirements and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.’

Now – ‘The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:

-  establishing specification for the processes;

-  implementing control of the processes in accordance with the specification.’

Was – ‘The organization shall keep documented specification to the extent necessary to have confidence that the processes have been carried out as planned.’

Now – ‘Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.’

Text relating to control of planned changes is unchanged.

Was – ‘The organization shall ensure that outsourced processes are determined and controlled’.

Now – ‘The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.’

8.2 Information security risk assessment

No change.

8.3 Information security risk treatment

No change.
Clause 9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The 2013 edition paragraph ‘the organization shall evaluate the information security performance and the effectiveness of the information security management system’ is relocated to the end of 9.1.

The 2013 edition note to bullet b), ‘the methods selected should produce comparable and reproducible results to be considered valid’, is deleted as a note, with the text appended ‘as is’ to the end of bullet b) to form an enhanced requirement.

The 2013 edition statement ‘the organization shall retain appropriate documented information as evidence of the monitoring and measurement results’ is deleted and replaced by the new text ‘Documented information shall be available as evidence of the results’.
9.2 Internal audit

The 2022 edition divides the 2013 edition 9.2 requirements across two new subclauses, ‘9.2.1 General’ and ‘9.2.2 Internal audit programme’.

The 2013 edition bullets a) (including a1) and a2)) and b) move to the new 9.2.1. Apart from the wording of a2) being changed from ‘this International Standard’ to ‘this document’, there are no differences in text between the editions.

The text from the 2013 edition bullet c) now forms an introduction to 9.2.2. The second sentence of the bullet is reworded from:

‘The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits’

to

‘When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits’.

Underneath this, the text ‘The organization shall:’ is added and the 2013 bullets d) to f) are taken across as new bullets a) to c).

The 2013 edition bullet g) ‘retain documented information as evidence of the audit programme(s) and the audit result(s)’ is deleted and replaced with a statement at the end of 9.2.2: ‘Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.’
9.3 Management review

The 2013 edition clause 9.3 is subdivided in the 2022 edition into 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review outputs.

9.3.1 General

This subclause contains the unchanged text of the first paragraph of the existing 2013 edition clause.

9.3.2 Management review inputs

The bullet list of items that top management is required to review under the 2013 edition is migrated to 9.3.2 with no changes to the requirement text, with one new bullet inserted into the existing list: c) ‘changes in needs and expectations of interested parties that are relevant to the information security management system’.

This means that the 2013 edition bullet c) now becomes bullet d), d) becomes e), e) becomes f) and f) becomes g).

The text appearing after the bullet list in the 2013 edition is revised and included in the new subclause 9.3.3:

‘The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

The organization shall retain documented information as evidence of the results of management reviews.’

becomes:

‘The results of management reviews shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

Documented information shall be available as evidence of the results of management reviews.’

Clause 10 Improvement

The 2013 edition subclauses 10.1 Nonconformity and corrective action and 10.2 Continual improvement have been reordered.

In the 2022 edition, 10.1 is now Continual improvement and 10.2 is Nonconformity and corrective action.

2013 – 10.1 Nonconformity and corrective action

The contents of the 2013 edition subclause 10.1 are taken across to the 2022 edition subclause 10.2 with no changes to the bulleted requirements a) to g). The only amendment in this subclause is that ‘The organization shall retain documented information as evidence of’, which appears before bullet f), has become ‘Documented information shall be available as evidence of’.

2013 – 10.2 Continual improvement

The text of the 2013 edition subclause 10.2 is taken across unchanged to become the 2022 edition subclause 10.1.
Annex A

This remains a normative annex but is renamed from ‘Reference control objectives and controls’ to ‘Information security controls reference’ in the 2022 edition.

Control objectives are removed from the 2022 list of controls.

There have been extensive changes to the content of this annex, echoing the significant changes made in ISO/IEC 27002:2021.

The 14 categories of control – Information security policies; Organization of information security; Human resource security; Asset management; Access control; Cryptography; Physical and environmental security; Operations security; Communications security; System acquisition, development and maintenance; Supplier relationships; Information security incident management; Information security aspects of business continuity; and Compliance – have been replaced by 4 new ‘themes’: Organizational controls, People controls, Physical controls and Technological controls.

The control objectives associated with the 2013 edition’s 13 categories have all been deleted.

The third edition of ISO/IEC 27002 also:

-  classifies controls as ‘corrective’, ‘preventive’ or ‘detective’;

-  identifies whether the control seeks to support ‘confidentiality’, ‘integrity’ or ‘availability’, or a combination of these;

-  identifies whether the control exists to ‘identify’, ‘protect’, ‘detect’, ‘respond’ or ‘recover’;

-  identifies whether the control relates to Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management or Information security assurance;

-  identifies whether the control is linked to Governance and Ecosystem, Protection, Defence or Resilience.

The number of controls is reduced from 114 to 93. Some existing 2013 controls have been merged, some deleted, and some taken across ‘as is’. Collectively, these changes account for 82 of the 93 controls in the 2022 edition. To these, 11 brand new controls have been added:

-  Threat intelligence

-  Information security for use of cloud services

-  ICT readiness for business continuity

-  Physical security monitoring

-  Configuration management

-  Information deletion

-  Data masking

-  Data leakage prevention

-  Monitoring activities

-  Web filtering

-  Secure coding

ISO/IEC 27002:2022 Annex B contains two useful tables mapping the 2022 controls to the 2013 controls and vice versa.
Bibliography

The bibliography has been updated to reflect the latest editions of the referenced standards. The list of referenced standards is, however, unchanged.


3. Possible impact on organizations

The impact of the ISO/IEC 27001:2022 changes is limited to the introduction of the new Annex A, because:

1) ISO/IEC 27001:2013/COR 2:2015 has already been published and implemented;

2) Annex A is normative.

The ISO/IEC 27001 requirement to use the Annex A information security controls reference refers to the process of comparing the information security controls determined by the organization with the information security controls in Annex A (6.1.3 c)), and to producing the Statement of Applicability (SoA) (6.1.3 d)).

By comparing the necessary information security controls with the controls in Annex A, the organization can confirm that no necessary Annex A information security control has been overlooked or omitted. If the comparison reveals that a necessary information security control was inadvertently omitted, the organization should update its risk treatment plan (RTP) to accommodate the additional necessary information security controls, and implement them.

As described above, the impact of ISO/IEC 27001:2022 on organizations that have already implemented an ISMS is not significant.


4. Possible impact on individuals

For professionals who have attended any ISO/IEC 27001:2013 training course, including managers, consultants and auditors, it is recommended to maintain at least 10 to 15 hours of training per year, in line with the CQI / IRCA continuing professional development (CPD) requirements for registered auditors' knowledge and skills, in order to keep auditor registration valid.

Because the changes to the content of this management system standard do not have a significant impact, the certified course standards that CQI / IRCA published on 25 October 2022 for the new ISO/IEC 27001:2022 standard provide only the following 4 certified courses. There is no requirement for an Auditor Transition certified course.

  1. FD134 ISMS ISO/IEC 27001:2022 Foundation, 7 hours (foundation course)
  2. PT220 ISMS ISO/IEC 27001:2022 Internal Auditor, 14 hours (internal auditor course)
  3. PR374 ISMS ISO/IEC 27001:2022 Auditor Conversion, 24 hours (conversion course for auditors of another discipline, e.g. ISO 9001 → ISO/IEC 27001)
  4. PR373 ISMS ISO/IEC 27001:2022 Lead Auditor, 40 hours (lead auditor course)

For professionals in Taiwan who have attended any ISO/IEC 27001:2013 training course, we offer the following courses to help maintain the CQI / IRCA continuing professional development (CPD) requirements for registered auditors' knowledge and skills:

  1. ISO/IEC 27001:2022 (ISMS, information security management system) transition CPD course (1 day)
  2. ISO/IEC 27001:2022 (ISMS, information security management system) auditor transition CPD course (2 days) (coming soon)

Alternatively, you can attend the following courses directly:

  1. ISO/IEC 27001:2022 (ISMS, information security management system) foundation course (3 days)
  2. CQI / IRCA ISO/IEC 27001:2022 (ISMS, information security management system) Lead Auditor training course (5 days)

If you have any other needs, please contact us: info@tksg.global


Last modified: Wednesday, 7 December 2022, 1:50 PM