

ISO 27000 consulting, ISO 27001 consulting - General introduction to Information Security Management Systems

To help customers make the best use of VINTECOM's consulting and training services for Information Security Management Systems under the international standard ISO 27001:2005, we present some information on the family of standards related to Information Security Management Systems.

I. History of the standards related to Information Security Management Systems

The first Information Security Management System standard to be applied was issued by the British Standards Institution (BSI) in two main parts:

Part 1: BS 7799-1, the code of practice for information security, issued in 1995 and first revised in 1999. This standard was developed into the international standard ISO/IEC 17799:2000 and, in June 2005, into ISO/IEC 17799:2005. By November it had been revised into ISO/IEC 27002:2005: Information technology - Security techniques - Code of practice for information security management. The content of ISO/IEC 17799:2005, now ISO 27002:2005, comprises 134 information security controls divided into 11 groups of objectives, as follows:

1. Information security policy: directives and guidance on information security

2. Organization of information security: organizing security measures and management processes

3. Asset management: responsibility for and classification of the value of information

4. Human resource security: ensuring security

5. Physical and environmental security

6. Communications and operations management

7. Access control

8. Information systems acquisition, development and maintenance

9. Information security incident management

10. Business continuity management

11. Compliance

Part 2: BS 7799-2, issued in 1998, revised in 1999 and further adjusted by BSI in 2002 into BS 7799-2:2002. In October 2005 this standard was developed into the international standard ISO/IEC 27001:2005: Information technology - Information Security Management System. ISO/IEC 27001:2005 specifies the requirements for an information security management system and, like ISO 9001, is a management system standard against which certification can be granted. Like ISO 9001, ISO/IEC 27001:2005 can be applied in every sector, regardless of size or scope, and aims at an effective Information Security Management System that ensures appropriate and adequate information security, protects information assets and earns the trust of stakeholders such as partners and customers.

II. Introduction to the ISO/IEC 27000 family of international standards for information security management systems

Alongside ISO/IEC 27001:2005 and ISO/IEC 27002:2005, the information security management system standards were drafted and issued by BSI together with the International Organization for Standardization to help organizations of every sector and size apply and operate an Information Security Management System effectively. The family includes the following standards:

ISO/IEC 27000:2009: issued in 2009, titled Information technology - Security techniques - Information security management systems - Overview and vocabulary. Purpose: to define the terms and vocabulary used in ISO 27001.

ISO/IEC 27001:2005: issued in 2005, Information technology - Security techniques - Information security management systems - Requirements. Purpose: to set out the requirements for an Information Security Management System, suited to organizations that need to demonstrate their ability to provide products and services that meet customer and regulatory requirements.

ISO/IEC 27002:2005: issued on 15 June 2005, Information technology - Security techniques - Code of practice for information security management. Purpose: to provide the code of practice for information security, setting out 134 controls grouped under 11 widely accepted information security control objectives.

ISO/IEC 27003:2010: Information technology - Security techniques - Information security management system implementation guidance. Purpose: to give guidance on implementing an Information Security Management System (ISMS) in accordance with ISO/IEC 27001.

ISO/IEC 27004:2009: Information technology - Security techniques - Information security management - Measurement. Purpose: to provide measurement methods that help improve the effectiveness of the ISMS.

ISO/IEC 27005:2008: issued in 2008, Information technology - Security techniques - Information security risk management. Purpose: ISO/IEC 27005:2008 gives guidance on information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. It sets out quantitative and qualitative methods of risk assessment and leaves the user to choose the most suitable method. Applying ISO/IEC 27005:2008 requires knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002. ISO/IEC 27005:2008 applies to all types of organizations (for example commercial enterprises, government agencies and non-profit organizations) that intend to manage risks that could compromise the organization's information security.

ISO/IEC 27006:2007: issued in 2007, titled Information technology - Security techniques - Requirements for the accreditation of bodies providing audit and certification of information security management systems. Purpose: to specify requirements and give guidance for the certification or registration process used to accredit ISMS certificates or the certification bodies that issue ISMS certificates, supplementing the requirements of ISO/IEC 17021 and ISO/IEC 27001 and supporting the accreditation of ISMS certification bodies.

ISO/IEC 27007: in draft. Draft title: Information technology - Security techniques - Guidelines for information security management systems auditing (FCD). Purpose: will be the standard giving guidance on auditing an ISMS.

ISO/IEC TR 27008: currently in draft. Draft title: Information technology - Security techniques - Guidelines for auditors on information security management systems controls. Purpose: will give guidance to auditors assessing information security management system controls.

ISO/IEC 27010: currently in draft. Draft title: Information technology - Security techniques - Information security management for inter-sector and inter-organisational communications. Purpose: will give guidance on information security management in the telecommunications sector.

ISO/IEC 27011:2008: issued in 2008, titled Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002. Purpose: guidance on information security management for telecommunications, supporting the implementation of information security management in telecommunications organizations. Applying this standard allows telecommunications organizations to meet information security management requirements.

ISO/IEC 27013: currently in draft. Draft title: Information technology - Security techniques - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001. Purpose: will give guidance on the integrated application of ISO/IEC 20000-1 and ISO/IEC 27001.

ISO/IEC 27031:2011: issued in 2011, titled Information technology - Security techniques - Guidelines for information and communications technology readiness for business continuity. Purpose: the standard giving guidance on information and communications technology readiness for business continuity.

ISO/IEC 27032: currently in draft. Draft title: Information technology - Security techniques - Guidelines for cybersecurity. Purpose: will provide an overview of cybersecurity challenges and of security in "cyberspace".

ISO/IEC 27033: 2 parts currently in draft, Information technology - Security techniques - Network security; it will replace ISO/IEC 18028 on IT network security. It is divided into 2 parts:

Part 1: ISO/IEC 27033-1:2009: issued in 2009, titled Network security overview and concepts.

Part 2: ISO/IEC 27033-2: currently in draft, draft title Guidelines for the design and implementation of network security.

Part 3: ISO/IEC 27033-3: currently in draft, draft title Reference networking scenarios - threats, design techniques and control issues.

Part 4: ISO/IEC 27033-4: currently in draft, draft title Securing communications between networks using security gateways - threats, design techniques and control issues.

Part 5: ISO/IEC 27033-5: currently in draft, draft title Securing Virtual Private Networks - threats, design techniques and control issues.

Part 6: ISO/IEC 27033-6: currently in draft. Objective: to identify the specific risks, design techniques and control issues for securing wireless and radio networks.

Part 7: ISO/IEC 27033-7: currently in draft, draft title Guidelines for securing wireless networking - Risks, design techniques and control issues.

Part 8: ISO/IEC 27033-8: currently in draft, draft title Guidelines for securing - Risks, design techniques and control issues (possible additional parts).

ISO/IEC 27034: currently in draft. Draft title: Information technology - Security techniques - Application security. Purpose: will give guidance on application security.

ISO/IEC 27035: currently in draft. Draft title: Information technology - Security techniques - Information security incident management; it will replace ISO TR 18044 on security incident management.

ISO/IEC 27036: currently in draft. Draft title: Information technology - Security techniques - Information security for supplier relationships.

ISO 27799:2008: issued in 2008, Health informatics - Information security management in health using ISO/IEC 27002.
