( 2.5)
2550
National Electronics and Computer Technology Center
National Science and Technology Development Agency
Ministry of Science and Technology
112 Thailand Science Park, Phahon Yothin Road,
Klong Luang, Pathumthani 12120, THAILAND.
Tel. +66-2-564-6900
Fax. +66-2-564-6901..2
http://www.thaicert.nectec.or.th
e-mail: thaicert@nectec.or.th
( 2.5) 2550
ISBN: 978-974-229-584-4
1 ( 2550)
1,000
URL: http://thaicert.nectec.or.th/ e-mail: thaicert@nectec.or.th
ISO/IEC 27001:2005 ISO/IEC 17799:2005
4,000
..... 9
1 ..... 10
2 ..... 18
3 ..... 20
4 ..... 21
5 ..... 23
..... 25
1. (Security policy) ..... 26
1.1 (Information security policy) ..... 26
2. (Organization of information security) ..... 26
2.1 (Internal organization) ..... 26
2.2 (External parties) ..... 28
3. (Asset management) ..... 29
3.1 (Responsibility for assets) ..... 29
3.2 (Information classification) ..... 30
4. (Human resources security) ..... 30
4.1 (Prior to employment) ..... 30
4.2 (During employment) ..... 31
4.3 (Termination or change of employment) ..... 32
5. (Physical and environmental security) ..... 33
5.1 (Secure areas) ..... 33
5.2 (Equipment security) ..... 34
6. (Communications and operations management) ..... 35
6.1 (Operational procedures and responsibilities) ..... 35
6.2 (Third party service delivery management) ..... 36
6.3 (System planning and acceptance) ..... 37
6.4 (Protection against malicious and mobile code) ..... 38
6.5 (Back-up) ..... 38
6.6 (Network security management) ..... 38
6.7 (Media handling) ..... 39
6.8 (Exchange of information) ..... 40
6.9 (Electronic commerce services) ..... 41
6.10 (Monitoring) ..... 41
7. (Access control) ..... 42
7.1 (Business requirements for access control) ..... 42
7.2 (User access management) ..... 43
7.3 (User responsibilities) ..... 43
7.4 (Network access control) ..... 44
7.5 (Operating system access control) ..... 45
7.6 (Application and information access control) ..... 46
7.7 (Mobile computing and teleworking) ..... 46
8. (Information systems acquisition, development and maintenance) ..... 47
8.1 (Security requirements of information systems) ..... 47
8.2 (Correct processing in applications) ..... 47
8.3 (Cryptographic controls) ..... 48
8.4 (Security of system files) ..... 48
8.5 (Security in development and support processes) ..... 49
8.6 (Technical Vulnerability Management) ..... 50
9. (Information security incident management) ..... 51
9.1 (Reporting information security events and weaknesses) ..... 51
9.2 (Management of information security incidents and improvements) ..... 51
10. (Business continuity management) ..... 52
10.1 (Information security aspects of business continuity management) ..... 52
11. (Compliance) ..... 53
11.1 (Compliance with legal requirements) ..... 53
11.2 (Compliance with security policies and standards, and technical compliance) ..... 55
11.3 (Information systems audit considerations) ..... 55
..... 57
..... 61
1 ( ISO/IEC 27001)
1
1.1
Plan-Do-Check-Act P-D-C-A
1
1
Plan-Do-Check-Act
1.2
1.2.1 (Plan)
a)
b)
b.1
b.2
b.3
b.4 ( 1.2.1 c)
b.5
c)
c.1
c.2
d)
d.1
d.2
d.3
d.4
e)
e.1
e.2
e.3
e.4
1.2.1) c.2)
f)
f.1
f.2
1.2.1) c.2)
f.3
f.4
g)
h)
i)
j) SoA (Statement of Applicability)
j.1
1.2.1) g)
j.2
j.3
1.2.2 (Do)
a)
b) -
c) 1.1.2) g)
d)
e)
( 2.2.2)
f)
g)
( 2.2)
h)
( 1.2.3 a)
1.2.3 (Check)
a)
a.1
a.2
a.3
a.4
a.5
b)
c)
d)
d.1
d.2
d.3
d.4
d.5
d.6
e)
( 3)
f)
( 4.1)
g)
h)
( 1.3.3)
1.2.4 (Act)
a)
b) 5.2 5.3
c)
d)
1.3
1.3.1
a) 1.2.1 b
b)
c)
d) 1.2.1 c
e) 1.2.1 c to 1.2.1 g
f) 1.2.2 b
g)
1.2.3 c
h) ( 1.3.3)
i) Statement of Applicability (SoA)
1.3.2
a)
b)
c)
d)
e)
f)
g)
h)
i) ()
j)
1.3.3
1.2
-
-
-
2
2.1
a)
b)
c)
d)
e)
( 2.2.1)
f)
g)
h)
2.2
2.2.1
a)
b)
c)
d)
e)
f)
2.2.2
a)
b) (
)
c) b)
d)
(
1.3.3)
a)
b)
c)
d)
( 1.3.3)
( 5)
4
4.1
( 1 )
( 1.3.3)
4.2
a)
b)
c)
d)
e)
f)
g)
h)
i)
4.3
a)
b)
c)
c.1
c.2
c.3
c.4
c.5
c.6 /
d)
e)
5
5.1
-
-
-
-
-
-
5.2
a)
b)
c)
d)
e) ( 1.3.3)
f)
5.3
a)
b)
c)
d) ( 1.3.3)
e)
2 ( ISO/IEC 27001 Annex A ISO/IEC 17799:2005)
1. (Security policy)
2. (Organization of information security)
2.1.1
(Management commitment to information security)
()
2.1.2 (Information security coordination)
()
2.1.3
(Allocation of information security responsibilities)
()
2.1.4
(Authorization process for information processing facilities)
()
2.1.5 (Confidentiality agreements)
()
(
)
2.1.6 (Contact with authorities)
( )
. .
. (Internet Service Provider)
(ThaiCERT)
2.1.7
(Contact with special interest groups)
()
2.1.8
(Independent review of information security)
()
2.2
(External parties)
2.2.1
(Identification of risks related to external parties)
()
2.2.2
(Addressing security when
dealing with customers)
()
2.2.3
(Addressing security in third party
agreements)
()
3. (Asset management)
()
()
4. (Human resources security)
4.1.2 (Screening)
( )
(
)
4.1.3 (Terms and conditions of employment)
()
(
)
4.2.1 (Management responsibilities)
()
4.2.2
(Information security awareness, education, and training)
( )
()
5. (Physical and environmental security)
5.1.5 (Working in secure areas)
()
5.1.6
(Public access, delivery, and loading areas)
( )
( )
6. (Communications and operations management)
6.1 (Operational procedures and responsibilities)
6.1.4
(Separation of development, test, and operational facilities)
( )
6.4 (Protection against malicious and mobile code)
6.5 (Back-up)
6.6 (Network security management)
( )
6.6.2 (Security of network services)
()
6.7.4 (Security of system documentation)
()
6.9 (Electronic commerce services)
6.9.2 (On-line transactions)
()
-
-
6.10 (Monitoring)
6.10.1 (Audit logging)
()
()
6.10.3 (Protection of log information)
()
6.10.4
(Administrator and operator logs)
()
7. (Access control)
7.1 (Business requirements for access control)
7.1.1 (Access control policy)
()
7.2 (User access management)
7.3.3 (Clear desk and clear screen policy)
()
7.4.4 (Remote diagnostic and configuration port protection)
()
7.4.6 (Network connection control)
()
7.4.7 (Network routing control)
()
7.5.6 (Limitation of connection time)
( )
7.7 (Mobile computing and teleworking)
7.7.2 (Teleworking)
()
8. (Information systems acquisition, development and maintenance)
8.1 (Security requirements of information systems)
8.1.1 (Security requirements analysis and specification)
( )
8.4 (Security of system files)
8.4.1 (Control of operational software)
()
8.4.2 (Protection of system test data)
( )
8.5 (Security in development and support processes)
8.5.1 (Change control procedures)
()
8.5.2 (Technical review of applications after operating system changes)
()
8.5.3 (Restrictions on changes to software packages)
()
9. (Information security incident management)
9.1 (Reporting information security events and weaknesses)
9.1.1 (Reporting information security events)
(
)
9.1.2 (Reporting security weaknesses)
(
)
9.2 (Management of information security incidents and improvements)
()
9.2.2 (Learning from security incidents)
( )
9.2.3 (Collection of evidence)
()
10. (Business continuity management)
10.1 (Information security aspects of business continuity management)
10.1.2 (Business continuity and risk assessment)
()
11. (Compliance)
11.1.3 (Protection of organizational records)
()
11.1.4 (Data protection and privacy of personal information)
( )
11.1.5 (Prevention of misuse of information processing facilities)
()
11.1.6 (Regulation of cryptographic controls)
()
11.2 (Compliance with security policies and standards, and technical compliance)
11.2.1 (Compliance with security policies and standards)
()
11.2.2 (Technical compliance checking)
()
(User Account)
(Email Account)
/
Critical Infrastructure
= 1
= 1 - 100
= 100
= 10,000
= 10,000 - 100,000
= 100,000
=
= 1
= 1
0 =
1 =
(Incidental Damage)
1. .
2. .
3. .
4.
5. .
1. .
2. .
3. ..
4. ..
5.
6. ..
7. ..
8.
9.
10.
11.
1. ..
2. ..