---
title: "ISO 27001"
type: entity
tags: [security, compliance, standard]
date: 2025-03-02
---

# ISO 27001

**ISO 27001** (ISO/IEC 27001) is the internationally recognized standard for information security management systems (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

## Overview

ISO 27001 is one of the most authoritative management-system certifications in the information security field; cloud service providers commonly obtain it to demonstrate their security capabilities.

## Key Requirements

- **Information asset inventory**: identify and classify all information assets
- **Risk assessment**: systematically identify, analyze and evaluate information security risks
- **Controls**: select the applicable controls from the standard's 114 controls
- **Continual improvement**: the PDCA (Plan-Do-Check-Act) cycle
- **Management commitment**: leadership commitment to and support for information security

## Control Domains (14 Domains)

1. Information Security Policies
2. Organization of Information Security
3. Human Resource Security
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and Environmental Security
8. Operations Security
9. Communications Security
10. System Acquisition, Development and Maintenance
11. Supplier Relationships
12. Information Security Incident Management
13. Business Continuity Management
14. Compliance

## Cloud Context

The major cloud service providers (AWS, Azure, Google Cloud) have all obtained ISO 27001 certification as core evidence of their security maturity:

- **AWS**: ISO 27001, 27017, 27018 certified
- **Azure**: SOC 1/2/3, ISO 27001, HIPAA, FedRAMP
- **Google Cloud**: ISO 27001, ISO 27017, ISO 27018, SOC 2/3

## Relevance to Cloud Myths

ISO 27001 certification is key evidence against the misconception that "the cloud is not secure":

- A cloud provider holding ISO 27001 certification means its security management system meets an international standard
- Traditional on-premises deployments often lack the same level of security investment and certification

Note that the certificate attests to the provider's management system within its certified scope; the security of what a customer builds and configures on the platform remains the customer's own responsibility.

## Related Standards

- [[ISO-27001]] ← self-reference
- [[HIPAA]] — US healthcare data standard
- [[GDPR]] — EU data protection regulation
- [[SOC-2]] — service organization control report
- [[FedRAMP]] — US government cloud security standard

## Sources

- [[The Myths and Misconceptions About Cloud Computing (LinkedIn)|sources/the-myths-and-misconceptions-about-cloud-computing-linkedin]]