isopolicyvkpc isms manual v科威特石油总公司信息安全管理体系手册.doc

Content: Information Security Management System Manual Originator: Fahad Al-Ansari Version: 1.0 Date: 09 May 2007 Confidentiality: Confidential Reference: ISMS Manual Date Approved: Kuwait Petroleum Corporation Petroleum Training Centre Career Development Information Security Management System Manual Confidentiality Statement All information contained in this document is confidential and is controlled under a signed Non Disclosure Agreement. Distribution Role Name Organisation Location No of Copies Consultant Neil Lunniss Red Island Consulting London, UK 1 Project Manager Nick Roberts Red Island Consulting London, UK 1 Security Lead Fahad Al-Ansari KPC Ahmadi, Kuwait 1 Project Manager Hussain Sanasiri KPC Ahmadi, Kuwait 1 Amendment Record Issue Status Version Date Actioned By Description Draft 0.1 24/09/2006 Neil Lunniss Initial draft Draft 0.2 04/12/2006 Neil Lunniss Updated draft based on Risk Assessment results Authorised 1.0 09/05/2007 Neil Lunniss Authorised version References Nr Reference Document Ref Version 1 Information Technology – Security Techniques – Information Security Management Systems – Requirements ISO/IEC 27001 2005 2 Code of Practice for Information Security Management ISO/IEC 17799 2005 Table of Contents 1 Information Security Policy Statement 4 2 ISO/IEC 27001:2005 ISMS Overview 5 2.1 General Requirements 5 2.2 Establish the ISMS 5 2.3 ISMS Policy 5 2.4 Management Framework 6 2.5 Security Coordination 6 2.6 Department Management Error! Bookmark not defined. 2.7 Legal Requirements 7 3 Risk Assessment 8 3.1 Risk Assessment Approach 8 3.2 Identify the risks 8 3.3 Analyse and evaluate the risks 9 3.3.1 Business Impact Analysis (BIA) 9 3.3.2 Threat Level 9 3.3.3 Vulnerability and Probability Assessment. 10 3.3.4 Risk Calculation 10 3.3.5 Risk Score 11 3.3.6 Risk Treatment 11 3.3.7 Control Objectives and Control Selection 12 3.3.8 Residual Risk 12 3.3.9 Continued Assessment 12 4 S