information-security-manager-iso27001


Information Security Manager - ISO 27001

Implement and manage Information Security Management Systems (ISMS) aligned with ISO 27001:2022 and healthcare regulatory requirements.

Trigger Phrases

Use this skill when you hear:
  • "implement ISO 27001"
  • "ISMS implementation"
  • "security risk assessment"
  • "information security policy"
  • "ISO 27001 certification"
  • "security controls implementation"
  • "incident response plan"
  • "healthcare data security"
  • "medical device cybersecurity"
  • "security compliance audit"

Quick Start

Run Security Risk Assessment

```bash
python scripts/risk_assessment.py --scope "patient-data-system" --output risk_register.json
```

Check Compliance Status

```bash
python scripts/compliance_checker.py --standard iso27001 --controls-file controls.csv
```

Generate Gap Analysis Report

```bash
python scripts/compliance_checker.py --standard iso27001 --gap-analysis --output gaps.md
```

Tools

risk_assessment.py

Automated security risk assessment following the ISO 27001 Clause 6.1.2 methodology.
Usage:
```bash
# Full risk assessment
python scripts/risk_assessment.py --scope "cloud-infrastructure" --output risks.json

# Healthcare-specific assessment
python scripts/risk_assessment.py --scope "ehr-system" --template healthcare --output risks.json

# Quick asset-based assessment
python scripts/risk_assessment.py --assets assets.csv --output risks.json
```

**Parameters:**

| Parameter | Required | Description |
|-----------|----------|-------------|
| `--scope` | Yes | System or area to assess |
| `--template` | No | Assessment template: `general`, `healthcare`, `cloud` |
| `--assets` | No | CSV file with asset inventory |
| `--output` | No | Output file (default: stdout) |
| `--format` | No | Output format: `json`, `csv`, `markdown` |

**Output:**
- Asset inventory with classification
- Threat and vulnerability mapping
- Risk scores (likelihood × impact)
- Treatment recommendations
- Residual risk calculations

compliance_checker.py

Verify ISO 27001/27002 control implementation status.
Usage:
```bash
# Check all ISO 27001 controls
python scripts/compliance_checker.py --standard iso27001

# Gap analysis with recommendations
python scripts/compliance_checker.py --standard iso27001 --gap-analysis

# Check specific control domains
python scripts/compliance_checker.py --standard iso27001 --domains "access-control,cryptography"

# Export compliance report
python scripts/compliance_checker.py --standard iso27001 --output compliance_report.md
```

**Parameters:**

| Parameter | Required | Description |
|-----------|----------|-------------|
| `--standard` | Yes | Standard to check: `iso27001`, `iso27002`, `hipaa` |
| `--controls-file` | No | CSV with current control status |
| `--gap-analysis` | No | Include remediation recommendations |
| `--domains` | No | Specific control domains to check |
| `--output` | No | Output file path |

**Output:**
- Control implementation status
- Compliance percentage by domain
- Gap analysis with priorities
- Remediation recommendations
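
The per-domain percentage, gap list and overall figure listed above can be computed from a control-status file with a few functions. The block below is an added example written for this page; it is not the project's `scripts/compliance_checker.py`. It assumes a controls file with the columns `control_id,domain,name,status`, the status values `IMPLEMENTED`, `PARTIAL` and `NOT_IMPLEMENTED` weighted 1.0 / 0.5 / 0.0, and gaps ordered by shortfall, none of which the page specifies. The sample rows use real ISO/IEC 27002:2022 control identifiers and names, but their statuses are made up.

```python
"""Control-status check: compliance percentage by domain and a prioritised gap list.

Added example, not the page's scripts/compliance_checker.py. The file format,
status weights and gap ordering below are assumptions.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Assumed status vocabulary and the credit each status earns towards compliance.
STATUS_WEIGHT = {"IMPLEMENTED": 1.0, "PARTIAL": 0.5, "NOT_IMPLEMENTED": 0.0}
# Assumed gap ordering: the bigger the shortfall, the earlier the gap is listed.
GAP_PRIORITY = {"NOT_IMPLEMENTED": 0, "PARTIAL": 1}

# Constructed controls file. IDs and names are ISO/IEC 27002:2022 controls;
# the statuses are invented for the example. Note the quoted name containing a comma.
SAMPLE_CONTROLS_CSV = """control_id,domain,name,status
A.5.1,Organizational,Policies for information security,IMPLEMENTED
A.5.15,Organizational,Access control,IMPLEMENTED
A.6.3,People,"Information security awareness, education and training",PARTIAL
A.7.1,Physical,Physical security perimeters,IMPLEMENTED
A.8.5,Technological,Secure authentication,IMPLEMENTED
A.8.8,Technological,Management of technical vulnerabilities,NOT_IMPLEMENTED
A.8.24,Technological,Use of cryptography,IMPLEMENTED
A.8.26,Technological,Application security requirements,PARTIAL
"""


def load_controls(csv_text: str) -> list[dict]:
    """Parse the controls file. An unknown status is an error, so a typo can never
    be silently counted as compliant (or as a gap)."""
    controls = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        status = row["status"].strip().upper()
        if status not in STATUS_WEIGHT:
            raise ValueError(f"line {lineno}: unknown status {row['status']!r} "
                             f"for control {row['control_id']}")
        row["status"] = status
        controls.append(row)
    return controls


def filter_domains(controls: list[dict], domains: list[str] | None = None) -> list[dict]:
    """Keep only the requested domains (case-insensitive); None keeps everything."""
    if not domains:
        return list(controls)
    wanted = {d.strip().lower() for d in domains}
    return [c for c in controls if c["domain"].lower() in wanted]


def compliance_by_domain(controls: list[dict]) -> dict[str, float]:
    """Weighted percentage of implemented controls per domain, one decimal."""
    earned: dict[str, float] = defaultdict(float)
    total: dict[str, int] = defaultdict(int)
    for c in controls:
        earned[c["domain"]] += STATUS_WEIGHT[c["status"]]
        total[c["domain"]] += 1
    return {d: round(100 * earned[d] / total[d], 1) for d in sorted(total)}


def overall_compliance(controls: list[dict]) -> float:
    """Weighted percentage across all given controls, one decimal."""
    if not controls:
        return 0.0
    earned = sum(STATUS_WEIGHT[c["status"]] for c in controls)
    return round(100 * earned / len(controls), 1)


def gap_analysis(controls: list[dict]) -> list[tuple[str, str, str]]:
    """Every control that is not fully implemented, highest shortfall first."""
    gaps = [c for c in controls if c["status"] != "IMPLEMENTED"]
    gaps.sort(key=lambda c: (GAP_PRIORITY[c["status"]], c["control_id"]))
    return [(c["control_id"], c["name"], c["status"]) for c in gaps]


def report(csv_text: str, domains: list[str] | None = None) -> str:
    """Plain-text report: status per control, percentage per domain, gaps, overall."""
    controls = filter_domains(load_controls(csv_text), domains)
    lines = ["Control Implementation Status", "=" * 29]
    lines += [f"{c['name']} ({c['control_id']}): {c['status']}" for c in controls]
    lines.append("")
    lines += [f"{domain}: {pct}%" for domain, pct in compliance_by_domain(controls).items()]
    gaps = gap_analysis(controls)
    if gaps:
        lines += ["", "Gaps (highest priority first):"]
        lines += [f"  - {cid} {name}: {status}" for cid, name, status in gaps]
    lines += ["", f"Overall Compliance: {overall_compliance(controls)}%"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONTROLS_CSV))
    print()
    print(report(SAMPLE_CONTROLS_CSV, domains=["Technological"]))
```

Rejecting unknown status values is the check worth keeping whatever weighting you choose: a status column filled by hand will eventually contain "Implemented " or "Done", and counting such rows either way corrupts the percentage that goes into the management review.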

---

Workflows

Workflow 1: ISMS Implementation

Step 1: Define Scope and Context
Document organizational context and ISMS boundaries:
  • Identify interested parties and requirements
  • Define ISMS scope and boundaries
  • Document internal/external issues
Validation: Scope statement reviewed and approved by management.
Step 2: Conduct Risk Assessment
```bash
python scripts/risk_assessment.py --scope "full-organization" --template general --output initial_risks.json
```
  • Identify information assets
  • Assess threats and vulnerabilities
  • Calculate risk levels
  • Determine risk treatment options
Validation: Risk register contains all critical assets with assigned owners.
Step 3: Select and Implement Controls
Map risks to ISO 27002 controls:
```bash
python scripts/compliance_checker.py --standard iso27002 --gap-analysis --output control_gaps.md
```
Control categories:
  • Organizational (policies, roles, responsibilities)
  • People (screening, awareness, training)
  • Physical (perimeters, equipment, media)
  • Technological (access, crypto, network, application)
Validation: Statement of Applicability (SoA) documents all controls with justification.
Step 4: Establish Monitoring
Define security metrics:
  • Incident count and severity trends
  • Control effectiveness scores
  • Training completion rates
  • Audit findings closure rate
Validation: Dashboard shows real-time compliance status.

Workflow 2: Security Risk Assessment

Step 1: Asset Identification
Create asset inventory:

| Asset Type | Examples | Classification |
|------------|----------|----------------|
| Information | Patient records, source code | Confidential |
| Software | EHR system, APIs | Critical |
| Hardware | Servers, medical devices | High |
| Services | Cloud hosting, backup | High |
| People | Admin accounts, developers | Varies |

Validation: All assets have assigned owners and classifications.
Step 2: Threat Analysis
Identify threats per asset category:

| Asset | Threats | Likelihood |
|-------|---------|------------|
| Patient data | Unauthorized access, breach | High |
| Medical devices | Malware, tampering | Medium |
| Cloud services | Misconfiguration, outage | Medium |
| Credentials | Phishing, brute force | High |

Validation: Threat model covers top-10 industry threats.
Step 3: Vulnerability Assessment
```bash
python scripts/risk_assessment.py --scope "network-infrastructure" --output vuln_risks.json
```
Document vulnerabilities:
  • Technical (unpatched systems, weak configs)
  • Process (missing procedures, gaps)
  • People (lack of training, insider risk)
Validation: Vulnerability scan results mapped to risk register.
Step 4: Risk Evaluation and Treatment
Calculate risk:
Risk = Likelihood × Impact
Likelihood and impact are each scored 1-5, so scores range from 1 to 25 and fall into the bands below:

| Risk Level | Score | Treatment |
|------------|-------|-----------|
| Critical | 20-25 | Immediate action required |
| High | 15-19 | Treatment plan within 30 days |
| Medium | 10-14 | Treatment plan within 90 days |
| Low | 5-9 | Accept or monitor |
| Minimal | 1-4 | Accept |

Validation: All high/critical risks have approved treatment plans.
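
The scoring and banding of Step 4, applied to a register built in Steps 1-3, looks like the following. This is an added example written for this page, not the project's `scripts/risk_assessment.py`. It assumes integer likelihood and impact on a 1-5 scale (implied by the 25-point table) and, for the residual-risk figure the tool's output lists, an assumed model in which a mitigating control scales likelihood down by an effectiveness factor while impact stays unchanged; the page does not specify how residual risk is calculated. The sample register reuses the three risks from the healthcare worked example at the end of this page plus one constructed low-end row.

```python
"""Risk scoring, treatment banding and a residual-risk estimate for a register.

Added example for Workflow 2; illustrative code, not the page's
scripts/risk_assessment.py. The 1-5 scales and the residual-risk model are
assumptions not stated on the page.
"""
from __future__ import annotations

import csv
import io
import math
from dataclasses import dataclass

# Treatment bands exactly as in the Step 4 table: (low, high, level, action).
BANDS = [
    (20, 25, "Critical", "Immediate action required"),
    (15, 19, "High", "Treatment plan within 30 days"),
    (10, 14, "Medium", "Treatment plan within 90 days"),
    (5, 9, "Low", "Accept or monitor"),
    (1, 4, "Minimal", "Accept"),
]

# Constructed register. R001-R003 are the rows of the healthcare worked example
# at the end of this page; R004 is made up to exercise the bottom band.
SAMPLE_REGISTER_CSV = """risk_id,asset,threat,vulnerability,likelihood,impact
R001,A001,Data breach,Weak encryption,3,5
R002,A002,SQL injection,Missing input validation,4,4
R003,A004,Credential theft,No MFA,4,5
R004,A003,Disk failure,No spare hardware,2,2
"""


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact, each on the assumed 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1-5")
    return likelihood * impact


def risk_band(score: int) -> tuple[str, str]:
    """Map a 1-25 score to (level, treatment action) using BANDS."""
    for low, high, level, action in BANDS:
        if low <= score <= high:
            return level, action
    raise ValueError(f"score {score} is outside 1-25")


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_band(self.score)[0]


def load_register(csv_text: str) -> list[Risk]:
    """Parse a register CSV; non-numeric or out-of-range scales raise ValueError."""
    risks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        likelihood, impact = int(row["likelihood"]), int(row["impact"])
        risk_score(likelihood, impact)  # reject bad scales before storing the row
        risks.append(Risk(row["risk_id"], row["asset"], row["threat"],
                          row["vulnerability"], likelihood, impact))
    return risks


def residual_score(risk: Risk, control_effectiveness: float) -> int:
    """Assumed residual-risk model: a mitigating control scales likelihood down by
    control_effectiveness (0.0-1.0), rounded up and floored at 1. Impact is left
    unchanged because the control does not shrink the data at stake."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be within 0.0-1.0")
    residual_likelihood = max(1, math.ceil(risk.likelihood * (1 - control_effectiveness)))
    return risk_score(residual_likelihood, risk.impact)


def needs_treatment_plan(risk: Risk) -> bool:
    """Step 4 validation rule: every High or Critical risk needs an approved plan."""
    return risk.level in ("Critical", "High")


def summarize(risks: list[Risk]) -> dict:
    """Counts per level plus the IDs that still need an approved treatment plan."""
    by_level = {level: 0 for _, _, level, _ in BANDS}
    for risk in risks:
        by_level[risk.level] += 1
    return {"by_level": by_level,
            "needs_plan": [r.risk_id for r in risks if needs_treatment_plan(r)]}


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER_CSV)
    for r in register:
        print(f"{r.risk_id} {r.asset} L={r.likelihood} I={r.impact} "
              f"score={r.score:2d} {r.level:8s} {risk_band(r.score)[1]}")
    print("Needs approved treatment plan:", summarize(register)["needs_plan"])
    # R003 after enforcing MFA, assuming the control is 75% effective (an assumption)
    mfa_residual = residual_score(register[2], 0.75)
    print(f"R003 residual: {mfa_residual} ({risk_band(mfa_residual)[0]})")
```

The range check in `risk_score` matters more than it looks: a register that mixes a 1-5 scale with a 1-10 scale from an older template still multiplies cleanly, and the resulting score lands in the wrong band without any error. Rejecting out-of-range inputs at load time is the cheapest way to keep the treatment deadlines in the table meaningful.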

Workflow 3: Incident Response

Step 1: Detection and Reporting
Incident categories:
  • Security breach (unauthorized access)
  • Malware infection
  • Data leakage
  • System compromise
  • Policy violation
Validation: Incident logged within 15 minutes of detection.
Step 2: Triage and Classification

| Severity | Criteria | Response Time |
|----------|----------|---------------|
| Critical | Data breach, system down | Immediate |
| High | Active threat, significant risk | 1 hour |
| Medium | Contained threat, limited impact | 4 hours |
| Low | Minor violation, no impact | 24 hours |

Validation: Severity assigned and escalation triggered if needed.
Step 3: Containment and Eradication
Immediate actions:
  1. Isolate affected systems (network isolation rather than power-off, so volatile evidence such as memory and active sessions survives for the next step)
  2. Preserve evidence
  3. Block threat vectors
  4. Remove malicious artifacts
Validation: Containment confirmed, no ongoing compromise.
Step 4: Recovery and Lessons Learned
Post-incident activities:
  1. Restore systems from clean backups
  2. Verify integrity before reconnection
  3. Document timeline and actions
  4. Conduct post-incident review
  5. Update controls and procedures
Validation: Post-incident report completed within 5 business days.

Reference Guides

When to Use Each Reference

references/iso27001-controls.md
  • Control selection for SoA
  • Implementation guidance
  • Evidence requirements
  • Audit preparation
references/risk-assessment-guide.md
  • Risk methodology selection
  • Asset classification criteria
  • Threat modeling approaches
  • Risk calculation methods
references/incident-response.md
  • Response procedures
  • Escalation matrices
  • Communication templates
  • Recovery checklists

Validation Checkpoints

ISMS Implementation Validation

| Phase | Checkpoint | Evidence Required |
|-------|------------|-------------------|
| Scope | Scope approved | Signed scope document |
| Risk | Register complete | Risk register with owners |
| Controls | SoA approved | Statement of Applicability |
| Operation | Metrics active | Dashboard screenshots |
| Audit | Internal audit done | Audit report |

Certification Readiness

Before Stage 1 audit:
  • ISMS scope documented and approved
  • Information security policy published
  • Risk assessment completed
  • Statement of Applicability finalized
  • Internal audit conducted
  • Management review completed
  • Nonconformities addressed
Before Stage 2 audit:
  • Controls implemented and operational
  • Evidence of effectiveness available
  • Staff trained and aware
  • Incidents logged and managed
  • Metrics collected for 3+ months

Compliance Verification

Run periodic checks:
```bash
# Monthly compliance check
python scripts/compliance_checker.py --standard iso27001 --output monthly_$(date +%Y%m).md

# Quarterly gap analysis
python scripts/compliance_checker.py --standard iso27001 --gap-analysis --output quarterly_gaps.md
```

---

Worked Example: Healthcare Risk Assessment

Scenario: Assess security risks for a patient data management system.

Step 1: Define Assets

```bash
python scripts/risk_assessment.py --scope "patient-data-system" --template healthcare
```
Asset inventory output:

| Asset ID | Asset | Type | Owner | Classification |
|----------|-------|------|-------|----------------|
| A001 | Patient database | Information | DBA Team | Confidential |
| A002 | EHR application | Software | App Team | Critical |
| A003 | Database server | Hardware | Infra Team | High |
| A004 | Admin credentials | Access | Security | Critical |

Step 2: Identify Risks

Risk register output (likelihood and impact scored 1-5, score = L × I):

| Risk ID | Asset | Threat | Vulnerability | Likelihood (L) | Impact (I) | Score |
|---------|-------|--------|---------------|----------------|------------|-------|
| R001 | A001 | Data breach | Weak encryption | 3 | 5 | 15 |
| R002 | A002 | SQL injection | Missing input validation | 4 | 4 | 16 |
| R003 | A004 | Credential theft | No MFA | 4 | 5 | 20 |

Step 3: Determine Treatment

| Risk | Treatment | Control | Timeline |
|------|-----------|---------|----------|
| R001 | Mitigate | Implement AES-256 encryption | 30 days |
| R002 | Mitigate | Add input validation, WAF | 14 days |
| R003 | Mitigate | Enforce MFA for all admins | 7 days |

Step 4: Verify Implementation

```bash
python scripts/compliance_checker.py --standard iso27001 --controls-file implemented_controls.csv
```
Verification output (control numbers follow ISO/IEC 27002:2022; A.8.5 is "Secure authentication", the control that covers MFA):
```text
Control Implementation Status
=============================
Cryptography (A.8.24): IMPLEMENTED
  - AES-256 at rest: YES
  - TLS 1.3 in transit: YES

Secure Authentication (A.8.5): IMPLEMENTED
  - MFA enabled: YES
  - Admin accounts: 100% coverage

Application Security (A.8.26): PARTIAL
  - Input validation: YES
  - WAF deployed: PENDING

Overall Compliance: 87%
```