
A Comparison of the ISO27000 Series of Standards and the Classified Protection Standards

Posted on: 2011-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: S S Wang
Full Text: PDF
GTID: 2208360308967704
Subject: Business management

Abstract/Summary:
Information security is an important part of national security and provides a crucial guarantee for political, economic, cultural and military security. The development of information technology and the extensive application of the Internet have promoted informatization and economic and social development worldwide. At the same time, they have brought many problems that threaten information security for countries, society and public networks. China pays close attention to information security while developing its informatization, and information strategy has become a cornerstone and the core of its national security strategy.

Information security standards play an important role in standardizing the construction of information security and in implementing information security protective measures. More than twenty years have passed since the first information security evaluation standard, TCSEC, was issued in the United States in 1983, and there is now a series of information security standards, both technical and managerial, that promote the standardization and development of information security. Because information security involves national secrets, China should develop its own information security standards while learning from advanced foreign standards. Although China has developed a series of standards, including the Classified Protection standards, by absorbing and adapting some international standards, its development of information security standards started late, and a certain gap still exists compared with international research. As a well-known international information security management standard, ISO27001 has been widely adopted all over the world and has become one of the main standards of the ISO27000 series.
The comparative study of ISO27000 and the Classified Protection standards in this thesis offers suggestions for how the two can complement each other, which benefits both China's establishment of its own standards and the improvement of the Classified Protection standards. The objects of study are mainly ISO27001, ISO27002 and ISO27005 on one side, and the Computer Classified Protection Dividing Criteria, the grading guide, the implementation guide and the evaluation standard on the other. The thesis first examines the content of the two series of standards. The implementation procedure of ISO27000 consists of establishing the ISMS, implementing and operating it, monitoring and evaluating it, and maintaining and improving it; its key steps are determining the ISMS policy and objectives, identifying assets and vulnerabilities, selecting control measures, internal auditing and continual improvement. The implementation procedure of the Classified Protection standards consists of determining the security rank of the information system, overall security planning, designing and implementing the security plan, operating and maintaining it, security inspection, and decommissioning the information system.

Based on a comparison of the two series of standards in terms of background, standards system, structure, implementation procedure, coverage and application status, the thesis offers suggestions for their complementary use. Regarding background, ISO27000 was established to meet the need for information security certification between trading partners, whereas the Classified Protection standards were established to meet the information security needs of the whole nation. The ISO27000 series includes several standards, some of which, such as ISO27003 and ISO27004, are still under development; only ISO27001 and ISO27002 are widely used at present.
The Classified Protection standards form a relatively complete system, including the Computer Classified Protection Dividing Criteria, the grading guide, the implementation guide, the evaluation standard and other detailed standards on technical requirements. The difference in implementation procedure lies mainly in how information security needs are analysed. Under ISO27000, information security needs are determined through risk assessment, whereas under the Classified Protection standards the rank of the information system is determined first, according to the impact that would result if the system were damaged, and the information security needs are then read from the requirement standard for that rank. Finally, the thesis finds that ISO27000 has advantages in risk assessment, best-practice controls and comprehensive management, while the Classified Protection standards emphasise the key points of information security implementation and reflect the principle of key-point protection. The two series of standards can therefore be combined in structure, content and implementation procedure.
Keywords/Search Tags: information security management system, ISO27001, risk assessment, classified protection