許多中小企業往往因預算、人力或技術的考量,無法在蒐集及彙整落實資訊安全管理系統(ISMS)控制措施之相關資訊這方面,取得有效的解決方法,站在協助其內部管理的角度,本研究整合資訊系統內之相關資訊,致力於發展一套適用於中小企業之檢測工具,輔助其內部對於ISMS控制措施之管理與查核。本研究採用系統發展研究方法,以發展ISMS技術性檢測工具之雛型系統並配合專家深入訪談的方式,探討ISO 27001內可以工具蒐集資訊系統內相關資訊做檢測之控制措施應具備之特性,及ISMS技術性檢測工具應具備的架構及需求。 研究結果發現,ISO 27001內可以工具蒐集資訊系統內相關資訊做檢測之控制措施,必須是執行控制措施時,系統會自動產生相關紀錄者,而檢測工具的功能架構應分為政策管理、檢測資料蒐集、檢測資料分析及檢測資料呈現四大部份,應具備的需求則包括顯示及設定組織安全政策的能力、自動蒐集及彙整相關佐證資料的能力、工具須提供彈性的資料分析功能與圖表的資料呈現方式及工具操作上之設計勿過於繁雜。 Many SMEs(Small and Medium-sized Enterprises) often confront difficulties of collecting and integrating related information of the implementation of ISMS controls due to budget, human resource or technology insufficiency. With the view to assisting SMEs, this research aims at developing a testing tool which is suitable for SMEs by integrating the related information in information systems for managing ISMS controls and internal auditing. This research implements “system development research methodology” based on developing a prototype system of technical testing tool of ISMS refining with depth personal interviews so as to explore the controls, which can be checked by using tool to gather related information in information systems within ISO 27001, and the needs as well as architectures of technical testing tool of ISMS. The outcome of the depth personal interviews indicated that the controls, which can be checked by using tool to gather related information in information systems within ISO 27001, must have the feature that the systems should automatically generate records during the implementation of the controls. The architecture of a technical testing tool of ISMS can be divided into four sections: organization’s security policies, collection of testing data, analysis of testing data, and display of testing data. On one hand, the needs of technical testing tool of ISMS should comprise the capability of displaying and adjusting the organization’s security policies, on the other hand, the tool should automatically collect as well as integrate related information. The basic requirement of testing tool contains data analysis flexibility, present data graphically, and the best possible simplicity.
