    Please use this permanent URL to cite or link to this item: https://tkuir.lib.tku.edu.tw/dspace/handle/987654321/54389


    Title: A Study of Designing Compliance Assistant Tools for Information Security Management Systems
    Original title: 資訊安全管理系統遵循性輔助工具設計之研究
    Author: 蕭瑞祥
    Contributor: Department of Information Management, Tamkang University
    Keywords: Information Security Management Systems; Compliance
    Date: 2010
    Upload time: 2011-07-06 09:55:45 (UTC+8)
    Abstract: Whether driven by government initiatives, regulatory requirements, or customer expectations, the ISO/IEC 27001 Information Security Management Systems (ISMS) standard has been widely implemented and certified by enterprises and by government units with higher information security levels. Under the standard, certified organizations must periodically undergo internal and external audits to verify their compliance. At present, however, auditors checking controls can usually rely only on the written documentation and records the organization provides. They must spend most of their time reviewing this large volume of documents, which reduces audit efficiency. In reviewing the relevant literature, the researchers found that the use of assistant tools might allow audit work to proceed more smoothly. This study explores building and empirically testing a prototype of ISMS compliance assistant tools that capture and collect information from the organization's internal information systems (e.g. log files, packets) to verify compliance with the ISO/IEC 27001 control requirements. The aim is to strengthen verification beyond the review of written documentation alone, to observe whether the efficiency and accuracy of audit work improve significantly, and to assess whether auditing in this manner is feasible and appropriate.
    Appears in collections: [Department and Graduate Institute of Information Management] Research Reports

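    Files in this item:

    There are no files associated with this item.

    All items in the institutional repository are protected by the original copyright.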
