eBaoTech Corporation
Information Security Management Manual ISO/IEC 27001:2013
eBaoTech-ISMS-01-001
<Confidential> eBaoTech Corporation
Copyright and Confidentiality Notice
© Copyright eBaoTech Corporation
All rights reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner.
The information contained in this document is strictly confidential and must not be disclosed to any other person by the client or by any of its employees without the prior written consent of the copyright owner.
The client is permitted to disclose the information only to those of its employees and/or professional advisors who need to have access to it, and the client shall notify such employees and/or professional advisors of the terms of this notice.
For any questions or remarks on this document, please contact eBaoTech Corporation at +86 (21) 61407777.
Contents
1. General ... 1
1.1. Manual Promulgation Decree ... 1
1.2. Letter of Authorization ... 1
1.3. Purpose ... 2
1.4. Statement of Applicability ... 2
2. Normative References ... 2
3. Terms and Definitions ... 3
4. Organization Environment ... 3
4.1. Organization Status Quo and Background ... 3
4.1.1 External Context ... 3
4.1.2 Internal Context ... 3
4.2. Needs and Expectations of Relevant Parties ... 4
4.3. Scope of Information Security Management System ... 4
4.4. Information Security Management System ... 5
5. Leadership ... 6
5.1. Leadership and Commitments ... 6
5.2. Information Security Policy ... 7
5.3. Organizational Roles, Responsibilities and Authorities ... 7
6. Planning ... 7
6.1. Measures of Addressing Risks and Opportunities ... 7
6.1.1 General ... 7
6.1.2 Information Security Risk Evaluation ... 8
6.1.3 Information Security Risk Treatment ... 8
6.2. Information Security Goal and Implementation Plan ... 9
7. Support ... 9
7.1. Resources ... 9
7.2. Competence ... 10
7.3. Awareness ... 10
7.4. Communication ... 10
7.5. Documented Information ... 11
7.5.1 General ... 11
7.5.2 Setting up and Update ... 12
7.5.3 Control of Documented Information ... 12
8. Operation ... 13
8.1. Operation Planning and Control ... 13
8.2. Information Security Risk Assessment and Treatment ... 13
9. Performance Evaluation ... 13
9.1. Monitoring, Measurement, Analysis and Evaluation ... 13
9.2. Internal Audit ... 14
9.2.1 Management Review ... 14
10. Improvement ... 15
10.1. Non-conformance and Corrective Measures ... 15
10.2. Continual Improvement ... 15
Appendix I. Information Security Management Committee Organizational Framework Chart ... 16
Appendix II. Company Organizational Structure Chart ... 17
1. General
1.1. Manual Promulgation Decree
eBaoTech Corporation (hereinafter referred to as "the Company") has implemented the requirements of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements, established a documented information security management system and developed this "Information Security Management Manual" (hereinafter referred to as "the Manual") in order to improve the management of the Company's information security, to ensure the orderly conduct of production, operation, service and normal managerial activities, and to avoid business interruption or loss caused by information system failure, data loss or leakage of sensitive information.
The Manual is the guiding document for information security management in the Company. It guides the Company in establishing and implementing the policies and codes of conduct of the system so that the system operates effectively and is continually improved.
All employees shall strictly follow the Manual and carry out their work as it requires in order to achieve the Company's information security management goals.
All provisions of the Manual come into force and shall be executed upon promulgation.
1.2. Letter of Authorization
The Company hereby appoints Li Yuanhang as management representative for the Company's Information Security Management System, to supervise the full implementation of the provisions of the system and its conformity to the requirements of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements, and to strengthen leadership in the establishment and continual operation of the information security management system.
The responsibilities and authority of the management representative for the Company's Information Security Management System are as follows:
a) Approve the release of information security management system documents and set the objectives for building the information security management system;
b) Ensure that the resources needed for the establishment and improvement of the information security management system are obtained and effectively allocated;
c) Manage the Company's risk assessment and internal audit; examine and approve the Company's risk assessment report, risk treatment plan and internal audit report;
d) Assist top management in hosting the management review meeting on the information security management system, and ensure the suitability, adequacy and effectiveness of the system;
e) Report to top management on the performance of the system and on the need for improvement.
This letter of authorization comes into force and shall be executed as of the date of appointment.
Manager:
______ (Year) _____ (Month) _____ (Day)
1.3. Purpose
The Manual provides guidance for building and operating the Company's information security management system and ensures its conformity to the requirements of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements. Its ultimate objective is to protect the Company's information assets, guarantee the continuity of its various businesses and ensure that the goals set for the system are achieved.
1.4. Statement of Applicability
For details of how the clauses of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements apply to the Company's information security management system, see the "Statement of Applicability (SOA)".
2. Normative References
The provisions of the Manual are based on the following documents. For details see the "Management on the Compliance with Legal and Legislative Requirements". For dated references, later revisions do not apply to the Manual, but the system management group shall study whether the latest versions of such references are applicable. For undated references, the latest version applies to the Manual.
a) Laws and Regulations: the relevant laws and regulations issued by the state that constrain and guide the Company.
b) International Practices: the international common practices that constrain and guide the Company and that it must conform to in operating its business and establishing information security.
c) Standards:
GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements;
GB/T22081-2016/ISO/IEC 27002:2013 Information Technology-Security Techniques-Code of Practice for Information Security Controls.
3. Terms and Definitions
The terms and definitions in GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements and GB/T22081-2016/ISO/IEC 27002:2013 Information Technology-Security Techniques-Code of Practice for Information Security Controls apply to the Manual.
4. Organization Environment
4.1. Organization Status Quo and Background
4.1.1 External Context
The Company fully understood its external context before setting up the information security management system. The following aspects of the external context can have a great impact on the Company's business:
a) The political, legal and regulatory, financial, information technology and competitive environment;
b) The laws and regulations of different countries, and restrictions on data transfer;
c) The security needs of external stakeholders.
4.1.2 Internal Context
[Note: The introduction to the Company in the original manual]
The Company also fully understood its internal context before setting up the information security management system, which mainly includes:
a) Company Profile
eBaoTech was founded in 2000 and has nearly a thousand employees dedicated to developing core software systems for insurance products and providing implementation and maintenance services for such systems to clients.
eBaoTech is committed to the innovation and improvement of its products through continual investment in research.
eBaoTech has set up localized teams in its branches in over 10 countries.
With over 100 live projects in nearly 30 countries, eBaoTech delivers its services across Asia-Pacific, Europe, the Middle East, Africa and the Americas.
b) Resource Provision
The Company has set up an Information Security Management Committee to formulate, release and implement the information security management system, and engages professional advisors who provide information security training and consultation to improve its information security management. Top management attaches great importance to the Company's information security and provides sufficient resources to meet its information security needs.
c) Our Vision and Mission
eBaoTech aims to make insurance easy by making it faster, better and more economical, thereby benefiting every part of the insurance ecosystem, including consumers, brokers, insurance companies, service providers and regulatory authorities. Digital transformation is the main theme of the insurance industry in the coming years. As a leader in the insurance technology field, eBaoTech is committed to promoting the smooth development of the global insurance industry in a digitalized ecosystem. eBaoTech's belief is to realize rapid customer success (RCS) by focusing on delivering the commercial value of its products to customers quickly. Thanks to our creativity, quality and excellent employees, we are now the leading insurance technology company, with over 150 live projects in more than 35 countries.
4.2. Needs and Expectations of Relevant Parties
When deciding the provisions of the information security management system, the Information Security Management Committee shall take the needs and expectations of relevant parties into consideration. The relevant parties include, but are not limited to, Company leaders, internal staff, clients, regulatory authorities and service providers.
The relevant parties mentioned above and the related laws and regulations shall be taken into consideration when implementing the provisions of the system. For details see the "Management on the Compliance with Legal and Legislative Requirements".
4.3. Scope of Information Security Management System
The provisions of the system in this Manual apply to the research, development and implementation of application software and to the related information security management activities.
The Company's information security management system covers the research, development and implementation of application software; the management of the information technology processing facilities used to provide services; the development, acquisition and operational maintenance of information technology systems; personnel information security; data security; and other information security management activities.
4.4. Information Security Management System
In accordance with the requirements of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements and taking account of the characteristics of the industry, the Company, based on its business needs, follows a risk management philosophy and pays attention to process management. It establishes and implements the provisions of the information security management system, keeps the resources, technology, management and other elements related to information security under control, documents them, and implements, maintains and continually improves them. It also takes effective measures against security incidents and deliberate destructive acts, so as to ensure the confidentiality, integrity and availability of Company information and the continuity of its business.
The Company applies the process approach, managing the resources and activities related to information security as processes, together with the PDCA (Plan-Do-Check-Act) cycle for continual improvement of the system, in establishing and implementing the information security management system. The process approach comprises:
a) Identify and define the strategy, objectives, processes and applications related to the Company's information security management system, and improve information security to achieve the expected results;
b) Determine the sequence and interaction of the processes identified above on the basis of the "process model";
c) Develop each process fully, define the information security control points and produce the information security management system documents;
d) Allocate appropriate resources and provide the support and information necessary for effective operation of the processes; continually measure, monitor and analyze the processes and make the improvements needed.
5. Leadership
5.1. Leadership and Commitments
The Company is committed to the establishment, implementation, monitoring, maintenance and continual improvement of its information security management system. Specifically, it shall:
a) Set information security management objectives that define the aims and direction of its information security management;
b) Communicate continually with clients and relevant parties to reach agreement on the Company's information security management objectives, and develop and keep improving the plans for achieving those objectives;
c) Establish the information security management framework and ensure that client needs are correctly and clearly understood, so as to meet client expectations effectively and improve client satisfaction;
d) Set up the Information Security Management Committee and specify the responsibilities of each member; carry out the building of the system and establish the related arrangements for supervising its operation and monitoring its quality;
e) Establish and maintain the administrative methods, management system and enforcement regulations for information security management according to the Company's specific conditions, and specify the roles and responsibilities of each department and employee;
f) Ensure that the resources needed for the establishment and improvement of the information security management system are obtained and effectively allocated;
g) Carry out management reviews to ensure the continuing suitability, adequacy, completeness and effectiveness of the information security management system. For details see the "Management Review Control Process".
5.2. Information Security Policy
The information security policy is: prevention first, classified protection, decentralization of responsibility and continual improvement.
a) Prevention first: prevention is the guiding theme of information security protection. The Company shall take active precautions, establish systems for preventing information security and operational risks, raise staff security awareness, improve emergency response mechanisms and strengthen internal security inspections, so that potential risks are effectively prevented;
b) Classified protection: rank information assets according to their importance and apply protective measures appropriate to each asset's ranking, so that eBaoTech's information assets receive appropriate protection;
c) Decentralization of responsibility: set up a hierarchical information security organization so that responsibility is delegated and implemented at each level;
d) Continual improvement: continually improve information security management according to the PDCA model so that the Company's information assets remain comprehensively protected as conditions change.
5.3. Organizational Roles, Responsibilities and Authorities
The general manager of eBaoTech is the top manager for information security management and appoints the management representative. For the roles and responsibilities of the management representative, see "1.2 Letter of Authorization". The top manager also determines the other roles and responsibilities for information security management; see "3 Roles and Responsibilities" in the "Information Security Policy".
6. Planning
6.1. Measures of Addressing Risks and Opportunities
6.1.1 General
To ensure that the management system can achieve its intended outcomes, to prevent or reduce undesired effects and to achieve continual improvement, the Company has planned activities for addressing risks and opportunities and has incorporated these activities into the information security management system during the planning phase.
The Company takes the internal and external context into consideration during planning and evaluates the effectiveness of these activities on a regular basis while operating the system.
6.1.2 Information Security Risk Evaluation
The Information Security Management Committee is responsible for formulating the "Risk Assessment Management Policy"; for establishing the risk assessment method for the information security of the management system and of the identified business activities, covering the identification, analysis and evaluation of risks as required by laws and regulations; and for establishing the criteria for accepting risks and determining the acceptable level of risk.
6.1.3 Information Security Risk Treatment
The Information Security Management Committee is responsible for organizing the relevant departments to compile risk treatment plans based on the risk assessment results. Each plan specifies the department responsible for the treatment, the persons in charge, the treatment method and the start and end dates.
The balance between the cost of controls and the risk they reduce shall be taken into consideration when treating information security risks. The treatment options that may be adopted are:
a) Reduce the risk by applying appropriate internal controls;
b) Accept the risk (zero risk is impossible);
c) Avoid the risk (for example, by physical isolation);
d) Transfer the risk (to an insurer, supplier, subcontractor, etc.).
The Information Security Management Committee shall organize the relevant departments to set the control objectives and allocate them to each department based on the management policy, business development requirements and risk assessment results:
a) The control objectives shall be approved by the top manager for information security;
b) Control objectives and controls are selected from the main body and Annex A of ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements.
Other controls may be adopted if needed for the management of the Company.
The residual risk remaining after treatment shall be approved by the risk owner.
6.2. Information Security Goal and Implementation Plan
The general goals of the Company's information security management are:
a) No more than 1 information security incident per year;
b) No more than 1 client complaint concerning information security;
c) All employees sign a confidentiality agreement;
d) The pass rate for Company staff training on information security is no less than 95%;
e) The proportion of employees who violate the information security policy is below 1% of the total headcount;
f) The confidentiality, integrity and availability of the Company's information assets are assured;
g) The establishment and operation of the Company's information security management system comply with the relevant national laws and regulations, and with the mandatory provisions, rules, conventions, principles and agreements of the relevant regulatory bodies and competent authorities.
To achieve the above goals, the Company shall draw up a plan for achieving them at the beginning of every year, as required by the system.
7. Support
7.1. Resources
The management representative shall ensure the provision and reasonable allocation of the resources needed, and the competence and skills of the relevant personnel, so as to guarantee the establishment, implementation, operation, monitoring, auditing and maintenance of the information security management system. The requirements are as follows:
a) Organization
The Company shall establish a hierarchical Information Security Management Committee and the policy for managing the related documents, and shall designate the personnel responsible for managing the Company's information security, so that the information security management system operates effectively. For the organizational framework of the Company's Information Security Management Committee, see "Appendix I. Information Security Management Committee Organizational Framework Chart".
b) Roles and Responsibilities
The Company shall ensure that information security roles, responsibilities and privileges are effectively defined and classified, so that the Company's information security management system operates effectively.
c) Training, Awareness and Competence
The Company shall ensure the competence of the personnel working on information security management, provide the necessary education and training, evaluate the effectiveness of the measures adopted, and ensure that employees are aware of the importance of the activities they are engaged in and of the measures they need to take to achieve the information security management goals.
To ensure the competence of the relevant personnel, the Company needs to:
a) Verify, through internal audit, that the personnel working on the information security management system have the necessary competence;
b) Provide the vocational education, skill training and other services needed to meet these requirements;
c) Evaluate the effectiveness of the measures adopted;
d) Keep records of staff education, training, skills, experience and qualifications.
7.2. Competence
The human resources management department shall establish and implement the "Human Resources Control Process" and ensure the competence of all personnel assigned information security management tasks. To achieve this, the following measures may be adopted:
a) Ensure that personnel are suitable for the jobs they are assigned within the information security management system;
b) Provide the vocational education, skill training and other services needed to meet these requirements;
c) Evaluate the effectiveness of the measures adopted;
d) Keep records of staff education, training, skills, experience and qualifications.
7.3. Awareness
The Company shall ensure that staff understand the information security policy and are aware of the relevance and importance of the information security activities they are engaged in, of the consequences of not conforming to the system requirements, and of the measures they need to take to contribute to achieving the system goals.
7.4. Communication
Each department shall set a plan for communication related to the information security management system, which includes but is not limited to:
a) What to communicate;
b) When to communicate;
c) Who participates in the communication;
d) Whom to communicate with;
e) Effective methods of communication.
Records of the communication shall be kept for later checking.
7.5. Documented Information
7.5.1 General
The Company's information security management system documents include:
a) The management manual required by GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements;
b) The procedure documents and operating instructions required by GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements, i.e. the management methods for the various processes, management provisions, implementation rules, etc.;
c) The various records and logs required by GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements;
d) Other documents required by the information security management system.
The Company's information security management system documents are organized in four levels: the information security management manual; management methods/procedure documents; management provisions/implementation rules/operation guidelines; and records/logs, as shown below:
(Diagram 1: information security system document framework)
First Level Documents: Management Manual
Second Level Documents: Management Methods
Third Level Documents: Management Provisions, Implementation Rules, Operation Guidelines
Fourth Level Documents: Records and Logs
The focus of the documents at each level is as follows:
a) First level documents: the strategic document of the system, i.e. the information security management manual;
b) Second level documents: the standard documents for each control domain required by GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements;
c) Third level documents: the provisions on specific information security issues, which set out the controls for specific information security risk points and the security management requirements of specific business activities;
d) Fourth level documents: the various records and reports produced by operation of the information security system, which demonstrate in a specific manner that each business activity is carried out effectively as required by the documents.
7.5.2 Setting up and Update
When setting up and updating documented information, the Company shall identify and describe the position, date, and author of the documents in accordance with the “Document Control Process” and “Records Control Process”. The documents shall be unified in form and shall be reviewed and approved.
7.5.3 Control of Documented Information
The Company shall take full control of the documents relevant to the information security management system to meet the requirements of GB/T22080-2016/ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements. These requirements include:
a) Ensure effective control of the editing, review, approval, distribution, implementation, revision, and disposal of documents;
b) Ensure that documents are clear and distinguishable and that edition labels are clear enough for recognition and retrieval;
c) Ensure access to the appropriate documents of the latest and effective edition;
d) Ensure that external documents are identified and that the distribution of documents is under control;
e) Apply corresponding controls to different media and different types of documents;
f) Prevent unauthorized use of invalid documents. Specific labels are needed when invalid documents are retained.
The Company shall make stipulations on the editing, revision, review, distribution and storage of information security management system documents, and shall require that the latest system documents be obtained from the specified departments. For the related control requirements see “Document Control Process” and “Records Control Process”.
To provide evidence of compliance with the information security management system requirements, to show the effective operation of the system, and to guarantee the traceability of the management process, the Company shall establish and implement relevant provisions to ensure the completeness, easy identification and retrieval of relevant records by stipulating the identification, collection, archiving, storage, borrowing, disposal and checking of information security management records.
A corresponding information records control list shall be set up, specifying the department in charge, the storage period and the archiving requirements. For the relevant control requirements see “Records Control Process”.
8. Operation
8.1. Operation Planning and Control
The Information Security Management Committee is responsible for writing all documents that meet the GB/T22080-2016/ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements standard and the system goals, and for implementing them within the organization. To realize the measures specified in 6.1, the Information Security Management Committee shall make the plan and implement the measures according to the plan within the organization.
8.2. Information Security Risk Assessment and Treatment
The Information Security Management Committee is the centralized management department for risk assessment and treatment. It carries out risk assessment and treatment based on the “Risk Assessment Control Process” in combination with the Company's own characteristics.
The Company shall produce documented information on the risk assessment and treatment so as to retain the results of the risk assessment.
9. Performance evaluation
9.1. Monitoring, Measurement, Analysis and Evaluation
The Information Security Management Committee is responsible for the centralized management of the monitoring and measurement of the Company's information security, detecting problems in the system in a timely manner and adopting effective solutions by establishing effective mechanisms for improvement based on the ISO 27001:2013 requirements. The Company monitors, measures, analyzes and evaluates its information security through 3 control processes and 2 management policies:
a) “Risk Assessment Control Process” stipulates the planned time interval for risk assessment;
b) “Internal Audit Control Process” stipulates the internal audit of information security within the planned time interval;
c) “Management Review Control Process” stipulates the management review of information security within the planned time interval;
d) “Information Security Incident Management Policy” stipulates the procedure for handling the Company's information security incidents;
e) “System Effectiveness Measurement Management Policy” stipulates the contents and basis, check methods, periods, and procedures of the information security check.
9.2. Internal Audit
The Company stipulates the principles, frequency and implementation procedures for the internal audit of the information security management system, with the aim of discovering problems that might arise in the conformity or validity of the system, adopting remedial actions in a timely manner, and maintaining the applicability, comprehensiveness, completeness and effectiveness of the Company's information security management system.
Internal audit applies to all activities related to information security within the Company. For details see “Internal Audit Control Process”.
9.2.1 Management Review
The Company's general manager shall host the management review meeting every year (at intervals not exceeding 12 months) to evaluate the applicability, sufficiency and effectiveness of the information security management system. The organization and implementation of the specific activities are based on the terms of the “Management Review Control Process”.
The documents needed for the management review shall be prepared and provided by each department and include, but are not limited to: the internal audit report; corrective and preventive measure demands and the implementation report; the business analysis report; the implementation status of the agreements of the last management review; the information security management policy; and the need to revise the goals.
The participants of the management review meeting include the Company's top management and the principal person in charge of each department.
The results of the meeting, which shall be issued as resolutions, minutes of meeting or in other appropriate forms, shall be learned and implemented by each department in a timely manner.
The relevant records of the management review activities shall be kept by the principal
persons in charge.
10. Improvement
10.1. Non-conformities and Corrective Measures
Correction and prevention apply to non-conformities and potential non-conformities in the Company's information security management activities. Corrective and preventive measures shall be established and implemented to prevent the recurrence of existing non-conformities and the occurrence of potential non-conformities, so as to continually improve the information security management system in an effective manner. For details see “Corrective and Preventive Control Process”.
10.2. Continual Improvement
Input for the continual improvement of the system is provided by analyzing the results of internal audits and other monitoring activities and by collecting internal and external information related to information security management.
By means of management review, the Company identifies the improvement needs of the management system and the reasons for deviating from the information security goals or for the inadequate capability of the existing system to fit its environment, sets up specific measures for improvement, searches for opportunities for improvement, and specifies the improvement plan in detail.
The improvement measures shall be implemented and their results verified. Records of the implementation process and results shall be kept.
Appendix I. Information Security Management
Committee Organizational Framework Chart
(Chart: Information Security Management Committee (decision) - Information Security Management Group (monitoring) - Each Department / Information Security Officer (implementation) - All Staff.)
Appendix II. Company Organizational Structure Chart