Trends in Sector-specific Information Security Management System Certification

  • Published: 2016.08.31


This June, as the outcome of roughly four years of standardization work, ISO/IEC 27009 "Sector-specific application of ISO/IEC 27001 - Requirements" was published as an international standard. The standard defines the requirements that must be satisfied when ISO/IEC 27001 is applied to a particular sector, and its purpose is to lay the groundwork for international mutual recognition of sector-specific information security management system certification schemes. This paper introduces the background to the standard's development, its content and significance, and the current state of related activity, and proposes how Korean information security management system experts should respond.



  1. ISO/IEC 27018:2014, Information security - Security techniques - Information security management systems - Code of practice for information security controls based on ISO/IEC 27002 for protection of personally identifiable information (PII) in public clouds acting as PII processors, ISO, 2014.
  2. ISO/IEC 27017:2015, Information security - Security techniques - Information security management systems - Code of practice for information security controls based on ISO/IEC 27002 for cloud services, ISO, 2015.
  3. ITU-T X.1051 | ISO/IEC 27011:2016, Information security - Security techniques - Information security management systems - Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations, ISO, 2016.
  4. ISO/IEC TR 27019:2013, Information security - Security techniques - Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry, ISO, 2013.
  5. ISO/IEC DIS 29151, Information security - Security techniques - Information security management systems - Code of practice for personally identifiable information protection, ISO, 2016.
  6. ISO/IEC 27002:2013, Information security - Security techniques - Information security management systems - Code of practice for information security controls, ISO, 2013.
  7. ISO/IEC 27009:2016, Information security - Security techniques - Sector-specific application of ISO/IEC 27001 - Requirements, ISO, 2016.
  8. ISO/IEC 27001:2013, Information security - Security techniques - Information security management systems - Requirements, ISO, 2013.
  9. ISO/IEC 27000:2016, Information security - Security techniques - Information security management systems - Overview and vocabulary, ISO, 2016.
  10. ISO/IEC 27799:2016, Health informatics - Information security management in health using ISO/IEC 27002, ISO, 2016.
  11. CSA Security, Trust & Assurance Registry (STAR), Cloud Security Alliance, https://cloudsecurityalliance.org/star/
  12. Terms of reference for the study period on the development of use case examples for the application of ISO/IEC 27009, ISO, 2015.
  13. Results of the expert CfC for the SP on the Development of Use Case Examples for the Application of ISO/IEC 27009, ISO, 2016.
  14. Briefing materials on the ISMS cloud security certification (Japanese), JIPDEC, http://www.isms.jipdec.or.jp/seminar/cloud/shiryou20160426.html
  15. "KISA to evaluate and certify the information security level of cloud services" (Korean), press release, KISA, 2016.
  16. ISO/IEC DIS 29134, Information technology - Security techniques - Privacy impact assessment - Guidelines, ISO, 2016.