ISO 27001

🔥 Vibe Prompt

"Implement ISO 27001 ISMS: scope definition, risk assessment, SoA, internal audit."

ISO 27001 Clauses

| Clause | Title | Description |
|--------|-------|-------------|
| 4      | Context | Internal/external issues, interested parties, scope |
| 5      | Leadership | Top management commitment, policy, roles |
| 6      | Planning | Risk assessment, risk treatment, SoA, objectives |
| 7      | Support | Resources, competence, awareness, communication |
| 8      | Operation | Risk treatment plan, change management |
| 9      | Evaluation | Monitoring, internal audit, management review |
| 10     | Improvement | Nonconformity, corrective action, continual improvement |

ISMS Scope Example

```markdown
# ISMS Scope

## Organization:
MyApp Inc. - SaaS platform for project management

## In-Scope:
- Cloud infrastructure (AWS us-west-2)
- Web application (app.myapp.com)
- Mobile apps (iOS, Android)
- Engineering team (25 people)

## Out-of-Scope:
- Corporate finance system (QuickBooks)
- HR system (BambooHR) - partially (SSO only)
- Physical office (leased, landlord managed)

## Justification:
Our main service is SaaS. Customer data security is our top priority.
Corporate systems are out of scope as they don't process customer data.
```

Risk Assessment Template

| ID | Risk | Likelihood | Impact | Score | Owner | Treatment |
|----|------|-----------|--------|-------|-------|-----------|
| R01 | Data breach | 2 (Low) | 4 (Critical) | 8 | CISO | Encryption, WAF, IDS |
| R02 | Service outage | 3 (Med) | 3 (High) | 9 | VP Eng | HA, multi-AZ, backup |
| R03 | Insider threat | 2 (Low) | 3 (High) | 6 | HR | Access review, logging |
| R04 | Compliance fail | 2 (Low) | 4 (Critical) | 8 | Legal | Automated compliance |
| R05 | Vendor lock-in | 3 (Med) | 2 (Med) | 6 | CTO | Multi-cloud strategy |

Statement of Applicability (SoA)

The table below uses the ISO 27001:2013 Annex A numbering (A.5 to A.18); the 2022 revision regroups the controls into four themes (organizational, people, physical, technological), so re-map the rows when certifying against the newer edition.

| Annex A Control | Applicable | Rationale |
|----------------|------------|-----------|
| A.5 - Security Policy | Yes | Required for governance |
| A.6 - Organization | Yes | Clear roles and responsibilities |
| A.7 - HR Security | Yes | Background checks, training |
| A.8 - Asset Management | Yes | Inventory, classification |
| A.9 - Access Control | Yes | RBAC, MFA, review |
| A.10 - Cryptography | Yes | Encryption at rest + transit |
| A.11 - Physical Security | No | Cloud infra (AWS responsible) |
| A.12 - Operations Security | Yes | Change mgmt, backup, monitoring |
| A.13 - Communications | Yes | Network security, firewall |
| A.14 - System Acquisition | Yes | SDLC, security requirements |
| A.15 - Supplier Relations | Yes | Vendor assessment, DPA |
| A.16 - Incident Management | Yes | Response plan, testing |
| A.17 - Business Continuity | Yes | DR plan, backup |
| A.18 - Compliance | Yes | Legal, regulatory requirements |

Internal Audit Checklist

```markdown
# Internal Audit - Access Control (A.9)

## Checklist
- [ ] 9.1.1 - Access control policy documented and approved?
- [ ] 9.1.2 - Network access restricted per policy?
- [ ] 9.2.1 - User registration and de-registration process?
- [ ] 9.2.2 - Privilege allocation approved by manager?
- [ ] 9.2.3 - Privilege review every 90 days?
- [ ] 9.2.4 - Removal of access upon termination?
- [ ] 9.3.1 - Password policy enforced?
- [ ] 9.3.1 - MFA implemented for privileged users?
- [ ] 9.4.1 - Session timeout after 15 minutes idle?
- [ ] 9.4.2 - Information access restriction per classification?

## Sample Evidence
- Screenshot of IAM user list (active vs disabled)
- Password policy config (min 12 chars, special chars)
- MFA enforcement config
- Session timeout config (15 min)
- Last access review date and findings
```
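Automating the evidence checks for this checklist, as an added example that is not part of the original page: it evaluates a constructed IAM export and auth-policy snapshot against the thresholds the checklist states (90-day review, 15-minute idle timeout, 12-character minimum) and reports findings keyed by checklist item. The export format, field names and the `LEAVERS` list are assumptions, not any real IdP's schema.

```python
from datetime import date

# Constructed sample evidence (not real data), in a hypothetical JSON-like
# shape: an IAM user export, the tenant's auth policy and the HR leavers list.
IAM_USERS = [
    {"name": "alice", "privileged": True, "mfa": True, "enabled": True, "last_login": "2024-05-20"},
    {"name": "bob", "privileged": True, "mfa": False, "enabled": True, "last_login": "2024-05-18"},
    {"name": "carol", "privileged": False, "mfa": True, "enabled": True, "last_login": "2024-01-02"},
    {"name": "dave", "privileged": False, "mfa": False, "enabled": False, "last_login": "2023-11-30"},
]
AUTH_POLICY = {
    "password_min_length": 10,           # checklist expects 12
    "session_idle_timeout_minutes": 30,  # checklist expects 15
    "last_access_review": "2024-01-15",  # checklist expects a review every 90 days
}
LEAVERS = {"carol", "dave"}   # terminated staff per HR (constructed)
AUDIT_DATE = date(2024, 6, 1)

def days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days

def audit_access_control(users, policy, leavers, today,
                         review_days=90, idle_max=15, min_len=12, dormant_days=90):
    """Evaluate the automatable A.9 items; returns (checklist_id, finding) tuples.
    Empty list means all pass. Disabled accounts are skipped: de-provisioned is
    the expected end state for leavers and dormant users."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue
        if u["privileged"] and not u["mfa"]:
            findings.append(("9.3.1", f"privileged user {u['name']} has no MFA"))
        if u["name"] in leavers:
            findings.append(("9.2.4", f"terminated user {u['name']} still enabled"))
        if days_since(u["last_login"], today) > dormant_days:
            findings.append(("9.2.1", f"dormant user {u['name']} still enabled"))
    if days_since(policy["last_access_review"], today) > review_days:
        findings.append(("9.2.3", "last access review older than review interval"))
    if policy["password_min_length"] < min_len:
        findings.append(("9.3.1", f"password min length {policy['password_min_length']} < {min_len}"))
    if policy["session_idle_timeout_minutes"] > idle_max:
        findings.append(("9.4.1", f"idle timeout {policy['session_idle_timeout_minutes']} min > {idle_max}"))
    return findings

def run_sample():
    """Run the checks over the constructed evidence as of AUDIT_DATE."""
    return audit_access_control(IAM_USERS, AUTH_POLICY, LEAVERS, AUDIT_DATE)
```

Each tuple returned is one nonconformity to record against the matching checklist line; an empty list is the evidence that the automated items passed on that date.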

ISO 27001 Certification Process

```text
Month 1-2:  Gap analysis & scope definition
Month 3-4:  Risk assessment & SoA
Month 5-6:  Policy & control implementation
Month 7-8:  Awareness training & documentation
Month 9:    Internal audit & management review
Month 10:   Corrective actions
Month 11:   Stage 1 audit (documentation review)
Month 12:   Stage 2 audit (implementation audit)
→ Certificate valid for 3 years (surveillance audits annually)
```

PDCA Cycle

```text
Plan:   Establish ISMS (scope, policy, risk assessment)
Do:     Implement controls (policies, training, technology)
Check:  Monitor, measure, audit (internal audit, metrics)
Act:    Corrective actions, continual improvement
```

Best Practices

  • Start with a clear scope (don't try to cover everything)
  • Use a risk assessment tool (vs manual spreadsheets)
  • Get buy-in from top management (Clause 5)
  • Write policies that are actually followed
  • Internal audit before certification audit
  • Use PDCA: Plan → Do → Check → Act
  • Automate evidence collection where possible

Why learn ISO 27001 certification?

ISO 27001 certification is one of the core chapters of the security-compliance course.

In the real world

ISO 27001 certification is not textbook theory: it comes up frequently in real software development. Whether you are freelancing, preparing for interviews, or looking to deepen your technical skills, understanding this topic benefits you directly.

What you will get from this chapter

  • 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
  • 💻 Runnable code: every code snippet is complete and can be run directly
  • 🔍 Debugging tips: analysis of common mistakes and their solutions
  • 🚀 Next steps: which direction to go deeper after finishing this chapter

Bridging to the next chapter

This chapter has built a complete knowledge foundation for ISO 27001 certification. The next chapter builds on it and takes you into more advanced real-world application scenarios, where you will learn how to apply what you learned here to more complex problems.

Unlock the full tutorial content

This chapter is paid content. Join the project to unlock more than 5,000 words of in-depth analysis, including 10+ top-tier prompts and real source-code examples!