This part of GB/T 20274 establishes the framework for information system security management assurance, together with the guidelines and general principles for an organization when starting, implementing, maintaining, evaluating and improving its information security management. It defines and explains the security management capability levels that reflect an organization's information security management assurance capability in its security management assurance work, and it specifies the security management assurance control class requirements covering the contents of the organization's information security management assurance.
This part is applicable to all users, developers and evaluation personnel of an organization who are involved in information system security management.
2 Normative References
The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated references, subsequent amendments to (excluding any corrigendum), or revisions of, any of these publications do not apply. However, parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. For undated references, the latest edition of the document referred to applies.
GB/T 20274.1 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1: Introduction and General Model
3 Terms and Definitions
For the purposes of this part of GB/T 20274, the terms and definitions specified in GB/T 20274.1 and the following ones apply.
3.1
Control
Controls are the means of managing risk, including policies, procedures, guidelines, practices or organizational structures; a control may be a management, technical or engineering control.
Note 1: "control" is synonymous with "control measures" and "protective measures".
Note 2: this part mainly discusses controls that are management methods for managing risk, i.e. management controls.
3.2
Information processing facility
An information processing facility is any service or infrastructure used to process information, or the physical location that houses it.
4 Structure of This Part
The organization structure of this part of GB/T 20274 is as follows:
a) Chapter 1 introduces the scope of this part;
b) Chapter 2 introduces the normative references of this part;
c) Chapter 3 describes the terms and definitions applicable to this part;
d) Chapter 4 describes the organization structure of this part;
e) Chapter 5 describes the framework for information system security management assurance and further summarizes the control classes and capability levels of management assurance.