With the arrival of the information age, cyberspace has become the fifth strategic domain, after land, sea, air and outer space, and the arena of yet another round of international competition. While people enjoy the enormous benefits that information and information systems bring, they also face the challenge of information security. Establishing an Information Security Management System (ISMS) in accordance with standards has become one of our country's national information security policies, and it is widely agreed that risk management is the core task in establishing an ISMS. However, among the agencies and organizations that have already passed ISMS certification, it remains the norm that the ISMS policy lacks any integrating thread connecting it to the organization's strategic risk management. On this basis, this paper examines what an ISMS policy ought to be, uses a case study to show how the ISMS policy bears on establishing an ISMS, and provides a framework and methods for integrating the ISMS with information security governance.