
By Mohammed AlSubayt

ISO 27001 Lead Implementer


Summary
LinkedIn: Mohammed AlSubayt

An Information Security Management System (ISMS) is a fundamental part of the ISO 27001 standard. It is designed to protect an organization's sensitive and valuable information from potential threats and to keep it secure. An ISMS helps organizations manage their information security through structured, standardized processes.

What is an Information Security Management System (ISMS)?

• Overview:

An ISMS is a framework of policies and procedures that any type of organization needs in order to protect and manage its information assets. It covers the legal, physical and technical aspects of the organization's information security processes.

• Purpose of an ISMS:

The primary purpose of an ISMS is to protect data and information and to preserve their integrity against damage, loss, unauthorized modification and unauthorized access, whether caused by accident or by malicious activity.

• Core elements of an ISMS:

1. Risk assessment and management:

Risks to information must be identified and managed effectively. This includes identifying the risks, assessing their severity, and implementing appropriate controls to reduce or eliminate them.

2. Policies and procedures:

Information security policies and procedures must be established to direct and monitor security-related activities within the organization.

3. Training and awareness:

Employees must be trained and made aware of the importance of information security and of the procedures they must follow to protect information.

4. Review and monitoring:

The system must be monitored and reviewed regularly to confirm it remains effective and to update it as risks or business processes change.

• Example of applying an ISMS:

A technology company implements an ISMS to protect sensitive customer data. The process starts by identifying and classifying the data and assets, then assessing the potential risks and developing controls to protect those assets, such as encrypting data and restricting access based on roles. The system is continuously monitored and updated to address new threats and to maintain compliance with industry regulations.

An ISMS is a vital part of managing a modern organization: it helps strike the balance between enabling the use of information and protecting it from harm.

• Definition of an Information Security Management System (ISMS):

An ISMS is part of the organization's overall processes. It is based on a risk-assessment approach and is designed to ensure that appropriate and sufficient security controls are selected to protect the organization's information from threats and to keep it available when needed. The ISMS must be able to adapt to changes in the security environment, in threats, and in business and regulatory requirements.

• Core principles of information security in ISO 27001:

Confidentiality:

The aim of confidentiality is to ensure that information is not made available or disclosed to unauthorized individuals, entities or processes.
Example: using encryption to protect sensitive customer data from unauthorized access.

Integrity:

The aim of integrity is to preserve the accuracy and completeness of information and of the methods used to process it.
Example: applying controls such as strict access control and data validation techniques to prevent unauthorized modification of information.

Availability:

The aim of availability is to ensure that information is accessible and usable by authorized individuals when needed.
Example: using backup and recovery solutions so that data remains available after incidents such as cyberattacks or natural disasters.

[Figure: the CIA triad (Confidentiality, Integrity, Availability)]

• Applying the process approach (Plan-Do-Check-Act):

- Plan: define the objectives and the processes needed to deliver results in line with the ISMS policy and the organization's objectives.
- Do: carry out the processes as planned.
- Check: monitor and measure the processes against the ISMS policy, the objectives and the legal and regulatory requirements, and report the results.
- Act: take actions to continually improve the performance of the ISMS.

• Worked example:

Suppose a company needs to strengthen its data protection processes. Under the process approach, the company would:

- Plan: decide what data protection must achieve, set clear objectives, and plan the processes, which include data encryption, access control and regular audits.
- Do: implement those processes, making sure all employees are trained on the importance of data protection and know how to handle sensitive information safely.
- Check: regularly review access logs, audit results and incident reports to measure how effective the data protection processes are.
- Act: based on the findings, make adjustments such as tightening access control procedures, updating encryption methods, or running additional training sessions to address any weakness identified.

• Summary of launching an ISMS under ISO 27001:

1. Define the context and scope:

• Context: the implementers must understand the internal and external factors that can affect the ISMS. This includes analysing the legal, market, technical and social environment in which the organization operates.

• Scope: defining the ISMS scope clearly ensures that every area and asset that needs protection is covered. The scope must be defined in a way that lets the organization manage information security effectively.

2. Obtain executive commitment:

• To secure the necessary support and resources from top management, the benefits and importance of the ISMS must be presented clearly. Executive commitment is essential to the system's continued success.

3. Assess the risks:

• Before applying controls, a comprehensive risk assessment must be carried out to identify the threats and vulnerabilities that could affect information assets. This assessment determines which controls are appropriate to apply within the ISMS.

4. Define objectives and controls:

• Setting security objectives focuses the effort and ensures resources are directed effectively. The controls, selected on the basis of the risk assessment, are applied to treat the identified risks.
5. Documentation:

• Documenting policies, procedures and processes is essential for clear understanding and consistent application of the ISMS requirements.

Example of launching an ISMS:

An IT company decides to implement an ISMS to better protect its own data and its customers' data. It starts by forming a project team with representatives from every key department. The team establishes the organization's legal and business context and defines the ISMS scope to cover every process that handles sensitive information. A risk assessment is then carried out and suitable controls are put in place to treat the identified risks.
Following a systematic approach to launching an ISMS gives the organization effective control over information security and strengthens the trust of partners and customers.

Context of the organization in ISO 27001:

Definition:
The context of the organization comprises the conditions in which it operates, including internal factors such as organizational culture, objectives and capabilities, and external factors such as the legal, technological and market environment.

Key steps in establishing the organization's context:

• Analyse internal factors:
These include the organizational structure, culture, processes and resources.
Assess the strategic objectives and how information security can support achieving them.
• Analyse external factors:
Identify the applicable laws and regulations that affect the system.
Consider the available technology, the economic conditions, and the security threats in the industry.
• Identify interested parties:
Identify who has a stake in information security, including customers, suppliers, partners and regulators.
Understand the needs and expectations of these parties and how the organization can address them through the ISMS.
• Assess risks and opportunities:
Identify the risks and opportunities that can affect the effectiveness and success of the ISMS.
Develop strategies to address these risks and to exploit the opportunities to improve information security.
Example of applying the organization's context:
An IT company wants to update its ISMS. The lead implementers must carry out a thorough assessment of recent changes in data-protection legislation, such as the EU General Data Protection Regulation (GDPR), and their effect on business operations. Policies must also be updated to reflect these changes and to maintain continued compliance with international standards.

The organization's context is a foundational component of the ISMS: it provides the basis for planning, implementing and monitoring information security management effectively. Understanding the context allows the ISMS to be tailored to the organization's particular needs and challenges, which strengthens the system's effectiveness and its ability to protect critical assets.

Clauses 4 to 10

Clause 4: Context of the organization

4.1 Understanding the organization and its context:

• Objective: determine the external and internal issues that can affect the organization's objectives and its planning for the information security management system.
• Details: the organization must assess both internal conditions, such as organizational culture, capabilities and internal requirements, and external conditions, such as the legal, economic, social and technological environment.
• Example: an IT company may take new data-protection regulations such as GDPR into account when determining its context.

4.2 Understanding the needs and expectations of interested parties:

• Objective: identify the interested parties and their requirements relevant to information security.
• Details: the interested parties, such as customers, suppliers, partners and regulatory authorities, must be identified, and their expectations and legal and business requirements understood.
• Example: identifying the data-security requirements that customers impose in service contracts.

4.3 Determining the scope of the information security management system:

• Objective: determine the boundaries and applicability of the ISMS.
• Details: the organization must draw clear boundaries for the ISMS by defining what is included in and what is excluded from the system.
• Example: deciding that the ISMS will cover all data and technology systems within the company, including its international branches.

4.4 Information security management system:

• Objective: establish, implement, operate, monitor, review, maintain and continually improve the information security management system.
• Details: the organization must document the system and review it periodically to ensure it remains effective and efficient.
• Example: creating policies and procedures for managing access to data, and training employees on these policies regularly.

These steps require the ISO 27001 lead implementer to pay close attention to, and deeply understand, every aspect of the organization so that the resulting ISMS is effective, comprehensive, and meets all regulatory and business requirements.
Clause 5: Leadership

5.1 Leadership and commitment from top management:

• Commitment: top management must demonstrate leadership and commitment to establishing and improving the information security management system. For example, the CEO can attend and take part in information security meetings to show support.
• Setting objectives and direction: top management must ensure that the information security objectives are aligned with the company's strategic objectives. For example, if one of the company's objectives is to expand the geographic reach of its services, the information security objectives should reflect that by strengthening the security measures around cross-border data transfers.
• Responsibilities and authority (clause 5.3): clear roles and responsibilities for managing security must be assigned. For example, appointing a Chief Information Security Officer (CISO) who carries overall responsibility for overseeing the ISMS.

5.2 Policy:

• Providing a policy: an information security policy must be developed that reflects the organization's commitment to information security and sets out the requirements and the framework for achieving it. For example, the policy may contain criteria for classifying data and protection requirements for each data category.
• Communication: the information security policy must be available to and understood by all interested parties inside and outside the organization. For example, the policy can be distributed to all employees by e-mail and included in periodic training.

Clause 5 reflects the importance of the role top management plays in directing and supporting information security efforts, underlining that information security is a management responsibility before it is a technical one.

Clause 6: Planning

6.1 Actions to address risks and opportunities

• 6.1.1 General
Objective: determine the risks and opportunities the ISMS must address, and the requirements for protecting the information concerned.
Example: a technology company defines its risk requirements based on the importance of its customer data and on the legal compliance obligations for protecting that data.

• 6.1.2 Information security risk assessment

Objective: assess risks to identify the sources of risk and their potential impact on assets.
Example: a hospital assesses risk by identifying its most sensitive data, such as medical records, and analysing how that data could be harmed by cyberattacks or human error.

• 6.1.3 Information security risk treatment

Objective: apply appropriate measures to treat the identified risks, based on the risk assessment.
Example: a software development company decides to apply strong encryption to protect data at rest and in transit, and to train employees on handling information securely, as part of its risk treatment measures to reduce the risk of data loss or leakage.

6.2 Information security objectives and planning to achieve them

• Defining security objectives: clear, measurable information security objectives must be set that reflect the organization's priorities and requirements.
• Planning to achieve the objectives: the organization must develop detailed plans for how the security objectives will be achieved, including the resources needed and who is responsible.
• Example: a hospital sets a security objective of protecting patient data from unauthorized access. Achieving this objective is planned through strict access control policies and training employees on security best practices.

Summary
Clause 6 of ISO 27001 emphasizes careful, systematic planning for information security management through effective risk assessment and treatment. Through this process, organizations can identify sensitive assets and potential threats and apply appropriate measures to ensure adequate protection and business continuity.

Clause 7: Support

7.1 Resources
• Objective: provide the resources needed to establish, implement, maintain and continually improve the information security management system.
• Example: a company allocates a dedicated information security budget covering the purchase of security software, hiring information security specialists, and periodic employee training.

7.2 Competence
• Objective: ensure that everyone whose work affects the ISMS has the required competence.
• Example: assessing employees' skills and their need for information security training, and providing training courses to raise their competence in line with the security requirements.

7.3 Awareness

• Objective: ensure that all employees are aware of the organization's information security policy and of how it affects their roles and responsibilities.
• Example: running internal awareness campaigns and workshops to familiarize employees with the information security policies and procedures and with the importance of protecting data.

7.4 Communication
• Objective: ensure effective communication about information security matters inside and outside the organization, in an appropriate manner.
• Example: using newsletters, e-mail and periodic meetings to update employees and interested parties on new developments in information security.

7.5 Documented information
• Objective: manage documented information in a way that ensures it is accessible, accurate and preserved.
• Example: creating, maintaining and regularly reviewing the ISMS documents to keep them up to date and aligned with the requirements of ISO 27001.

7.5.1 General
• Objective: ensure that documented information is managed in a way that supports the operation of the ISMS.
• Example: a software development company uses an electronic document management system to hold all information security documents, such as policies, procedures and risk assessment results.

7.5.2 Creating and updating
• Objective: define suitable processes for creating and updating documents so that they are correct and fit for purpose.
• Example: before any new document is issued, it must go through a review that checks the information is correct and consistent with higher-level policies. For instance, the security manager reviews the security policy documents to confirm they contain all the essential elements and have been updated to the latest security requirements.

7.5.3 Control of documented information

• Objective: define suitable measures for controlling documented information so that it is available where needed and protected from loss, destruction, and unauthorized use or disclosure.
• Example: restricting access to sensitive security documents to authorized employees only and using encryption to protect electronically stored documents, together with rigorous backup procedures so that documents can be recovered if data is lost.

Summary
Clause 7 of ISO 27001 focuses on the elements needed to support the information security management system: the resources, competence, awareness, communication and documented information required to manage it effectively. These elements are essential to maintaining an integrated, effective information security system that meets the organization's needs and complies with international standards.

Clause 8: Operation

ISO 27001 has three subclauses here: 8.1 Operational planning and control, 8.2 Information security risk assessment and 8.3 Information security risk treatment. Operating the selected controls, and the records kept to show that this was done, fall under 8.1.

8.1 Operational planning and control

• Objective: plan, implement and control the processes needed to meet the information security requirements and to carry out the actions decided in clause 6, and keep documented information to have confidence that the processes were carried out as planned.
• Example: an IT company schedules regular security risk assessments and implements specific measures to reduce the impact of those risks, such as updating software and security systems and running penetration tests.
• Example (operating the protective measures): a bank operates protective measures such as firewalls, intrusion detection systems and continuous network monitoring to protect its customers' financial data.
• Example (documented information): a cloud service provider documents all its security operations and checks and retains access and audit logs, which makes security reviews and verification of compliance with the standards easier.

8.2 Information security risk assessment
• Objective: perform information security risk assessments at planned intervals, and when significant changes occur, as part of the day-to-day operation of the ISMS.
• Example: a hospital assesses the risks associated with patient data.

8.3 Information security risk treatment
• Objective: implement the risk treatment plan and the controls selected in it.
• Example: the same hospital implements controls such as encryption and multi-factor authentication to improve the security of patient data.

Summary
Clause 8 of ISO 27001 concerns implementing and operating the processes that ensure the information security objectives set out in the security policies and procedures are achieved. It helps organizations run the ISMS effectively and efficiently, which strengthens their defences against security threats and improves their ability to handle security incidents.

Clause 9: Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

• Objective: ensure continuous monitoring and measurement of the performance of the information security management system.
• Example: an IT company uses specialized tools to monitor network traffic and assess its security posture. The data is analysed periodically to evaluate how effective the security measures in place are and to identify any weakness.

9.2 Internal audit
• Objective: evaluate how well the ISMS conforms to the organization's own requirements and to the requirements of ISO 27001.
• Example: carrying out regular internal audits to check that the various departments comply with the security policies and that the security controls are applied correctly.

9.3 Management review
• Objective: ensure the ISMS is reviewed by top management to confirm its continuing effectiveness and suitability.
• Example: top management holds periodic meetings to review security performance reports, internal audit results and current security challenges, and to decide on improvements.

Summary
Clause 9 of ISO 27001 stresses the need for regular evaluation of the performance of the ISMS to ensure it remains effective and is updated in line with changes in the technology environment and the threat landscape. Through performance monitoring, internal audit and management review, organizations can continually improve their security and confirm that the ISMS is being applied effectively.
Clause 10: Improvement

ISO 27001:2022 has two subclauses here: 10.1 Continual improvement and 10.2 Nonconformity and corrective action (the 2013 edition numbers them the other way round).

10.1 Continual improvement

• Objective: continually improve the suitability, adequacy and effectiveness of the information security management system by identifying and acting on improvement opportunities.
• Example: a software company conducts periodic reviews to evaluate the effectiveness of its current security measures and uses key performance indicators to measure their success. Based on the results, the company updates its security protocols and trains employees on the latest security practices.
• Example: a technology company holds regular brainstorming sessions to identify improvement opportunities in its information security system, and uses the ideas gathered to set up pilot projects that test new solutions for strengthening information security.

10.2 Nonconformity and corrective action

• Objective: identify and correct any nonconformity, and take action to prevent it from recurring.
• Example: after discovering a security breach in its data storage system, the company investigates to determine the root cause of the breach. Based on the findings, it takes corrective action to fix the security weakness and amends its policies and procedures to prevent similar incidents from recurring.

Summary
Clause 10 of ISO 27001 emphasizes continual improvement of the information security management system. Through ongoing evaluation, correction of errors and implementation of improvements, organizations can keep their security systems resilient, strengthen their ability to adapt to changing threats, and maintain the effectiveness of the system.
Analysing the existing management system is a fundamental step in implementing ISO 27001, the standard for information security management systems (ISMS). The analysis helps organizations identify the gaps between their current practices and the requirements of ISO 27001, and so provides the basis for planning the improvements needed to meet the international standard. The following is a summary of how this analysis is carried out:

Steps of analysing the existing management system:

• Gather data: the analysis starts by collecting data on the current management system, including the policies, procedures and practices related to information security. This also covers reviewing the documentation, the technology systems in use, and the security controls applied.

• Identify gaps: once collected, the data is analysed to identify the gaps between the current measures and the requirements of ISO 27001. This includes assessing how complete the security policies are, how adequate the security controls are, and how effective the implemented procedures are.

• Assess risks: assessing the risks to information assets is an integral part of analysing the management system. Information assets are identified, the potential risks to each asset are evaluated, and the adequacy of the current controls in mitigating those risks is determined.

• Recommend improvements: based on the results of the analysis, recommendations are made to close the gaps and improve the management system so that it meets the requirements of ISO 27001. These may include updating policies, strengthening security controls, or implementing new protective systems.

Worked example:
A technology company analyses its existing management system to determine how well it aligns with ISO 27001. The results show that the company lacks sufficient security controls to protect its data held in the cloud. The recommendations include implementing advanced encryption and training employees in cyber security to strengthen protection.

Summary:
Analysing the existing management system is a vital step in applying ISO 27001. It enables organizations to identify the weaknesses in their systems and to draw up effective plans for strengthening information security. This approach ensures alignment with international standards and improves the organization's security performance.

The ISO 27001 standard covers several key aspects of implementing and leading an information security management system (ISMS). The following is a summary of the main parts: project leadership and approval, the ISMS scope, information security policies, the risk management process, the organizational structure for information security, and the Statement of Applicability (SoA):

1. Leadership and approval of the ISMS project:
• Leadership: top management must demonstrate commitment and support for the ISMS initiative. This includes providing the necessary resources and defining roles and responsibilities.
• Approval: top management must approve the ISMS scope and the security policies to ensure they align with the organization's strategic objectives.

2. ISMS scope:
• The ISMS scope is determined on the basis of the information assets that need protection, the regulatory requirements, and the interested parties. The scope must be clear and well defined so that the system is easy to implement and manage.

3. Information security policies:

• The policies provide the overall framework for information security in the organization and express top management's commitment. They must be comprehensive, cover all aspects of information security, and be understood by and available to all employees.

4. Risk management process:
• This covers identifying, analysing and treating the potential risks to information assets. Risk assessments must be carried out periodically to ensure that risks are treated appropriately and that the security controls are kept up to date.

5. Organizational structure for information security:

• This covers defining roles and responsibilities within the organization to ensure information security is managed effectively. Responsibilities must be clearly assigned to avoid conflicting duties and to ensure effective oversight.

6. Statement of Applicability (SoA):
• The Statement of Applicability documents the security controls selected from Annex A of ISO 27001, together with the justification for including or excluding each control. The SoA must be detailed and must reflect the controls needed to treat the risks identified in the risk assessment.
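The risk assessment and risk treatment steps (6.1.2 and 6.1.3 above) and the Statement of Applicability in item 6 form one traceability chain: every risk above the organization's acceptance threshold must be treated by at least one selected control, and every control in the SoA must either be justified by a risk or an external requirement or be explicitly excluded with a reason. The following Python script is added here as an illustration; it is not part of the original page and not the standard's own method. It runs that consistency check over a small risk register and derives the SoA entries from it. The asset, threat and control names, the 5x5 likelihood-times-impact scale, the acceptance threshold of 6 and the contractual requirement are all constructed assumptions, and the control IDs are placeholders, not Annex A identifiers.

```python
"""Risk register -> risk treatment -> Statement of Applicability consistency check.

Added example, not from the original page. All names, the 5x5 scale, the
acceptance threshold and the external requirement are constructed assumptions;
control IDs are placeholders, NOT ISO 27001 Annex A identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Risk appetite (assumed): a risk scoring at or below this value is accepted as is.
ACCEPT_AT_OR_BELOW = 6

# Constructed control catalogue standing in for the organization's control set.
CATALOGUE = {
    "CTL-CRYPTO": "Encryption of stored and transmitted data",
    "CTL-ACCESS": "Role-based access control",
    "CTL-BACKUP": "Backup and restore",
    "CTL-MFA": "Multi-factor authentication",
    "CTL-PHYSICAL": "Physical entry controls",
}

# Controls mandated regardless of risk score, e.g. by contract or law (assumed).
EXTERNAL_REQUIREMENTS = {"CTL-CRYPTO": "customer contract clause on encryption"}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list[str] = field(default_factory=list)  # IDs chosen to treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def label(self) -> str:
        return f"{self.asset} / {self.threat}"

    def needs_treatment(self) -> bool:
        return self.score > ACCEPT_AT_OR_BELOW


@dataclass
class SoaEntry:
    selected: bool
    justification: str


def validate(risks: list[Risk]) -> list[str]:
    """Findings that make the treatment plan inconsistent; an empty list means it is sound."""
    findings: list[str] = []
    for r in risks:
        for cid in r.controls:
            if cid not in CATALOGUE:
                findings.append(f"{r.label}: references unknown control {cid}")
        known = [cid for cid in r.controls if cid in CATALOGUE]
        if r.needs_treatment() and not known:
            findings.append(f"{r.label}: score {r.score} exceeds {ACCEPT_AT_OR_BELOW} "
                            "but no control treats it")
    return findings


def build_soa(risks: list[Risk]) -> dict[str, SoaEntry]:
    """One entry per catalogue control: selected with its justification, or excluded with a reason."""
    soa: dict[str, SoaEntry] = {}
    for cid in CATALOGUE:
        treats = [r.label for r in risks if cid in r.controls and r.needs_treatment()]
        accepted_only = [r.label for r in risks if cid in r.controls and not r.needs_treatment()]
        reasons = []
        if treats:
            reasons.append("treats: " + "; ".join(treats))
        if cid in EXTERNAL_REQUIREMENTS:
            reasons.append("required by " + EXTERNAL_REQUIREMENTS[cid])
        if reasons:
            soa[cid] = SoaEntry(True, ", ".join(reasons))
        elif accepted_only:
            soa[cid] = SoaEntry(False, "not applicable: referenced only by accepted risks ("
                                + "; ".join(accepted_only) + ")")
        else:
            soa[cid] = SoaEntry(False, "not applicable: no identified risk or external requirement")
    return soa


# Constructed sample register: two treated risks, one untreated, one accepted,
# and one pointing at a control that does not exist in the catalogue.
SAMPLE_RISKS = [
    Risk("customer database", "theft of backup media", 3, 5, ["CTL-CRYPTO", "CTL-BACKUP"]),
    Risk("patient portal", "credential stuffing", 4, 4, ["CTL-MFA"]),
    Risk("HR file share", "unauthorized read by staff", 3, 3, []),
    Risk("office printer", "paper jam", 2, 2, ["CTL-PHYSICAL"]),
    Risk("field laptop", "loss in transit", 2, 4, ["CTL-ENDPOINT"]),
]

if __name__ == "__main__":
    for finding in validate(SAMPLE_RISKS):
        print("FINDING:", finding)
    for cid, entry in build_soa(SAMPLE_RISKS).items():
        print(f"{cid:13} {'selected' if entry.selected else 'excluded'}  {entry.justification}")
```

Run it directly to print the findings and the SoA table. A finding means the treatment plan is inconsistent (an untreated risk above appetite, or a reference to a control that is not in the catalogue) and should block sign-off of the SoA; an excluded control still carries a written justification, which is what an auditor will ask to see.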

Summary:
A thorough understanding of these aspects helps organizations develop an effective ISMS that meets regulatory requirements and adequately protects information assets. Defining and implementing these elements correctly ensures the long-term success of the information security effort.
Designing the security controls (the policies and procedures, or P&P) is a vital part of implementing an information security management system (ISMS) in accordance with ISO 27001. This process ensures that the policies and procedures designed meet the organization's specific needs and treat its security risks effectively. The following is a summary of the process of designing security controls:

Design of security controls (P&P):

1. Identify the needs:
- Designing security controls starts with identifying the organization's specific security needs. These needs are based on the risk assessment, which identifies the threats and vulnerabilities that could affect information assets.

2. Select the controls:
- Based on the identified needs, suitable controls are selected from Annex A of ISO 27001. These controls must be sufficient to reduce the risks to an acceptable level.

3. Design the policies:

- Policies are written to set the general rules and guidelines that must be followed in the organization. They must be comprehensive, clear, and easy for all employees to understand.

4. Design the procedures:
- Procedures are the specific steps or operating instructions that spell out how the policies are applied day to day. They must be precise and specific so that the security controls are applied effectively.

5. Integrate with existing processes:

- It is important to embed the security controls in the organization's existing processes so that they are applied smoothly and effectively without disrupting ongoing operations.

6. Test and review:
- Once the policies and procedures are designed, they must be tested to confirm they are effective. Test exercises or simulations can be run to evaluate how the controls behave in realistic scenarios.

Worked example:

An IT company develops security controls to protect its data held in the cloud. The company identifies the controls needed to protect its application programming interfaces (APIs) and cloud storage, and designs policies for authentication and restricted access. It implements procedures that set out the steps for verification and security monitoring, and integrates these controls with its existing management system without affecting performance.

Summary:
Designing security controls under ISO 27001 requires a precise understanding of the organization's risks and security needs, together with the development of effective policies and procedures that protect information assets continuously and effectively.

Implementing the security controls is a vital part of applying ISO 27001 to an information security management system (ISMS). This process ensures that the planned controls are put into effect to protect information assets from threats and risks. The following is a summary of the process of implementing security controls in accordance with ISO 27001:

Implementation of security controls:

1. Identify the controls:
- Implementation starts with identifying the appropriate controls from Annex A of ISO 27001, as selected during risk analysis and assessment. These controls must match the organization's specific security needs and its legal and regulatory compliance requirements.

2. Plan the implementation:
- Planning the implementation involves determining the resources needed, the timelines, and the responsibilities. It is important that sufficient resources are allocated and that everyone involved understands their role in the implementation.

3. Apply the controls:
- Applying the controls involves making the necessary technical and administrative changes. This may require installing new security systems, updating software, amending policies, or training employees.

4. Document:
- All implemented security controls and their procedures must be documented clearly so that they can be referred to and reviewed. Documentation matters for internal and external audits and for maintaining transparency in security operations.

5. Verify and test:
- After the controls are applied, they must be verified and tested to confirm they work as planned. This can include penetration tests, security reviews and compliance assessments.

6. Review and update:
- Implementing security controls is an ongoing process. The controls must be reviewed regularly and updated as the security environment changes and in light of the verification and test results.

Worked example:

A financial company implements security controls to protect customer data. Firewalls and intrusion detection systems are installed, and the access procedures are updated to require multi-factor authentication for logging in to the systems. Employees are trained on the new security procedures, and the system is tested regularly to confirm the controls are effective.

Summary:
Implementing security controls under ISO 27001 requires careful planning, considered application and continuous evaluation. By adopting this process, organizations can strengthen their information security and maintain a high level of protection against threats and risks.

Document management is an essential part of implementing the ISO 27001 standard for an information security management system (ISMS). This process aims to ensure that all ISMS-related documents are created, reviewed, approved, updated, and maintained in an organized and systematic way. Below is a breakdown of the document management process within ISO 27001:

Document management:

1. Creating documents:
- The first step in document management is identifying the documents the system needs, based on ISO 27001 requirements and the organization's own needs. These documents must be accurate and cover all aspects of the ISMS.

2. Review and approval:
- Before documents become active, they must be reviewed and approved by the competent people within the organization. This step ensures that the documents meet the required standards and are fit for their intended purpose.

3. Distribution and implementation:
- After approval, the documents are distributed to all relevant parties within the organization. Documents must be easily accessible to the people who need them to carry out their tasks.

4. Updating and control:
- Documents need periodic monitoring and updating to ensure they continue to meet regulatory requirements and changes in the security environment. All changes must be recorded, reviewed, and approved in the same way as the original documents.

5. Retention and archiving:
- To ensure compliance with legal and regulatory requirements, organizations must retain documents for a defined period. Archiving processes must be secure to prevent loss or damage.

6. Disposal of documents:
- When documents are no longer needed, they must be disposed of securely so that sensitive information is not exposed.

Practical example:

An IT company implements an ISMS and creates a series of documents, including information security policies, incident response procedures, and risk assessment records. These documents are reviewed and approved by senior management before being distributed to employees. The documents are updated regularly based on the results of internal audits and changes in security technology.

Summary:
Document management plays a fundamental role in maintaining the effectiveness of the ISMS and ensuring the organization's compliance with ISO 27001. Through organized documentation and periodic review, organizations can maintain and control information security effectively.

The communication plan is an essential part of implementing the ISO 27001 standard for an information security management system (ISMS). This plan aims to guide internal and external communications so that the organization interacts effectively with all parties involved in implementing and maintaining the ISMS. Below is a summary of the process of developing a communication plan within ISO 27001:

Communication plan:

1. Identifying target audiences:
- Developing the communication plan begins with identifying the target audiences, including employees, senior management, customers, suppliers, and other stakeholders.

2. Defining key messages:
- The key messages to be delivered to each audience category are defined, such as the importance of information security, the organization's commitment to ISO 27001, and new updates and changes.

3. Selecting communication channels:
- Suitable communication channels are selected for each audience, such as meetings, e-mail, websites, publications, workshops, and training.

4. Setting a schedule:
- A communication schedule is established to set the timing and dates for delivering the key messages to each audience. This organizes communications and ensures messages are delivered at the right time.

5. Implementing the plan:
- After identifying the target audiences, key messages, communication channels, and schedule, the communication plan is executed and the messages are distributed according to the schedule.

6. Performance evaluation:
- The performance of the communication plan must be evaluated regularly to determine how effective the messages are and how well the target audiences respond, and to adjust the process as needed.

Practical example:

A technology company launches a project to implement an ISMS and applies a communication plan that includes periodic meetings with employees to explain the importance of information security and the organization's commitment to ISO 27001, in addition to sending e-mail updates and holding workshops to train employees.

Summary:
The communication plan plays a vital role in implementing the ISMS and ensuring effective interaction with all stakeholders. By directing the right messages to the right audience in a systematic way, organizations can ensure they achieve their information security objectives and comply with ISO 27001.

The training and awareness plan is a vital part of implementing the ISO 27001 standard for an information security management system (ISMS). This plan aims to guide training and education activities so that all employees and stakeholders have adequate understanding and awareness of information security and the requirements of the standard. Below is a summary of the process of developing a training and awareness plan within ISO 27001:

Training and awareness plan:

1. Needs analysis:
- Developing the training and awareness plan begins with analyzing the training needs of the employees and stakeholders concerned with information security, based on their roles, responsibilities, and current level of knowledge.

2. Designing the training program:
- A comprehensive training program is designed that covers all essential aspects of information security, including ISO 27001 concepts, security risks, and security procedures.

3. Delivering the program:
- The training program is delivered according to the set schedule, including live training sessions, workshops, and lectures.

4. Performance evaluation:
- After the program ends, its performance is evaluated to determine how effective it was and to identify any gaps in knowledge or understanding.

5. Ongoing awareness and education:
- The final part of the plan focuses on keeping information security awareness alive through continuous education and training activities.

6. Effectiveness evaluation:
- The training and awareness plan must be evaluated regularly to ensure that the set objectives are achieved and that the process improves over time.

Practical example:

A company launches a training program that includes periodic workshops on information security concepts and ISO 27001, in addition to intensive training sessions for new employees when they join the company.

Summary:
The training and awareness plan plays a fundamental role in strengthening employees' understanding and awareness of information security and the requirements of ISO 27001. By directing training efforts systematically and continuously, organizations can achieve their information security objectives and comply with international standards.

Operations management is an essential part of implementing the ISO 27001 standard for an information security management system (ISMS). This part focuses on implementing and maintaining the defined security policies and procedures so that the organization's information assets are protected effectively. Below is a summary of the operations management process within ISO 27001:

Operations management:

1. Implementing policies and procedures:
- This step includes applying and enforcing the approved security policies and procedures to protect information from internal and external threats.

2. Access management:
- Access to data and systems is managed strictly according to the defined access policies and procedures, to preserve confidentiality and integrity.

3. Change management:
- Change management introduces technical and administrative changes in an organized way that preserves the security and performance of the system.

4. Incident management:
- Incident response procedures are applied and enforced to deal with security breaches and threats effectively and promptly.

5. Monitoring and evaluation:
- This part includes continuously monitoring the system and evaluating its performance and effectiveness to ensure ongoing compliance with security requirements and standards.

6. Performance evaluation:
- The performance of security operations is evaluated regularly to identify strengths and weaknesses and to make the necessary improvements.

Practical example:

A technology company carries out operations management by granting defined access to the system, applying defined change procedures to maintain stability, and encouraging incident reporting to improve the response to threats.

Summary:
Operations management within ISO 27001 focuses on applying and maintaining security policies and procedures to protect information effectively. By implementing integrated processes and continuous evaluation, organizations can achieve information security and sustained compliance with security standards.

Incident management is an essential part of implementing the ISO 27001 standard for an information security management system (ISMS). Incident management aims to develop and implement effective procedures for handling security incidents and potential breaches of information security. Below is a summary of the incident management process within ISO 27001:

Incident management:

1. Identifying incidents:
- This step includes identifying and classifying potential security incidents, including security breaches, intrusions, data loss, and other technical problems.

2. Rapid response:
- The response to incidents must be rapid and effective in order to contain the damage and reduce its impact on information security and business operations.

3. Incident evaluation:
- Evaluating incidents includes analyzing their causes and impact and identifying the steps needed to handle them and to prevent their recurrence.

4. Incident documentation:
- All incidents and the related investigations must be documented accurately to provide comprehensive, auditable records.

5. Performance evaluation and improvement:
- This part includes regularly evaluating the performance of incident management and identifying opportunities for continual improvement of the response and incident-handling processes.

Practical example:

A technology company applies incident management procedures by implementing an early warning system for rapid detection of security breaches, and by executing defined response plans to handle incidents quickly and effectively.

Summary:
Incident management within ISO 27001 aims to provide an effective response to security breaches and potential information security incidents. By applying well-considered procedures and continuous evaluation, organizations can improve their ability to handle incidents effectively and prevent them in the future.

Monitoring, measurement, analysis, and evaluation are essential elements in implementing the ISO 27001 standard for an information security management system (ISMS). These elements aim to evaluate the system's performance and effectiveness, analyze the collected data to identify opportunities for improvement, and provide a comprehensive assessment of information security. Below is a summary of each of these elements within ISO 27001:

1. Monitoring:
- Monitoring consists of following and observing the performance of the system and its security processes periodically and continuously. Its aim is to verify that policies and procedures are implemented correctly and effectively.

2. Measurement:
- Measurement includes defining key performance indicators and applying them to measure the system's performance and its level of compliance with ISO 27001 requirements. These indicators may include the number of breaches, the response rate, the level of policy implementation, and others.

3. Analysis:
- Analysis aims to understand the collected data and examine it in depth to identify the root causes of problems and the opportunities for improvement. Analysis can include evaluating results and identifying trends and future challenges.

4. Evaluation:
- Evaluation provides a comprehensive assessment of the system's performance and effectiveness based on the collected and analyzed data. Its aim is to provide recommendations for improvement and to identify opportunities to develop the system and strengthen information security.
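The measurement and evaluation steps above name three indicators (number of incidents, response rate, level of policy implementation) without showing how they are computed. The following is an added example, not part of the source document: it computes those indicators from a small constructed incident register and control-status list, then performs the evaluation step by comparing them with targets. The SLA hours, the targets, and the control identifiers' statuses are invented for illustration.

```python
"""Measurement and evaluation of ISMS indicators over a constructed
incident register and control-status list. Added example, not part of
the source document; all records and targets are invented for illustration."""
from datetime import datetime, timedelta

# Constructed incident register (hypothetical). "responded" is the time of
# the first response, or None when nobody has responded yet.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "detected": "2024-03-01T08:00", "responded": "2024-03-01T08:40"},
    {"id": "INC-2", "severity": "medium", "detected": "2024-03-03T14:10", "responded": "2024-03-03T17:30"},
    {"id": "INC-3", "severity": "low",    "detected": "2024-03-10T02:00", "responded": None},
    {"id": "INC-4", "severity": "high",   "detected": "2024-03-15T09:30", "responded": "2024-03-15T09:45"},
    {"id": "INC-5", "severity": "medium", "detected": "2024-03-28T11:00", "responded": "2024-03-29T12:07"},
]

# Constructed implementation status of the controls selected in the risk treatment plan.
CONTROLS = {"A.9.2.2": "implemented", "A.9.2.4": "implemented",
            "A.10.1.2": "planned", "A.12.1.3": "partial"}

# Hypothetical response-time target per severity, in hours.
SLA_HOURS = {"high": 1, "medium": 4, "low": 24}

# Hypothetical targets used in the evaluation step.
TARGETS = {"response_rate": 0.9, "implementation_level": 0.8}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def _response_delay(incident):
    """Detection-to-first-response delay, or None if unanswered."""
    if incident["responded"] is None:
        return None
    return _parse(incident["responded"]) - _parse(incident["detected"])


def response_rate(incidents):
    """Share of all incidents answered within the SLA for their severity.
    Unanswered incidents count against the rate, not as missing data."""
    within_sla = 0
    for inc in incidents:
        delay = _response_delay(inc)
        if delay is not None and delay <= timedelta(hours=SLA_HOURS[inc["severity"]]):
            within_sla += 1
    return within_sla / len(incidents)


def mean_time_to_respond_minutes(incidents):
    """Average response delay over the incidents that received a response."""
    delays = [d for d in (_response_delay(inc) for inc in incidents) if d is not None]
    return sum(d.total_seconds() for d in delays) / len(delays) / 60


def implementation_level(controls):
    """Fraction of selected controls in place; a partial control counts as half."""
    weight = {"implemented": 1.0, "partial": 0.5, "planned": 0.0}
    return sum(weight[state] for state in controls.values()) / len(controls)


def isms_kpis(incidents=INCIDENTS, controls=CONTROLS):
    """Measurement step: the indicators named in the text as one record."""
    return {
        "incidents": len(incidents),
        "response_rate": response_rate(incidents),
        "mttr_minutes": mean_time_to_respond_minutes(incidents),
        "implementation_level": implementation_level(controls),
    }


def evaluate(kpis, targets=TARGETS):
    """Evaluation step: indicators below target, as (name, actual, target)."""
    return [(name, kpis[name], target)
            for name, target in targets.items() if kpis[name] < target]


if __name__ == "__main__":
    kpis = isms_kpis()
    print(kpis)
    for name, actual, target in evaluate(kpis):
        print(f"{name}: {actual:.2f} is below the target of {target:.2f}")
```

Counting an unanswered incident as a missed SLA (rather than excluding it) is deliberate: an indicator that silently drops the worst cases would make the evaluation step look better than the system actually performs.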

Practical example:

A technology company uses automated monitoring tools to continuously observe the performance of its security systems, and analyzes security log data to identify weak points and provide recommendations for improvement.

Summary:
Monitoring, measurement, analysis, and evaluation are vital processes in implementing the ISO 27001 standard for information security management. By using these processes in an integrated and continuous way, organizations can improve their information security performance and ensure ongoing compliance with standards and requirements.

Internal audit is an essential part of implementing the ISO 27001 standard for an information security management system (ISMS). The internal audit aims to evaluate the effectiveness of the ISMS and its conformity with the requirements of the standard and the organization's policies. Below is a summary of the internal audit process within ISO 27001:

Internal audit:

1. Audit planning:
- The internal audit begins with defining the scope and objectives of the audit and identifying the resources needed to carry it out effectively.

2. Conducting the audit:
- The audit is carried out by reviewing and evaluating the ISMS processes and providing recommendations to improve performance.

3. Documenting the findings:
- The audit findings are documented accurately, including the exceptions and non-conformities found and the recommendations for improvement.

4. Following up improvements:
- The implementation of the proposed improvements and recommendations is followed up to ensure continual improvement of information security.

5. Performance evaluation:
- The performance of the internal audit process is evaluated regularly to ensure the effectiveness of the system and compliance with ISO 27001 requirements.

Practical example:

A technology company conducts an annual internal audit of its ISMS to verify how effectively its security policies and procedures are being implemented.

Summary:
Internal audit is an important process within ISO 27001 for evaluating and improving the performance of the ISMS. By conducting audits regularly and following up the implementation of improvements, organizations can strengthen information security and ensure ongoing compliance with standards and requirements.
‫‪By Mohammed AlSubayt‬‬
Management review is an essential process in implementing the ISO 27001 standard for an information security management system (ISMS). The management review aims to evaluate the performance and effectiveness of the ISMS and its alignment with the organization's objectives and strategic direction. Below is a summary of the management review process within ISO 27001:

Management review:

1. Planning the review:
- The management review begins with setting an agenda that defines the topics to be reviewed and the objectives expected from the review.

2. Conducting the review:
- The performance of the ISMS is reviewed by the organization's senior management by evaluating the available data and reports on the system's performance.

3. Identifying corrective actions:
- Based on the results of the review, the corrective actions required to improve the performance of the ISMS are identified.

4. Following up improvements:
- The implementation of the corrective actions is followed up, and their effectiveness and the extent to which the expected objectives were achieved are evaluated.

5. Documenting the results:
- The results of the management review, the corrective actions taken, and the improvements applied are documented.

Practical example:

- A technology company holds a management review annually, in which managers review the performance of the ISMS and take appropriate decisions based on the results.

Summary:
- Management review is an important process for evaluating and improving the performance of the ISMS and ensuring its conformity with the requirements of the standard and the organization's objectives. By conducting management reviews regularly and taking the necessary corrective actions, organizations can strengthen information security and achieve ongoing compliance.

Treatment of problems and non-conformities is a vital process in implementing the ISO 27001 standard for an information security management system (ISMS). This process aims to deal with the problems and non-conformities discovered during internal or external audits, and to ensure they are corrected and prevented from recurring in the future. Below is a summary of the process for treating problems and non-conformities within ISO 27001:

Treatment of problems and non-conformities:

1. Identifying problems and non-conformities:
- Problems and non-conformities are identified through internal or external audit processes; this also includes reports from employees or customers.

2. Assessing the root causes:
- The problems and non-conformities are analyzed to determine the root causes that led to them, whether technical, administrative, or procedural.

3. Applying immediate corrections:
- The necessary corrections are implemented immediately to resolve the problems and non-conformities and to prevent negative effects on information security.

4. Identifying preventive actions:
- After the problems have been corrected, preventive actions are identified to prevent their recurrence in the future and to strengthen information security.

5. Follow-up and performance evaluation:
- The implementation of the corrections and preventive actions is followed up, and their effectiveness and the extent to which they achieve the defined objectives are evaluated.

Practical example:

- A technology company identifies a problem in its ISMS during an internal audit, implements immediate corrections, and defines preventive actions to stop it recurring.

Summary:
- Treatment of problems and non-conformities is an important process for improving and ensuring the effectiveness of the ISMS. By identifying root causes, implementing immediate corrections, and defining preventive actions, organizations can strengthen information security and ensure ongoing compliance.

Continual improvement is a fundamental concept in implementing the ISO 27001 standard for an information security management system (ISMS). This concept reflects the organization's commitment to continuously improving the performance of the ISMS through performance evaluation and the application of ongoing improvements. Below is a summary of the concept of continual improvement within ISO 27001:

Continual improvement:

1. Performance evaluation:
- This step includes evaluating the performance of the ISMS periodically and regularly to identify strengths, weaknesses, and opportunities for improvement.

2. Data analysis:
- The data collected from the evaluation processes is analyzed to understand trends and identify the areas that need improvement.

3. Applying improvements:
- Based on the data analysis, ongoing improvements are applied to enhance the performance of the ISMS.

4. Monitoring the impact:
- The impact and effectiveness of the applied improvements are monitored to ensure the desired results are achieved and information security is improved.

5. Performance follow-up:
- Performance is followed up regularly to ensure that continual improvement keeps being achieved and that compliance with ISO 27001 requirements is maintained.

Practical example:

- A technology company continuously improves its ISMS processes by analyzing data and applying the necessary improvements.

Summary:
- Continual improvement is an essential part of implementing ISO 27001, as it allows information security to be strengthened and the performance of the ISMS to be improved on a permanent basis. Through cycles of evaluation and improvement, organizations can maintain their excellence, their ongoing compliance with the requirements of the standard, and the continuous improvement of their performance.

Preparing for the certification audit is a decisive step in implementing the ISO 27001 standard for an information security management system (ISMS). This preparation requires confirming that the organization is ready to receive the external audit and ensuring compliance with the requirements of the standard. Below is a summary of the process of preparing for the certification audit within ISO 27001:

Preparing for the certification audit:

1. Requirements analysis:
- The organization must understand the requirements of ISO 27001 and confirm that all necessary documents and records are available.

2. Compliance assessment:
- Compliance with ISO 27001 requirements is assessed by conducting an internal assessment to verify that all required points are met.

3. Preparing documents:
- The supporting documents and records needed to demonstrate the organization's compliance with the requirements of the standard are prepared.

4. Training and awareness:
- The organization's working teams are briefed and given the necessary training on the requirements of the standard and the audit procedures.

5. Final review:
- A final review of all documents and procedures is carried out to ensure the organization is ready for the external audit.

6. Implementing corrective actions:
- Any necessary corrections are implemented based on the results of the final review to ensure continued compliance.

Practical example:

- A technology company analyzed the requirements of ISO 27001, prepared all the necessary documents, and trained its teams in preparation for the external audit.

Summary:
- Preparing for the certification audit is an essential step in ensuring the organization's compliance with ISO 27001 and obtaining the certificate. By analyzing the requirements, assessing compliance, preparing documents, training, and the final review, organizations can ensure they are ready to receive the external audit and achieve ongoing compliance.

Competence and evaluation of implementers is an essential part of implementing the ISO 27001 standard for an information security management system (ISMS). This part aims to ensure that the implementers responsible for putting security systems in place have the knowledge and skills needed for security standards and policies to be implemented effectively and efficiently. Below is a summary of this part within ISO 27001:

Competence and evaluation of implementers:

1. Defining the required competencies:
- The skills, knowledge, and experience required of the implementers responsible for putting security systems in place are defined.

2. Providing training and education:
- The organization must provide the necessary training and learning opportunities for implementers to develop their skills and knowledge in the field of information security.

3. Evaluation and accreditation:
- The competence of implementers is evaluated regularly according to the defined criteria, and accreditation is granted to those who demonstrate high competence in information security.

4. Performance follow-up:
- The performance of implementers is followed up, their response to information security requirements is evaluated, and the necessary feedback is provided to improve performance.

Practical example:

- A technology company provides ongoing training programs for its employees to ensure that their skills and knowledge in information security keep developing.

Summary:
- Evaluating the competence of implementers and providing appropriate training and education contribute to ensuring the effective implementation of ISO 27001 for an ISMS. By defining the requirements, providing the necessary support, and following up performance, organizations can strengthen the competence of their teams and ensure ongoing compliance.

Annex A: controls A.5 – A.18

There are 114 controls in Annex A of ISO/IEC 27001:2013, which is considered a comprehensive framework for managing information security in organizations. Below is a list of all the controls with examples and details about each one:

List of all controls from A.5 to A.18 with details and some examples:

A.5 - Security policies
1. A.5.1.1 - Security policy: A document that defines the overall objective of information security in the organization and the commitment to it.
- Example: Stating the commitment to protect personal data and not to share it with third parties without consent.

2. A.5.1.2 - Review of the security policy: The security policy must be reviewed and updated periodically to ensure it remains effective and suited to the changing environment.
- Example: Reviewing the security policy every year to update and revise it so that it meets new requirements.

3. A.5.1.3 - Assigning information security responsibilities: Defining information security responsibilities and distributing them among the employees concerned.
- Example: Appointing an information security officer to manage and implement security policies and report any security risks.

A.6 - Organization of information security

4. A.6.1.1 - Information security roles and responsibilities: Assigning clear roles and responsibilities to the employees concerned with information security.
- Example: Appointing a person responsible for applying and monitoring security policies effectively.

5. A.6.1.2 - Segregation of duties: Separating duties to reduce the risk of fraud and to provide checks and balances.
- Example: Splitting development and testing tasks between different people to ensure independent verification.

6. A.6.1.3 - Contact with authorities: Establishing mechanisms for dealing with local or legal authorities on matters of information security.
- Example: Designating a person responsible for communicating with regulatory bodies to exchange security information.

A.7 - Human resource security

7. A.7.1.1 - Prior to employment: Defining and applying procedures for background screening of job applicants before they are hired.
- Example: Conducting a background check on applicants to confirm they have no criminal record.

8. A.7.1.2 - During employment: Defining and applying procedures for monitoring and controlling employees' access to sensitive information during their employment.
- Example: Giving new employees limited access to sensitive data until they have been fully trained.

9. A.7.1.3 - Termination and change of employment: Applying procedures to ensure that the access of departing employees to systems and information is removed.
- Example: Cancelling the accounts of dismissed employees immediately after their dismissal is announced.

10. A.7.2.1 - Management responsibilities: Defining management's responsibilities for information security and providing the necessary support.
- Example: Appointing an information security manager to implement security strategies and coordinate the various efforts.

11. A.7.2.2 - Information security awareness and education: Providing information security training and awareness to employees to raise their awareness and knowledge.
- Example: Running periodic training courses on the risks of phishing e-mail and how to handle it.

12. A.7.2.3 - Disciplinary process: Establishing and applying disciplinary procedures to address violations of information security policies.
- Example: Imposing penalties on employees who violate the policies on access to sensitive data.

A.8 - Asset management
13. A.8.1.1 - Responsibility for assets: Defining responsibility for information assets and providing the necessary care for them.
- Example: Appointing an employee responsible for tracking physical and information assets and keeping their records up to date.

14. A.8.1.2 - Inventory of assets: Conducting a periodic inventory of all the physical and information assets owned by the organization.
- Example: Creating a database to collect information about physical assets such as devices and equipment.

15. A.8.1.3 - Acceptable use of assets: Establishing policies and procedures to ensure that assets are used appropriately, according to the defined criteria.
- Example: Defining the permitted uses of assets such as computers and other devices.

16. A.8.1.4 - Return of assets: Defining procedures for returning information assets when their use ends.
- Example: Organizing the removal of sensitive data from devices before they are reused or resold.

17. A.8.2.1 - Classification of information: Classifying information according to its level of sensitivity and importance in order to protect it.
- Example: Classifying data into levels such as public, confidential, and highly confidential.

18. A.8.2.2 - Labelling of information: Labelling information according to its classification level so that it can be identified and managed easily.
- Example: Establishing a system for labelling documents with their classification, such as "Confidential" or "Public".

19. A.8.2.3 - Handling of assets: Establishing procedures for handling physical and information assets securely.
- Example: Storing sensitive information in a secure place such as a dedicated safe or an encrypted server.

A.9 - Access control
23. A.9.1.1 - Access policies and procedures: Establishing policies and procedures for managing access to information.
- Example: Defining the permissions required for each user based on their job function.

24. A.9.2.1 - Users and their processes: Providing and managing access for users and their processes.
- Example: Assigning an employee specific permissions to access sensitive data only within the scope of their work.

25. A.9.2.2 - Logging and monitoring access: Logging and monitoring all access to sensitive information.
- Example: Logging all access to the database and documenting the details of each operation.

26. A.9.2.3 - Management of user services: Managing access services and providing them to users.
- Example: Providing a user interface through which employees can change their passwords.

27. A.9.2.4 - Disconnecting or disabling access: Procedures for disconnecting or disabling access to information when needed.
- Example: Disabling a user account immediately after the end of the user's service is announced.
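Controls A.7.1.3 and A.9.2.4 above both require that access be removed when someone leaves. The check that tells an auditor whether that is actually happening is a reconciliation between the HR roster and the account directory. The following is an added example, not part of the source document: it compares a constructed roster with a constructed account export and reports enabled accounts whose owner has been terminated, logins after the termination date, and accounts with no accountable owner. All identifiers, dates, and field names are invented for illustration.

```python
"""Leaver reconciliation: compare the HR roster with the account directory
and flag accounts that should have been disabled (A.7.1.3, A.9.2.4 in the
list above). Added example, not from the source document; the roster,
accounts, and dates are constructed for illustration."""
from datetime import date

# Constructed HR roster: employee id -> (status, termination date or None).
HR_ROSTER = {
    "E001": ("active", None),
    "E002": ("terminated", date(2024, 5, 31)),
    "E003": ("terminated", date(2024, 6, 14)),
    "E004": ("active", None),
}

# Constructed account directory export. "owner" links the account to the
# roster; accounts without an owner are flagged because nobody is accountable
# for them (see A.8.1.1 above).
ACCOUNTS = [
    {"username": "alice",      "owner": "E001", "enabled": True,  "last_login": date(2024, 6, 20)},
    {"username": "bob",        "owner": "E002", "enabled": True,  "last_login": date(2024, 6, 18)},
    {"username": "carol",      "owner": "E003", "enabled": False, "last_login": date(2024, 6, 10)},
    {"username": "svc-backup", "owner": None,   "enabled": True,  "last_login": date(2024, 6, 21)},
    {"username": "dave",       "owner": "E004", "enabled": True,  "last_login": date(2024, 6, 21)},
]

TODAY = date(2024, 6, 21)  # constructed reference date for the check


def reconcile(roster, accounts, today):
    """Return findings as (username, issue, detail) tuples."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            findings.append((acct["username"], "no_owner", None))
            continue
        if owner not in roster:
            findings.append((acct["username"], "owner_not_in_hr", owner))
            continue
        status, term_date = roster[owner]
        if status == "terminated" and acct["enabled"]:
            # Access should have been removed on termination; report how long
            # the account has stayed open so the finding can be prioritized.
            findings.append((acct["username"], "enabled_after_termination",
                             (today - term_date).days))
            if acct["last_login"] > term_date:
                # Use after leaving is an incident, not just a hygiene gap.
                findings.append((acct["username"], "login_after_termination",
                                 acct["last_login"].isoformat()))
    return findings


def accounts_to_disable(roster=HR_ROSTER, accounts=ACCOUNTS, today=TODAY):
    """Usernames that are still enabled although their owner has left."""
    return sorted({name for name, issue, _ in reconcile(roster, accounts, today)
                   if issue == "enabled_after_termination"})


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, ACCOUNTS, TODAY):
        print(finding)
    print("disable now:", accounts_to_disable())
```

Run against a real export, the "login_after_termination" finding is the one to route into the incident process described earlier; the other two are hygiene findings for the access-management owner. The reconciliation is only as good as the owner attribute on each account, which is why an account with no owner is reported rather than skipped.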

A.10 - Cryptography
28. A.10.1.1 - Policies and procedures for encryption: Developing policies and procedures for the use of encryption.
- Example: Specifying the algorithms to be used and the methods for exchanging keys.

29. A.10.1.2 - Key control: Organizing key management and defining the related policies and procedures.
- Example: Defining the validity period of keys and changing them regularly.

30. A.10.1.3 - Use of encryption: Ensuring that encryption is used in systems and for sensitive data.
- Example: Encrypting customers' financial data while it is in transit over the Internet.

31. A.10.1.4 - Encryption services: Providing encryption services for sensitive information.
- Example: Using an encryption service to protect sensitive data stored in the cloud.
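The examples for A.10.1.1 and A.10.1.2 above (an approved-algorithm list, a key validity period, and regular rotation) are policy statements; what makes them a control is a check that is run against the key inventory. The following is an added example, not part of the source document: it audits a constructed key inventory against a constructed policy, reports unapproved algorithms, expired keys, and keys due for rotation, and shows how an application would select the key it may use for new encryption. The algorithm names, validity periods, and key identifiers are invented for illustration, and no key material appears anywhere.

```python
"""Key-management policy check for the controls listed above (A.10.1.1
approved algorithms, A.10.1.2 key validity and rotation). Added example,
not from the source document; the policy values and key inventory are
constructed, and no key material is included."""
from datetime import date, timedelta

# Constructed cryptographic policy (A.10.1.1): which algorithms may be used and
# how long a key of each purpose may stay in service.
POLICY = {
    "approved_algorithms": {"AES-256-GCM", "RSA-3072", "ECDSA-P256"},
    "max_validity_days": {"data-encryption": 365, "signing": 730},
    "rotation_warning_days": 30,  # flag keys this close to expiry so rotation is scheduled
}

# Constructed key inventory (A.10.1.2). Only metadata is tracked here; the
# key material itself lives in the key store, never in the inventory.
KEY_INVENTORY = [
    {"id": "k-2023-01", "purpose": "data-encryption", "algorithm": "AES-256-GCM", "created": date(2023, 3, 1)},
    {"id": "k-2024-01", "purpose": "data-encryption", "algorithm": "AES-256-GCM", "created": date(2024, 4, 15)},
    {"id": "k-legacy",  "purpose": "data-encryption", "algorithm": "3DES",        "created": date(2021, 1, 1)},
    {"id": "s-2022-01", "purpose": "signing",         "algorithm": "ECDSA-P256",  "created": date(2022, 7, 15)},
]

TODAY = date(2024, 6, 21)  # constructed reference date for the checks


def expiry_date(key, policy):
    """Last day the key may be used, derived from the policy for its purpose."""
    return key["created"] + timedelta(days=policy["max_validity_days"][key["purpose"]])


def check_key(key, policy=POLICY, today=TODAY):
    """Policy issues for one key, in a fixed order; an empty list means compliant."""
    issues = []
    if key["algorithm"] not in policy["approved_algorithms"]:
        issues.append("unapproved_algorithm")
    expires = expiry_date(key, policy)
    if today >= expires:
        issues.append("expired")
    elif (expires - today).days <= policy["rotation_warning_days"]:
        issues.append("rotation_due")
    return issues


def audit_inventory(inventory=KEY_INVENTORY, policy=POLICY, today=TODAY):
    """Audit view: key id -> list of policy issues."""
    return {key["id"]: check_key(key, policy, today) for key in inventory}


def select_encryption_key(inventory=KEY_INVENTORY, policy=POLICY, today=TODAY,
                          purpose="data-encryption"):
    """Newest key that may be used for new encryption: approved algorithm and
    not expired. A key that is merely due for rotation is still usable, so
    rotation can happen before expiry rather than after it."""
    blocking = {"unapproved_algorithm", "expired"}
    usable = [k for k in inventory
              if k["purpose"] == purpose and not blocking & set(check_key(k, policy, today))]
    if not usable:
        return None
    return max(usable, key=lambda k: k["created"])


if __name__ == "__main__":
    for key_id, issues in audit_inventory().items():
        print(key_id, issues or "ok")
    chosen = select_encryption_key()
    print("encrypt with:", chosen["id"] if chosen else "no compliant key, stop")
```

Two design points matter for the control: the rotation warning fires while the old key is still valid, so a new key can be introduced and data re-keyed without an outage, and an expired key blocks new encryption but is not deleted from the inventory, because data encrypted under it still has to be decryptable until it has been re-keyed.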

A.11 - Physical and environmental security

32. A.11.1.1 - Site security: Applying procedures to protect the organization's physical sites.
- Example: Installing alarm systems and fingerprint locks for access to data facilities.

33. A.11.1.2 - Equipment protection: Securing sensitive equipment and devices against damage or theft.
- Example: Fitting locks on computing equipment to prevent unauthorized access.

34. A.11.1.3 - Security in data centres and secure areas: Properly securing data centres and secure areas.
- Example: Using alarm and monitoring systems for early detection of any intrusion.

35. A.11.1.4 - Protection of mobile devices: Providing protection for mobile devices that contain sensitive information.
- Example: Encrypting laptops to protect the data on them in case of loss or theft.

A.12 - Operations security
36. A.12.1.1 - Security-compliant operating procedures: Ensuring that operational processes are carried out according to security requirements.
- Example: Documenting standard operating procedures for the system with an emphasis on security.

37. A.12.1.2 - Secure information system: Providing a secure system for all operational processes.
- Example: Installing anti-virus software and updating it regularly to protect systems from cyber attacks.

38. A.12.1.3 - Security risk assessment: Assessing security risks and determining the appropriate preventive actions.
- Example: Conducting periodic vulnerability assessments and applying the necessary updates to close the vulnerabilities.

A.13 - Verification, testing and audit

39. A.13.1.1 - Verification of operation and regularity: Ensuring that security processes are in place and operating regularly.
- Example: Checking logs to confirm that policies and procedures are applied regularly.

40. A.13.1.2 - Protection from external threats: Verifying the effectiveness of security procedures in protecting the organization from external threats.
- Example: Conducting periodic penetration tests to assess the strength of the organization's security defences.

41. A.13.2.1 - Security vulnerabilities and improvements: Handling security vulnerabilities and applying the necessary improvements.
- Example: Creating an action plan to fix the security vulnerabilities discovered during verification.

‫‪ - A.14‬اﻟﺘﺤﻘﻖ واﻻﺧﺘ‪ó‬ﺎر واﻟﺘﺪﻗﻴﻖ‬


‫‪ - A.14.1.1 .42‬اﻟﺘﺤﻘﻖ ﻣﻦ اﻟ‪ï‬ﺸﻐ‪7‬ﻞ واﻻﻧﺘﻈﺎم‪ :‬ﺗﺄ ‪7ã‬ﺪ أن ﻋﻤﻠ‪7‬ﺎت اﻷﻣﺎن ﻣﺘﻮاﺟﺪة وﺗﻌﻤﻞ ‪e‬ﺸ‪g‬ﻞ ﻣﻨﺘﻈﻢ‪.‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﻓﺤﺺ اﻷﻧﻈﻤﺔ ‪e‬ﺸ‪g‬ﻞ دوري ﻟﻠﺘﺄ ‪ã‬ﺪ ﻣﻦ أﻧﻬﺎ ﺗﻌﻤﻞ ‪e‬ﺸ‪g‬ﻞ ﺻﺤﻴﺢ‪.‬‬

‫‪c‬‬
‫‪ - A.14.1.2 .43‬ﺣﻤﺎ‪-‬ﺔ ﻣﻦ اﻟﺘﻬﺪ‪-‬ﺪات اﻟﺨﺎرﺟ‪7‬ﺔ‪ :‬ﺗﻘﻴ‪7‬ﻢ ﻓﻌﺎﻟ‪7‬ﺔ إﺟﺮاءات اﻷﻣﻦ ‪ yz‬ﺣﻤﺎ‪-‬ﺔ اﻟﻤﻨﻈﻤﺔ ﻣﻦ‬
‫اﻟﺘﻬﺪ‪-‬ﺪات اﻟﺨﺎرﺟ‪7‬ﺔ‪.‬‬
‫‪c‬‬ ‫‪j‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﺗﻨﻔ‪7‬ﺬ اﺧﺘ‪U‬ﺎرات اﻻﺧ‪i‬اق ﻟﺘﺤﺪ‪-‬ﺪ ﻧﻘﺎط اﻟﻀﻌﻒ ‪ yz‬اﻷﻧﻈﻤﺔ وﺗﻘﻴ‪7‬ﻢ اﺳﺘﺠﺎﺑﺘﻬﺎ‪.‬‬

‫‪ - A.14.2.1 .44‬اﻟﺜﻐﺮات اﻷﻣﻨ‪7‬ﺔ واﻟﺘﺤﺴ‪û‬ﻨﺎت‪ :‬اﻟﺘﻌﺎﻣﻞ ﻣﻊ اﻟﺜﻐﺮات اﻷﻣﻨ‪7‬ﺔ وﺗﻄﺒﻴﻖ اﻟﺘﺤﺴ‪û‬ﻨﺎت اﻟﻼزﻣﺔ‪.‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﺗﺤﺪ‪-‬ﺚ اﻟ‪i‬اﻣﺞ وﺗﺼﺤﻴﺢ اﻟﺜﻐﺮات اﻷﻣﻨ‪7‬ﺔ اﻟﻤﻜ‪ï‬ﺸﻔﺔ ‪ yz c‬اﻟﺘﺤﻘﻖ واﻻﺧﺘ‪U‬ﺎر‪.‬‬

‫‪ - A.15‬ﺗﻮاﺻﻞ اﻟﻤﻌﻠﻮﻣﺎت واﻟﻌﻼﻗﺎت اﻟﺨﺎرﺟ‪%‬ﺔ‬


‫‪ - A.15.1.1 .45‬ﺗﺤﺪ‪-‬ﺪ اﻻﺗﺼﺎﻻت اﻟﺪاﺧﻠ‪7‬ﺔ واﻟﺨﺎرﺟ‪7‬ﺔ‪ :‬ﺗﺤﺪ‪-‬ﺪ اﻻﺗﺼﺎﻻت اﻟﺪاﺧﻠ‪7‬ﺔ واﻟﺨﺎرﺟ‪7‬ﺔ ذات‬
‫اﻟﺼﻠﺔ ﺑﻨﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‪.‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﺗﻮﻓ‪ ib‬وﺳﺎﺋﻞ اﺗﺼﺎل داﺧﻠ‪7‬ﺔ ﻣﺜﻞ اﻟ‪[i‬ﺪ اﻹﻟ‪ijŒ‬و ‪ ±z c‬واﻻﺟﺘﻤﺎﻋﺎت ﻟﺘ‪U‬ﺎدل اﻟﻤﻌﻠﻮﻣﺎت اﻷﻣﻨ‪7‬ﺔ‪.‬‬

‫‪ - A.15.1.2 .46‬اﻻﺗﺼﺎل ﻣﻊ اﻷﻃﺮاف اﻟﺨﺎرﺟ‪7‬ﺔ‪ :‬ﺗﺤﺪ‪-‬ﺪ وﺗﻨﻔ‪7‬ﺬ اﻻﺗﺼﺎل ﻣﻊ اﻷﻃﺮاف اﻟﺨﺎرﺟ‪7‬ﺔ ذات‬
‫اﻟﺼﻠﺔ \ﺄﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‪.‬‬
‫‪j‬‬ ‫‪c‬‬ ‫‪o‬‬
‫‪* -‬ﻣﺜﺎل‪ *:‬ﺗﻮﻗﻴﻊ اﺗﻔﺎﻗ‪7‬ﺎت اﻟ}[ﺔ ﻣﻊ اﻟ}‪M‬ﺎء اﻟﺘﺠﺎر[‪ ab‬ﻟﺤﻤﺎ‪-‬ﺔ اﻟﻤﻌﻠﻮﻣﺎت اﻟﺤﺴﺎﺳﺔ اﻟﻤﺸ‪i‬ﻛﺔ‪.‬‬

‫‪ - A.15.1.3 .47‬اﻟﺤﻤﻼت اﻹﻋﻼﻣ‪7‬ﺔ واﻟﺘﻮﻋ‪7‬ﺔ‪ :‬ﺗﻨﻔ‪7‬ﺬ ﺣﻤﻼت إﻋﻼﻣ‪7‬ﺔ وﺗﻮﻋ‪7‬ﺔ داﺧﻞ اﻟﻤﻨﻈﻤﺔ ‪e‬ﺸﺄن أﻣﻦ‬
‫اﻟﻤﻌﻠﻮﻣﺎت‪.‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﺗﻘﺪ‪-‬ﻢ دورات ﺗﺪر[«‪7‬ﺔ داﺧﻠ‪7‬ﺔ ﺣﻮل أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت واﻟﺘﻬﺪ‪-‬ﺪات اﻟﺴﻴ‪i‬اﻧ‪7‬ﺔ ﻟﻠﻤﻮﻇﻔ ‪c b‬‬
‫‪.a‬‬

‫‪ - A.16‬اﻟﺘﻮﺛﻴﻖ واﻟﺴﺠﻼت‬
‫‪ - A.16.1.1 .48‬اﻟﺴ‪7‬ﺎﺳﺎت واﻹﺟﺮاءات ﻟﻠﺘﻮﺛﻴﻖ واﻟﺴﺠﻼت‪ **:‬ﺗﻄ‪[°‬ﺮ ﺳ‪7‬ﺎﺳﺎت و‪à‬ﺟﺮاءات ﻹدارة اﻟﺘﻮﺛﻴﻖ‬
‫واﻟﺴﺠﻼت‪.‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬وﺿﻊ إﺟﺮاءات ﻟﺘﻮﺛﻴﻖ اﻟﻮﺛﺎﺋﻖ اﻟﻤﻬﻤﺔ وﺗﺨ‪[s‬ﻨﻬﺎ ‪e‬ﺸ‪g‬ﻞ آﻣﻦ‪.‬‬

‫‪ - A.16.1.2 .49‬اﻟﺴﺠﻼت اﻟﺪاﺧﻠ‪7‬ﺔ واﻟﺨﺎرﺟ‪7‬ﺔ‪ :‬ﺗﺄ ‪7ã‬ﺪ أن اﻟﺴﺠﻼت اﻟﺪاﺧﻠ‪7‬ﺔ واﻟﺨﺎرﺟ‪7‬ﺔ ﺗﺤﺘﻔﻆ‬
‫\ﻤﻌﻠﻮﻣﺎت اﻷﻣﺎن ‪e‬ﺸ‪g‬ﻞ ‪M‬ﺎ ٍف‪.‬‬
‫‪j‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬إ‪ø‬ﺸﺎء ﺳﺠﻼت ﻟﻠﻮﺻﻮل إ‪ r‬اﻟﺒ‪7‬ﺎﻧﺎت اﻟﺤﺴﺎﺳﺔ و‪Ö‬ﺴﺠ‪7‬ﻞ اﻟﺘﻐﻴ‪ib‬ات اﻟ ‪ Ñz‬ﺗﻄﺮأ ﻋﻠﻴﻬﺎ‪.‬‬

‫‪ - A.16.1.3 .50‬ﺣﻤﺎ‪-‬ﺔ اﻟﺴﺠﻼت‪ :‬ﺿﻤﺎن ﺣﻤﺎ‪-‬ﺔ اﻟﺴﺠﻼت ﻣﻦ اﻟﻮﺻﻮل ﻏ‪ ib‬اﻟﻤ≈ح \ﻪ واﻟﺘﻼﻋﺐ ﺑﻬﺎ‪.‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﺗﻄﺒﻴﻖ ﺗﺪاﺑ‪ ib‬أﻣﻨ‪7‬ﺔ ﻣﺜﻞ ‪Ö‬ﺸﻔ‪ ib‬اﻟﺒ‪7‬ﺎﻧﺎت اﻟﻤﺨﺰﻧﺔ ‪ yz c‬اﻟﺴﺠﻼت اﻟﺤﺴﺎﺳﺔ‪.‬‬
‫‪By Mohammed AlSubayt‬‬

‫‪ - A.17‬اﻟﻤﺮاﻗ‪ó‬ﺔ‬
‫‪ - A.17.1.1 .51‬اﻟﻨﻈﺎم اﻟﻤﺮاﻗﺐ‪ :‬ﺗﻄ‪[°‬ﺮ ﻧﻈﺎم ﻟﻤﺮاﻗ‪U‬ﺔ اﻟﻮﺻﻮل إ‪ r‬اﻟﻤﻌﻠﻮﻣﺎت واﺳﺘﺨﺪاﻣﻬﺎ وﻣﻌﺎﻟﺠﺘﻬﺎ‪.‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﺗ'ﺒ‪7‬ﺖ أﻧﻈﻤﺔ ﻣﺮاﻗ‪U‬ﺔ اﻟﻮﺻﻮل ﻟ‪ï‬ﺴﺠ‪7‬ﻞ ﺟﻤﻴﻊ اﻷ‪ø‬ﺸﻄﺔ ذات اﻟﺼﻠﺔ \ﺄﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‪.‬‬

‫‪ - A.17.1.2 .52‬ﺗﻘﻴ‪7‬ﻢ اﻟﻨﻈﺎم اﻟﻤﺮاﻗﺐ‪ :‬ﺗﻘﻴ‪7‬ﻢ ﻓﻌﺎﻟ‪7‬ﺔ اﻟﻨﻈﺎم اﻟﻤﺮاﻗﺐ وﺗﻄ‪[°‬ﺮە ‪e‬ﺸ‪g‬ﻞ ﻣﺴﺘﻤﺮ‪.‬‬
‫ً‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﻣﺮاﺟﻌﺔ اﻟﺴﺠﻼت اﻟﻤﺤﻔﻮﻇﺔ ﻟﻀﻤﺎن أن ﺟﻤﻴﻊ اﻟﻮﺻﻮﻻت ﺗﻤﺖ وﻓﻘﺎ ﻟﻠﺴ‪7‬ﺎﺳﺎت واﻹﺟﺮاءات‪.‬‬

‫‪ - A.17.2.1 .53‬ﺣﻤﺎ‪-‬ﺔ اﻟﻤﻌﻠﻮﻣﺎت اﻟﻤﺮاﻗ‪U‬ﺔ‪ :‬ﺣﻤﺎ‪-‬ﺔ اﻟﻤﻌﻠﻮﻣﺎت اﻟﻤﺮاﻗ‪U‬ﺔ ﻣﻦ اﻟﻮﺻﻮل ﻏ‪ ib‬اﻟﻤ≈ح \ﻪ‬
‫واﻟﺘﻼﻋﺐ ﺑﻬﺎ‪.‬‬
‫‪ -‬ﻣﺜﺎل‪ :‬ﺗﻄﺒﻴﻖ إﺟﺮاءات اﻟﺤﻤﺎ‪-‬ﺔ ﻣﺜﻞ ‪Ö‬ﺸﻔ‪ ib‬اﻟﺒ‪7‬ﺎﻧﺎت اﻟﻤﺮاﻗ‪U‬ﺔ ﻟﻤﻨﻊ اﻟﻮﺻﻮل ﻏ‪ ib‬اﻟﻤ≈ح \ﻪ‪.‬‬
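Added example (not from the guide), in Python, assuming constructed users, roles, policy and log entries: records of access to sensitive data (A.16.1.2) are chained with an HMAC so that tampering with the retained log is detectable (A.16.1.3), and the log is then reviewed against a role-based access policy, as the review in A.17.1.2 describes.

```python
"""Tamper-evident access records and a policy review over them.

Added example (not from the guide): it models the records of access to
sensitive data from A.16.1.2, chains them with an HMAC so that later edits
are detectable (A.16.1.3), and reviews the retained log against a role-based
access policy (A.17.1.2). Users, roles, policy and log entries are all
constructed sample data; the key is a demo value only.
"""
import hashlib
import hmac
import json

# Constructed sample policy: (role, action, data class) triples that are allowed.
POLICY = {
    ("finance_analyst", "read", "customer_financial"),
    ("finance_analyst", "update", "customer_financial"),
    ("support_agent", "read", "customer_contact"),
    ("dba", "read", "customer_financial"),
    ("dba", "read", "customer_contact"),
}

# Constructed sample role assignments (user -> role).
ROLES = {"alice": "finance_analyst", "bob": "support_agent", "carol": "dba"}

GENESIS = "0" * 64  # prev_mac value used by the first record


def canonical(record):
    """Serialize a record deterministically so the MAC covers identical bytes
    when the record is written and when it is verified."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log, key, user, action, data_class, ts, change=None):
    """Append one access record whose MAC also covers the previous record's
    MAC; altering or removing any earlier record breaks every later MAC.
    The key must be held outside the log (for example by the log collector),
    not on the host that writes the records."""
    body = {
        "ts": ts,
        "user": user,
        "action": action,
        "data_class": data_class,
        "change": change,  # what was modified, for update records (A.16.1.2)
        "prev_mac": log[-1]["mac"] if log else GENESIS,
    }
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify_chain(log, key):
    """Return the index of the first record that fails verification, or -1
    when the whole chain is intact (A.16.1.3 check before any review)."""
    prev_mac = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev_mac") != prev_mac:
            return i  # a record was removed or reordered
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return i  # record contents were altered after writing
        prev_mac = rec["mac"]
    return -1


def review_access(log):
    """A.17.1.2 review: return the records not permitted by ROLES and POLICY.
    Unknown users and role/action/data-class combinations outside the
    policy are both reported."""
    violations = []
    for rec in log:
        role = ROLES.get(rec["user"])
        if role is None or (role, rec["action"], rec["data_class"]) not in POLICY:
            violations.append(rec)
    return violations


def build_sample_log(key):
    """Constructed sample log: two permitted accesses and three that the
    review should flag."""
    log = []
    append_record(log, key, "alice", "read", "customer_financial", "2024-01-05T09:00:00Z")
    append_record(log, key, "bob", "read", "customer_financial", "2024-01-05T09:05:00Z")
    append_record(log, key, "alice", "update", "customer_financial",
                  "2024-01-05T09:10:00Z", change="iban corrected")
    append_record(log, key, "carol", "update", "customer_financial",
                  "2024-01-05T09:20:00Z", change="balance edited")
    append_record(log, key, "dave", "read", "customer_contact", "2024-01-05T09:30:00Z")
    return log


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-reuse"
    access_log = build_sample_log(demo_key)
    print("chain intact:", verify_chain(access_log, demo_key) == -1)
    for v in review_access(access_log):
        print("violation:", v["ts"], v["user"], v["action"], v["data_class"])
    # Simulate tampering: record 1 is rewritten to hide bob's access.
    edited = [dict(r) for r in access_log]
    edited[1]["user"] = "alice"
    print("first bad record after edit:", verify_chain(edited, demo_key))
```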

A.18 - Evaluation and internal audit

54. A.18.1.1 - Security review and evaluation: review and evaluate security periodically to ensure that security measures remain effective.
- Example: organizing periodic review sessions to assess security threats and identify the improvements needed.

55. A.18.1.2 - Security self-assessment: carry out a security self-assessment to verify how far the organization complies with security requirements.
- Example: conducting an assessment of current security threats and of the organization's ability to deal with them.

56. A.18.2.1 - Internal audit: carry out an internal audit to verify the implementation and effectiveness of the information security management system.
- Example: conducting an internal audit to assess how well security processes conform to the requirements of ISO/IEC 27001.

Multiple Choice Questions


The Arabic version of the questions is on page 67.

1. **What is the primary purpose of ISO 27001?**
A) To provide a standard for quality management.
B) To establish a framework for risk management.
C) To set a standard for environmental management.
D) To provide a framework for an information security management system
(ISMS).

**Answer: D**
**Explanation:** ISO 27001 is designed specifically to help organizations
establish and maintain an effective information security management system,
ensuring that they assess risks and appropriately manage them.

2. **Which of the following is NOT a mandatory document according to ISO 27001?**
A) Scope of the ISMS
B) Information Security Policy
C) Record of data protection impact assessments
D) Risk Assessment and Risk Treatment Methodology

**Answer: C**
**Explanation:** ISO 27001 requires the documentation of the ISMS scope,
Information Security Policy, and the Risk Assessment and Risk Treatment
methodology. However, records of data protection impact assessments are not
mandatory under ISO 27001; these are more relevant to data protection
standards like the GDPR.

3. **What is the role of top management according to ISO 27001?**
A) To implement the ISMS on a day-to-day basis.
B) To provide the resources needed for the ISMS.
C) To conduct the internal audit.
D) To solely take decisions on risk treatment.

**Answer: B**
**Explanation:** Top management is responsible for demonstrating leadership
and commitment to the ISMS by ensuring the availability of necessary resources,
supporting relevant roles, and promoting continual improvement.

4. **Which step in the Plan-Do-Check-Act (PDCA) cycle involves taking actions to continually improve the performance of the ISMS?**
A) Plan
B) Do
C) Check
D) Act

**Answer: D**
**Explanation:** The 'Act' phase of the PDCA cycle is about taking actions
based on the performance evaluation and audit results to continually improve
the effectiveness of the ISMS.

5. **Which of the following is a true statement about the Statement of Applicability in ISO 27001?**
A) It is optional.
B) It only lists excluded controls.
C) It details the controls that are implemented and explains why others are
excluded.
D) It should be kept confidential and not be shared with external parties.

**Answer: C**
**Explanation:** The Statement of Applicability is a mandatory document for
ISO 27001 compliance. It details which controls from Annex A of the standard are
applied within the organization, and provides justification for excluding any
controls.

Here are more sample multiple choice questions that cover various aspects of ISO 27001 and are suitable for someone preparing for a Lead Implementer exam:

### Additional Sample Questions

6. **Which of the following is NOT considered a part of an ISMS scope according to ISO 27001?**
A) Business objectives
B) Organizational structure
C) IT systems used by the organization
D) Competitors' security practices

**Answer: D**
**Explanation:** The ISMS scope should include internal factors like business
objectives, organizational structure, and IT systems, but it does not typically
include competitors' security practices, as the scope focuses on the organization
itself.

7. **What does risk treatment involve in the context of ISO 27001?**
A) Identifying risks
B) Assessing the impact and likelihood of risks
C) Selecting options to handle risks
D) Monitoring risks

**Answer: C**
**Explanation:** Risk treatment involves selecting risk management options
and determining all the controls necessary to mitigate those risks. This follows
the risk assessment phase where risks are identified and evaluated.

8. **ISO 27001 requires that the results of the risk assessment and risk treatment
are reviewed at planned intervals. What is the primary purpose of this review?**
A) To ensure the accuracy of financial reporting
B) To determine the effectiveness of the implemented controls
C) To prepare for external audits
D) To update the business continuity plans

**Answer: B**
**Explanation:** The primary purpose of reviewing risk assessments and
treatments is to ensure that the controls are effectively mitigating risks as
intended and to identify any areas where the risk management process may need
improvement.

9. **Which of the following best describes the purpose of internal audits as required by ISO 27001?**
A) To correct non-conformities before external audits
B) To fulfill legal requirements
C) To assess whether the ISMS conforms to planned arrangements and is
properly implemented and maintained
D) To promote the ISMS to stakeholders

**Answer: C**
**Explanation:** Internal audits are a fundamental part of ISO 27001 and serve
to assess whether the ISMS meets the organization's own requirements and
those of the standard itself. They check both conformity with documentation and
effective implementation and maintenance.

10. **What is meant by 'information security continuity' under ISO 27001?**
A) Ensuring that security measures continue to operate during a disruptive
incident
B) The continuation of information security management in organizational daily
routines
C) The uninterrupted availability of information
D) Continuous improvement of the ISMS

**Answer: A**
**Explanation:** Information security continuity refers to the need for
planning and implementing information security measures that continue to
operate effectively during and following a disruptive incident. This is a part of
overall business continuity management.

11. **ISO 27001 is based on a risk management approach. Which document is essential for recording identified risks, their assessments, and responses?**
A) Risk Assessment Report
B) Information Security Policy
C) Risk Treatment Plan
D) ISMS Review Report

**Answer: C**
**Explanation:** The Risk Treatment Plan is a crucial document that records
identified risks, assessments of these risks, and the actions planned or taken to
manage these risks according to the risk treatment decisions.

12. **What is the purpose of 'access control' in ISO 27001?**
A) To ensure the security of the building facilities
B) To prevent unauthorized access to information
C) To monitor employee behavior
D) To enhance the efficiency of the IT system

**Answer: B**
**Explanation:** In the context of ISO 27001, access control aims to prevent
unauthorized access to information, ensuring that information is accessible only
to those authorized to have access.

13. **What type of security incident needs to be reported according to ISO 27001
requirements?**
A) Only incidents that lead to a financial loss
B) All security incidents
C) Only incidents confirmed by an external audit
D) Incidents that are reported by customers

**Answer: B**
**Explanation:** ISO 27001 requires that all security incidents be reported and
properly logged, regardless of their apparent severity, to ensure that they can be
analyzed and used for improving the ISMS.

14. **Which of the following is not a direct benefit of implementing an ISMS according to ISO 27001?**
A) Improved reputation with stakeholders
B) Increased sales
C) Legal compliance
D) Guaranteed elimination of all IT risks

**Answer: D**
**Explanation:** While ISO 27001 significantly helps manage and mitigate
information security risks, it does not guarantee the elimination of all IT risks, as
some risks are inherent and cannot be completely removed.

15. **In ISO 27001, which of the following best describes the term 'asset'?**
A) Anything that has a financial value in the market
B) Only physical devices like computers and servers
C) Any resource of value to the organization
D) Only data stored electronically

**Answer: C**
**Explanation:** In the context of ISO 27001, an asset refers to any resource of
value to the organization, including information, physical devices, services, and
personnel.

16. **Which principle of information security does 'encryption' primarily support?**
A) Availability
B) Integrity
C) Confidentiality
D) Accountability

**Answer: C**
**Explanation:** Encryption is primarily used to support the confidentiality of
information, ensuring that data is inaccessible to unauthorized individuals.

17. **How often should the effectiveness of the ISMS be reviewed according to
ISO 27001?**
A) At least annually
B) Only after a security breach
C) Every two years
D) Whenever there is a major change in the organization

**Answer: A**
**Explanation:** ISO 27001 recommends that the ISMS be reviewed at least
annually to ensure its continuing suitability, adequacy, and effectiveness,
although reviews may also be necessary after significant changes.

18. **What role does 'management review' play in an ISMS?**
A) It's primarily for auditing financial statements
B) It's a technical review of the IT infrastructure
C) It evaluates the performance and suitability of the ISMS
D) It deals with employee compliance with security policies

**Answer: C**
**Explanation:** Management reviews are conducted to evaluate the ISMS's
performance, suitability, and effectiveness, ensuring that it meets the
organization's objectives and identifying areas for improvement.

19. **Which of the following statements about ISO 27001 certification is true?**
A) It requires recertification every 10 years
B) It is granted for life once achieved
C) It requires periodic surveillance audits
D) It can be granted by any consultant

**Answer: C**
**Explanation:** ISO 27001 certification is not permanent and requires
periodic surveillance audits to ensure ongoing compliance, along with a
recertification audit typically every three years.

20. **What is the ultimate goal of implementing ISO 27001 in an organization?**
A) To ensure complete secrecy of all organizational information
B) To protect and secure information assets from all types of threats
C) To increase IT efficiency
D) To comply with international trade laws

**Answer: B**
**Explanation:** The ultimate goal of implementing ISO 27001 is to protect
and secure the organization's information assets from all types of threats,
whether internal or external, deliberate or accidental.

21. **What does the term 'residual risk' refer to in the context of ISO 27001?**
A) The risk remaining after all controls have been applied
B) The initial risk identified before any controls are applied
C) The risk transferred to a third party
D) The risk accepted by management

**Answer: A**
**Explanation:** Residual risk is the amount of risk that remains after all
controls and other treatment methods have been applied. It is the risk that the
organization decides it must live with.

22. **Which ISO 27001 principle supports the concept of ensuring that data,
assets, and resources are safeguarded from unauthorized modifications?**
A) Integrity
B) Confidentiality
C) Availability
D) Authentication

**Answer: A**
**Explanation:** Integrity in information security ensures that information is
accurate and complete, and is protected against unauthorized modification.

23. **What is the primary function of an ISMS audit program according to ISO 27001?**
A) To ensure compliance with legal requirements only
B) To review and improve the technological infrastructure of the organization
C) To provide a systematic approach to assess and improve the effectiveness of
the ISMS
D) To ensure that the ISMS is generating a profit for the organization

**Answer: C**
**Explanation:** The audit program is a systematic approach intended to
assess the effectiveness of the ISMS and to identify areas for improvement in the
security practices of the organization.

24. **Which activity is involved in the 'Do' phase of the PDCA (Plan-Do-Check-
Act) cycle applied in ISO 27001?**
A) Defining the scope and objectives
B) Implementing the risk treatment plan
C) Conducting internal audits
D) Reviewing the ISMS at management reviews

**Answer: B**
**Explanation:** The 'Do' phase involves implementing the risk treatment plan
which includes applying the security controls and procedures outlined in the
'Plan' phase.

25. **What is expected from the communication process as per ISO 27001
requirements?**
A) It should be documented and occur only in formal settings.
B) It should include communicating only with internal stakeholders.
C) It should ensure information security awareness among all relevant parties.
D) It should focus primarily on technical communication between IT staff.

**Answer: C**
**Explanation:** Effective communication as per ISO 27001 should ensure that
all relevant parties are aware of information security requirements, risks, and
controls, thereby promoting an organizational culture of security.

26. **Which statement best describes the 'risk owner' in ISO 27001?**
A) The risk owner is the person responsible for managing the IT department.
B) The risk owner is the person responsible for funding the ISMS.
C) The risk owner is the person accountable for managing a risk and ensuring it
is treated appropriately.
D) The risk owner is always a member of senior management.

**Answer: C**
**Explanation:** The risk owner is the individual who has the accountability
and authority to manage a risk and to ensure that appropriate measures are
taken to treat that risk.

27. **What should be considered when determining the frequency of performing risk assessments in ISO 27001?**
A) The frequency should be the same for all types of organizations.
B) The frequency depends on the ISMS's performance and external changes.
C) The risk assessment must be conducted weekly.
D) The frequency is regulated by the government.

**Answer: B**
**Explanation:** The frequency of risk assessments should be determined
based on the performance of the ISMS and considering any external or internal
changes that might affect the system.

28. **Which of the following is a correct action during the 'Check' phase of the
PDCA cycle in ISO 27001?**
A) Establishing the ISMS
B) Applying controls
C) Conducting performance measurement and monitoring
D) Modifying policies

**Answer: C**
**Explanation:** The 'Check' phase involves monitoring and reviewing the
performance of the ISMS, which includes regular performance measurement and
auditing.

29. **ISO 27001 requires which type of approach to managing information security?**
A) Product-based
B) Project-based
C) Process-based
D) Technology-based

**Answer: C**
**Explanation:** ISO 27001 adopts a process-based approach, which involves
establishing, implementing, operating, monitoring, reviewing, maintaining, and
improving an ISMS.

30. **What is an ISMS policy as per ISO 27001?**
A) It is a technical guideline for IT systems only.
B) It is a detailed manual of all security procedures.
C) It is a high-level document that outlines the organization’s approach to
information security.
D) It is a contract with security service providers.

**Answer: C**
**Explanation:** The ISMS policy is a high-level document that outlines the
organization’s management direction and support for information security in
accordance with business requirements and relevant laws and regulations.

31. **Which of the following best describes 'asset management' in ISO 27001?**
A) Managing the financial assets of the organization.
B) Ensuring physical security of the organization's premises.
C) Identifying, classifying, and protecting information assets.
D) Managing the inventory of IT hardware.

**Answer: C**
**Explanation:** Asset management in ISO 27001 refers to the processes
involved in identifying, classifying, and protecting information assets to ensure
that valuable data is adequately secured against threats.

32. **In ISO 27001, what is the primary purpose of implementing an Information
Security Management System (ISMS)?**
A) To ensure regulatory compliance only.
B) To enhance customer trust and business reputation.
C) To guarantee no information security breaches.
D) To systematically manage information security risks to business information.

**Answer: D**
**Explanation:** The primary purpose of implementing an ISMS is to
systematically manage risks to the organization's information, thereby ensuring
the security of assets, data, and resources.

33. **What role does 'employee training and awareness' play in an ISMS under
ISO 27001?**
A) It is considered unnecessary as long as technical controls are in place.
B) It is pivotal in ensuring that employees understand their roles and
responsibilities towards information security.
C) It only applies to IT staff.
D) It is optional but recommended.

**Answer: B**
**Explanation:** Training and awareness are critical components of an ISMS.
Ensuring that all employees are aware of the information security policies and
their specific security responsibilities is vital to the effectiveness of the ISMS.

34. **Which document outlines how organizational changes should be managed to ensure ongoing information security according to ISO 27001?**
A) The Information Security Policy
B) The Change Management Policy
C) The Risk Treatment Plan
D) The ISMS Review Report

**Answer: B**
**Explanation:** The Change Management Policy is crucial as it outlines
procedures that ensure security is maintained and risks are reassessed whenever
organizational changes occur.

35. **What is the function of an Information Security Forum within the context
of ISO 27001?**
A) To resolve IT system malfunctions.
B) To discuss and review the information security policies and practices.
C) To handle marketing and public relations.
D) To audit financial transactions.

**Answer: B**
**Explanation:** An Information Security Forum serves as a platform for
discussing and reviewing the organization’s information security policies,
practices, and issues, promoting a robust security culture.

36. **Under ISO 27001, which type of control is used to manage the operation of
the ISMS?**
A) Strategic controls
B) Operational controls
C) Technical controls
D) Organizational controls

**Answer: B**
**Explanation:** Operational controls in ISO 27001 are those directly related to
the management and execution of the ISMS in daily operations, ensuring its
effectiveness.

37. **What is the significance of 'context of the organization' in ISO 27001?**
A) It determines the scope of the marketing strategy.
B) It involves understanding the internal and external issues that can impact the
ISMS.
C) It is about global economic factors only.
D) It focuses on the technical aspects of IT management.

**Answer: B**
**Explanation:** Understanding the context of the organization involves
identifying both internal and external factors that can influence the ISMS’s ability
to achieve its intended outcomes, essential for effective risk management.

38. **Which action should be taken if a risk exceeds the defined risk appetite in
ISO 27001?**
A) It should be ignored as an outlier.
B) It should be immediately transferred to a third party.
C) It should be mitigated to an acceptable level.
D) It should be accepted without mitigation.

**Answer: C**
**Explanation:** If a risk exceeds the organization's risk appetite, it should be
mitigated through appropriate controls to bring it down to an acceptable level,
ensuring it aligns with the organization’s risk strategy.

39. **How often should the effectiveness of implemented controls be reviewed in an ISMS according to ISO 27001?**
A) Once at implementation.
B) Only when there is a security breach.
C) At regular intervals and as a response to security incidents.
D) Every five years.

**Answer: C**
**Explanation:** Controls should be reviewed at regular intervals and in
response to significant changes or security incidents to ensure they are effective
and continue to protect the organization as intended.

40. **What is the role of a Data Protection Officer (DPO) in relation to ISO
27001?**
A) The DPO is responsible for managing all financial risks.
B) The DPO solely handles customer complaints regarding data breaches.
C) The DPO ensures that data protection requirements are integrated into the
ISMS.
D) The DPO is irrelevant to ISO 27001.

**Answer: C**
**Explanation:** The Data Protection Officer plays a crucial role in ensuring
that data protection laws and policies are integrated into the ISMS, particularly
important in jurisdictions with stringent data protection regulations.

41. **What is the purpose of the 'risk assessment' process in ISO 27001?**
A) To identify security threats and vulnerabilities.
B) To ensure compliance with local laws only.
C) To monitor employee activities.
D) To invest in security technologies.

**Answer: A**
**Explanation:** Risk assessment is critical in ISO 27001 as it helps identify the
organization's security threats and vulnerabilities, allowing for effective planning
of controls to mitigate these risks.

42. **ISO 27001 requires the establishment of security objectives. At which level
should these objectives be set?**
A) Only at the top management level.
B) At relevant functions and levels within the organization.
C) Solely within the IT department.
D) Exclusively at the operational level.

**Answer: B**
**Explanation:** Security objectives should be set at relevant functions and
levels within the organization to ensure comprehensive coverage and integration
of information security into all areas of operation.

43. **Which of the following outcomes is an expected benefit of an effectively implemented ISMS according to ISO 27001?**
A) Elimination of all IT security risks.
B) Increased organizational profitability.
C) Enhanced resilience against information security threats.
D) Reduction in employee turnover.

**Answer: C**
**Explanation:** An effectively implemented ISMS enhances an organization's
resilience against information security threats by systematically managing risks
associated with information assets.

44. **Which type of analysis is crucial for determining the impact of identified
risks in ISO 27001?**
A) Competitor analysis.
B) Financial analysis.
C) Impact analysis.
D) Performance analysis.

**Answer: C**
**Explanation:** Impact analysis is crucial in the risk assessment process as it
helps determine the potential consequences of identified risks, guiding the
decision on appropriate controls.

45. **In ISO 27001, what is the significance of the 'Statement of Applicability'?**
A) It details all technical specifications of security systems.
B) It is a contract with stakeholders.
C) It documents which controls are applicable and justifies exclusions.
D) It lists only the applicable legal requirements.

**Answer: C**
**Explanation:** The Statement of Applicability is a key document that details
which controls from the ISO 27001 standard have been selected, implemented,
and why, including justifications for any exclusions.

46. **What does 'continuous improvement' in the context of ISO 27001 involve?**
A) Constantly changing security policies.
B) Regularly updating IT equipment.
C) Periodically reviewing and enhancing the ISMS.
D) Continuously hiring security personnel.

**Answer: C**
**Explanation:** Continuous improvement in ISO 27001 involves periodically
reviewing the ISMS to identify opportunities for improvement and making
necessary changes to enhance its overall effectiveness.

47. **How should changes to the ISMS be managed according to ISO 27001?**
A) Changes should be implemented spontaneously as issues arise.
B) Changes must be managed in a controlled manner.
C) Changes are discouraged and should be avoided.
D) Only external changes should be managed.

**Answer: B**
**Explanation:** ISO 27001 emphasizes that changes to the ISMS should be
managed in a controlled manner, ensuring that they do not adversely affect
security or the effectiveness of the system.

48. **What is the role of 'monitoring and measurement' in an ISMS?**
A) To comply with marketing strategies.
B) To check the performance and effectiveness of the ISMS.
C) To monitor only financial performance related to security investments.
D) To measure employee satisfaction.

**Answer: B**
**Explanation:** Monitoring and measurement are important to assess the
performance and effectiveness of the ISMS, helping identify areas that require
attention or improvement.

49. **According to ISO 27001, what should be done when nonconformities are
identified?**
A) They should be ignored unless they cause significant damage.
B) They must be corrected and actions taken to prevent their recurrence.
C) They should be reported only to management.
D) They must be accepted as part of the risk.

**Answer: B**
**Explanation:** When nonconformities are identified, they must be corrected
and actions taken to prevent their recurrence, as part of a proactive approach to
improve the ISMS.

50. **What is meant by 'information security incident management' in ISO 27001?**
A) Planning exclusive social events to discuss incident impacts.
B) Procedures and responsibilities to manage and review security incidents.
C) An annual review of past security incidents.
D) Outsourcing incident handling to third-party services.

**Answer: B**
**Explanation:** Information security incident management involves
establishing procedures and responsibilities to ensure that security incidents are
managed and reviewed effectively, helping minimize the impact of such incidents
on the organization.

51. **Which ISO 27001 control is primarily concerned with protecting data during
transit?**
A) Asset management
B) Cryptographic controls
C) Physical and environmental security
D) Operational security

**Answer: B**
**Explanation:** Cryptographic controls are essential for protecting data
during transit, ensuring that it remains confidential and integral by encrypting the
data as it moves across networks.

52. **What is the role of the internal audit according to ISO 27001?**
A) To correct non-conformities before external audits.
B) To ensure legal compliance.
C) To assess conformity with organizational and regulatory requirements.
D) To handle customer complaints regarding information security.

**Answer: C**
**Explanation:** The role of the internal audit is to assess the ISMS's
conformity with organizational policies and objectives, as well as compliance with
ISO 27001 and other regulatory requirements.

53. **Which ISO 27001 principle ensures that information is available and
accessible to authorized users when needed?**
A) Integrity
B) Confidentiality
C) Availability
D) Authenticity

**Answer: C**
**Explanation:** The principle of availability ensures that information and
related assets are accessible to authorized users whenever required.

54. **What is the purpose of a risk management process in an ISMS according to ISO 27001?**
A) To eliminate all business risks
B) To identify, assess, and control information security risks
C) To ensure economic stability of the organization
D) To monitor employee performance

**Answer: B**
**Explanation:** The risk management process in ISO 27001 focuses on
identifying, assessing, and controlling risks related to information security,
ensuring that they are within acceptable limits.

55. **Which document provides detailed guidance on implementing ISO 27001 controls?**
A) ISO 27000
B) ISO 27002
C) ISO 27005
D) ISO 27032

**Answer: B**
**Explanation:** ISO 27002 provides guidance on implementing the security
controls listed in ISO 27001, offering best practice recommendations on
information security management.

56. **What is an ISMS performance evaluation used for?**
A) To determine the return on investment for security expenditures
B) To assess how well the ISMS meets security requirements and objectives
C) To compare security practices with competitors
D) To determine employee compliance with security policies

**Answer: B**
**Explanation:** Performance evaluation is used to assess how well the ISMS
meets the organization's information security requirements and objectives.

57. **What is the first step in the risk assessment process according to ISO
27001?**
A) Identifying threats
B) Assessing impact
C) Establishing the context
D) Evaluating likelihood

**Answer: C**
**Explanation:** Establishing the context is the first step in the risk assessment
process, where the parameters for managing risk are defined, including the
organization's external and internal environments.

58. **Why are operational procedures and responsibilities important in ISO
27001?**
A) They solely determine the financial budget for the ISMS.
B) They are necessary for legal and regulatory compliance.
C) They help manage and reduce the complexity of IT operations.
D) They ensure consistent and secure management of information processing
facilities.

**Answer: D**
**Explanation:** Operational procedures and responsibilities are key to
ensuring that information processing facilities are managed securely and
consistently, following predefined practices.

59. **What does 'user access management' entail under ISO 27001?**
A) Monitoring user activities on social media
B) Controlling user access to information systems and services
C) Managing user complaints about system access
D) Ensuring all users have equal access to information

**Answer: B**
**Explanation:** User access management involves controlling access to
information systems and services, ensuring that users have appropriate access
rights based on their roles and responsibilities.

60. **ISO 27001 requires consideration of which aspects when defining the scope
of the ISMS?**
A) The size and structure of the organization
B) The organization’s location and cultural aspects
C) Personal interests of top management
D) All of the above

**Answer: A**
**Explanation:** When defining the scope of the ISMS, it's important to
consider the size and structure of the organization to ensure that the ISMS is
comprehensive and applicable across all relevant areas.

61. **What is the primary goal of incident management in ISO 27001?**
A) To prevent incidents from happening
B) To ensure all incidents are reported to the police
C) To manage and control information security incidents and weaknesses
effectively
D) To record incidents for legal purposes only

**Answer: C**
**Explanation:** Incident management in ISO 27001 aims to effectively
manage and control information security incidents and weaknesses, minimizing
their impact and preventing recurrence.

62. **Which document must specify the responsibilities and authorities for roles
involved with the ISMS?**
A) The Information Security Policy
B) The Scope Document
C) The Risk Assessment Report
D) The Statement of Applicability

**Answer: A**
**Explanation:** The Information Security Policy should clearly specify the
responsibilities and authorities for roles involved with managing the ISMS,
ensuring clarity in accountability.

63. **How should the effectiveness of the controls implemented as part of the
ISMS be measured?**
A) Through internal audits and regular reviews
B) Solely based on the number of security breaches
C) By the speed of IT response teams
D) Based on external audits only

**Answer: A**
**Explanation:** The effectiveness of the controls should be assessed through
internal audits, regular reviews, and performance evaluations to ensure they are
operating as intended and meeting the organization's security objectives.

64. **What does the process of 'risk treatment' involve?**
A) Identifying risks
B) Determining the action to mitigate identified risks
C) Ignoring low-level risks
D) Transferring all risks to a third party

**Answer: B**
**Explanation:** Risk treatment involves determining actions to address
identified risks, which may include mitigating, accepting, transferring, or avoiding
the risks, depending on their severity and impact.

65. **Why is it important for an ISMS to be aligned with organizational
objectives?**
A) To ensure it only serves the IT department's goals
B) To make sure the ISMS supports the overall business objectives and strategy
C) To comply with IT standards only
D) To focus exclusively on external threats

**Answer: B**
**Explanation:** Aligning the ISMS with organizational objectives ensures that
it supports the overall business strategy and adds value, enhancing the
organization's security posture in a way that promotes its goals.

66. **What is the role of a management review in the context of ISO 27001?**
A) To focus on the personal performance of management staff
B) To evaluate the performance, status, and effectiveness of the ISMS
C) To assess customer satisfaction with the organization
D) To provide financial audits

**Answer: B**
**Explanation:** Management reviews are critical as they assess the
performance, status, and effectiveness of the ISMS, identifying opportunities for
improvement and ensuring it remains effective and aligned with the
organizational needs.

67. **How often should the ISMS be updated or reviewed for effectiveness?**
A) Only after a security breach
B) At regular intervals, considering operational feedback and environmental
changes
C) Once every five years
D) When there is a change in IT management

**Answer: B**
**Explanation:** The ISMS should be reviewed and updated at regular
intervals, taking into account operational feedback, environmental changes, and
the results of audits to ensure ongoing suitability, adequacy, and effectiveness.

68. **What should be included in the scope of the ISMS according to ISO
27001?**
A) Only the IT department
B) Every area where information is processed, stored, or transmitted
C) Only customer data
D) The headquarters office only

**Answer: B**
**Explanation:** The scope of the ISMS should include all areas where
information is processed, stored, or transmitted within the organization, ensuring
comprehensive coverage of all potential security risks.

69. **Which of the following is a recommended practice for maintaining
information security during employee termination or change of employment?**
A) Retaining access rights indefinitely
B) Performing an exit interview to ensure awareness of ongoing confidentiality
agreements
C) Allowing continued access to the network for a grace period
D) None of the above

**Answer: B**
**Explanation:** Conducting an exit interview to reinforce confidentiality
agreements and responsibilities is a recommended practice to maintain security
when an employee leaves or changes roles within the organization.

70. **What is the main reason for classifying information in ISO 27001?**
A) To determine the scope of the marketing strategy
B) To ensure appropriate levels of security are applied based on sensitivity and
value
C) To make information publicly accessible
D) To comply with software licensing agreements

**Answer: B**
**Explanation:** Classifying information is important to ensure that
appropriate security controls are applied based on the sensitivity and value of the
information, protecting it according to its importance to the organization.

71. **What is the primary purpose of conducting risk assessments in ISO
27001?**
A) To identify potential security incidents
B) To determine the financial impact of security breaches
C) To identify, evaluate, and prioritize information security risks
D) To allocate budget for security controls

**Answer: C**
**Explanation:** Risk assessments in ISO 27001 aim to systematically identify,
evaluate, and prioritize information security risks to the organization, enabling
informed decision-making about risk treatment.

72. **What does the 'PDCA' cycle represent in ISO 27001?**
A) Plan, Develop, Control, Assess
B) Plan, Do, Check, Act
C) Protect, Detect, Correct, Adapt
D) Prepare, Deploy, Coordinate, Analyze

**Answer: B**
**Explanation:** The PDCA (Plan-Do-Check-Act) cycle is a four-step
management method used for the control and continuous improvement of
processes and products, including those related to information security
management in ISO 27001.

73. **Which document outlines the overall intention and direction of an
organization regarding information security management according to ISO
27001?**
A) Statement of Applicability
B) Risk Assessment Report
C) Information Security Policy
D) Control Objectives Document

**Answer: C**
**Explanation:** The Information Security Policy provides a high-level overview
of the organization's intentions and direction regarding information security
management, including its commitment to protecting information assets.

74. **What is the role of an 'Information Security Steering Committee' in ISO
27001?**
A) To oversee the implementation of security controls
B) To review financial reports
C) To monitor employee productivity
D) To guide and oversee the development and maintenance of the ISMS

**Answer: D**
**Explanation:** An Information Security Steering Committee is responsible for
guiding and overseeing the development, implementation, and maintenance of
the ISMS, ensuring it aligns with organizational objectives and strategies.

75. **Which ISO 27001 control category addresses physical security concerns?**
A) Human resource security
B) Access control
C) Physical and environmental security
D) Cryptography

**Answer: C**
**Explanation:** The physical and environmental security category in ISO
27001 addresses controls related to protecting information systems, equipment,
and facilities from physical threats and environmental hazards.

76. **What is the purpose of conducting internal audits in ISO 27001?**
A) To identify external threats to the organization
B) To verify compliance with legal requirements
C) To assess the effectiveness of the ISMS and identify areas for improvement
D) To conduct financial audits

**Answer: C**
**Explanation:** Internal audits in ISO 27001 are conducted to assess the
effectiveness of the ISMS, verify compliance with organizational policies and
procedures, and identify areas for improvement.

77. **What is the significance of 'security awareness training' in ISO 27001?**
A) To increase employee turnover
B) To ensure compliance with marketing strategies
C) To educate employees about security risks and their responsibilities
D) To improve customer satisfaction

**Answer: C**
**Explanation:** Security awareness training in ISO 27001 is essential for
educating employees about security risks, best practices, and their
responsibilities in maintaining information security within the organization.

78. **What is the purpose of conducting a gap analysis in ISO 27001
implementation?**
A) To identify opportunities for revenue growth
B) To assess the maturity level of the ISMS
C) To identify discrepancies between current practices and ISO 27001
requirements
D) To evaluate employee performance

**Answer: C**
**Explanation:** A gap analysis in ISO 27001 implementation helps identify
discrepancies between current information security practices and the
requirements outlined in the ISO 27001 standard, guiding the development of an
action plan for compliance.

79. **Which ISO 27001 control addresses the management of removable
media?**
A) Incident management
B) Asset management
C) Access control
D) Cryptography

**Answer: B**
**Explanation:** Asset management controls in ISO 27001 include managing
the use of removable media to prevent unauthorized access or data breaches
through portable storage devices.

80. **Why is it important to establish an incident response plan in ISO 27001?**
A) To avoid legal liabilities
B) To ensure compliance with government regulations
C) To minimize the impact of security incidents and reduce recovery time
D) To increase employee workload

**Answer: C**
**Explanation:** Establishing an incident response plan in ISO 27001 is crucial
for minimizing the impact of security incidents, reducing recovery time, and
maintaining the organization's resilience against security threats.

81. **What is the purpose of conducting a business impact analysis (BIA) in ISO
27001?**
A) To assess the financial health of the organization
B) To identify critical business functions and their dependencies on information
assets
C) To evaluate employee satisfaction
D) To review marketing strategies

**Answer: B**
**Explanation:** The purpose of conducting a business impact analysis (BIA) in
ISO 27001 is to identify critical business functions and their dependencies on
information assets, helping prioritize resources for protection and recovery.

82. **What is the primary objective of conducting risk treatment in ISO 27001?**
A) To eliminate all identified risks
B) To transfer all risks to third parties
C) To reduce, mitigate, or accept identified risks to an acceptable level
D) To ignore identified risks

**Answer: C**
**Explanation:** The primary objective of risk treatment in ISO 27001 is to
reduce, mitigate, or accept identified risks to an acceptable level based on
organizational risk tolerance and objectives.

83. **Which ISO 27001 control category focuses on ensuring that information is
protected from unauthorized access and disclosure?**
A) Human resource security
B) Access control
C) Cryptography
D) Physical and environmental security

**Answer: B**
**Explanation:** The access control category in ISO 27001 focuses on ensuring
that information is protected from unauthorized access and disclosure through
the implementation of appropriate access control measures.

84. **What is the purpose of conducting a management review in ISO 27001?**
A) To review customer complaints
B) To evaluate the performance and suitability of the ISMS
C) To monitor competitors
D) To assess employee satisfaction

**Answer: B**
**Explanation:** The purpose of conducting a management review in ISO
27001 is to evaluate the performance and suitability of the ISMS, ensuring its
effectiveness and alignment with organizational objectives.

85. **What is the role of the risk owner in ISO 27001?**
A) To transfer all risks to third parties
B) To manage and oversee the treatment of identified risks
C) To ignore identified risks
D) To escalate all risks to senior management

**Answer: B**
**Explanation:** The role of the risk owner in ISO 27001 is to manage and
oversee the treatment of identified risks, ensuring that appropriate measures are
taken to address them effectively.

86. **Why is it important to establish an incident response team in ISO 27001?**
A) To handle marketing campaigns
B) To minimize the impact of security incidents and ensure a coordinated
response
C) To assess employee productivity
D) To manage customer complaints

**Answer: B**
**Explanation:** Establishing an incident response team in ISO 27001 is
important to minimize the impact of security incidents and ensure a coordinated
response to effectively manage and mitigate security breaches.

87. **What is the purpose of conducting security awareness training in ISO
27001?**
A) To increase employee turnover
B) To ensure compliance with marketing strategies
C) To educate employees about security risks and their responsibilities
D) To improve customer satisfaction

**Answer: C**
**Explanation:** The purpose of conducting security awareness training in ISO
27001 is to educate employees about security risks, best practices, and their
responsibilities in maintaining information security within the organization.

88. **Which ISO 27001 control category addresses the protection of information
during storage and transmission?**
A) Human resource security
B) Cryptography
C) Physical and environmental security
D) Access control

**Answer: B**
**Explanation:** The cryptography category in ISO 27001 addresses controls
related to the protection of information during storage and transmission through
the use of encryption and cryptographic techniques.

89. **What is the primary objective of conducting internal audits in ISO 27001?**
A) To identify potential security incidents
B) To ensure compliance with legal requirements
C) To assess the effectiveness of the ISMS and identify areas for improvement
D) To conduct financial audits

**Answer: C**
**Explanation:** The primary objective of conducting internal audits in ISO
27001 is to assess the effectiveness of the ISMS, verify compliance with
organizational policies and procedures, and identify areas for improvement.

90. **Why is it important for an organization to establish a clear information
security policy in ISO 27001?**
A) To increase employee workload
B) To ensure compliance with government regulations
C) To guide and inform employees about information security expectations and
responsibilities
D) To monitor employee performance

**Answer: C**
**Explanation:** Establishing a clear information security policy in ISO 27001 is
important to guide and inform employees about information security
expectations and responsibilities within the organization, ensuring consistency
and compliance.

91. **What is the purpose of a risk assessment methodology in ISO 27001?**
A) To eliminate all risks identified within the organization
B) To determine the financial impact of potential risks
C) To provide a structured approach for identifying, analyzing, and evaluating
information security risks
D) To assess employee productivity levels

**Answer: C**
**Explanation:** A risk assessment methodology in ISO 27001 provides a
structured approach for identifying, analyzing, and evaluating information
security risks within the organization.

92. **Which ISO 27001 control category focuses on ensuring that information
assets are identified and managed appropriately?**
A) Asset management
B) Access control
C) Cryptography
D) Physical and environmental security

**Answer: A**
**Explanation:** The asset management category in ISO 27001 focuses on
ensuring that information assets are identified and managed appropriately
throughout their lifecycle.

93. **What is the role of the information security manager in ISO 27001?**
A) To handle financial audits
B) To oversee the implementation and maintenance of the ISMS
C) To manage marketing campaigns
D) To monitor competitor activities

**Answer: B**
**Explanation:** The role of the information security manager in ISO 27001 is
to oversee the implementation and maintenance of the Information Security
Management System (ISMS) within the organization.

94. **Which ISO 27001 control category focuses on ensuring that information is
protected from unauthorized access and modification?**
A) Human resource security
B) Access control
C) Cryptography
D) Physical and environmental security

**Answer: B**
**Explanation:** The access control category in ISO 27001 focuses on ensuring
that information is protected from unauthorized access and modification through
the implementation of appropriate access controls.

95. **What is the primary objective of conducting security awareness training in
ISO 27001?**
A) To increase employee turnover
B) To ensure compliance with marketing strategies
C) To educate employees about security risks and best practices
D) To improve customer satisfaction

**Answer: C**
**Explanation:** The primary objective of conducting security awareness
training in ISO 27001 is to educate employees about security risks, threats, and
best practices to enhance the organization's overall security posture.

96. **Why is it important for an organization to establish a risk treatment plan in
ISO 27001?**
A) To ignore identified risks
B) To eliminate all identified risks
C) To transfer all identified risks to third parties
D) To address identified risks through appropriate measures

**Answer: D**
**Explanation:** It is important for an organization to establish a risk
treatment plan in ISO 27001 to address identified risks through appropriate
measures, such as mitigation, acceptance, or avoidance.

97. **What is the purpose of conducting regular management reviews in ISO
27001?**
A) To review customer complaints
B) To evaluate the performance and effectiveness of the ISMS
C) To assess employee productivity levels
D) To monitor competitor activities

**Answer: B**
**Explanation:** The purpose of conducting regular management reviews in
ISO 27001 is to evaluate the performance and effectiveness of the Information
Security Management System (ISMS) within the organization.

98. **Which ISO 27001 control category addresses the protection of information
during storage and transmission?**
A) Human resource security
B) Access control
C) Cryptography
D) Physical and environmental security

**Answer: C**
**Explanation:** The cryptography category in ISO 27001 addresses controls
related to the protection of information during storage and transmission through
the use of cryptographic techniques.

99. **What is the role of the risk owner in ISO 27001?**
A) To transfer all risks to third parties
B) To manage and oversee the treatment of identified risks
C) To ignore identified risks
D) To escalate all risks to senior management

**Answer: B**
**Explanation:** The role of the risk owner in ISO 27001 is to manage and
oversee the treatment of identified risks, ensuring that appropriate measures are
taken to address them effectively.

100. **Why is it important for an organization to establish an incident response
team in ISO 27001?**
A) To handle financial audits
B) To minimize the impact of security incidents and ensure a coordinated
response
C) To review customer complaints
D) To assess employee productivity levels

**Answer: B**
**Explanation:** It is important for an organization to establish an incident
response team in ISO 27001 to minimize the impact of security incidents and
ensure a coordinated response to effectively manage and mitigate security
breaches.

‫أﺳﺌﻠﺔ اﺧﺘ‪F‬ﺎرات ﻣﺘﻌﺪدة‬

‫@ ﻣﻦ ‪ISO 27001‬؟**‬ ‫‪** .1‬ﻣﺎ اﻟﻐﺮض اﻟﺮﺋ∞ ‪z‬‬


‫‪ (A‬ﺗﻮﻓ‪ ib‬ﻣﻌ‪7‬ﺎر ﻹدارة اﻟﺠﻮدة‪.‬‬
‫‪ (B‬إ‪ø‬ﺸﺎء إﻃﺎر ﻹدارة اﻟﻤﺨﺎﻃﺮ‪.‬‬
‫‪ (C‬ﺗﺤﺪ‪-‬ﺪ ﻣﻌ‪7‬ﺎر ﻹدارة اﻟﺒ‪û‬ﺌﺔ‪.‬‬
‫‪ (D‬ﺗﻮﻓ‪ ib‬إﻃﺎر ﻟﻨﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت )‪.(ISMS‬‬

‫**اﻹﺟﺎ\ﺔ‪**D :‬‬
‫**اﻟ‪}o‬ح‪ **:‬ﺗﻢ ﺗﺼﻤ‪7‬ﻢ ‪e ISO 27001‬ﺸ‪g‬ﻞ ﺧﺎص ﻟﻤﺴﺎﻋﺪة اﻟﻤﺆﺳﺴﺎت ﻋ~ إ‪ø‬ﺸﺎء وﺻ‪7‬ﺎﻧﺔ ﻧﻈﺎم‬
‫ﻓﻌﺎل ﻹدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‪ ،‬ﻣﻤﺎ ‪-‬ﻀﻤﻦ أﻧﻬﺎ ﺗﻘ‪7‬ﻢ اﻟﻤﺨﺎﻃﺮ وﺗﺪﻳﺮﻫﺎ ‪e‬ﺸ‪g‬ﻞ ﻣﻨﺎﺳﺐ‪.‬‬
‫ً‬
‫‪** .2‬أي ﻣﻦ اﻵ ‪ ±z j‬ﻟ∞ﺲ وﺛ‪7‬ﻘﺔ إﻟﺰاﻣ‪7‬ﺔ وﻓﻘﺎ ﻟﻤﻌ‪7‬ﺎر ‪ISO 27001‬؟**‬
‫‪ (A‬ﻧﻄﺎق ﻧﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‬
‫‪ (B‬ﺳ‪7‬ﺎﺳﺔ أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‬
‫‪ (C‬ﺳﺠﻞ ﺗﻘﻴ‪7‬ﻤﺎت ﺗﺄﺛ‪ ib‬ﺣﻤﺎ‪-‬ﺔ اﻟﺒ‪7‬ﺎﻧﺎت‬
‫‪ (D‬ﻣﻨﻬﺞ ﺗﻘﻴ‪7‬ﻢ اﻟﻤﺨﺎﻃﺮ وﻣﻌﺎﻟﺠﺘﻬﺎ‬

‫**اﻹﺟﺎ\ﺔ‪**C :‬‬
‫**اﻟ‪}o‬ح‪ **:‬ﻳﺘﻄﻠﺐ ‪ ISO 27001‬وﺛﺎﺋﻖ ﻧﻄﺎق ﻧﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‪ ،‬وﺳ‪7‬ﺎﺳﺔ أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‪،‬‬
‫وﻣﻨﻬﺞ ﺗﻘﻴ‪7‬ﻢ اﻟﻤﺨﺎﻃﺮ وﻣﻌﺎﻟﺠﺘﻬﺎ‪ .‬وﻣﻊ ذﻟﻚ‪ ،‬ﻓﺈن ﺳﺠﻼت ﺗﻘﻴ‪7‬ﻤﺎت ﺗﺄﺛ‪ ib‬ﺣﻤﺎ‪-‬ﺔ اﻟﺒ‪7‬ﺎﻧﺎت ﻟ∞ﺴﺖ إﻟﺰاﻣ‪7‬ﺔ‬
‫\ﻤﻮﺟﺐ ‪ISO 27001‬؛ ﺣ‪7‬ﺚ أن ﻫﺬە أ ‪ i—ã‬ﺻﻠﺔ \ﻤﻌﺎﻳ‪ ib‬ﺣﻤﺎ‪-‬ﺔ اﻟﺒ‪7‬ﺎﻧﺎت ﻣﺜﻞ ‪.GDPR‬‬
‫ً‬
‫‪** .3‬ﻣﺎ ﻫﻮ دور اﻹدارة اﻟﻌﻠ‪7‬ﺎ وﻓﻘﺎ ﻟﻤﻌ‪7‬ﺎر ‪ISO 27001‬؟**‬
‫‪ (A‬ﺗﻨﻔ‪7‬ﺬ ﻧﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت ‪e‬ﺸ‪g‬ﻞ ﻳﻮ‪.‹z‬‬
‫‪ (B‬ﺗﻮﻓ‪ ib‬اﻟﻤﻮارد اﻟﻼزﻣﺔ ﻟﻨﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‪.‬‬
‫‪ (C‬إﺟﺮاء اﻟﺘﺪﻗﻴﻖ اﻟﺪاﺧ‪.~z‬‬
‫‪ (D‬اﺗﺨﺎذ اﻟﻘﺮارات \ﻤﻔﺮدە ‪e‬ﺸﺄن ﻣﻌﺎﻟﺠﺔ اﻟﻤﺨﺎﻃﺮ‪.‬‬

‫**اﻹﺟﺎ\ﺔ‪**B :‬‬
‫‪c‬‬ ‫‪j‬‬
‫**اﻟ‪}o‬ح‪ **:‬ﺗﺘﺤﻤﻞ اﻹدارة اﻟﻌﻠ‪7‬ﺎ ﻣﺴﺆوﻟ‪7‬ﺔ إﻇﻬﺎر اﻟﻘ‪7‬ﺎدة واﻻﻟ‪i‬ام ﺑﻨﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت ﻣﻦ‬
‫‪ a‬اﻟﻤﺴﺘﻤﺮ‪.‬‬ ‫ﺧﻼل ﺿﻤﺎن ﺗﻮﻓ‪ ib‬اﻟﻤﻮارد اﻟﻼزﻣﺔ‪ ،‬ودﻋﻢ اﻷدوار ذات اﻟﺼﻠﺔ‪ ،‬وﺗﻌ‪[s‬ﺰ اﻟﺘﺤﺴ ‪c b‬‬
‫‪By Mohammed AlSubayt‬‬
‫‪** .4‬أي ﺧﻄﻮة ‪ yc‬دورة ‪ (Plan-Do-Check-Act (PDCA‬ﺗﻨﻄﻮي ﻋ~ اﺗﺨﺎذ إﺟﺮاءات ﻟﺘﺤﺴ ‪c b‬‬
‫‪ a‬أداء ﻧﻈﺎم‬ ‫‪z‬‬
‫إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت ‪e‬ﺸ‪g‬ﻞ ﻣﺴﺘﻤﺮ؟**‬
‫‪ (A‬ا ﻟ ﺨ ﻄ ﺔ‬
‫‪ (B‬ا ﻟ ﻌ ﻤ ﻞ‬
‫‪ (C‬ا ﻟ ﻔ ﺤ ﺺ‬
‫‪ (D‬ا ﻟ ﺘ ﻨ ﻔ ‪ 7‬ﺬ‬

‫**اﻹﺟﺎ\ﺔ‪**D :‬‬
‫**اﻟ‪}o‬ح‪ **:‬ﺗﺘﻌﻠﻖ ﻣﺮﺣﻠﺔ "‪ yc "Act‬دورة ‪\ PDCA‬ﺎﺗﺨﺎذ اﻹﺟﺮاءات اﺳ‪ï‬ﻨﺎًدا إ‪ r‬ﻧﺘﺎﺋﺞ اﻟﺘﻘﻴ‪7‬ﻢ اﻷدا‪ͱ‬‬
‫‪z‬‬ ‫‪z‬‬
‫وﻧﺘﺎﺋﺞ اﻟﺘﺪﻗﻴﻖ ﻟﺘﺤﺴ ‪c b‬‬
‫‪ a‬ﻓﻌﺎﻟ‪7‬ﺔ ﻧﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت‪.‬‬

‫‪c‬‬
‫‪** .5‬أي ﻣﻦ اﻟﺒ‪7‬ﺎﻧﺎت اﻟﺘﺎﻟ‪7‬ﺔ ﺻﺤﻴﺢ ﺣﻮل ﺑ‪7‬ﺎن اﻟﻘﺎ\ﻠ‪7‬ﺔ ﻟﻠﺘﻄﺒﻴﻖ ‪ISO 27001 yz‬؟**‬
‫‪ (A‬اﺧﺘ‪7‬ﺎري‪.‬‬
‫‪- (B‬ﻘﻮم ﻓﻘﻂ ‪}e‬د اﻟﻀﻮا\ﻂ اﻟﻤﺴ‪Uï‬ﻌﺪة‪.‬‬
‫‪ (C‬ﻳﻮﺿﺢ اﻟﻀﻮا\ﻂ اﻟﻤﻄ‪U‬ﻘﺔ و∆‪}o‬ح ﺳ“ﺐ اﺳ‪Uï‬ﻌﺎد اﻟ‪U‬ﻌﺾ اﻵﺧﺮ‪.‬‬
‫‪[n‬ﺎ وﻻ ﻳﺘﻢ ﻣﺸﺎرﻛﺘﻪ ﻣﻊ اﻷﻃﺮاف اﻟﺨﺎرﺟ‪7‬ﺔ‪.‬‬‫‪- (D‬ﺠﺐ أن ُ‪-‬ﺤﺘﻔﻆ \ﻪ ً‬

‫**اﻹﺟﺎ\ﺔ‪**C :‬‬
‫**اﻟ‪}o‬ح‪ **:‬ﺑ‪7‬ﺎن اﻟﻘﺎ\ﻠ‪7‬ﺔ ﻟﻠﺘﻄﺒﻴﻖ ﻫﻮ وﺛ‪7‬ﻘﺔ إﻟﺰاﻣ‪7‬ﺔ ﻻﻣﺘﺜﺎل ‪ .ISO 27001‬ﻳﻮﺿﺢ اﻟﺒ‪7‬ﺎن اﻟﻀﻮا\ﻂ اﻟ ‪Ñz‬‬
‫‪j‬‬
‫ﻳﺘﻢ ﺗﻄﺒ‪7‬ﻘﻬﺎ ﻣﻦ اﻟﺘﺬﻳ‪7‬ﻞ ‪ A‬ﻟﻠﻤﻌ‪7‬ﺎر داﺧﻞ اﻟﻤﺆﺳﺴﺔ‪ ،‬و[ﻮﻓﺮ ﺗ‪ً[i‬ﺮا ﻻﺳ‪Uï‬ﻌﺎد أي ﺿﻮا\ﻂ‪.‬‬

‫ً‬
‫‪** .6‬ﻣﺎ اﻟﺬي ﻻ ُ‪-‬ﻌﺘ‪ i‬ﺟﺰًءا ﻣﻦ ﻧﻄﺎق ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت وﻓﻘﺎ ﻟﻤﻌ‪7‬ﺎر ‪ISO 27001‬؟**‬
‫أ( اﻷﻫﺪاف اﻟﺘﺠﺎر[ﺔ‬
‫≤‬ ‫ب ( ا ﻟ ﻬ ‪ g 7‬ﻞ ا ﻟﺘ ﻨ ﻈ ‪z 7‬‬
‫‪c‬‬
‫ج( أﻧﻈﻤﺔ ﺗﻜﻨﻮﻟﻮﺟ‪7‬ﺎ اﻟﻤﻌﻠﻮﻣﺎت اﻟﻤﺴﺘﺨﺪﻣﺔ ‪ yz‬اﻟﻤﺆﺳﺴﺔ‬
‫‪a‬‬‫د( ﻣﻤﺎرﺳﺎت اﻷﻣﺎن ﻟﻠﻤﻨﺎﻓﺴ ‪c b‬‬

‫**اﻟﺠﻮاب‪ :‬د**‬
‫‪c‬‬
‫**اﻟ‪}o‬ح‪ **:‬ﻳ∫‪ ªz U‬أن ™ﺸﻤﻞ ﻧﻄﺎق ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت اﻟﻌﻮاﻣﻞ اﻟﺪاﺧﻠ‪7‬ﺔ ﻣﺜﻞ اﻷﻫﺪاف اﻟﺘﺠﺎر[ﺔ‬
‫‪،a‬‬‫واﻟﻬ‪g7‬ﻞ اﻟﺘﻨﻈ‪ ≤7‬وأﻧﻈﻤﺔ ﺗﻜﻨﻮﻟﻮﺟ‪7‬ﺎ اﻟﻤﻌﻠﻮﻣﺎت‪ ،‬وﻟ‪Œ‬ﻨﻪ ﻋﺎدة ﻣﺎ ﻻ ™ﺸﻤﻞ ﻣﻤﺎرﺳﺎت اﻷﻣﺎن ﻟﻠﻤﻨﺎﻓﺴ ‪c b‬‬
‫‪z‬‬
‫ﺣ‪7‬ﺚ ﻳﺮﻛﺰ اﻟﻨﻄﺎق ﻋ~ اﻟﻤﺆﺳﺴﺔ ﻧﻔﺴﻬﺎ‪.‬‬

‫‪c‬‬
‫‪** .7‬ﻣﺎذا ‪-‬ﻌ ‪ Ñz c‬ﻣﻌﺎﻟﺠﺔ اﻟﻤﺨﺎﻃﺮ ‪ yz‬ﺳ‪7‬ﺎق ﻣﻌ‪7‬ﺎر ‪ISO 27001‬؟**‬
‫أ( ﺗﺤﺪ‪-‬ﺪ اﻟﻤﺨﺎﻃﺮ‬
‫ب( ﺗﻘﻴ‪7‬ﻢ ﺗﺄﺛ‪ ib‬اﻟﻤﺨﺎﻃﺮ واﺣﺘﻤﺎﻟ‪7‬ﺔ ﺣﺪوﺛﻬﺎ‬
‫ج( اﺧﺘ‪7‬ﺎر اﻟﺨ‪7‬ﺎرات ﻟﻠﺘﻌﺎﻣﻞ ﻣﻊ اﻟﻤﺨﺎﻃﺮ‬
‫د( ﻣﺮاﻗ‪U‬ﺔ اﻟﻤﺨﺎﻃﺮ‬

‫**اﻟﺠﻮاب‪ :‬ج**‬
‫‪By Mohammed AlSubayt‬‬
‫**اﻟ‪}o‬ح‪ **:‬ﺗﺘﻀﻤﻦ ﻣﻌﺎﻟﺠﺔ اﻟﻤﺨﺎﻃﺮ اﺧﺘ‪7‬ﺎر ﺧ‪7‬ﺎرات إدارة اﻟﻤﺨﺎﻃﺮ وﺗﺤﺪ‪-‬ﺪ ﺟﻤﻴﻊ اﻟﻀﻮا\ﻂ اﻟﻼزﻣﺔ‬
‫ﻟﻠﺘﺨﻔ‪7‬ﻒ ﻣﻦ ﺗﻠﻚ اﻟﻤﺨﺎﻃﺮ‪ .‬و[ﺄ ‪ ±z j‬ﻫﺬا \ﻌﺪ ﻣﺮﺣﻠﺔ ﺗﻘﻴ‪7‬ﻢ اﻟﻤﺨﺎﻃﺮ ﺣ‪7‬ﺚ ﻳﺘﻢ ﺗﺤﺪ‪-‬ﺪ وﺗﻘﻴ‪7‬ﻢ اﻟﻤﺨﺎﻃﺮ‪.‬‬
‫ُ‬
‫‪-ُ** .8‬ﻄﻠﺐ ﻣﻦ ﻣﻌ‪7‬ﺎر ‪ ISO 27001‬أن ﺗﺮاﺟﻊ ﻧﺘﺎﺋﺞ ﺗﻘﻴ‪7‬ﻢ اﻟﻤﺨﺎﻃﺮ وﻣﻌﺎﻟﺠﺘﻬﺎ \ﻔ‪ij‬ات ﻣﺨﻄﻄﺔ‪ .‬ﻣﺎ‬
‫® ﻣﻦ ﻫﺬە اﻟﻤﺮاﺟﻌﺔ؟**‬ ‫اﻟﻐﺮض اﻷﺳﺎ ‪z‬‬
‫أ( ﺿﻤﺎن دﻗﺔ اﻟﺘﻘﺎر[ﺮ اﻟﻤﺎﻟ‪7‬ﺔ‬
‫ب( ﺗﺤﺪ‪-‬ﺪ ﻓﻌﺎﻟ‪7‬ﺔ اﻟﻀﻮا\ﻂ اﻟﻤﻄ‪U‬ﻘﺔ‬
‫ج( اﻟﺘﺤﻀ‪ ib‬ﻟﻠﺘﺪﻗ‪7‬ﻘﺎت اﻟﺨﺎرﺟ‪7‬ﺔ‬
‫د( ﺗﺤﺪ‪-‬ﺚ ﺧﻄﻂ اﺳﺘﻤﺮار[ﺔ اﻟﻌﻤﻞ‬

‫**اﻟﺠﻮاب‪ :‬ب**‬
‫® ﻣﻦ ﻣﺮاﺟﻌﺔ ﺗﻘﻴ‪7‬ﻢ اﻟﻤﺨﺎﻃﺮ وﻣﻌﺎﻟﺠﺘﻬﺎ ﻫﻮ ﺿﻤﺎن أن اﻟﻀﻮا\ﻂ ﺗﻘﻮم‬
‫‪z‬‬ ‫ﺎ‬ ‫ﺳ‬‫ﻷ‬ ‫ا‬ ‫ض‬‫**اﻟ‪}o‬ح‪ **:‬اﻟﻐﺮ‬
‫‪c c‬‬
‫ﺑﺘﺨﻔ‪7‬ﻒ اﻟﻤﺨﺎﻃﺮ \ﻔﻌﺎﻟ‪7‬ﺔ ‪M‬ﻤﺎ ﻫﻮ ﻣﻘﺼﻮد وﺗﺤﺪ‪-‬ﺪ أي ﻣﺠﺎﻻت ﻗﺪ ﺗﺤﺘﺎج إ‪ r‬ﺗﺤﺴ‪ yz ab‬ﻋﻤﻠ‪7‬ﺔ إدارة‬
‫اﻟﻤﺨﺎﻃﺮ‪.‬‬

‫‪** .9‬ﻣﺎ اﻟﺬي ‪-‬ﺼﻒ \ﺪﻗﺔ ﻏﺮض اﻟﺘﺪﻗ‪7‬ﻘﺎت اﻟﺪاﺧﻠ‪7‬ﺔ ‪M‬ﻤﺎ ﻳﺘﻄﻠ‪U‬ﻪ ﻣﻌ‪7‬ﺎر ‪ISO 27001‬؟**‬
‫أ( ﺗﺼﺤﻴﺢ ﻋﺪم اﻻﻣﺘﺜﺎل ﻗ‪U‬ﻞ اﻟﺘﺪﻗ‪7‬ﻘﺎت اﻟﺨﺎرﺟ‪7‬ﺔ‬
‫ب( اﻟﻮﻓﺎء \ﺎﻟﻤﺘﻄﻠ‪U‬ﺎت اﻟﻘﺎﻧﻮﻧ‪7‬ﺔ‬
‫‪j‬‬
‫ج( ﺗﻘﻴ‪7‬ﻢ ﻣﺎ إذا ‪M‬ﺎن ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت ﻳﺘﻮاﻓﻖ ﻣﻊ اﻟ‪i‬ﺗ‪Uû‬ﺎت اﻟﻤﺨﻄﻂ ﻟﻬﺎ وﻫﻮ ﻣﻄﺒﻖ وﻣﺤﺎﻓﻆ‬
‫ﻋ ﻠ‪7‬ﻪ ‪ e‬ﺸ ‪ g‬ﻞ ﺻ ﺤ ﻴﺢ‬
‫د( اﻟ‪ij‬و[ـ ـﺞ ﻟﻨﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت ﻷﺻﺤﺎب اﻟﻤﺼﻠﺤﺔ‬

‫**اﻟﺠﻮاب‪ :‬ج**‬
‫ً‬ ‫ً‬
‫**اﻟ‪}o‬ح‪ **:‬ﺗﻌﺘ‪ i‬اﻟﺘﺪﻗ‪7‬ﻘﺎت اﻟﺪاﺧﻠ‪7‬ﺔ ﺟﺰءا أﺳﺎﺳ‪7‬ﺎ ﻣﻦ ﻣﻌ‪7‬ﺎر ‪ ISO 27001‬وﺗﻬﺪف إ‪ r‬ﺗﻘﻴ‪7‬ﻢ ﻣﺎ إذا‬
‫‪c‬‬
‫‪M‬ﺎن ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت ‪-‬ﻠ ‪ Ñz‬ﻣﺘﻄﻠ‪U‬ﺎت اﻟﻤﺆﺳﺴﺔ وﺗﻠﻚ اﻟﻤﻮﺟﻮدة ‪ yz‬اﻟﻤﻌ‪7‬ﺎر ﻧﻔﺴﻪ‪ .‬وﺗﻔﺤﺺ‬
‫اﻻﻣﺘﺜﺎل ﻟﻠﻮﺛﺎﺋﻖ واﻟﺘﻨﻔ‪7‬ﺬ اﻟﻔﻌﺎل واﻟﺼ‪7‬ﺎﻧﺔ‪.‬‬
‫ً‬
‫‪** .10‬ﻣﺎ اﻟﻤﻘﺼﻮد \ـ "اﺳﺘﻤﺮار[ﺔ أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت" وﻓﻘﺎ ﻟﻤﻌ‪7‬ﺎر ‪ISO 27001‬؟**‬
‫أ( ﺿﻤﺎن اﺳﺘﻤﺮار[ﺔ ‪Ö‬ﺸﻐ‪7‬ﻞ اﻟﺘﺪاﺑ‪ ib‬اﻷﻣﻨ‪7‬ﺔ ﺧﻼل ﺣﺪوث ﺣﺎدث ﻣﻌﻄﻞ‬
‫‪ a‬اﻟﻴﻮ‪ ‹z‬ﻟﻠﻤﺆﺳﺴﺔ‬‫ب( اﺳﺘﻤﺮار[ﺔ إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت ‪ yc‬اﻟﺮوﺗ ‪c b‬‬
‫‪z‬‬
‫ج( اﺳﺘﻤﺮار[ﺔ ﺗﻮاﻓﺮ اﻟﻤﻌﻠﻮﻣﺎت دون اﻧﻘﻄﺎع‬
‫‪ a‬اﻟﻤﺴﺘﻤﺮ ﻟﻨﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت‬ ‫د ( ا ﻟﺘ ﺤ ﺴ ‪c b‬‬

‫**اﻟﺠﻮاب‪ :‬أ**‬
‫**اﻟ‪}o‬ح‪™ **:‬ﺸ‪ ib‬اﺳﺘﻤﺮار[ﺔ أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت إ‪ r‬اﻟﺤﺎﺟﺔ إ‪ r‬اﻟﺘﺨﻄ‪7‬ﻂ وﺗﻨﻔ‪7‬ﺬ اﻟﺘﺪاﺑ‪ ib‬اﻷﻣﻨ‪7‬ﺔ اﻟ ‪ Ñz‬ﺗﻈﻞ‬
‫‪j‬‬
‫ﺗﻌﻤﻞ \ﻔﻌﺎﻟ‪7‬ﺔ أﺛﻨﺎء و≠ﻌﺪ ﺣﺪوث ﺣﺎدث ﻣﻌﻄﻞ‪- .‬ﻌﺘ‪ i‬ﻫﺬا ﺟﺰًءا ﻣﻦ إدارة اﺳﺘﻤﺮار[ﺔ اﻟﻌﻤﻞ ‪e‬ﺸ‪g‬ﻞ ﻋﺎم‪.‬‬

‫‪j‬‬ ‫ً‬
‫‪ æ‬ﻣﺨﺘﻠﻒ ﺟﻮاﻧﺐ ﻣﻌ‪7‬ﺎر ‪ ISO 27001‬وﺗﻨﺎﺳﺐ‬‫ﺗﺄ ‪7ã‬ﺪا‪ D‬إﻟ‪7‬ﻚ اﻟﻤ‪[s‬ﺪ ﻣﻦ اﻷﺳﺌﻠﺔ اﻻﺧﺘ‪7‬ﺎر[ﺔ اﻟ ‪ Ñz‬ﺗﻐ ‪z‬‬
‫اﻷﺷﺨﺎص اﻟﺬﻳﻦ ™ﺴﺘﻌﺪون ﻻﻣﺘﺤﺎن ﻣﺪﻳﺮ ﺗﻨﻔ‪7‬ﺬي رﺋ∞ﺲ‪:‬‬
‫‪By Mohammed AlSubayt‬‬
‫‪ ###‬أﺳﺌﻠﺔ إﺿﺎﻓ‪7‬ﺔ‬
‫ً‬ ‫‪** .11‬ﻣﺎ اﻟﻮﺛ‪7‬ﻘﺔ اﻷﺳﺎﺳ‪7‬ﺔ اﻟ‪ Ñj‬ﻳﺘﻌ ‪c b‬‬
‫‪Ö a‬ﺴﺠ‪7‬ﻞ اﻟﻤﺨﺎﻃﺮ اﻟﻤﺤﺪدة وﺗﻘﻴ‪7‬ﻤﺎﺗﻬﺎ واﺳﺘﺠﺎ\ﺎﺗﻬﺎ وﻓﻘﺎ ﻟﻤﻌ‪7‬ﺎر‬ ‫‪z‬‬
‫‪ISO 27001‬؟**‬
‫أ( ﺗﻘ‪[Æ‬ﺮ ﺗﻘﻴ‪7‬ﻢ اﻟﻤﺨﺎﻃﺮ‬
‫ب( ﺳ‪7‬ﺎﺳﺔ أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت‬
‫ج ( ﺧ ﻄ ﺔ ﻣ ﻌ ﺎﻟﺠ ﺔ اﻟﻤ ﺨ ﺎﻃ ﺮ‬
‫د( ﺗﻘ‪[Æ‬ﺮ اﺳﺘﻌﺮاض ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت )‪(ISMS‬‬

‫**اﻟﺠﻮاب‪ :‬ج**‬
‫‪o‬‬
‫… وﺛ‪7‬ﻘﺔ ﺣﺎﺳﻤﺔ ‪Ö‬ﺴﺠﻞ اﻟﻤﺨﺎﻃﺮ اﻟﻤﺤﺪدة وﺗﻘﻴ‪7‬ﻤﺎت ﻫﺬە‬
‫ً‬ ‫**اﻟ}ح‪ **:‬ﺧﻄﺔ ﻣﻌﺎﻟﺠﺔ اﻟﻤﺨﺎﻃﺮ ‪z‬‬
‫اﻟﻤﺨﺎﻃﺮ واﻹﺟﺮاءات اﻟﻤﺨﻄﻂ ﻟﻬﺎ أو اﻟ ‪ Ñz j‬ﺗﻢ اﺗﺨﺎذﻫﺎ ﻹدارة ﻫﺬە اﻟﻤﺨﺎﻃﺮ وﻓﻘﺎ ﻟﻘﺮارات ﻣﻌﺎﻟﺠﺔ اﻟﻤﺨﺎﻃﺮ‪.‬‬

‫‪c‬‬
‫‪** .12‬ﻣﺎ اﻟﻐﺮض ﻣﻦ 'ﺿ‪U‬ﻂ اﻟﻮﺻﻮل' ‪ yz‬ﻣﻌ‪7‬ﺎر ‪ISO 27001‬؟**‬
‫أ( ﺿﻤﺎن أﻣﺎن ﻣﺮاﻓﻖ اﻟﻤﺒ‪Ñc‬‬
‫ب( ﻣﻨﻊ اﻟﻮﺻﻮل ﻏ‪ ib‬اﻟﻤ≈ح \ﻪ إ‪ r‬اﻟﻤﻌﻠﻮﻣﺎت‬
‫ج( رﺻﺪ ﺳﻠﻮك اﻟﻤﻮﻇﻔ ‪c b‬‬
‫‪a‬‬
‫د( ﺗﻌ‪[s‬ﺰ ﻛﻔﺎءة اﻟﻨﻈﺎم اﻟﺨﺎص ﺑﺘﻜﻨﻮﻟﻮﺟ‪7‬ﺎ اﻟﻤﻌﻠﻮﻣﺎت‬

‫**اﻟﺠﻮاب‪ :‬ب**‬
‫‪c‬‬
‫**اﻟ‪}o‬ح‪ yz **:‬ﺳ‪7‬ﺎق ﻣﻌ‪7‬ﺎر ‪ ،ISO 27001‬ﻳﻬﺪف ﺿ‪U‬ﻂ اﻟﻮﺻﻮل إ‪ r‬ﻣﻨﻊ اﻟﻮﺻﻮل ﻏ‪ ib‬اﻟﻤ≈ح \ﻪ إ‪r‬‬
‫ً‬ ‫ً‬
‫اﻟﻤﻌﻠﻮﻣﺎت‪ ،‬ﻣﻀﻤﻨﺎ أن ‪-‬ﻜﻮن اﻟﻮﺻﻮل إ‪ r‬اﻟﻤﻌﻠﻮﻣﺎت ﻣﺘﺎﺣﺎ ﻓﻘﻂ ﻷوﻟﺌﻚ اﻟﺬﻳﻦ ﻟﺪﻳﻬﻢ ﺻﻼﺣ‪7‬ﺎت اﻟﻮﺻﻮل‪.‬‬
‫ً‬
‫‪** .13‬ﻣﺎ ﻧ‪°‬ع اﻟﺤﺎدث اﻷﻣ ‪ Ñz c‬اﻟﺬي ‪-‬ﺠﺐ اﻹ\ﻼغ ﻋﻨﻪ وﻓﻘﺎ ﻟﻤﺘﻄﻠ‪U‬ﺎت ‪ISO 27001‬؟**‬
‫أ( ﻓﻘﻂ اﻟﺤﻮادث اﻟ ‪ Ñz j‬ﺗﺆدي إ‪ r‬ﺧﺴﺎرة ﻣﺎﻟ‪7‬ﺔ‬
‫ب( ﺟﻤﻴﻊ ﺣﻮادث اﻷﻣﺎن‬
‫"‬‫ج( ﻓﻘﻂ اﻟﺤﻮادث اﻟﻤﺆﻛﺪة ﻣﻦ ﺧﻼل ﺗﺪﻗﻴﻖ ﺧﺎر ‪z‬‬
‫د( اﻟﺤﻮادث اﻟ ‪ Ñz j‬ﻳ‪U‬ﻠﻎ ﻋﻨﻬﺎ ﻣﻦ ﻗ‪U‬ﻞ اﻟﻌﻤﻼء‬

‫**اﻟﺠﻮاب‪ :‬ب**‬
‫**اﻟ‪}o‬ح‪ **:‬ﻳﺘﻄﻠﺐ ﻣﻌ‪7‬ﺎر ‪ ISO 27001‬اﻹ\ﻼغ ﻋﻦ ﺟﻤﻴﻊ ﺣﻮادث اﻷﻣﺎن و‪Ö‬ﺴﺠ‪7‬ﻠﻬﺎ ‪e‬ﺸ‪g‬ﻞ ﺻﺤﻴﺢ‪،‬‬
‫\ﻐﺾ اﻟﻨﻈﺮ ﻋﻦ ﺷﺪﺗﻬﺎ اﻟﻈﺎﻫ‪[Æ‬ﺔ‪ ،‬ﻟﻀﻤﺎن إﻣ‪g‬ﺎﻧ‪7‬ﺔ ﺗﺤﻠ‪7‬ﻠﻬﺎ واﺳﺘﺨﺪاﻣﻬﺎ ﻟﺘﺤﺴ ‪c b‬‬
‫‪ a‬ﻧﻈﺎم إدارة أﻣﻦ‬
‫اﻟﻤﻌﻠﻮﻣﺎت‪.‬‬
‫ً‬
‫‪** .14‬أي ﻣﻦ اﻟﺒ‪7‬ﺎﻧﺎت اﻟﺘﺎﻟ‪7‬ﺔ ﻟ∞ﺲ ﻓﺎﺋﺪة ﻣ‪U‬ﺎ‪no‬ة ﻟﺘﻨﻔ‪7‬ﺬ ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت وﻓﻘﺎ ﻟﻤﻌ‪7‬ﺎر ‪ISO‬‬
‫‪27001‬؟**‬
‫‪ a‬ا ﻟ ﺴ ﻤ ﻌ ﺔ ﻣ ﻊ أﺻ ﺤ ﺎ ب ا ﻟ ﻤ ﺼ ﻠ ﺤ ﺔ‬‫أ( ﺗﺤ ﺴ ‪c b‬‬
‫ب( ز[ﺎدة اﻟﻤﺒ‪7‬ﻌﺎت‬
‫ج( اﻻﻣﺘﺜﺎل اﻟﻘﺎﻧﻮ ‪±z c‬‬
‫د( اﻟﻀﻤﺎن \ﺎﻟﻘﻀﺎء ﻋ~ ﺟﻤﻴﻊ اﻟﻤﺨﺎﻃﺮ اﻟﺘﻜﻨﻮﻟﻮﺟ‪7‬ﺔ‬
‫‪By Mohammed AlSubayt‬‬

‫**اﻟﺠﻮاب‪ :‬د**‬
‫‪c‬‬
‫**اﻟ‪}o‬ح‪ **:‬ﺑ‪û‬ﻨﻤﺎ ™ﺴﺎﻋﺪ ﻣﻌ‪7‬ﺎر ‪e ISO 27001‬ﺸ‪g‬ﻞ ﻛﺒ‪ yz ib‬إدارة وﺗﺨﻔ‪7‬ﻒ اﻟﻤﺨﺎﻃﺮ اﻟﻤﺘﻌﻠﻘﺔ \ﺄﻣﻦ‬
‫اﻟﻤﻌﻠﻮﻣﺎت‪ ،‬إﻻ أﻧﻪ ﻻ ‪-‬ﻀﻤﻦ اﻟﻘﻀﺎء ﻋ~ ﺟﻤﻴﻊ اﻟﻤﺨﺎﻃﺮ اﻟﺘﻜﻨﻮﻟﻮﺟ‪7‬ﺔ‪ ،‬ﺣ‪7‬ﺚ ﺗﻜﻮن \ﻌﺾ اﻟﻤﺨﺎﻃﺮ ﺟﺰءاً‬
‫ﻣﻦ اﻟﻨﻈﺎم وﻻ ‪-‬ﻤﻜﻦ إزاﻟﺘﻬﺎ ﺗﻤﺎًﻣﺎ‪.‬‬

‫‪c‬‬
‫‪ yz ** .15‬ﻣﻌ‪7‬ﺎر ‪ ،ISO 27001‬ﻣﺎ ﻫﻮ أﻓﻀﻞ وﺻﻒ ﻟﻤﺼﻄﻠﺢ "اﻷﺻﻞ"؟**‬
‫‪c‬‬ ‫‪o‬‬
‫®ء ﻟﻪ ﻗ‪7‬ﻤﺔ ﻣﺎﻟ‪7‬ﺔ ‪ yz‬اﻟﺴﻮق‬
‫أ( أي ‪z‬‬
‫ب( اﻷﺟﻬﺰة اﻟﻔﻌﻠ‪7‬ﺔ ﻓﻘﻂ ﻣﺜﻞ اﻟ‪Ã‬ﻤﺒﻴﻮﺗﺮات واﻟﺨﻮادم‬
‫ج( أي ﻣﻮرد ﻟﻪ ﻗ‪7‬ﻤﺔ ﻟﻠﻤﺆﺳﺴﺔ‬
‫د( اﻟﺒ‪7‬ﺎﻧﺎت اﻟﻤﺨﺰﻧﺔ إﻟ‪ijŒ‬وﻧً‪7‬ﺎ ﻓﻘﻂ‬

‫**اﻟﺠﻮاب‪ :‬ج**‬
‫‪c‬‬
‫**اﻟ‪}o‬ح‪ yz **:‬ﺳ‪7‬ﺎق ﻣﻌ‪7‬ﺎر ‪™ ،ISO 27001‬ﺸ‪ ib‬ﻣﺼﻄﻠﺢ "اﻷﺻﻞ" إ‪ r‬أي ﻣﻮرد ﻟﻪ ﻗ‪7‬ﻤﺔ ﻟﻠﻤﺆﺳﺴﺔ‪،‬‬
‫‪.a‬‬‫\ﻤﺎ ‪ yc‬ذﻟﻚ اﻟﻤﻌﻠﻮﻣﺎت واﻷﺟﻬﺰة اﻟﻔﻌﻠ‪7‬ﺔ واﻟﺨﺪﻣﺎت واﻟﻤﻮﻇﻔ ‪c b‬‬
‫‪z‬‬

‫‪** .16‬أي ﻣ‪U‬ﺪأ ﻣﻦ ﻣ‪U‬ﺎدئ أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت ‪-‬ﺪﻋﻢ 'اﻟ‪ï‬ﺸﻔ‪'ib‬‬

‫® ؟**‬
‫‪e‬ﺸ ‪ g‬ﻞ أ ﺳ ﺎ ‪z‬‬
‫أ( اﻟﺘﻮﻓﺮ‬
‫ب( اﻟ ‪ic c‬اﻫﺔ‬
‫ج( اﻟ}[ﺔ‬
‫د( اﻟﻤﺴﺎءﻟﺔ‬

‫**اﻟﺠﻮاب‪ :‬ج**‬
‫ً‬ ‫‪o‬‬
‫**اﻟ}ح‪™ **:‬ﺴﺘﺨﺪم اﻟ‪ï‬ﺸﻔ‪e ib‬ﺸ‪g‬ﻞ أﺳﺎ ‪z‬‬
‫® ﻟﺪﻋﻢ ‪[n‬ﺔ اﻟﻤﻌﻠﻮﻣﺎت‪ ،‬ﻣﻀﻤﻨﺎ أن ‪-‬ﻜﻮن اﻟﺒ‪7‬ﺎﻧﺎت ﻏ‪ib‬‬
‫ﻣﺘﺎﺣﺔ ﻟﻸﻓﺮاد ﻏ‪ ib‬اﻟﻤ≈ح ﻟﻬﻢ‪.‬‬
‫ً‬
‫‪** .17‬ﻣﺎ ﻫﻮ اﻟﻔﺎﺻﻞ اﻟﺰﻣ ‪ Ñz c‬اﻟﺬي ‪-‬ﺠﺐ أن ﻳﺘﻢ ﻓ‪7‬ﻪ ﻣﺮاﺟﻌﺔ ﻓﻌﺎﻟ‪7‬ﺔ ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت وﻓﻘﺎ‬
‫ﻟﻤﻌ‪7‬ﺎر ‪ISO 27001‬؟**‬
‫أ( ﻋ~ اﻷﻗﻞ ﺳﻨ‪[ً°‬ﺎ‬
‫ب( ﻓﻘﻂ \ﻌﺪ اﺧ‪ij‬اق أﻣ ‪Ñz c‬‬
‫‪a‬‬‫ج ( ‪ M‬ﻞ ﺳ ∫ﺘ ‪c b‬‬
‫‪c‬‬
‫@ ‪ yz‬اﻟﻤﺆﺳﺴﺔ‬ ‫د( ‪M‬ﻠﻤﺎ ﺣﺪث ﺗﻐﻴ‪ ib‬رﺋ∞ ‪z‬‬

‫**اﻟﺠﻮاب‪ :‬أ**‬
‫ً‬ ‫‪o‬‬
‫’ ﻣﻌ‪7‬ﺎر ‪\ ISO 27001‬ﻤﺮاﺟﻌﺔ ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت ﻋ~ اﻷﻗﻞ ﺳﻨ‪[°‬ﺎ ﻟﻀﻤﺎن‬
‫ً‬ ‫**اﻟ}ح‪ **:‬ﻳﻮ ‪z‬‬
‫ﻣﻼءﻣﺘﻪ اﻟﻤﺴﺘﻤﺮة وﻛﻔﺎوﺗﻪ وﻓﻌﺎﻟﻴﺘﻪ‪ ،‬ﻋ~ اﻟﺮﻏﻢ ﻣﻦ أﻧﻪ ﻗﺪ ﺗﻜﻮن ﻫﻨﺎك ﺣﺎﺟﺔ أ‪-‬ﻀﺎ ﻟﻠﻤﺮاﺟﻌﺎت \ﻌﺪ‬
‫اﻟﺘﻐﻴ‪ib‬ات اﻟ‪Œ‬ﺒ‪ib‬ة‪.‬‬
‫‪By Mohammed AlSubayt‬‬
‫‪c‬‬
‫‪** .18‬ﻣﺎ دور 'اﺳﺘﻌﺮاض اﻹدارة' ‪ yz‬ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت؟**‬
‫® ﻟﺘﺪ ﻗ ﻴ ﻖ ا ﻟ ﺒ ‪ 7‬ﺎ ﻧ ﺎ ت ا ﻟ ﻤ ﺎ ﻟ ‪ 7‬ﺔ‬
‫أ ( إﻧﻬ ﺎ ‪e‬ﺸ ‪ g‬ﻞ أ ﺳ ﺎ ‪z‬‬
‫ب( إﻧﻬﺎ ﻣﺮاﺟﻌﺔ ﻓﻨ‪7‬ﺔ ﻟﺒ∫‪7‬ﺔ اﻟﺒ‪7‬ﺎﻧﺎت اﻟﺨﺎﺻﺔ ﺑﺘﻜﻨﻮﻟﻮﺟ‪7‬ﺎ اﻟﻤﻌﻠﻮﻣﺎت‬
‫ج( إﻧﻬﺎ ﺗﻘﻴ‪7‬ﻢ ﻷداء وﻣﻼءﻣﺔ ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت‬
‫‪ a‬ﻟﺴ‪7‬ﺎﺳﺎت اﻷﻣﺎن‬ ‫د( إﻧﻬﺎ ﺗﺘﻌﺎﻣﻞ ﻣﻊ اﻣﺘﺜﺎل اﻟﻤﻮﻇﻔ ‪c b‬‬

‫**اﻟﺠﻮاب‪ :‬ج**‬
‫ً‬ ‫ُ‬
‫**اﻟ‪}o‬ح‪ **:‬ﺗﺠﺮى ﻣﺮاﺟﻌﺎت اﻹدارة ﻟﺘﻘﻴ‪7‬ﻢ أداء وﻣﻼءﻣﺔ ﻧﻈﺎم إدارة أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت‪ ،‬ﺿﻤﺎﻧﺎ ﻟﺘﺤﻘ‪7‬ﻘﻪ‬
‫ﻷﻫﺪاف اﻟﻤﺆﺳﺴﺔ وﺗﺤﺪ‪-‬ﺪ اﻟﻤﺠﺎﻻت اﻟ‪ Ñj‬ﻗﺪ ﺗﺤﺘﺎج إ‪ r‬ﺗﺤﺴ ‪c b‬‬
‫‪.a‬‬ ‫‪z‬‬

**19. Which of the following statements about ISO 27001 certification is correct?**
a) It requires recertification every 10 years
b) It is granted for life once achieved
c) It requires periodic surveillance audits
d) It can be granted by any consultant

**Answer: c**

**Explanation:** ISO 27001 certification is not permanently valid; it requires periodic surveillance audits to ensure continued compliance, in addition to a recertification audit, usually every three years.

**20. What is the ultimate goal of implementing ISO 27001 in an organization?**
a) Ensuring complete confidentiality of all organizational information
b) Protecting and securing information assets from all types of threats
c) Increasing IT efficiency
d) Complying with international trade laws

**Answer: b**

**Explanation:** The ultimate goal of implementing the ISO 27001 standard is to protect and secure the organization's information assets from all types of threats, whether internal or external, by taking appropriate security measures.

**21. What does the term 'residual risk' refer to in the context of ISO 27001?**
a) The risk that remains after all controls have been applied.
b) The initial risk identified before any controls were applied.
c) The risk that has been transferred to a third party.
d) The risk that management has accepted.

**Answer: a**

**Explanation:** Residual risk is the risk that remains after all controls and other treatment methods have been applied. It is the risk the organization decides to live with.

**22. Which ISO 27001 principle supports the concept of ensuring that data, assets and resources are protected from unauthorized modification?**
a) Integrity.
b) Confidentiality.
c) Availability.
d) Authentication.

**Answer: a**

**Explanation:** Integrity in information security ensures that information is accurate and complete, and protected against unauthorized modification.

**23. What is the primary function of the audit programme for an ISMS according to ISO 27001?**
a) To ensure compliance with legal requirements only.
b) To review and improve the organization's technological infrastructure.
c) To provide a systematic approach to evaluating and improving the effectiveness of the ISMS.
d) To ensure that the ISMS generates profit for the organization.

**Answer: c**

**Explanation:** The audit programme is a systematic approach aimed at evaluating the effectiveness of the ISMS and identifying areas in the organization's security practices that can be improved.

**24. Which activity is included in the 'Do' phase of the PDCA cycle (Plan, Do, Check, Act) as applied in ISO 27001?**
a) Defining the scope and objectives.
b) Implementing the risk treatment plan.
c) Conducting internal audits.
d) Reviewing the ISMS in management reviews.

**Answer: b**

**Explanation:** The 'Do' phase involves implementing the risk treatment plan, which includes applying the security controls and procedures defined in the 'Plan' phase.


**25. What is expected of the communication process according to the requirements of ISO 27001?**
a) It must be documented and take place only in formal settings.
b) It must include communication only with internal stakeholders.
c) It must ensure information security awareness among all relevant parties.
d) It must focus primarily on technical communication among IT staff.

**Answer: c**

**Explanation:** Effective communication according to ISO 27001 must ensure that all relevant parties are aware of information security requirements, risks and controls, which fosters a security culture in the organization.

**26. Which statement best describes a 'risk owner' in ISO 27001?**
a) The risk owner is the person responsible for managing the IT department.
b) The risk owner is the person responsible for funding the ISMS.
c) The risk owner is the person responsible for managing a risk and ensuring it is treated appropriately.
d) The risk owner is always a member of senior management.

**Answer: c**

**Explanation:** The risk owner is the individual who has the accountability and authority to manage a particular risk and to ensure that appropriate measures are taken to treat that risk.

**27. What should be considered when determining how often risk assessments are performed in ISO 27001?**
a) The frequency should be the same for all types of organizations.
b) The frequency depends on the performance of the ISMS and on external changes.
c) Risk assessment should be performed weekly.
d) The frequency is regulated by the government.

**Answer: b**

**Explanation:** The frequency of risk assessment should be determined based on the performance of the ISMS, taking into account any external or internal changes that may affect the system.

**28. What is the correct action during the 'Check' phase of the PDCA cycle in ISO 27001?**
a) Establishing the ISMS.
b) Applying the controls.
c) Performing performance measurement and monitoring.
d) Modifying the policies.

**Answer: c**

**Explanation:** The 'Check' phase includes monitoring and reviewing the performance of the ISMS, which involves regular performance measurement and regular audits.


**29. What type of approach is required for managing information security according to ISO 27001?**
a) A product-based approach.
b) A project-based approach.
c) A process-based approach.
d) A technology-based approach.

**Answer: c**

**Explanation:** ISO 27001 adopts a process-based approach, which involves establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS.

**30. What is the ISMS policy according to ISO 27001?**
a) It is a technical guideline for IT systems only.
b) It is a detailed guide to all security procedures.
c) It is a high-level document that explains the organization's approach to information security.
d) It is a contract with security service providers.

**Answer: c**

**Explanation:** The ISMS policy is a high-level document that sets out management direction and support for information security in accordance with business requirements and the relevant laws and regulations.

**31. Which of the following options best describes 'asset management' in ISO 27001?**
a) Managing the organization's financial assets.
b) Ensuring the physical security of the organization's buildings.
c) Identifying, classifying and protecting information assets.
d) Managing the inventory of computer hardware.

**Answer: c**

**Explanation:** Asset management in ISO 27001 refers to the processes involved in identifying, classifying and protecting information assets, to ensure that valuable data is adequately secured against threats.

**32. In ISO 27001, what is the main purpose of implementing an information security management system (ISMS)?**
a) To ensure regulatory compliance only.
b) To enhance customer trust and business reputation.
c) To ensure that no information security breaches occur.
d) To manage information security risks to business information systematically.

**Answer: d**

**Explanation:** The main purpose of implementing an ISMS is to manage the organization's information security risks systematically, thereby ensuring the security of its assets, data and resources.

**33. What is the role of 'employee training and awareness' in an ISMS under ISO 27001?**
a) It is considered unnecessary as long as technical controls exist.
b) It plays a prominent role in ensuring that employees understand their roles and responsibilities regarding information security.
c) It applies only to IT staff.
d) It is optional but recommended.

**Answer: b**

**Explanation:** Training and awareness are two critical components of an ISMS. It must be ensured that all employees are aware of the information security policies and of their defined security responsibilities, which is essential to the effectiveness of the ISMS.

**34. Which document defines how organizational changes are managed so that information security is maintained, according to ISO 27001?**
a) The information security policy.
b) The change management policy.
c) The risk treatment plan.
d) The ISMS review report.

**Answer: b**

**Explanation:** The change management policy is important because it sets out the procedures that ensure security is maintained and risk is reassessed when organizational changes occur.

**35. What is the function of the information security forum in the context of ISO 27001?**
a) Resolving IT system failures.
b) Discussing and reviewing information security policies and practices.
c) Handling marketing and public relations.
d) Auditing financial transactions.

**Answer: b**

**Explanation:** The information security forum serves as a platform for discussing and reviewing the organization's information security policies and practices, which fosters a strong security culture.
**36. Under ISO 27001, which type of control is used to manage the ISMS process?**
a) Strategic control.
b) Operational control.
c) Technical control.
d) Regulatory control.

**Answer: b**

**Explanation:** Operational controls in ISO 27001 are those directly related to managing and implementing the ISMS in day-to-day operations, ensuring its effectiveness.

**37. What is the importance of the 'context of the organization' in ISO 27001?**
a) It determines the scope of the marketing strategy.
b) It involves understanding the internal and external issues that can affect the ISMS.
c) It relates only to global economic factors.
d) It focuses on the technical aspects of IT management.

**Answer: b**

**Explanation:** Understanding the context of the organization involves identifying the internal and external factors that can affect the ISMS's ability to achieve its intended outcomes, which is essential for managing risk effectively.

**38. What action should be taken if a risk exceeds the defined risk level in ISO 27001?**
a) It should be ignored as an isolated case.
b) It should be transferred immediately to a third party.
c) It should be mitigated to an acceptable level.
d) It should be accepted without mitigation.

**Answer: c**

**Explanation:** If a risk exceeds the organization's defined risk level, it must be mitigated through appropriate controls to bring it down to an acceptable level, ensuring alignment with the organization's risk strategy.

**39. When should the effectiveness of the controls applied in the ISMS be reviewed according to ISO 27001?**
a) Once, at implementation.
b) Only when a security breach occurs.
c) Regularly and in response to security incidents.
d) Every five years.

**Answer: c**

**Explanation:** Controls must be reviewed regularly and in response to major changes or security incidents, to ensure that they remain effective in protecting the organization as planned.

**40. What is the role of the Data Protection Officer (DPO) in relation to ISO 27001?**
a) The DPO is responsible for managing all financial risks.
b) The DPO deals exclusively with customer complaints about data breaches.
c) The DPO ensures that data protection requirements are integrated into the ISMS.
d) The DPO is irrelevant to ISO 27001.

**Answer: c**

**Explanation:** The DPO plays a crucial role in ensuring that data protection laws and policies are integrated into the ISMS, especially in jurisdictions with strict data protection regulations.

**41. What is the purpose of the 'risk assessment' process in ISO 27001?**
a) Identifying threats and security vulnerabilities.
b) Ensuring compliance with local laws only.
c) Monitoring employee activities.
d) Investing in security technologies.

**Answer: a**

**Explanation:** Risk assessment is crucial in ISO 27001 because it helps identify the organization's threats and security vulnerabilities, which enables effective planning to control these risks.

**42. ISO 27001 requires the establishment of security objectives. At what level should these objectives be set?**
a) Only at the senior management level.
b) At the relevant functions and levels within the organization.
c) Within the IT department only.
d) Exclusively at the executive level.

**Answer: b**

**Explanation:** Security objectives should be set at the various functions and levels within the organization, to ensure comprehensive coverage and the integration of information security into all business areas.

**43. Which of the following outcomes is an expected benefit of effectively implementing an ISMS according to ISO 27001?**
a) Elimination of all IT security risks.
b) Increased profitability of the organization.
c) Enhanced resilience against information security threats.
d) Reduced employee turnover.

**Answer: c**

**Explanation:** Effectively implementing an ISMS enhances the organization's resilience against information security threats by systematically managing the risks related to its information assets.

**44. Which type of analysis is necessary to determine the impact of identified risks in ISO 27001?**
a) Competitor analysis.
b) Financial analysis.
c) Impact analysis.
d) Performance analysis.

**Answer: c**

**Explanation:** Impact analysis is crucial in the risk assessment process because it helps determine the potential consequences of identified risks and guides the decision on appropriate controls.

**45. What is the meaning of the 'Statement of Applicability' in ISO 27001?**
a) It sets out all the technical specifications of the security systems.
b) It is a contract with interested parties.
c) It documents which controls are applicable and justifies the exclusions.
d) It lists only the applicable legal requirements.

**Answer: c**

**Explanation:** The Statement of Applicability is a key document that sets out the controls from the ISO 27001 standard that were selected and implemented, and the reason for that, including the justification for any exclusions.

**46. What does 'continual improvement' mean in the context of ISO 27001?**
a) Constantly changing security policies.
b) Regularly updating IT equipment.
c) Regularly reviewing and enhancing the ISMS.
d) Continuously hiring security staff.

**Answer: c**

**Explanation:** Continual improvement in ISO 27001 involves regularly reviewing the ISMS to identify opportunities for improvement and making the necessary changes to enhance its overall effectiveness.


**47. How should changes to the ISMS be managed according to ISO 27001?**
a) Changes should be implemented immediately when problems occur.
b) Changes should be managed in a controlled manner.
c) Changes are undesirable and should be avoided.
d) Only external changes should be managed.

**Answer: b**

**Explanation:** ISO 27001 emphasizes the need to manage changes to the ISMS in a controlled manner, ensuring that they do not negatively affect the security or the effectiveness of the system.

**48. What is the role of 'monitoring and measurement' in an ISMS?**
a) Compliance with marketing strategies.
b) Verifying the performance and effectiveness of the ISMS.
c) Tracking financial performance related only to security investments.
d) Measuring employee satisfaction.

**Answer: b**

**Explanation:** Monitoring and measurement are important for evaluating the performance and effectiveness of the ISMS, which helps identify the areas that need attention or improvement.

**49. According to ISO 27001, what should be done when nonconformities are identified?**
a) They should be ignored unless they cause significant damage.
b) They should be corrected and action taken to prevent their recurrence.
c) They should only be reported to management.
d) They should be accepted without correction.

**Answer: b**

**Explanation:** When nonconformities are identified, they must be corrected and action taken to prevent their recurrence, as part of the proactive approach to improving the ISMS.

**50. What is meant by 'information security incident management' in ISO 27001?**
a) Planning exclusive social events to discuss the impacts of incidents.
b) The procedures and responsibilities for managing and reviewing security incidents.
c) An annual review of past security incidents only.
d) Outsourcing incident management to third-party services.

**Answer: b**

**Explanation:** Information security incident management involves establishing procedures and responsibilities to ensure that security incidents are managed and reviewed effectively, which helps reduce the impact of such incidents on the organization.

**51. Which ISO 27001 control is primarily concerned with protecting data in transit?**
a) Asset management
b) Cryptographic controls
c) Physical and environmental security
d) Operations security

**Answer: b**

**Explanation:** Cryptographic controls are fundamental to protecting data in transit, ensuring the confidentiality and integrity of the data by encrypting it as it travels across networks.

**52. What is the role of internal audit according to ISO 27001?**
a) Correcting nonconformities before external audits.
b) Ensuring legal compliance.
c) Assessing compliance with the organization's requirements and regulatory requirements.
d) Handling customer complaints about information security.

**Answer: c**

**Explanation:** The role of internal audit is to assess the ISMS's compliance with the organization's policies and objectives, as well as its compliance with the requirements of ISO 27001 and other regulatory requirements.

**53. Which ISO 27001 principle ensures that information is available and accessible to authorized users when needed?**
a) Integrity
b) Confidentiality
c) Availability
d) Authenticity

**Answer: c**

**Explanation:** The availability principle ensures that information and the related assets are available and accessible to authorized users when needed.

**54. What is the purpose of the risk management process in an ISMS according to ISO 27001?**
a) Eliminating all business risks
b) Identifying, assessing and controlling information security risks
c) Ensuring the economic stability of the organization
d) Monitoring employee performance

**Answer: b**

**Explanation:** The risk management process in ISO 27001 focuses on identifying, assessing and controlling the risks related to information security, ensuring that they remain within acceptable limits.

**55. Which document provides detailed guidance on implementing the ISO 27001 controls?**
a) ISO 27000
b) ISO 27002
c) ISO 27005
d) ISO 27032

**Answer: b**

**Explanation:** ISO 27002 provides guidance on implementing the security controls listed in ISO 27001 and offers good-practice recommendations for information security management.

**56. What is the use of evaluating the performance of the ISMS?**
a) Determining the return on investment of security expenditures
b) Evaluating how well the ISMS meets the security requirements and objectives
c) Comparing security practices with competitors
d) Determining the extent of employee compliance with security policies

**Answer: b**

**Explanation:** Performance evaluation is used to assess how well the ISMS meets the organization's security requirements and objectives.

**57. What is the first step in the risk assessment process according to ISO 27001?**
a) Identifying threats
b) Assessing impact
c) Establishing the context
d) Assessing the likelihood of occurrence

**Answer: c**

**Explanation:** Establishing the context is the first step in the risk assessment process; it is where the criteria for managing risk are defined, including the organization's internal and external environments.

**58. Why are operational procedures and responsibilities important in ISO 27001?**
a) They determine only the financial budget of the ISMS.
b) They are necessary for legal and regulatory compliance.
c) They help manage and reduce the complexity of technological operations.
d) They ensure consistent and secure management of information processing facilities.

**Answer: d**

**Explanation:** Operational procedures and responsibilities are fundamental to ensuring that information processing facilities are managed securely and consistently, following predefined practices.

**59. What does 'user access management' include under ISO 27001?**
a) Monitoring users' activities on social media
b) Controlling users' access to information systems and services
c) Managing user complaints about system access
d) Ensuring that all users have equal access to information

**Answer: b**

**Explanation:** User access management involves controlling users' access to information systems and services, ensuring that users have the appropriate access rights based on their roles and responsibilities.

**60. ISO 27001 requires which aspects to be considered when defining the scope of the ISMS?**
a) The size and structure of the organization only
b) The location of the organization and its cultural aspects only
c) The concerns of the people in senior management only
d) All of the above

**Answer: a**

**Explanation:** When defining the scope of the ISMS, it is important to consider the size and structure of the organization, to ensure that the scope of the system is comprehensive and applicable to all relevant areas.

**61. What is the main goal of incident management in ISO 27001?**
a) Preventing incidents from occurring
b) Ensuring that all incidents are reported to the police
c) Managing and controlling information security incidents and weaknesses effectively
d) Recording incidents for legal purposes only

**Answer: c**

**Explanation:** Incident management in ISO 27001 aims to manage and control information security incidents and weaknesses effectively, reducing their impact and preventing their recurrence.

**62. Which document should define the responsibilities and authorities of the roles involved in the ISMS?**
a) The information security policy
b) The scope document
c) The risk assessment report
d) The Statement of Applicability

**Answer: a**

**Explanation:** The information security policy should clearly define the responsibilities and authorities of the roles involved in managing the ISMS, ensuring clear accountability.

**63. How should the effectiveness of the controls implemented as part of the ISMS be measured?**
a) Through internal audits and regular reviews
b) Based solely on the number of security breaches
c) By the speed of the technology response teams
d) Based on external audits only

**Answer: a**

**Explanation:** The effectiveness of controls should be evaluated through internal audits, regular reviews and performance evaluations, to ensure that they are working as expected and meeting the organization's security objectives.

**64. What does the "risk treatment" process involve?**
a) Identifying risks
b) Determining the action to mitigate the identified risks
c) Ignoring low-level risks
d) Transferring all risks to an external party

**Answer: b**

**Explanation:** Risk treatment involves determining the actions for dealing with identified risks, which may include mitigating, accepting, transferring or avoiding the risk, depending on its severity and impact.

**65. Why is it important for the ISMS to be aligned with organizational objectives?**
a) To ensure that it serves IT management objectives only
b) To ensure that the ISMS supports the overall business and strategic objectives
c) To comply with technology standards only
d) To focus exclusively on external threats

**Answer: b**

**Explanation:** Aligning the ISMS with organizational objectives ensures that it supports the overall business strategy and adds value, strengthening the organization's security posture in a way that advances its goals.

**66. What is the role of management review in the context of ISO 27001?**
a) Focusing on the personal performance of management staff
b) Evaluating the performance, status and effectiveness of the ISMS
c) Evaluating customer satisfaction with the organization
d) Presenting financial audits

**Answer: b**

**Explanation:** Management reviews are critical because they evaluate the performance, status and effectiveness of the ISMS, identifying opportunities for improvement and ensuring that it remains effective and aligned with the organization's needs.

**67. What is the recommended timeline for updating or reviewing the ISMS to maintain its effectiveness?**
a) Only after a security breach occurs
b) Regularly, taking into account operational feedback and environmental changes
c) Once every five years
d) When a change occurs in IT management

**Answer: b**

**Explanation:** The ISMS should be reviewed and updated regularly, taking into account operational feedback, environmental changes and audit results, to ensure its continued suitability, adequacy and effectiveness.

**68. What should be included in the scope of the ISMS according to ISO 27001?**
a) IT management only
b) Every area where information is processed, stored or transmitted
c) Customer data only
d) The company's head office only

**Answer: b**

**Explanation:** The scope of the ISMS should include all areas where information is processed, stored or transmitted within the organization, ensuring comprehensive coverage of all potential security risks.

**69. What is the main reason for classifying information in ISO 27001?**
a) To determine the scope of the marketing strategy
b) To ensure that appropriate levels of security are applied based on sensitivity and value
c) To make information available to the public
d) To comply with software licensing agreements

**Answer: b**

**Explanation:** Information classification is important to ensure that appropriate security controls are applied based on the sensitivity and value of the information, protecting it according to its importance to the organization.

**71. What is the main purpose of conducting risk assessments in ISO 27001?**
A) Identifying potential security incidents
B) Determining the financial impact of security breaches
C) Identifying, assessing and prioritizing information security risks
D) Allocating a budget for security controls

**Answer: C**

**Explanation:** Risk assessments in ISO 27001 aim to identify, assess and prioritize the organization's information security risks, which enables informed decisions about risk treatment.

**72. What does the PDCA cycle stand for in ISO 27001?**
A) Plan, Develop, Control, Evaluate
B) Plan, Do, Check, Act
C) Protect, Detect, Correct, Adapt
D) Prepare, Deploy, Coordinate, Analyze

**Answer: B**

**Explanation:** The PDCA cycle (Plan-Do-Check-Act) is a four-step management method used for the control and continual improvement of processes and products, including those related to information security management in ISO 27001.

**73. Which document sets out the organization's overall intention and direction regarding information security management according to ISO 27001?**
A) The Statement of Applicability
B) The risk assessment report
C) The information security policy
D) The control objectives document

**Answer: C**

**Explanation:** The information security policy provides a high-level overview of the organization's intentions and direction regarding information security management, including its commitment to protecting information assets.

**74. What is the role of the "information security steering committee" in ISO 27001?**
A) Overseeing the implementation of security controls
B) Reviewing financial reports
C) Monitoring employee productivity
D) Directing and overseeing the development and maintenance of the ISMS

**Answer: D**

**Explanation:** The information security steering committee is responsible for directing and overseeing the development, implementation and maintenance of the ISMS, ensuring that it is aligned with the organization's objectives and strategies.

**75. Which ISO 27001 control category addresses physical security concerns?**
A) Human resource security
B) Access control
C) Physical and environmental security
D) Cryptography

**Answer: C**

**Explanation:** The physical and environmental security category in ISO 27001 addresses the controls related to protecting information systems, equipment and facilities from physical threats and environmental hazards.

**76. What is the purpose of conducting internal audits in ISO 27001?**
A) Identifying external threats to the organization
B) Verifying compliance with legal requirements
C) Evaluating the effectiveness of the ISMS and identifying areas that need improvement
D) Conducting financial audits

**Answer: C**

**Explanation:** Internal audits in ISO 27001 are conducted to evaluate the effectiveness of the ISMS, verify compliance with the organization's policies and procedures, and identify the areas that need improvement.

**77. What is the importance of "security awareness training" in ISO 27001?**
A) Increasing the employee turnover rate
B) Ensuring compliance with marketing strategies
C) Making employees aware of security risks and their responsibilities
D) Improving customer satisfaction

**Answer: C**

**Explanation:** Security awareness training in ISO 27001 is essential for making employees aware of security risks, best practices, and their responsibilities in maintaining information security within the organization.

**78. What is the purpose of conducting a gap analysis in an ISO 27001 implementation?**
A) Identifying opportunities to increase revenue
B) Assessing the maturity level of the ISMS
C) Identifying the differences between current practices and the requirements of ISO 27001
D) Evaluating employee performance

**Answer: C**

**Explanation:** A gap analysis in an ISO 27001 implementation helps identify the differences between the current information security practices and the requirements set out in the ISO 27001 standard, which guides the development of an action plan for compliance.

**79. Which ISO 27001 controls address the management of removable media?**
A) Incident management
B) Asset management
C) Access control
D) Cryptography

**Answer: B**

**Explanation:** The asset management controls in ISO 27001 include managing the use of removable media, to prevent unauthorized access or data breaches via portable storage devices.

**80. Why is it important to establish an incident response plan in ISO 27001?**
A) Avoiding legal liabilities
B) Ensuring compliance with government regulations
C) Reducing the impact of security incidents and reducing recovery time
D) Increasing the workload on employees

**Answer: C**

**Explanation:** Establishing an incident response plan in ISO 27001 is necessary to reduce the impact of security incidents, reduce recovery time, and maintain the organization's ability to recover from security threats.

**81. What is the purpose of conducting a Business Impact Analysis (BIA) in ISO 27001?**
A) Assessing the financial health of the organization
B) Identifying critical business functions and their dependencies on information assets
C) Evaluating employee satisfaction
D) Reviewing marketing strategies

**Answer: B**

**Explanation:** The purpose of conducting a Business Impact Analysis (BIA) in ISO 27001 is to identify the critical business functions and their dependencies on information assets, to help determine how resources are directed for protection and recovery.

**82. What is the primary goal of the risk treatment process in ISO 27001?**
A) Eliminating all identified risks
B) Transferring all risks to third parties
C) Reducing, mitigating or accepting the identified risks to an acceptable level
D) Ignoring the identified risks

**Answer: C**

**Explanation:** The primary goal of risk treatment in ISO 27001 is to reduce, mitigate or accept the identified risks to an acceptable level, based on the organization's risk tolerance and objectives.

**83. Which ISO 27001 control category focuses on ensuring that information is protected from unauthorized access and disclosure?**
A) Human resource security
B) Access control
C) Cryptography
D) Physical and environmental security

**Answer: B**

**Explanation:** The access control category in ISO 27001 focuses on ensuring that information is protected from unauthorized access and disclosure by implementing appropriate access control measures.

**84. What is the purpose of conducting a management review in ISO 27001?**
A) Reviewing customer complaints
B) Evaluating the performance and suitability of the ISMS
C) Monitoring competitors
D) Evaluating employee satisfaction

**Answer: B**

**Explanation:** The purpose of conducting a management review in ISO 27001 is to evaluate the performance and suitability of the ISMS, ensuring its effectiveness and its alignment with the organization's objectives.

**85. What is the role of the risk owner in ISO 27001?**
A) To transfer all risks to third parties
B) To manage and oversee the treatment of identified risks
C) To ignore identified risks
D) To escalate all risks to senior management

**Answer: B**
**Explanation:** The role of the risk owner in ISO 27001 is to manage and oversee the treatment of identified risks, ensuring that appropriate measures are taken to address them effectively.

**86. Why is it important to establish an incident response team in ISO 27001?**
A) To handle marketing campaigns
B) To reduce the impact of security incidents and ensure a coordinated response
C) To assess employee productivity
D) To manage customer complaints

**Answer: B**
**Explanation:** Establishing an incident response team in ISO 27001 is important to reduce the impact of security incidents and ensure a coordinated response for managing and mitigating security breaches effectively.

**87. What is the purpose of conducting security awareness training in ISO 27001?**
A) To increase the employee turnover rate
B) To ensure compliance with marketing strategies
C) To educate employees about security risks and their responsibilities
D) To improve customer satisfaction

**Answer: C**
**Explanation:** The purpose of conducting security awareness training in ISO 27001 is to educate employees about security risks, best practices, and their responsibilities for maintaining information security within the organisation.

**88. Which ISO 27001 control category addresses the protection of information during storage and transmission?**
A) Human resources security
B) Cryptography
C) Physical and environmental security
D) Access control

**Answer: B**
**Explanation:** The cryptography category in ISO 27001 addresses the controls for protecting information during storage and transmission through the use of encryption and cryptographic techniques.

**89. What is the primary objective of conducting internal audits in ISO 27001?**
A) To identify potential security threats
B) To ensure compliance with legal requirements
C) To evaluate the effectiveness of the information security management system and identify areas for improvement
D) To conduct financial audits

**Answer: C**
**Explanation:** The primary objective of conducting internal audits in ISO 27001 is to evaluate the effectiveness of the information security management system, verify compliance with the organisation's policies and procedures, and identify areas for improvement.

**90. Why is it important for an organisation to establish a clear information security policy in ISO 27001?**
A) To increase the workload on employees
B) To ensure compliance with government regulations
C) To guide and inform employees about information security expectations and responsibilities
D) To monitor employee performance

**Answer: C**
**Explanation:** It is important for an organisation to establish a clear information security policy in ISO 27001 in order to guide and inform employees about information security expectations and responsibilities within the organisation, ensuring consistency and compliance.

**91. What is the purpose of the risk assessment methodology in ISO 27001?**
A) To eliminate all identified risks within the organisation
B) To determine the financial impact of potential risks
C) To provide a structured approach for identifying, analysing, and evaluating information security risks
D) To assess employee productivity levels

**Answer: C**
**Explanation:** The risk assessment methodology in ISO 27001 provides a structured approach for identifying, analysing, and evaluating information security risks within the organisation.

**92. Which ISO 27001 control category focuses on ensuring that assets are properly identified and managed?**
A) Asset management
B) Access control
C) Cryptography
D) Physical and environmental security

**Answer: A**
**Explanation:** The asset management category in ISO 27001 focuses on ensuring that assets are properly identified and managed throughout their lifecycle.

**93. What is the role of the information security manager in ISO 27001?**
A) To handle financial audits
B) To oversee the implementation and maintenance of the information security management system
C) To manage marketing campaigns
D) To monitor competitors' activities

**Answer: B**
**Explanation:** The role of the information security manager in ISO 27001 is to oversee the implementation and maintenance of the information security management system within the organisation.

**94. Which ISO 27001 control category focuses on ensuring that information is protected from unauthorised access and modification?**
A) Human resources security
B) Access control
C) Cryptography
D) Physical and environmental security

**Answer: B**
**Explanation:** The access control category in ISO 27001 focuses on ensuring that information is protected from unauthorised access and modification by implementing appropriate access control mechanisms.

**95. What is the primary objective of conducting security awareness training in ISO 27001?**
A) To increase the employee turnover rate
B) To ensure compliance with marketing strategies
C) To educate employees about security risks and best practices
D) To improve customer satisfaction

**Answer: C**
**Explanation:** The primary objective of conducting security awareness training in ISO 27001 is to educate employees about security risks, threats, and best practices in order to strengthen the organisation's overall security posture.

**96. Why is it important for an organisation to establish a risk treatment plan in ISO 27001?**
A) To ignore identified risks
B) To eliminate all identified risks
C) To transfer all identified risks to third parties
D) To address identified risks through appropriate measures

**Answer: D**
**Explanation:** It is important for an organisation to establish a risk treatment plan in ISO 27001 in order to address identified risks through appropriate measures, such as mitigation, acceptance, or avoidance.

**97. What is the purpose of conducting periodic management reviews in ISO 27001?**
A) To review customer complaints
B) To evaluate the performance and effectiveness of the information security management system
C) To assess employee productivity levels
D) To monitor competitors' activities

**Answer: B**
**Explanation:** The purpose of conducting periodic management reviews in ISO 27001 is to evaluate the performance and effectiveness of the information security management system within the organisation.

**98. Which ISO 27001 control category focuses on protecting information during storage and transmission?**
A) Human resources security
B) Access control
C) Cryptography
D) Physical and environmental security

**Answer: C**
**Explanation:** The cryptography category in ISO 27001 focuses on ensuring that information is protected during storage and transmission through the use of encryption techniques.

**99. What is the role of the risk owner in ISO 27001?**
A) To transfer all risks to third parties
B) To manage and oversee the treatment of identified risks
C) To ignore identified risks
D) To escalate all risks to senior management

**Answer: B**
**Explanation:** The role of the risk owner in ISO 27001 is to manage and oversee the treatment of identified risks, making sure that appropriate measures are taken to address them effectively.

**100. Why is it important for an organisation to establish an incident response team in ISO 27001?**
A) To handle financial audits
B) To reduce the impact of security incidents and ensure a coordinated response
C) To review customer complaints
D) To assess employee productivity levels

**Answer: B**
**Explanation:** It is important for an organisation to establish an incident response team in ISO 27001 in order to reduce the impact of security incidents and ensure a coordinated response for managing and mitigating security breaches effectively.
