Iso 27001 Li
An Information Security Management System (ISMS) is a core part of the ISO 27001 standard. It is designed to ensure that a company's sensitive and valuable information is protected from potential threats and kept secure. An ISMS helps organisations manage their information security through structured, standardised processes.
An ISMS is a framework of policies and procedures that any type of organisation needs in order to protect and manage its information assets. The system covers all the legal, physical and technical aspects related to the organisation's information security processes.
• The objective of the ISMS:
The primary objective of an ISMS is to protect data and information and to ensure their integrity against damage, loss, unauthorised modification and unauthorised access, whether caused by accidents or by malicious activity.
Restricting access based on roles. The system is monitored and updated continuously to deal with new threats and to ensure compliance with industry regulations.
An ISMS is a vital part of modern enterprise management and helps to balance enabling the use of information against protecting it from risk.
An Information Security Management System (ISMS) is part of the organisation's overall processes. It is based on a risk-assessment approach and is designed to ensure that appropriate and adequate security controls are selected to protect the organisation's information from threats and to ensure its availability when needed. The ISMS must be able to adapt to changes in the security environment, in threats, and in business and regulatory requirements.
• The fundamental principles of information security in ISO 27001:
Confidentiality:
The aim of confidentiality is to ensure that information is not made available or disclosed to unauthorised individuals, entities or processes.
Example: using encryption techniques to protect sensitive customer data from unauthorised access.
Integrity:
The aim of integrity is to preserve the accuracy and completeness of information and of the methods used to process it.
Example: applying controls such as strict access control and data-validation techniques to prevent unauthorised modification of information.
Availability:
The aim of availability is to ensure that information is accessible and usable by authorised individuals when needed.
Example: using backup and recovery solutions to ensure that data remains available after incidents such as cyber attacks or natural disasters.
By Mohammed AlSubayt
[Figure: the CIA triad (Confidentiality, Integrity, Availability)]
• Applying the process approach:
- Plan: define the objectives and the processes needed to deliver results in accordance with the ISMS policy and the organisation's objectives.
- Do: implement the processes as planned.
- Check: monitor and measure the processes against the ISMS policy, the objectives and the legal and regulatory requirements, and report the results.
- Act: take actions to improve the performance of the ISMS continually.
Suppose a company needs to strengthen its data-protection processes. Within the process approach, the company would:
- Plan: define what is to be achieved in data protection, set clear objectives, and plan the processes, which include data encryption, access control and regular audits.
- Do: implement these processes, making sure all employees are trained on the importance of data protection and know how to handle sensitive information securely.
- Check: review access logs, audit results and incident reports regularly to measure how effective the data-protection processes are.
- Act: based on the results, make adjustments such as tightening access-control procedures, updating encryption methods, or running additional training sessions to address any weakness identified.
• Scope: clearly defining the scope of the ISMS ensures that all the areas and assets that need protection are covered. The scope must be defined in a way that enables the organisation to manage information security effectively.
• To secure the necessary support and resources from top management, the benefits and importance of the ISMS must be presented clearly. Executive commitment is fundamental to the continued success of the system.
3. Risk assessment:
• Before controls are implemented, a comprehensive risk assessment must be carried out to identify the threats and vulnerabilities that could affect information assets. This assessment helps to determine the appropriate controls to implement within the ISMS.
4. Defining objectives and controls:
• Defining security objectives directs efforts and ensures that resources are directed effectively. The controls, selected on the basis of the risk assessment, are implemented to treat the identified risks.
5. Documentation:
• Documenting policies, procedures and processes is essential to ensure a clear understanding and consistent application of the ISMS requirements.
Definition:
The context of the organisation covers the circumstances in which the organisation operates, including internal factors such as organisational culture, objectives and capabilities, and external factors such as the legal, technological and market environment.
Clauses 4 – 10 (the clauses)
• Objective: define the boundaries and applicability of the information security management system.
• Details: the organisation must set clear boundaries for the ISMS by determining what is included in the system and what is excluded from it.
• Example: specifying that the ISMS will cover all data and technology systems within the company, including its international branches.
• Commitment: top management must demonstrate leadership and commitment to establishing and improving the information security management system. For example, the CEO can attend and take part in information security meetings to show support.
• Setting objectives and direction: top management must ensure that the information security objectives are aligned with the company's strategic objectives. For example, if one of the company's goals is to expand the geographic scope of its services, the information security objectives should reflect this by strengthening the security measures for data crossing borders.
• Responsibility and authority: clear roles and responsibilities for security management must be assigned. For example, appointing a Chief Information Security Officer (CISO) who bears full responsibility for overseeing the information security management system.
5.2 Policy:
• Providing a policy: an information security policy must be developed that reflects the organisation's commitment to information security and sets out the requirements and the framework for achieving them. For example, the policy may contain criteria for classifying data and requirements for protecting each category of data.
• Communication: the information security policy must be available to, and understood by, all interested parties inside and outside the organisation. For example, the policy can be distributed to all employees by e-mail and included in periodic training.
Clause 5 reflects the importance of the role top management plays in directing and supporting information security efforts, which confirms that information security is a management responsibility before it is a technical one.
Clause 6: Planning
Summary
Clause 6 of ISO 27001 emphasises the importance of careful, methodical planning for information security management through the effective assessment and treatment of risks. Through this process, organisations can identify sensitive assets and potential threats and apply the appropriate measures to ensure adequate protection and business continuity.
Clause 7: Support
7.1 Resources
• Objective: provide the resources needed to establish, implement, maintain and improve the information security management system.
• Example: a company allocates a dedicated information security budget that covers buying security software, hiring information security specialists, and periodic employee training.
7.2 Competence
• Objective: ensure that everyone working under the information security management system has the required competence.
• Example: assessing employees' skills and their training needs in information security, and providing training courses to raise their competence in line with security requirements.
7.4 Communication
• Objective: ensure effective communication on information security matters inside and outside the organisation in an appropriate manner.
• Example: using newsletters, e-mail and periodic meetings to update employees and interested parties on new developments in information security.
7.5 Documented information
• Objective: manage documented information in a way that ensures it is easy to access, accurate and preserved.
• Example: creating, maintaining and reviewing the ISMS documents regularly to ensure they are up to date and conform to the requirements of ISO 27001.
7.5.1 General
• Objective: ensure that documented information is managed in a way that supports the operation of the security management system.
• Example: a software development company uses an electronic document management system to keep all documents related to information security, such as policies, procedures and risk assessment results.
7.5.2 Creating and updating
• Objective: define appropriate processes for creating and updating documents, ensuring they are correct and fit for purpose.
• Example: before any new document is issued, it must go through a review process that includes verifying that the information is correct and consistent with the higher-level policies. For example, the security manager reviews the security policy documents to confirm that they contain all the essential elements and have been updated according to the latest security requirements.
7.5.3 Control of documented information
• Objective: define appropriate procedures for controlling documented information so that it remains accessible and is protected from loss, destruction, unauthorised use or unauthorised disclosure.
• Example: restricting access to sensitive security documents to authorised employees only, and using encryption to protect electronically stored documents. Applying rigorous backup procedures to ensure that documents can be restored in the event of data loss.
Summary
Clause 7 of ISO 27001 focuses on the elements needed to support the information security management system: providing the resources, competence, awareness, communication and documented information required to manage it effectively. These elements are essential to maintaining an integrated, effective information security system that meets organisational needs and complies with international standards.
Clause 8: Operation
9.2 Internal audit
• Objective: assess how well the information security management system conforms to organisational requirements and to the ISO 27001 standard.
• Example: carrying out regular internal audits to check the various departments' adherence to the security policies and to verify that the security controls are applied correctly.
9.3 Management review
• Objective: ensure that the information security management system is reviewed by top management to confirm its continuing effectiveness and suitability.
• Example: top management holds periodic meetings to review security performance reports, internal audit results and current security challenges in order to take improvement decisions.
Summary
Clause 9 of ISO 27001 emphasises the need for regular evaluation of the performance of the information security management system, to ensure that it remains effective and is updated in line with changes in the technological environment and in security threats. Through performance monitoring, internal audit and management reviews, organisations can improve their security continuously and verify that the information security management system is applied effectively.
Clause 10: Improvement
10.1 Continual improvement
• Objective: identify and implement opportunities to improve the overall performance of the information security management system continually.
• Example: a software company conducts periodic reviews to assess the effectiveness of its current security measures and uses key performance indicators to measure their success. Based on the results of these reviews, the company updates its security protocols and trains employees on the latest security methods.
Summary
Clause 10 of ISO 27001 emphasises the importance of continual improvement of the information security management system. Through ongoing evaluation, correction of errors and implementation of improvements, organisations can keep their security systems resilient, strengthen their ability to adapt to changing threats, and maintain the effectiveness of the system.
Analysing the existing management system is a fundamental step in implementing ISO 27001, the standard for an information security management system (ISMS). This analysis helps organisations identify the gaps between their current practices and the requirements of ISO 27001, and so provides the basis for planning the improvements needed to meet the international standard. Below is a summary of how this analysis is carried out:
• Data collection: the analysis starts by collecting data about the current management system, including the policies, procedures and practices related to information security. This also includes reviewing the documents, the technology systems in use, and the security controls applied.
• Gap identification: once the data has been collected, it is analysed to identify the gaps between the current procedures and the requirements of ISO 27001. This includes assessing how complete the security policies are, the adequacy of the security controls, and the effectiveness of the procedures implemented.
• Risk assessment: assessing the risks associated with information assets is an integral part of the management system analysis. The information assets are identified, the potential risks to each asset are assessed, and the adequacy of the current controls in mitigating those risks is determined.
Applied example:
A technology company analyses its existing management system to determine its conformity with ISO 27001. The results show that the company lacks adequate security controls to protect its cloud data. The recommendations include implementing advanced encryption techniques and training employees in cyber security to strengthen protection.
Summary:
Analysing the existing management system is a vital step in the ISO 27001 implementation process, as it enables organisations to identify the weaknesses in their systems and to draw up effective plans to strengthen information security. This approach ensures conformity with international standards and improves the organisation's security performance.
The ISO 27001 standard covers several key aspects of implementing and leading an information security management system (ISMS). Below is a summary of the main parts, which include leadership and approval of the project, the scope of the ISMS, the information security policies, the risk management process, the organisational structure for information security, and the Statement of Applicability (SOA):
1. Leadership and approval of the ISMS project:
• Leadership: top management must demonstrate commitment to and support for the ISMS initiative. This includes providing the necessary resources and defining roles and responsibilities.
• Approval: top management must approve the scope of the ISMS and the security policies to ensure that they are aligned with the organisation's strategic objectives.
2. Scope of the ISMS:
• The scope of the ISMS is defined on the basis of the information assets that need protection, the regulatory requirements, and the interested parties. The scope must be clear and specific to make the system easier to implement and manage.
Summary:
A comprehensive understanding of these aspects helps organisations develop an effective ISMS that meets regulatory requirements and protects information assets adequately. Defining and implementing these elements correctly ensures the long-term success of information security efforts.
Designing the security controls (the policies and procedures, or P&P) is a vital part of implementing an information security management system (ISMS) in accordance with ISO 27001. This process ensures that the policies and procedures designed meet the organisation's specific needs and address its security risks effectively. Below is a summary of the process of designing security controls:
2. Defining the controls:
- Based on the identified needs, the appropriate controls are selected from Annex A of ISO 27001. These controls must be sufficient to reduce the risks to an acceptable level.
4. Designing the procedures:
- Procedures are specific steps or operational instructions that detail how the policies are applied day to day. Procedures must be precise and specific to ensure that the security controls are applied effectively.
6. Testing and review:
- After the policies and procedures have been designed, they must be tested to confirm their effectiveness. Test exercises or simulations can be run to assess how the controls operate in realistic scenarios.
… and cloud storage, and designs policies for identity verification and restricted access. The company implements procedures that detail the steps for verification and security monitoring, and integrates these controls with its existing management system without affecting performance.
Summary:
Designing security controls within the ISO 27001 framework requires a precise understanding of the organisation's risks and security needs, together with the development of effective policies and procedures that ensure the continuous and effective protection of information assets.
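The risk assessment and control selection described above (score likelihood and impact per asset, then choose Annex A controls until the risk is at an acceptable level), worked through as an added example that is not part of the original document. The assets, threats, scores, the acceptance threshold and the risk reduction credited to each control are constructed assumptions, and the greedy selection is one simple method, not one prescribed by the standard.

```python
"""Risk assessment and control selection for ISO 27001 planning.

Added example, not from the original document. The assets, threats, scores
and the risk-acceptance threshold are constructed; the control references
are the Annex A identifiers used in the text, and the reduction each control
is credited with is an assumption made for illustration.
"""
from dataclasses import dataclass, field


ACCEPTABLE_RISK = 6  # constructed threshold on likelihood x impact (scale 1..25)


@dataclass(frozen=True)
class Control:
    ref: str                 # Annex A reference
    name: str
    likelihood_cut: int = 0  # assumed reduction of likelihood (1..5 scale)
    impact_cut: int = 0      # assumed reduction of impact (1..5 scale)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int            # 1 = rare .. 5 = almost certain
    impact: int                # 1 = negligible .. 5 = severe
    candidates: tuple = ()     # controls that could treat this risk
    selected: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self, extra=()) -> int:
        """Risk remaining with the selected controls (plus any trial controls) applied."""
        applied = list(self.selected) + list(extra)
        likelihood = max(1, self.likelihood - sum(c.likelihood_cut for c in applied))
        impact = max(1, self.impact - sum(c.impact_cut for c in applied))
        return likelihood * impact


def treat_risk(risk, threshold=ACCEPTABLE_RISK):
    """Greedy treatment: keep adding the candidate that lowers residual risk the
    most until the residual is at or below the acceptable level. Returns the refs
    of the controls selected; an empty list means the risk is accepted as it is."""
    remaining = list(risk.candidates)
    while risk.residual() > threshold and remaining:
        best = min(remaining, key=lambda c: risk.residual([c]))
        if risk.residual([best]) >= risk.residual():
            break  # nothing left reduces the risk; it must be escalated to management
        risk.selected.append(best)
        remaining.remove(best)
    return [c.ref for c in risk.selected]


def statement_of_applicability(risks, catalogue):
    """Draft SoA: each catalogue control mapped to the risks that justify it."""
    soa = {c.ref: [] for c in catalogue}
    for risk in risks:
        for control in risk.selected:
            soa[control.ref].append(f"{risk.asset}: {risk.threat}")
    return soa


# Constructed catalogue using Annex A references that appear in the text
CATALOGUE = (
    Control("A.9.2.2", "logging and monitoring of access", impact_cut=1),
    Control("A.9.2.4", "disable access on termination", likelihood_cut=2),
    Control("A.10.1.1", "cryptographic policy: encrypt stored data", impact_cut=2),
    Control("A.11.1.4", "protection of mobile devices: laptop encryption", impact_cut=3),
)


def build_register():
    """Constructed risk register of three assets."""
    by_ref = {c.ref: c for c in CATALOGUE}
    return [
        Risk("customer database", "access by a former employee whose account was kept",
             likelihood=4, impact=5,
             candidates=(by_ref["A.9.2.2"], by_ref["A.9.2.4"], by_ref["A.10.1.1"])),
        Risk("staff laptop", "loss or theft of the device", likelihood=3, impact=4,
             candidates=(by_ref["A.11.1.4"], by_ref["A.9.2.2"])),
        Risk("public website", "defacement of marketing pages", likelihood=2, impact=2,
             candidates=(by_ref["A.9.2.2"],)),
    ]


def run_assessment():
    """Treat every risk in the register and return (report, SoA draft)."""
    register = build_register()
    report = {}
    for risk in register:
        refs = treat_risk(risk)
        report[risk.asset] = {"inherent": risk.inherent(),
                              "residual": risk.residual(), "controls": refs}
    return report, statement_of_applicability(register, CATALOGUE)


if __name__ == "__main__":
    report, soa = run_assessment()
    for asset, row in report.items():
        print(f"{asset}: inherent {row['inherent']}, residual {row['residual']}, "
              f"controls {row['controls'] or 'none (risk accepted)'}")
    for ref, reasons in soa.items():
        print(f"{ref}: {'applicable' if reasons else 'not selected by this assessment'}")
```

A control left empty in the SoA draft still needs a documented justification; the assessment only shows that no treated risk required it.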
Implementing the security controls is a vital part of applying the ISO 27001 standard for an information security management system (ISMS). This process ensures that the planned controls are implemented effectively to protect information assets from threats and risks. Below is a summary of the process of implementing security controls in accordance with ISO 27001:
2. Planning the implementation:
- Planning the implementation of the controls includes determining the resources needed, the timelines and the responsibilities. It is important that sufficient resources are allocated and that all participants understand their role in the implementation process.
3. Applying the controls:
- Applying the controls includes making the necessary technical and administrative changes. This may require installing new security systems, updating software, amending policies, or running training for employees.
4. Documentation:
- All the security controls applied and their procedures must be documented clearly so that they can be referred to and reviewed. Documentation is important for internal and external audits and for maintaining transparency in security operations.
5. Verification and testing:
- After the controls have been applied, it is important to carry out verification and testing to confirm that they work as planned. This may include penetration tests, security reviews and compliance assessments.
6. Review and update:
- Implementing security controls is an ongoing process. The controls must be reviewed regularly and updated in response to changes in the security environment and the results of verification and testing.
Summary:
Implementing security controls within the ISO 27001 framework requires careful planning, considered application and continuous evaluation. By adopting this process, organisations can strengthen their information security and maintain high levels of protection against threats and risks.
The document management process is a fundamental part of implementing the ISO 27001 standard for an information security management system (ISMS). This process aims to ensure that all documents related to the ISMS are created, reviewed, approved, updated and maintained in an organised, methodical way. Below is a breakdown of the document management process within the ISO 27001 framework:
2. Review and approval:
- Before documents become active, they must be reviewed and approved by the competent people within the organisation. This step ensures that the documents meet the required standards and are fit for their intended purpose.
3. Distribution and implementation:
- After approval, the documents are distributed to all the relevant parties within the organisation. The documents must be easily accessible to the people who need them to carry out their tasks.
4. Updating and control:
- Documents need periodic monitoring and updating to ensure that they continue to meet regulatory requirements and keep up with changes in the security environment. All changes must be recorded, reviewed and approved in the same way as the original documents.
5. Retention and archiving:
- To ensure compliance with legal and regulatory requirements, organisations must retain documents for a defined period. Archiving processes must be secure to prevent loss or damage.
6. Disposal of documents:
- When documents are no longer needed, they must be disposed of securely, in a way that ensures sensitive information is not put at risk.
Summary:
The document management process plays a fundamental role in maintaining the effectiveness of the ISMS and ensuring the organisation's adherence to the ISO 27001 standard. Through organised documentation and periodic review, organisations can maintain and control information security effectively.
Summary:
The communication plan plays a vital role in implementing the ISMS and ensuring effective engagement with all interested parties. By directing the right messages to the right audience in a methodical way, organisations can ensure that they achieve their information security objectives and comply with the ISO 27001 standard.
3. Implementing the programme:
- The training programme is delivered according to the set schedule, including the actual training sessions, workshops and lectures.
4. Evaluating performance:
- After the programme ends, the training is evaluated to determine how effective it was and to identify any gaps in knowledge or understanding.
5. Ongoing awareness and education:
- The final part of the plan focuses on maintaining awareness of and education about information security through ongoing awareness and training activities.
6. Evaluating effectiveness:
- The training and awareness plan must be evaluated regularly to ensure that the set objectives are achieved and to improve the process over time.
Summary:
The training and awareness plan plays a fundamental role in strengthening employees' understanding and awareness of information security and of the requirements of ISO 27001. By directing training efforts methodically and continuously, organisations can achieve their objectives for information security and compliance with international standards.
Operations management is a fundamental part of implementing the ISO 27001 standard for an information security management system (ISMS). This part focuses on implementing and maintaining the defined security policies and procedures to protect the organisation's information assets effectively. Below is a summary of the operations management process within the ISO 27001 framework:
2. Access management:
- Access to data and systems is managed strictly, in accordance with the defined access policies and procedures, to preserve confidentiality and integrity.
3. Change management:
- Change management involves introducing technical and administrative changes in an organised way that preserves the security and performance of the system.
4. Incident management:
- Incident response procedures are put in place and carried out to deal with security breaches and threats effectively and promptly.
5. Monitoring and evaluation:
- This part includes monitoring the system continuously and evaluating its performance and effectiveness to ensure ongoing compliance with security requirements and standards.
6. Performance evaluation:
- The performance of security operations is evaluated regularly to identify strengths and weaknesses and to make the necessary improvements.
Summary:
Operations management within the ISO 27001 framework focuses on applying and maintaining the security policies and procedures that protect information effectively. Through integrated processes and continuous evaluation, organisations can achieve information security and sustainable compliance with security standards.
2. Rapid response:
- The response to incidents must be rapid and effective in order to contain the damage and reduce its impact on information security and on business operations.
3. Incident evaluation:
- Incident evaluation involves analysing the causes and impact of incidents and determining the steps needed to handle them and prevent their recurrence.
4. Incident documentation:
- All incidents and the related investigations must be documented accurately to provide comprehensive, auditable records.
Summary:
Incident management within the ISO 27001 framework aims to provide an effective response to security breaches and potential information security incidents. By applying well-considered procedures and continuous evaluation, organisations can improve their ability to handle incidents effectively and to prevent them in future.
Monitoring, measurement, analysis and evaluation (Monitoring, Measurement, Analysis, and Evaluation) are fundamental elements of implementing the ISO 27001 standard for an information security management system (ISMS). These elements aim to evaluate the system's performance and effectiveness, to analyse the collected data in order to identify opportunities for improvement, and to provide a comprehensive assessment of information security. Below is a summary of each of these elements within the ISO 27001 framework:
1. Monitoring (Monitoring):
- Monitoring consists of following and observing the performance of the system and of the security processes on a periodic and continuous basis. It aims to verify that the policies and procedures are implemented correctly and effectively.
2. Measurement (Measurement):
- Measurement involves defining key performance indicators and applying them to measure the system's performance and its level of compliance with the requirements of ISO 27001. These indicators may include the number of breaches, the response rate, the level of policy implementation, and others.
3. Analysis (Analysis):
- Analysis aims to understand the collected data and examine it in depth to identify the root causes of problems and the opportunities for improvement. Analysis may include evaluating results and identifying trends and future challenges.
4. Evaluation (Evaluation):
- Evaluation involves providing a comprehensive assessment of the system's performance and effectiveness based on the collected and analysed data. It aims to provide recommendations for improvement and to identify opportunities to develop the system and strengthen information security.
Summary:
Monitoring, measurement, analysis and evaluation are vital processes in implementing ISO 27001 for information security management. By using these processes in an integrated, continuous way, organisations can improve their information security performance and ensure ongoing compliance with standards and requirements.
Internal audit is a fundamental part of implementing the ISO 27001 standard for an information security management system (ISMS). Internal audit aims to evaluate the effectiveness and suitability of the information security management system against the requirements of the standard and the organisation's policies. Below is a summary of the internal audit process within the ISO 27001 framework:
2. Conducting the audit:
- The audit is carried out by reviewing and evaluating the processes of the information security management system and providing recommendations for improving performance.
3. Documenting the results:
- The audit results are documented accurately, including the exceptions and non-conformities found and the recommendations for improvement.
5. Performance evaluation:
- The performance of the internal audit processes is evaluated regularly to ensure the effectiveness of the system and compliance with the requirements of ISO 27001.
Summary:
Internal audit is an important process within the ISO 27001 framework for evaluating and improving the performance of the information security management system. By carrying out audits regularly and following up on the implementation of improvements, organisations can strengthen information security and ensure ongoing compliance with standards and requirements.
Management review is a fundamental process in implementing the ISO 27001 standard for an information security management system (ISMS). Management review aims to evaluate the performance and effectiveness of the information security management system and how well it fits the organisation's objectives and strategic direction. Below is a summary of the management review process within the ISO 27001 framework:
2. Conducting the review:
- The performance of the information security management system is reviewed by the organisation's top management by evaluating the available data and reports on the system's performance.
5. Documenting the results:
- The results of the management review, the corrective actions taken and the improvements implemented are documented.
Summary:
- Management review is an important process for evaluating and improving the performance of the information security management system and ensuring its conformity with the requirements of the standard and the organisation's objectives. By conducting management reviews regularly and taking the necessary corrective actions, organisations can strengthen information security and achieve ongoing compliance.
The process of treating problems and non-conformities (Treatment of Problems and Non-conformities) is a vital process in implementing the ISO 27001 standard for an information security management system (ISMS). This process aims to deal with the problems and non-conformities discovered during internal or external audits, and to ensure that they are corrected and prevented from recurring in future. Below is a summary of the process of treating problems and non-conformities within the ISO 27001 framework:
Summary:
- Treating problems and non-conformities is an important process for improving and ensuring the effectiveness of the information security management system. By identifying root causes, implementing immediate corrections and defining preventive actions, organisations can strengthen information security and ensure ongoing compliance.
Continual improvement
1. Performance evaluation:
- This step involves evaluating the performance of the information security management system periodically and regularly to identify strengths, weaknesses and opportunities for improvement.
2. Data analysis:
- The data collected from the evaluation processes is analysed to understand trends and to identify the areas that need improvement.
3. Applying improvements:
- Based on the data analysis, continuous improvements are applied to strengthen and enhance the performance of the information security management system.
4. Monitoring the impact:
- The impact and effectiveness of the applied improvements are monitored to ensure that the desired results are achieved and that information security is improved.
5. Performance follow-up:
- Performance is followed up regularly to ensure that continual improvement is sustained and that the requirements of ISO 27001 are met.
Summary:
- Continual improvement is a fundamental part of implementing ISO 27001, as it allows information security to be strengthened and the performance of the information security management system to be improved on a permanent basis. Through cycles of evaluation and improvement, organisations can maintain their excellence, stay in continuous compliance with the requirements of the standard, and improve their performance continuously.
Preparing for the certification audit is a critical step in implementing the ISO 27001 standard for an information security management system (ISMS). This preparation requires confirming that the organisation is ready to receive the external audit and ensuring compliance with the requirements of the standard. Below is a summary of the process of preparing for the certification audit within the ISO 27001 framework:
2. Compliance assessment:
- Compliance with the requirements of ISO 27001 is assessed by conducting an internal assessment to verify that all the required points have been satisfied.
3. Preparing the documentation:
- The supporting documents and records needed to demonstrate the organisation's compliance with the requirements of the standard are prepared.
4. Training and awareness:
- The organisation's teams are briefed and given the necessary training on the requirements of the standard and the audit procedures.
5. Final review:
- A final review of all documents and procedures is carried out to ensure that the organisation is ready for the external audit.
Summary:
- Preparing for the certification audit is a fundamental step in ensuring the organisation's compliance with the ISO 27001 standard and obtaining certification. Through analysing the requirements, assessing compliance, preparing the documentation, training, and the final review, organisations can ensure that they are ready to receive the external audit and achieve ongoing compliance.
Competence and evaluation of implementers is a fundamental part of implementing the ISO 27001 standard for an information security management system (ISMS). This part aims to ensure that the implementers responsible for implementing the security systems have the knowledge and skills needed to ensure the efficient and effective implementation of the security standards and policies. Below is a summary of this part within the ISO 27001 framework:
3. Evaluation and accreditation:
- The competence of implementers is evaluated regularly against the defined criteria, and accreditation is granted to those who demonstrate high competence in information security.
4. Performance follow-up:
- The performance of implementers is followed up, their response to information security requirements is evaluated, and the feedback needed to improve performance is provided.
Summary:
- Evaluating the competence of implementers and providing appropriate training and education contribute to ensuring the effective implementation of the ISO 27001 standard for an information security management system. By defining the requirements, providing the necessary support and following up on performance, organisations can strengthen the competence of their teams and ensure ongoing compliance.
Annex 5 – 18
There are 114 controls in Annex A of ISO/IEC 27001:2013, which is considered a comprehensive framework for managing information security in organisations. Below is a list of all the controls with examples and details of each one:
A.5 - Security policies
1. A.5.1.1 - Security policy: a document that defines the overall objective of information security in the organisation and the commitment to it.
- Example: stating the commitment to protect personal data and not to share it with third parties without consent.
2. A.5.1.2 - Review of the security policy: the security policy must be reviewed and updated periodically to ensure that it remains effective and suited to the changing environment.
- Example: reviewing the security policy every year to update and revise it so that it meets new requirements.
3. A.5.1.3 - Allocation of information security responsibilities: defining the responsibilities for information security and distributing them among the employees concerned.
- Example: appointing an information security officer to manage and implement the security policies and to report any security risks.
5. A.6.1.2 - Segregation of duties: separating duties to reduce the risk of fraud and to achieve checks and balances.
- Example: dividing development and testing tasks between different people to ensure independent verification.
6. A.6.1.3 - Contact with authorities: establishing mechanisms for dealing with the local or legal authorities on matters of information security.
- Example: designating a person responsible for communicating with regulatory bodies to exchange security information.
8. A.7.1.2 - During employment: defining and applying procedures to monitor and control employees' access to sensitive information during their period of employment.
- Example: giving new employees limited access to sensitive data until they have been fully trained.
9. A.7.1.3 - Termination and change of employment: applying procedures to ensure that the access of employees whose service has ended is removed from systems and information.
- Example: cancelling the accounts of dismissed employees immediately after their dismissal is announced.
10. A.7.2.1 - Management responsibilities: defining management's responsibilities for information security and providing the necessary support.
- Example: appointing an information security manager to implement the security strategies and coordinate the various efforts.
11. A.7.2.2 - Information security awareness and education: providing employees with training and awareness on information security to strengthen awareness and knowledge.
- Example: running periodic training courses on the risks of phishing e-mail and how to deal with it.
12. A.7.2.3 - Disciplinary process: establishing and applying disciplinary procedures to address violations of the information security policies.
- Example: imposing sanctions on employees who breach the policies on access to sensitive data.
A.8 - Asset management
13. A.8.1.1 - Responsibility for assets: defining responsibility for information assets and providing the care they need.
- Example: appointing an employee responsible for tracking physical and information assets and updating their records.
14. A.8.1.2 - Inventory of assets: conducting a periodic inventory of all the physical and information assets the organisation owns.
- Example: creating a database to collect information about physical assets such as devices and equipment.
15. A.8.1.3 - Acceptable use of assets: establishing policies and procedures to ensure that assets are used appropriately, in accordance with the defined standards.
- Example: specifying the permitted uses of assets such as computers and other devices.
16. A.8.1.4 - Return of assets: defining procedures for returning information assets after their use has ended.
- Example: organising the removal of sensitive data from devices before they are reused or resold.
17. A.8.2.1 - Classification of information: classifying information according to its level of sensitivity and importance in order to protect it.
- Example: classifying data into levels such as public, confidential and highly confidential.
18. A.8.2.2 - Labelling of information: labelling information according to its classification level so that it can be recognised and managed easily.
- Example: establishing a system for labelling documents with their classification, such as "Confidential" or "Public".
19. A.8.2.3 - Handling of assets: establishing procedures for handling physical and information assets securely.
- Example: storing sensitive information in a secure location such as a designated safe or an encrypted server.
A.9 - Access control
23. A.9.1.1 - Access policies and procedures: establishing policies and procedures for managing access to information.
- Example: determining the permissions required for each user on the basis of their job function.
25. A.9.2.2 - Logging and monitoring of access: logging and monitoring all access to sensitive information.
- Example: logging all access to the database and documenting the details of each operation.
27. A.9.2.4 - Removal or disabling of access: procedures for removing or disabling access to information when needed.
- Example: disabling a user's account immediately after the end of their service is announced.
A.10 - Cryptography
28. A.10.1.1 - Policies and procedures for cryptography: developing policies and procedures for the use of cryptography.
- Example: specifying the algorithms used and the methods of key exchange.
29. A.10.1.2 - Control of keys: organising key management and defining the related policies and procedures.
- Example: defining the validity period of keys and changing them regularly.
35. A.11.1.4 - Protection of mobile devices: providing protection for mobile devices that contain sensitive information.
- Example: encrypting laptop computers to protect the data in the event of loss or theft.
A.12 - Secure operations
36. A.12.1.1 - Security-compliant operating processes: ensuring that operational processes are carried out in accordance with security requirements.
- Example: documenting the standard operating procedures for the system with an emphasis on security.
37. A.12.1.2 - Secure system for information: providing a secure system for all operational processes.
- Example: installing anti-virus software and updating it regularly to protect the systems from cyber attacks.
38. A.12.1.3 - Security risk assessment: assessing security risks and determining the appropriate preventive measures.
- Example: conducting periodic vulnerability assessments and applying the updates needed to close the vulnerabilities.
40. A.13.1.2 - Protection from external threats: verifying the effectiveness of the security measures in protecting the organisation from external threats.
- Example: conducting periodic penetration tests to assess the strength of the organisation's security defences.
41. A.13.2.1 - Security vulnerabilities and improvements: dealing with security vulnerabilities and applying the necessary improvements.
- Example: creating an action plan to fix the security vulnerabilities discovered during verification.
- 43. A.14.1.2 Protection against external threats: assess the effectiveness of security measures in protecting the organisation from external threats.
  - Example: carry out penetration tests to identify weaknesses in systems and assess how they respond.
- 44. A.14.2.1 Security vulnerabilities and improvements: address security vulnerabilities and apply the necessary improvements.
  - Example: update software and patch the security vulnerabilities discovered during verification and testing.
- 46. A.15.1.2 Communication with external parties: define and carry out communication with external parties relevant to information security.
  - Example: sign confidentiality agreements with business partners to protect shared sensitive information.
- 47. A.15.1.3 Information and awareness campaigns: run information and awareness campaigns within the organisation on information security.
  - Example: provide internal training courses for employees on information security and cyber threats.
- A.16 Documentation and records
- 48. A.16.1.1 Policies and procedures for documentation and records: develop policies and procedures for managing documentation and records.
  - Example: establish procedures for documenting important records and storing them securely.
- 49. A.16.1.2 Internal and external records: confirm that internal and external records retain adequate security information.
  - Example: create records of access to sensitive data and log the changes made to it.
- 50. A.16.1.3 Protection of records: ensure that records are protected from unauthorised access and tampering.
  - Example: apply security measures such as encrypting the data stored in sensitive records.
- A.17 Monitoring
- 51. A.17.1.1 Monitoring system: develop a system for monitoring access to information and its use and processing.
  - Example: install access monitoring systems to record all activities relevant to information security.
- 52. A.17.1.2 Evaluation of the monitoring system: evaluate the effectiveness of the monitoring system and improve it continually.
  - Example: review the retained logs to ensure that every access took place in accordance with policies and procedures.
- 53. A.17.2.1 Protection of monitoring information: protect monitoring information from unauthorised access and tampering.
  - Example: apply protective measures such as encrypting monitoring data to prevent unauthorised access.
- 55. A.18.1.2 Security self-assessment: carry out a security self-assessment to verify how far the organisation complies with security requirements.
  - Example: conduct an assessment of the current security threats and the organisation's ability to deal with them.
- 56. A.18.2.1 Internal audit: carry out an internal audit to verify the implementation and effectiveness of the information security management system.
  - Example: conduct an internal audit to assess how well security processes conform to the requirements of ISO/IEC 27001.
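The access-control items above (A.9.1.1 permissions defined per job role, A.9.2.2 logging of every database access, A.9.2.4 disabling accounts on termination) together with the log review in the A.17.1.2 example describe a check that can be automated. The following Python script is an added example, not code from the original document: it reviews a database access log against a role-to-permission policy and a user directory and reports every record that policy does not allow. The role table, user directory, log lines and the log format itself are constructed sample data for the illustration.

```python
"""Review a database access log against a role-based access policy.

Added example (not from the original document) illustrating A.9.1.1,
A.9.2.2, A.9.2.4 and the A.17.1.2 log review. The policy, user directory
and log lines below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed policy (A.9.1.1): the permissions granted to each job role.
ROLE_PERMISSIONS = {
    "analyst": {"customers:read"},
    "dba": {"customers:read", "customers:write", "schema:alter"},
    "auditor": {"audit_log:read"},
}

# Constructed user directory. `disabled_at` is the moment the account was
# disabled after termination (A.9.2.4); None means the account is active.
USERS = {
    "alice": {"role": "analyst", "disabled_at": None},
    "bob": {"role": "dba", "disabled_at": None},
    "carol": {"role": "analyst", "disabled_at": datetime(2024, 3, 1, 9, 0)},
}

# Constructed access log (A.9.2.2): one record per operation, giving the
# timestamp, the account, the permission exercised and the object touched.
ACCESS_LOG = """\
2024-03-01T08:15:00 alice customers:read customers/1042
2024-03-01T08:20:00 bob schema:alter customers
2024-03-01T08:25:00 alice customers:write customers/1042
2024-03-01T09:30:00 carol customers:read customers/77
2024-03-01T09:45:00 mallory customers:read customers/3
2024-03-01T09:50:00 bob customers:read customers/1043
"""


@dataclass
class Finding:
    """One log record that did not comply with the access policy."""
    timestamp: datetime
    user: str
    permission: str
    target: str
    reason: str


def parse_log(text: str):
    """Parse records of the form '<ISO timestamp> <user> <permission> <target>'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, perm, target = line.split()
        records.append((datetime.fromisoformat(ts), user, perm, target))
    return records


def review_access_log(text: str, users=USERS, role_permissions=ROLE_PERMISSIONS):
    """Return a Finding for every record that is not allowed by policy.

    Three conditions are checked, in order: the account is unknown, the
    account had already been disabled when the access happened, or the
    permission exercised is not granted to the account's role.
    """
    findings = []
    for ts, user, perm, target in parse_log(text):
        entry = users.get(user)
        if entry is None:
            findings.append(Finding(ts, user, perm, target, "unknown account"))
            continue
        disabled_at: Optional[datetime] = entry["disabled_at"]
        if disabled_at is not None and ts >= disabled_at:
            findings.append(Finding(ts, user, perm, target, "account disabled"))
            continue
        if perm not in role_permissions.get(entry["role"], set()):
            reason = f"permission not granted to role '{entry['role']}'"
            findings.append(Finding(ts, user, perm, target, reason))
    return findings


def summarise(findings):
    """Count findings by reason, for the review report."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_log(ACCESS_LOG)
    for f in results:
        print(f"{f.timestamp.isoformat()} {f.user:8} {f.permission:16} {f.target}: {f.reason}")
    print(summarise(results))
```

A record by a disabled account is worth keeping separate from a plain permission mismatch: if A.9.2.4 had been applied, that access could not have happened, so the finding points at the disabling procedure rather than at the user's role. The review is only as good as the log's completeness, which is why A.9.2.2 asks for every operation to be recorded and why A.17.2.1 asks for the log itself to be protected from tampering.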
**Answer: D**
**Explanation:** ISO 27001 is designed specifically to help organizations
establish and maintain an effective information security management system,
ensuring that they assess risks and appropriately manage them.
**Answer: C**
**Explanation:** ISO 27001 requires the documentation of the ISMS scope,
Information Security Policy, and the Risk Assessment and Risk Treatment
methodology. However, records of data protection impact assessments are not
mandatory under ISO 27001; these are more relevant to data protection
standards like the GDPR.
**Answer: B**
**Explanation:** Top management is responsible for demonstrating leadership
and commitment to the ISMS by ensuring the availability of necessary resources,
supporting relevant roles, and promoting continual improvement.
**Answer: D**
**Explanation:** The 'Act' phase of the PDCA cycle is about taking actions
based on the performance evaluation and audit results to continually improve
the effectiveness of the ISMS.
**Answer: C**
**Explanation:** The Statement of Applicability is a mandatory document for
ISO 27001 compliance. It details which controls from Annex A of the standard are
applied within the organization, and provides justification for excluding any
controls.
More sample multiple-choice questions covering various aspects of ISO 27001,
suitable for someone preparing for a Lead Implementer exam:
**Answer: D**
**Explanation:** The ISMS scope should include internal factors like business
objectives, organizational structure, and IT systems, but it does not typically
include competitors' security practices, as the scope focuses on the organization
itself.
**Answer: C**
**Explanation:** Risk treatment involves selecting risk management options
and determining all the controls necessary to mitigate those risks. This follows
the risk assessment phase where risks are identified and evaluated.
8. **ISO 27001 requires that the results of the risk assessment and risk treatment
are reviewed at planned intervals. What is the primary purpose of this review?**
A) To ensure the accuracy of financial reporting
B) To determine the effectiveness of the implemented controls
C) To prepare for external audits
D) To update the business continuity plans
**Answer: B**
**Explanation:** The primary purpose of reviewing risk assessments and
treatments is to ensure that the controls are effectively mitigating risks as
intended and to identify any areas where the risk management process may need
improvement.
**Answer: C**
**Explanation:** Internal audits are a fundamental part of ISO 27001 and serve
to assess whether the ISMS meets the organization's own requirements and
those of the standard itself. They check both conformity with documentation and
effective implementation and maintenance.
**Answer: A**
**Explanation:** Information security continuity refers to the need for
planning and implementing information security measures that continue to
operate effectively during and following a disruptive incident. This is a part of
overall business continuity management.
**Answer: C**
**Explanation:** The Risk Treatment Plan is a crucial document that records
identified risks, assessments of these risks, and the actions planned or taken to
manage these risks according to the risk treatment decisions.
13. **What type of security incident needs to be reported according to ISO 27001
requirements?**
A) Only incidents that lead to a financial loss
B) All security incidents
C) Only incidents confirmed by an external audit
D) Incidents that are reported by customers
**Answer: B**
**Explanation:** ISO 27001 requires that all security incidents be reported and
properly logged, regardless of their apparent severity, to ensure that they can be
analyzed and used for improving the ISMS.
**Answer: D**
**Explanation:** While ISO 27001 significantly helps manage and mitigate
information security risks, it does not guarantee the elimination of all IT risks, as
some risks are inherent and cannot be completely removed.
15. **In ISO 27001, which of the following best describes the term 'asset'?**
A) Anything that has a financial value in the market
B) Only physical devices like computers and servers
C) Any resource of value to the organization
D) Only data stored electronically
**Answer: C**
**Explanation:** In the context of ISO 27001, an asset refers to any resource of
value to the organization, including information, physical devices, services, and
personnel.
16. **Which principle of information security does 'encryption' primarily
support?**
A) Availability
B) Integrity
C) Confidentiality
D) Accountability
**Answer: C**
**Explanation:** Encryption is primarily used to support the confidentiality of
information, ensuring that data is inaccessible to unauthorized individuals.
17. **How often should the effectiveness of the ISMS be reviewed according to
ISO 27001?**
A) At least annually
B) Only after a security breach
C) Every two years
D) Whenever there is a major change in the organization
**Answer: A**
**Explanation:** ISO 27001 recommends that the ISMS be reviewed at least
annually to ensure its continuing suitability, adequacy, and effectiveness,
although reviews may also be necessary after significant changes.
**Answer: C**
**Explanation:** Management reviews are conducted to evaluate the ISMS's
performance, suitability, and effectiveness, ensuring that it meets the
organization's objectives and identifying areas for improvement.
19. **Which of the following statements about ISO 27001 certification is true?**
A) It requires recertification every 10 years
B) It is granted for life once achieved
C) It requires periodic surveillance audits
D) It can be granted by any consultant
**Answer: C**
**Explanation:** ISO 27001 certification is not permanent and requires
periodic surveillance audits to ensure ongoing compliance, along with a
recertification audit typically every three years.
**Answer: B**
**Explanation:** The ultimate goal of implementing ISO 27001 is to protect
and secure the organization's information assets from all types of threats,
whether internal or external, deliberate or accidental.
21. **What does the term 'residual risk' refer to in the context of ISO 27001?**
A) The risk remaining after all controls have been applied
B) The initial risk identified before any controls are applied
C) The risk transferred to a third party
D) The risk accepted by management
**Answer: A**
**Explanation:** Residual risk is the amount of risk that remains after all
controls and other treatment methods have been applied. It is the risk that the
organization decides it must live with.
22. **Which ISO 27001 principle supports the concept of ensuring that data,
assets, and resources are safeguarded from unauthorized modifications?**
A) Integrity
B) Confidentiality
C) Availability
D) Authentication
**Answer: A**
**Explanation:** Integrity in information security ensures that information is
accurate and complete, and is protected against unauthorized modification.
23. **What is the primary function of an ISMS audit program according to ISO
27001?**
A) To ensure compliance with legal requirements only
B) To review and improve the technological infrastructure of the organization
C) To provide a systematic approach to assess and improve the effectiveness of
the ISMS
D) To ensure that the ISMS is generating a profit for the organization
**Answer: C**
**Explanation:** The audit program is a systematic approach intended to
assess the effectiveness of the ISMS and to identify areas for improvement in the
security practices of the organization.
24. **Which activity is involved in the 'Do' phase of the PDCA (Plan-Do-Check-Act)
cycle applied in ISO 27001?**
A) Defining the scope and objectives
B) Implementing the risk treatment plan
C) Conducting internal audits
D) Reviewing the ISMS at management reviews
**Answer: B**
**Explanation:** The 'Do' phase involves implementing the risk treatment plan
which includes applying the security controls and procedures outlined in the
'Plan' phase.
25. **What is expected from the communication process as per ISO 27001
requirements?**
A) It should be documented and occur only in formal settings.
B) It should include communicating only with internal stakeholders.
C) It should ensure information security awareness among all relevant parties.
D) It should focus primarily on technical communication between IT staff.
**Answer: C**
**Explanation:** Effective communication as per ISO 27001 should ensure that
all relevant parties are aware of information security requirements, risks, and
controls, thereby promoting an organizational culture of security.
26. **Which statement best describes the 'risk owner' in ISO 27001?**
A) The risk owner is the person responsible for managing the IT department.
B) The risk owner is the person responsible for funding the ISMS.
C) The risk owner is the person accountable for managing a risk and ensuring it
is treated appropriately.
D) The risk owner is always a member of senior management.
**Answer: C**
**Explanation:** The risk owner is the individual who has the accountability
and authority to manage a risk and to ensure that appropriate measures are
taken to treat that risk.
**Answer: B**
**Explanation:** The frequency of risk assessments should be determined
based on the performance of the ISMS and considering any external or internal
changes that might affect the system.
28. **Which of the following is a correct action during the 'Check' phase of the
PDCA cycle in ISO 27001?**
A) Establishing the ISMS
B) Applying controls
C) Conducting performance measurement and monitoring
D) Modifying policies
**Answer: C**
**Explanation:** The 'Check' phase involves monitoring and reviewing the
performance of the ISMS, which includes regular performance measurement and
auditing.
**Answer: C**
**Explanation:** The ISMS policy is a high-level document that outlines the
organization’s management direction and support for information security in
accordance with business requirements and relevant laws and regulations.
31. **Which of the following best describes 'asset management' in ISO 27001?**
A) Managing the financial assets of the organization.
B) Ensuring physical security of the organization's premises.
C) Identifying, classifying, and protecting information assets.
D) Managing the inventory of IT hardware.
**Answer: C**
**Explanation:** Asset management in ISO 27001 refers to the processes
involved in identifying, classifying, and protecting information assets to ensure
that valuable data is adequately secured against threats.
32. **In ISO 27001, what is the primary purpose of implementing an Information
Security Management System (ISMS)?**
A) To ensure regulatory compliance only.
B) To enhance customer trust and business reputation.
C) To guarantee no information security breaches.
D) To systematically manage information security risks to business information.
**Answer: D**
**Explanation:** The primary purpose of implementing an ISMS is to
systematically manage risks to the organization's information, thereby ensuring
the security of assets, data, and resources.
33. **What role does 'employee training and awareness' play in an ISMS under
ISO 27001?**
A) It is considered unnecessary as long as technical controls are in place.
B) It is pivotal in ensuring that employees understand their roles and
responsibilities towards information security.
C) It only applies to IT staff.
D) It is optional but recommended.
**Answer: B**
**Explanation:** Training and awareness are critical components of an ISMS.
Ensuring that all employees are aware of the information security policies and
their specific security responsibilities is vital to the effectiveness of the ISMS.
**Answer: B**
**Explanation:** The Change Management Policy is crucial as it outlines
procedures that ensure security is maintained and risks are reassessed whenever
organizational changes occur.
35. **What is the function of an Information Security Forum within the context
of ISO 27001?**
A) To resolve IT system malfunctions.
B) To discuss and review the information security policies and practices.
C) To handle marketing and public relations.
D) To audit financial transactions.
**Answer: B**
**Explanation:** An Information Security Forum serves as a platform for
discussing and reviewing the organization’s information security policies,
practices, and issues, promoting a robust security culture.
36. **Under ISO 27001, which type of control is used to manage the operation of
the ISMS?**
A) Strategic controls
B) Operational controls
C) Technical controls
D) Organizational controls
**Answer: B**
**Explanation:** Operational controls in ISO 27001 are those directly related to
the management and execution of the ISMS in daily operations, ensuring its
effectiveness.
**Answer: B**
**Explanation:** Understanding the context of the organization involves
identifying both internal and external factors that can influence the ISMS’s ability
to achieve its intended outcomes, essential for effective risk management.
38. **Which action should be taken if a risk exceeds the defined risk appetite in
ISO 27001?**
A) It should be ignored as an outlier.
B) It should be immediately transferred to a third party.
C) It should be mitigated to an acceptable level.
D) It should be accepted without mitigation.
**Answer: C**
**Explanation:** If a risk exceeds the organization's risk appetite, it should be
mitigated through appropriate controls to bring it down to an acceptable level,
ensuring it aligns with the organization’s risk strategy.
**Answer: C**
**Explanation:** Controls should be reviewed at regular intervals and in
response to significant changes or security incidents to ensure they are effective
and continue to protect the organization as intended.
40. **What is the role of a Data Protection Officer (DPO) in relation to ISO
27001?**
A) The DPO is responsible for managing all financial risks.
B) The DPO solely handles customer complaints regarding data breaches.
C) The DPO ensures that data protection requirements are integrated into the
ISMS.
D) The DPO is irrelevant to ISO 27001.
**Answer: C**
**Explanation:** The Data Protection Officer plays a crucial role in ensuring
that data protection laws and policies are integrated into the ISMS, particularly
important in jurisdictions with stringent data protection regulations.
41. **What is the purpose of the 'risk assessment' process in ISO 27001?**
A) To identify security threats and vulnerabilities.
B) To ensure compliance with local laws only.
C) To monitor employee activities.
D) To invest in security technologies.
**Answer: A**
**Explanation:** Risk assessment is critical in ISO 27001 as it helps identify the
organization's security threats and vulnerabilities, allowing for effective planning
of controls to mitigate these risks.
42. **ISO 27001 requires the establishment of security objectives. At which level
should these objectives be set?**
A) Only at the top management level.
B) At relevant functions and levels within the organization.
C) Solely within the IT department.
D) Exclusively at the operational level.
**Answer: B**
**Explanation:** Security objectives should be set at relevant functions and
levels within the organization to ensure comprehensive coverage and integration
of information security into all areas of operation.
**Answer: C**
**Explanation:** An effectively implemented ISMS enhances an organization's
resilience against information security threats by systematically managing risks
associated with information assets.
44. **Which type of analysis is crucial for determining the impact of identified
risks in ISO 27001?**
A) Competitor analysis.
B) Financial analysis.
C) Impact analysis.
D) Performance analysis.
**Answer: C**
**Explanation:** Impact analysis is crucial in the risk assessment process as it
helps determine the potential consequences of identified risks, guiding the
decision on appropriate controls.
45. **In ISO 27001, what is the significance of the 'Statement of Applicability'?**
A) It details all technical specifications of security systems.
B) It is a contract with stakeholders.
C) It documents which controls are applicable and justifies exclusions.
D) It lists only the applicable legal requirements.
**Answer: C**
**Explanation:** The Statement of Applicability is a key document that details
which controls from the ISO 27001 standard have been selected, implemented,
and why, including justifications for any exclusions.
**Answer: C**
**Explanation:** Continuous improvement in ISO 27001 involves periodically
reviewing the ISMS to identify opportunities for improvement and making
necessary changes to enhance its overall effectiveness.
47. **How should changes to the ISMS be managed according to ISO 27001?**
A) Changes should be implemented spontaneously as issues arise.
B) Changes must be managed in a controlled manner.
C) Changes are discouraged and should be avoided.
D) Only external changes should be managed.
**Answer: B**
**Explanation:** ISO 27001 emphasizes that changes to the ISMS should be
managed in a controlled manner, ensuring that they do not adversely affect
security or the effectiveness of the system.
**Answer: B**
**Explanation:** Monitoring and measurement are important to assess the
performance and effectiveness of the ISMS, helping identify areas that require
attention or improvement.
49. **According to ISO 27001, what should be done when nonconformities are
identified?**
A) They should be ignored unless they cause significant damage.
B) They must be corrected and actions taken to prevent their recurrence.
C) They should be reported only to management.
D) They must be accepted as part of the risk.
**Answer: B**
**Explanation:** When nonconformities are identified, they must be corrected
and actions taken to prevent their recurrence, as part of a proactive approach to
improve the ISMS.
**Answer: B**
**Explanation:** Information security incident management involves
establishing procedures and responsibilities to ensure that security incidents are
managed and reviewed effectively, helping minimize the impact of such incidents
on the organization.
51. **Which ISO 27001 control is primarily concerned with protecting data during
transit?**
A) Asset management
B) Cryptographic controls
C) Physical and environmental security
D) Operational security
**Answer: B**
**Explanation:** Cryptographic controls are essential for protecting data
during transit, ensuring that it remains confidential and integral by encrypting the
data as it moves across networks.
52. **What is the role of the internal audit according to ISO 27001?**
A) To correct non-conformities before external audits.
B) To ensure legal compliance.
C) To assess conformity with organizational and regulatory requirements.
D) To handle customer complaints regarding information security.
**Answer: C**
**Explanation:** The role of the internal audit is to assess the ISMS's
conformity with organizational policies and objectives, as well as compliance with
ISO 27001 and other regulatory requirements.
53. **Which ISO 27001 principle ensures that information is available and
accessible to authorized users when needed?**
A) Integrity
B) Confidentiality
C) Availability
D) Authenticity
**Answer: C**
**Explanation:** The principle of availability ensures that information and
related assets are accessible to authorized users whenever required.
**Answer: B**
**Explanation:** The risk management process in ISO 27001 focuses on
identifying, assessing, and controlling risks related to information security,
ensuring that they are within acceptable limits.
**Answer: B**
**Explanation:** ISO 27002 provides guidance on implementing the security
controls listed in ISO 27001, offering best practice recommendations on
information security management.
**Answer: B**
**Explanation:** Performance evaluation is used to assess how well the ISMS
meets the organization's information security requirements and objectives.
57. **What is the first step in the risk assessment process according to ISO
27001?**
A) Identifying threats
B) Assessing impact
C) Establishing the context
D) Evaluating likelihood
**Answer: C**
**Explanation:** Establishing the context is the first step in the risk assessment
process, where the parameters for managing risk are defined, including the
organization's external and internal environments.
**Answer: D**
**Explanation:** Operational procedures and responsibilities are key to
ensuring that information processing facilities are managed securely and
consistently, following predefined practices.
59. **What does 'user access management' entail under ISO 27001?**
A) Monitoring user activities on social media
B) Controlling user access to information systems and services
C) Managing user complaints about system access
D) Ensuring all users have equal access to information
**Answer: B**
**Explanation:** User access management involves controlling access to
information systems and services, ensuring that users have appropriate access
rights based on their roles and responsibilities.
60. **ISO 27001 requires consideration of which aspects when defining the scope
of the ISMS?**
A) The size and structure of the organization
B) The organization’s location and cultural aspects
C) Personal interests of top management
D) All of the above
**Answer: A**
**Explanation:** When defining the scope of the ISMS, it's important to
consider the size and structure of the organization to ensure that the ISMS is
comprehensive and applicable across all relevant areas.
**Answer: C**
**Explanation:** Incident management in ISO 27001 aims to effectively
manage and control information security incidents and weaknesses, minimizing
their impact and preventing recurrence.
62. **Which document must specify the responsibilities and authorities for roles
involved with the ISMS?**
A) The Information Security Policy
B) The Scope Document
C) The Risk Assessment Report
D) The Statement of Applicability
**Answer: A**
**Explanation:** The Information Security Policy should clearly specify the
responsibilities and authorities for roles involved with managing the ISMS,
ensuring clarity in accountability.
63. **How should the effectiveness of the controls implemented as part of the
ISMS be measured?**
A) Through internal audits and regular reviews
B) Solely based on the number of security breaches
C) By the speed of IT response teams
D) Based on external audits only
**Answer: A**
**Explanation:** The effectiveness of the controls should be assessed through
internal audits, regular reviews, and performance evaluations to ensure they are
operating as intended and meeting the organization's security objectives.
**Answer: B**
**Explanation:** Risk treatment involves determining actions to address
identified risks, which may include mitigating, accepting, transferring, or avoiding
the risks, depending on their severity and impact.
**Answer: B**
**Explanation:** Aligning the ISMS with organizational objectives ensures that
it supports the overall business strategy and adds value, enhancing the
organization's security posture in a way that promotes its goals.
66. **What is the role of a management review in the context of ISO 27001?**
A) To focus on the personal performance of management staff
B) To evaluate the performance, status, and effectiveness of the ISMS
C) To assess customer satisfaction with the organization
D) To provide financial audits
**Answer: B**
**Explanation:** Management reviews are critical as they assess the
performance, status, and effectiveness of the ISMS, identifying opportunities for
improvement and ensuring it remains effective and aligned with the
organizational needs.
67. **How often should the ISMS be updated or reviewed for effectiveness?**
A) Only after a security breach
B) At regular intervals, considering operational feedback and environmental
changes
C) Once every five years
D) When there is a change in IT management
**Answer: B**
**Explanation:** The ISMS should be reviewed and updated at regular
intervals, taking into account operational feedback, environmental changes, and
the results of audits to ensure ongoing suitability, adequacy, and effectiveness.
68. **What should be included in the scope of the ISMS according to ISO
27001?**
A) Only the IT department
B) Every area where information is processed, stored, or transmitted
C) Only customer data
D) The headquarters office only
**Answer: B**
**Explanation:** The scope of the ISMS should include all areas where
information is processed, stored, or transmitted within the organization, ensuring
comprehensive coverage of all potential security risks.
69. **Which of the following is a recommended practice for maintaining
information security during employee termination or change of employment?**
A) Retaining access rights indefinitely
B) Performing an exit interview to ensure awareness of ongoing confidentiality
agreements
C) Allowing continued access to the network for a grace period
D) None of the above
**Answer: B**
**Explanation:** Conducting an exit interview to reinforce confidentiality
agreements and responsibilities is a recommended practice to maintain security
when an employee leaves or changes roles within the organization.
70. **What is the main reason for classifying information in ISO 27001?**
A) To determine the scope of the marketing strategy
B) To ensure appropriate levels of security are applied based on sensitivity and
value
C) To make information publicly accessible
**Answer: B**
**Explanation:** Classifying information is important to ensure that
appropriate security controls are applied based on the sensitivity and value of the
information, protecting it according to its importance to the organization.
**Answer: C**
**Explanation:** Risk assessments in ISO 27001 aim to systematically identify,
evaluate, and prioritize information security risks to the organization, enabling
informed decision-making about risk treatment.
**Answer: B**
**Explanation:** The PDCA (Plan-Do-Check-Act) cycle is a four-step
management method used for the control and continuous improvement of
processes and products, including those related to information security
management in ISO 27001.
**Answer: C**
**Explanation:** The Information Security Policy provides a high-level overview
of the organization's intentions and direction regarding information security
management, including its commitment to protecting information assets.
**Answer: D**
**Explanation:** An Information Security Steering Committee is responsible for
guiding and overseeing the development, implementation, and maintenance of
the ISMS, ensuring it aligns with organizational objectives and strategies.
75. **Which ISO 27001 control category addresses physical security concerns?**
A) Human resource security
B) Access control
C) Physical and environmental security
D) Cryptography
**Answer: C**
**Explanation:** The physical and environmental security category in ISO
27001 addresses controls related to protecting information systems, equipment,
and facilities from physical threats and environmental hazards.
**Answer: C**
**Explanation:** Internal audits in ISO 27001 are conducted to assess the
effectiveness of the ISMS, verify compliance with organizational policies and
procedures, and identify areas for improvement.
**Answer: C**
**Explanation:** Security awareness training in ISO 27001 is essential for
educating employees about security risks, best practices, and their
responsibilities in maintaining information security within the organization.
**Answer: C**
**Explanation:** A gap analysis in ISO 27001 implementation helps identify
discrepancies between current information security practices and the
requirements outlined in the ISO 27001 standard, guiding the development of an
action plan for compliance.
**Answer: B**
**Explanation:** Asset management controls in ISO 27001 include managing
the use of removable media to prevent unauthorized access or data breaches
through portable storage devices.
**Answer: C**
**Explanation:** Establishing an incident response plan in ISO 27001 is crucial
for minimizing the impact of security incidents, reducing recovery time, and
maintaining the organization's resilience against security threats.
81. **What is the purpose of conducting a business impact analysis (BIA) in ISO
27001?**
A) To assess the financial health of the organization
B) To identify critical business functions and their dependencies on information
assets
C) To evaluate employee satisfaction
D) To review marketing strategies
**Answer: B**
**Explanation:** The purpose of conducting a business impact analysis (BIA) in
ISO 27001 is to identify critical business functions and their dependencies on
information assets, helping prioritize resources for protection and recovery.
82. **What is the primary objective of conducting risk treatment in ISO 27001?**
A) To eliminate all identified risks
B) To transfer all risks to third parties
C) To reduce, mitigate, or accept identified risks to an acceptable level
D) To ignore identified risks
**Answer: C**
**Explanation:** The primary objective of risk treatment in ISO 27001 is to
reduce, mitigate, or accept identified risks to an acceptable level based on
organizational risk tolerance and objectives.
83. **Which ISO 27001 control category focuses on ensuring that information is
protected from unauthorized access and disclosure?**
A) Human resource security
B) Access control
C) Cryptography
D) Physical and environmental security
**Answer: B**
**Explanation:** The access control category in ISO 27001 focuses on ensuring
that information is protected from unauthorized access and disclosure through
the implementation of appropriate access control measures.
**Answer: B**
**Explanation:** The purpose of conducting a management review in ISO
27001 is to evaluate the performance and suitability of the ISMS, ensuring its
effectiveness and alignment with organizational objectives.
**Answer: B**
**Explanation:** The role of the risk owner in ISO 27001 is to manage and
oversee the treatment of identified risks, ensuring that appropriate measures are
taken to address them effectively.
**Answer: B**
**Explanation:** Establishing an incident response team in ISO 27001 is
important to minimize the impact of security incidents and ensure a coordinated
response to effectively manage and mitigate security breaches.
**Answer: C**
**Explanation:** The purpose of conducting security awareness training in ISO
27001 is to educate employees about security risks, best practices, and their
responsibilities in maintaining information security within the organization.
88. **Which ISO 27001 control category addresses the protection of information
during storage and transmission?**
A) Human resource security
B) Cryptography
C) Physical and environmental security
D) Access control
**Answer: B**
**Explanation:** The cryptography category in ISO 27001 addresses controls
related to the protection of information during storage and transmission through
the use of encryption and cryptographic techniques.
89. **What is the primary objective of conducting internal audits in ISO 27001?**
A) To identify potential security incidents
B) To ensure compliance with legal requirements
C) To assess the effectiveness of the ISMS and identify areas for improvement
D) To conduct financial audits
**Answer: C**
**Explanation:** The primary objective of conducting internal audits in ISO
27001 is to assess the effectiveness of the ISMS, verify compliance with
organizational policies and procedures, and identify areas for improvement.
**Answer: C**
**Explanation:** Establishing a clear information security policy in ISO 27001 is
important to guide and inform employees about information security
expectations and responsibilities within the organization, ensuring consistency
and compliance.
**Answer: C**
**Explanation:** A risk assessment methodology in ISO 27001 provides a
structured approach for identifying, analyzing, and evaluating information
security risks within the organization.
92. **Which ISO 27001 control category focuses on ensuring that information
assets are identified and managed appropriately?**
A) Asset management
B) Access control
C) Cryptography
D) Physical and environmental security
**Answer: A**
**Explanation:** The asset management category in ISO 27001 focuses on
ensuring that information assets are identified and managed appropriately
throughout their lifecycle.
93. **What is the role of the information security manager in ISO 27001?**
A) To handle financial audits
B) To oversee the implementation and maintenance of the ISMS
C) To manage marketing campaigns
D) To monitor competitor activities
**Answer: B**
**Explanation:** The role of the information security manager in ISO 27001 is
to oversee the implementation and maintenance of the Information Security
Management System (ISMS) within the organization.
94. **Which ISO 27001 control category focuses on ensuring that information is
protected from unauthorized access and modification?**
A) Human resource security
B) Access control
C) Cryptography
D) Physical and environmental security
**Answer: B**
**Explanation:** The access control category in ISO 27001 focuses on ensuring
that information is protected from unauthorized access and modification through
the implementation of appropriate access controls.
95. **What is the primary objective of conducting security awareness training in
ISO 27001?**
A) To increase employee turnover
B) To ensure compliance with marketing strategies
C) To educate employees about security risks and best practices
D) To improve customer satisfaction
**Answer: C**
**Explanation:** The primary objective of conducting security awareness
training in ISO 27001 is to educate employees about security risks, threats, and
best practices to enhance the organization's overall security posture.
**Answer: D**
**Explanation:** It is important for an organization to establish a risk
treatment plan in ISO 27001 to address identified risks through appropriate
measures, such as mitigation, acceptance, or avoidance.
**Answer: B**
**Explanation:** The purpose of conducting regular management reviews in
ISO 27001 is to evaluate the performance and effectiveness of the Information
Security Management System (ISMS) within the organization.
98. **Which ISO 27001 control category addresses the protection of information
during storage and transmission?**
A) Human resource security
B) Access control
C) Cryptography
D) Physical and environmental security
**Answer: C**
**Explanation:** The cryptography category in ISO 27001 addresses controls
related to the protection of information during storage and transmission through
the use of cryptographic techniques.
**Answer: B**
**Explanation:** The role of the risk owner in ISO 27001 is to manage and
oversee the treatment of identified risks, ensuring that appropriate measures are
taken to address them effectively.
**Answer: B**
**Explanation:** It is important for an organization to establish an incident
response team in ISO 27001 to minimize the impact of security incidents and
ensure a coordinated response to effectively manage and mitigate security
breaches.
**Answer: D**
**Explanation:** ISO 27001 is specifically designed to help organizations establish and maintain an effective information security management system, ensuring that they assess and manage risks appropriately.
2. **Which of the following is not a mandatory document according to ISO 27001?**
A) The scope of the information security management system
B) The information security policy
C) A record of data protection impact assessments
D) The risk assessment and treatment methodology
**Answer: C**
**Explanation:** ISO 27001 requires documentation of the ISMS scope, the information security policy, and the risk assessment and treatment methodology. Records of data protection impact assessments, however, are not mandatory under ISO 27001; they relate more closely to data protection regimes such as GDPR.
3. **What is the role of top management according to ISO 27001?**
A) Implementing the information security management system on a daily basis.
B) Providing the resources needed for the information security management system.
C) Conducting the internal audit.
D) Making decisions about risk treatment on its own.
**Answer: B**
**Explanation:** Top management is responsible for demonstrating leadership and commitment to the ISMS by ensuring that the necessary resources are provided, supporting the relevant roles, and promoting continual improvement.
4. **Which step of the Plan-Do-Check-Act (PDCA) cycle involves taking actions to continually improve the performance of the information security management system?**
A) Plan
B) Act
C) Check
D) Do
**Answer: D**
**Explanation:** The "Act" phase of the PDCA cycle is concerned with taking actions based on the results of performance evaluation and audit findings to improve the effectiveness of the information security management system.
5. **Which of the following statements about the Statement of Applicability in ISO 27001 is correct?**
A) It is optional.
B) It only lists the excluded controls.
C) It lists the applicable controls and explains why the others are excluded.
D) It must be kept confidential and not shared with external parties.
**Answer: C**
**Explanation:** The Statement of Applicability is a mandatory document for ISO 27001 compliance. It lists the controls from Annex A of the standard that are applied within the organization and provides a justification for excluding any controls.
6. **What is not considered part of the scope of the information security management system according to ISO 27001?**
A) Business objectives
B) Organizational structure
C) The IT systems used in the organization
D) Competitors' security practices
**Answer: D**
**Explanation:** The ISMS scope should include internal factors such as business objectives, organizational structure, and IT systems, but it usually does not include competitors' security practices, since the scope focuses on the organization itself.
7. **What does risk treatment mean in the context of ISO 27001?**
A) Identifying risks
B) Assessing the impact and likelihood of risks
C) Selecting options for dealing with risks
D) Monitoring risks
**Answer: C**
**Explanation:** Risk treatment involves selecting risk management options and determining all the controls needed to mitigate those risks. It comes after the risk assessment phase, in which risks are identified and evaluated.
8. **ISO 27001 requires that the results of risk assessment and risk treatment be reviewed at planned intervals. What is the primary purpose of this review?**
A) Ensuring the accuracy of financial reports
B) Determining the effectiveness of the applied controls
C) Preparing for external audits
D) Updating business continuity plans
**Answer: B**
**Explanation:** The primary purpose of reviewing risk assessment and treatment is to ensure that the controls are mitigating risks effectively, as intended, and to identify any areas of the risk management process that may need improvement.
9. **Which statement accurately describes the purpose of internal audits as required by ISO 27001?**
A) Correcting non-compliance before external audits
B) Meeting legal requirements
C) Assessing whether the information security management system conforms to the planned arrangements and is properly implemented and maintained
D) Promoting the information security management system to stakeholders
**Answer: C**
**Explanation:** Internal audits are an essential part of ISO 27001 and aim to assess whether the ISMS meets the organization's requirements and those of the standard itself. They examine compliance with the documentation, effective implementation, and maintenance.
10. **What is meant by "information security continuity" according to ISO 27001?**
A) Ensuring that security measures continue to operate during a disruptive incident
B) Continuity of information security management in the organization's daily routine
C) Uninterrupted availability of information
D) Continual improvement of the information security management system
**Answer: A**
**Explanation:** Information security continuity refers to the need to plan and implement security measures that remain effective during and after a disruptive incident. It is part of business continuity management in general.
Certainly, here are more multiple-choice questions that cover various aspects of the ISO 27001 standard and suit those preparing for a Lead Implementer exam:
### Additional questions
11. **Which is the primary document in which identified risks, their assessments, and the responses to them must be recorded according to ISO 27001?**
A) Risk assessment report
B) Information security policy
C) Risk treatment plan
D) Information security management system (ISMS) review report
**Answer: C**
**Explanation:** The risk treatment plan is a critical document that records the identified risks, their assessments, and the actions planned or taken to manage those risks in accordance with the risk treatment decisions.
12. **What is the purpose of "access control" in ISO 27001?**
A) Ensuring the security of the building's facilities
B) Preventing unauthorized access to information
C) Monitoring employee behavior
D) Improving the efficiency of the IT system
**Answer: B**
**Explanation:** In the context of ISO 27001, access control aims to prevent unauthorized access to information, ensuring that access is available only to those who hold access privileges.
13. **Which type of security incident must be reported according to ISO 27001 requirements?**
A) Only incidents that lead to financial loss
B) All security incidents
C) Only incidents confirmed through an external audit
D) Incidents reported by customers
**Answer: B**
**Explanation:** ISO 27001 requires that all security incidents be reported and properly recorded, regardless of their apparent severity, so that they can be analyzed and used to improve the information security management system.
14. **Which of the following is not a direct benefit of implementing an information security management system according to ISO 27001?**
A) Improved reputation with stakeholders
B) Increased sales
C) Legal compliance
D) A guarantee that all technological risks are eliminated
**Answer: D**
**Explanation:** While ISO 27001 helps greatly in managing and mitigating information security risks, it does not guarantee the elimination of all technological risks, since some risks are inherent to the system and cannot be removed entirely.
15. **In ISO 27001, what best describes the term "asset"?**
A) Anything that has financial value in the market
B) Only physical devices such as computers and servers
C) Any resource that has value to the organization
D) Only electronically stored data
**Answer: C**
**Explanation:** In the context of ISO 27001, the term "asset" refers to any resource that has value to the organization, including information, physical devices, services, and personnel.
**… primarily?**
A) Availability
B) Integrity
C) Confidentiality
D) Accountability
**Answer: C**
**Explanation:** Encryption is used primarily to support the confidentiality of information, ensuring that data is not available to unauthorized individuals.
17. **At what interval should the effectiveness of the information security management system be reviewed according to ISO 27001?**
A) At least annually
B) Only after a security breach
C) Every two years
D) Whenever a major change occurs in the organization
**Answer: A**
**Explanation:** ISO 27001 recommends reviewing the information security management system at least annually to ensure its continuing suitability, adequacy, and effectiveness, although reviews may also be needed after major changes.
18. **What is the role of "management review" in the information security management system?**
A) It is primarily for auditing financial data
B) It is a technical review of the IT data infrastructure
C) It is an assessment of the performance and suitability of the information security management system
D) It deals with employee compliance with security policies
**Answer: C**
**Explanation:** Management reviews are conducted to assess the performance and suitability of the information security management system, ensuring that it achieves the organization's objectives and identifying areas that may need improvement.
**Answer: C**
**Explanation:** ISO 27001 certification is not permanently valid; it requires periodic surveillance audits to ensure continued compliance, in addition to a recertification audit, usually every three years.
20. **What is the ultimate goal of implementing ISO 27001 in an organization?**
A) Ensuring complete confidentiality of all organizational information
B) Protecting and securing information assets from all types of threats
C) Increasing IT efficiency
D) Compliance with international trade laws
**Answer: B**
**Explanation:** The ultimate goal of implementing ISO 27001 is to protect and secure the organization's information assets from all types of threats, whether internal or external, by taking appropriate security measures.
21. **What does the term "residual risk" refer to in the context of ISO 27001?**
A) The risk that remains after all controls have been applied.
B) The initial risk identified before any controls are applied.
C) The risk that has been transferred to a third party.
D) The risk that management has accepted.
**Answer: A**
**Explanation:** Residual risk is the risk that remains after all controls and other treatment methods have been applied. It is the risk the organization decides to live with.
22. **Which ISO 27001 principle supports the concept of ensuring that data, assets, and resources are protected from unauthorized modification?**
A) Integrity.
B) Confidentiality.
C) Availability.
D) Authentication.
**Answer: A**
**Explanation:** Integrity in information security ensures that information is accurate and complete, and protected against unauthorized modification.
23. **What is the primary function of the audit program for the information security management system according to ISO 27001?**
A) To ensure compliance with legal requirements only.
B) To review and improve the organization's technological infrastructure.
C) To provide a systematic approach to assessing and improving the effectiveness of the information security management system.
D) To ensure that the information security management system generates profit for the organization.
**Answer: C**
**Explanation:** The audit program is a systematic approach aimed at assessing the effectiveness of the information security management system and identifying areas of the organization's security practices that can be improved.
24. **Which activity belongs to the "Do" phase of the PDCA cycle (Plan, Do, Check, Act) as applied in ISO 27001?**
A) Defining the scope and objectives.
B) Implementing the risk treatment plan.
C) Conducting internal audits.
D) Reviewing the information security management system in management reviews.
**Answer: B**
**Explanation:** The "Do" phase involves implementing the risk treatment plan, which includes applying the security controls and the procedures
**Answer: C**
**Explanation:** Effective communication under ISO 27001 must ensure that all relevant parties are aware of the information security requirements, risks, and controls, which strengthens the security culture within the organization.
26. **Which statement best describes the "risk owner" in ISO 27001?**
A) The risk owner is the person responsible for managing the IT department.
B) The risk owner is the person responsible for funding the information security management system.
C) The risk owner is the person responsible for managing a risk and ensuring it is treated appropriately.
D) The risk owner is always a member of top management.
**Answer: C**
**Explanation:** The risk owner is the individual with the responsibility and authority to manage a particular risk and to ensure that appropriate measures are taken to treat that risk.
27. **What should be considered when determining how often risk assessments are performed in ISO 27001?**
A) The frequency should be the same for all types of organizations.
B) The frequency depends on the performance of the information security management system and on external changes.
C) Risk assessment should be conducted weekly.
D) The frequency is regulated by the government.
**Answer: B**
**Explanation:** The frequency of risk assessment should be determined based on the performance of the information security management system, taking into account any external or internal changes that may affect the system.
28. **What is the correct action during the "Check" phase of the PDCA cycle in ISO 27001?**
A) Establishing the information security management system.
B) Applying controls.
C) Conducting performance measurement and monitoring.
D) Amending policies.
**Answer: C**
**Explanation:** The "Check" phase includes monitoring and reviewing the performance of the information security management system, and the
**Answer: C**
**Explanation:** ISO 27001 adopts a process-based approach, which includes establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the information security management system.
30. **What is the information security management system policy according to ISO 27001?**
A) It is a technical guideline for IT systems only.
B) It is a detailed guide to all security procedures.
C) It is a high-level document that explains the organization's approach to information security.
D) It is a contract with a security service provider.
**Answer: C**
**Explanation:** The information security management system policy is a high-level document that sets out management direction and support for information security in accordance with business requirements and the relevant laws and regulations.
31. **Which of the following best describes "asset management" in ISO 27001?**
A) Managing the organization's financial assets.
B) Ensuring the physical security of the organization's buildings.
C) Identifying, classifying, and protecting information assets.
D) Managing the inventory of computer hardware.
**Answer: C**
**Explanation:** Asset management in ISO 27001 refers to the processes involved in identifying, classifying, and protecting information assets, ensuring that valuable data is adequately secured against threats.
32. **In ISO 27001, what is the main purpose of implementing an information security management system (ISMS)?**
A) To ensure regulatory compliance only.
B) To enhance customer confidence and business reputation.
C) To ensure that no information security breaches occur.
D) To systematically manage the information security risks to business information.
**Answer: D**
**Explanation:** The main purpose of implementing an information security management system is to systematically manage the organization's information security risks, and thereby ensure the security of its assets, data, and resources.
33. **What is the role of "employee training and awareness" in the ISMS under ISO 27001?**
A) It is considered unnecessary as long as technical controls exist.
B) It plays a prominent role in ensuring that employees understand their roles and responsibilities towards information security.
C) It applies only to IT staff.
D) It is optional but recommended.
**Answer: B**
**Explanation:** Training and awareness are two critical components of the ISMS. It must be ensured that all employees are aware of the information security policies and of their defined security responsibilities, which is essential to the effectiveness of the ISMS.
34. **Which document specifies how organizational changes are managed to ensure that information security is maintained according to ISO 27001?**
A) Information security policy.
B) Change management policy.
C) Risk treatment plan.
D) Information security management system review report.
**Answer: B**
**Explanation:** The change management policy is important because it sets out the procedures that ensure security is maintained and risks are reassessed when organizational changes occur.
35. **What is the function of the information security forum in the context of ISO 27001?**
A) Resolving IT system failures.
B) Discussing and reviewing information security policies and practices.
C) Handling marketing and public relations.
D) Auditing financial transactions.
**Answer: B**
**Explanation:** The information security forum serves as a platform for discussing and reviewing the organization's information security policies and practices, fostering a strong security culture.
36. **Under ISO 27001, which type of control is used to manage the ISMS process?**
A) Strategic control.
B) Operational control.
C) Technical control.
D) Organizational control.
**Answer: B**
**Explanation:** Operational controls in ISO 27001 are those directly related to managing and implementing the ISMS in daily operations, ensuring its effectiveness.
37. **What is the importance of the "context of the organization" in ISO 27001?**
A) It defines the scope of the marketing strategy.
B) It involves understanding the internal and external issues that may affect the ISMS.
C) It relates only to global economic factors.
D) It focuses on the technical aspects of IT management.
**Answer: B**
**Explanation:** Understanding the context of the organization involves identifying the internal and external factors that may affect the ISMS's ability to achieve its intended outcomes, which is essential for managing risks effectively.
38. **What action should be taken if a risk exceeds the defined risk level in ISO 27001?**
A) It should be ignored as an isolated case.
B) It should be transferred immediately to a third party.
C) It should be mitigated to an acceptable level.
D) It should be accepted without mitigation.
**Answer: C**
**Explanation:** If a risk exceeds the organization's risk level, it should be mitigated through appropriate controls to reduce it to an acceptable level, ensuring that it is consistent with the organization's risk strategy.
39. **When should the effectiveness of the controls applied in the ISMS be reviewed according to ISO 27001?**
A) Once, at implementation.
B) Only when a security breach occurs.
C) Regularly and in response to security incidents.
D) Every five years.
**Answer: C**
**Explanation:** Controls should be reviewed regularly and in response to major changes or security incidents to ensure that they remain effective and continue to protect the organization as planned.
40. **What is the role of the Data Protection Officer (DPO) in relation to ISO 27001?**
A) The Data Protection Officer is responsible for managing all financial risks.
B) The Data Protection Officer deals exclusively with customer complaints about data breaches.
C) The Data Protection Officer ensures that data protection requirements are integrated into the ISMS.
D) The Data Protection Officer is not relevant to ISO 27001.
**Answer: C**
**Explanation:** The Data Protection Officer plays a critical role in ensuring that data protection laws and policies are integrated into the information security management system, especially in jurisdictions with strict data protection regulations.
41. **What is the purpose of the "risk assessment" process in ISO 27001?**
A) Identifying threats and vulnerabilities.
B) Ensuring compliance with local laws only.
C) Monitoring employee activities.
D) Investing in security technologies.
**Answer: A**
**Explanation:** Risk assessment is critical in ISO 27001 because it helps identify the organization's threats and vulnerabilities, enabling effective planning to control these risks.
42. **ISO 27001 requires the establishment of security objectives. At what level should these objectives be set?**
A) Only at the top management level.
B) At the relevant functions and levels within the organization.
C) Within the IT department only.
D) Exclusively at the executive level.
**Answer: B**
**Explanation:** Security objectives should be set at various functional levels within the organization to ensure comprehensive coverage and the integration of information security into all areas of the business.
43. **Which of the following is an expected benefit of effectively implementing an information security management system according to ISO 27001?**
A) Elimination of all IT security risks.
B) Increased organizational profitability.
C) Enhanced resilience against information security threats.
D) Reduced employee turnover.
**Answer: C**
**Explanation:** Effectively implementing an information security management system enhances the organization's resilience against information security threats by systematically managing the risks related to its information assets.
44. **Which type of analysis is necessary to determine the impact of identified risks in ISO 27001?**
A) Competitor analysis.
B) Financial analysis.
C) Impact analysis.
D) Performance analysis.
**Answer: C**
**Explanation:** Impact analysis is critical in the risk assessment process because it helps determine the potential consequences of the identified risks and guides decisions about appropriate controls.
45. **What is the meaning of the "Statement of Applicability" in ISO 27001?**
A) It describes all the technical specifications of the security systems.
B) It is a contract with interested parties.
C) It documents which controls are applicable and justifies the exclusions.
D) It lists only the applicable legal requirements.
**Answer: C**
**Explanation:** The Statement of Applicability is a key document that sets out the specific ISO 27001 controls that have been selected and implemented and the reasons for that, including the justifications for any exclusions.
**Answer: C**
**Explanation:** Continual improvement in ISO 27001 involves regularly reviewing the information security management system to identify opportunities for improvement and making the necessary changes.
**Answer: B**
**Explanation:** ISO 27001 emphasizes the need to manage changes to the information security management system in a controlled manner, ensuring that they do not adversely affect the security or effectiveness of the system.
48. **What is the role of "monitoring and measurement" in the information security management system?**
A) Compliance with marketing strategies.
B) Verifying the performance and effectiveness of the information security management system.
C) Tracking the financial performance related only to security investments.
D) Measuring employee satisfaction.
**Answer: B**
**Explanation:** Monitoring and measurement are important for assessing the performance and effectiveness of the information security management system, helping to identify areas that need attention or improvement.
49. **According to ISO 27001, what should be done when nonconformities are identified?**
A) They should be ignored unless they cause significant damage.
B) They should be corrected and actions taken to prevent their recurrence.
C) They should be reported only to management.
D) They should be accepted without correction.
**Answer: B**
**Explanation:** When nonconformities are identified, they should be corrected and actions taken to prevent their recurrence, as part of the proactive approach to improving the information security management system.
50. **What is meant by "information security incident management" in ISO 27001?**
A) Planning exclusive social events to discuss the effects of incidents.
B) The procedures and responsibilities for managing and reviewing security incidents.
C) An annual review of past security incidents only.
D) Outsourcing incident management to third-party services.
**Answer: B**
**Explanation:** Information security incident management involves establishing procedures and responsibilities to ensure that security incidents are managed and reviewed effectively, which helps reduce the impact of such incidents on the organization.
51. **Which ISO 27001 control is primarily concerned with protecting data in transit?**
A) Asset management
B) Cryptographic controls
C) Physical and environmental security
D) Operational security
**Answer: B**
**Explanation:** Cryptographic controls are essential for protecting data in transit, ensuring the confidentiality and integrity of data by encrypting it as it moves across networks.
52. **What is the role of internal audit according to ISO 27001?**
A) Correcting nonconformities before external audits.
B) Ensuring legal compliance.
C) Assessing compliance with organizational and regulatory requirements.
D) Handling customer complaints about information security.
**Answer: C**
**Explanation:** The role of internal audit is to assess the compliance of the information security management system with the organization's policies and objectives, as well as compliance with the requirements of ISO 27001 and other regulatory requirements.
53. **Which ISO 27001 principle ensures that information is available and accessible to authorized users when needed?**
A) Integrity
B) Confidentiality
C) Availability
D) Authenticity
**Answer: C**
**Explanation:** The availability principle ensures that information and the related assets are available and accessible to authorized users when needed.
54. **What is the purpose of the risk management process in the information security management system according to ISO 27001?**
A) Eliminating all business risks
B) Identifying, assessing, and controlling information security risks
C) Ensuring the organization's economic stability
D) Monitoring employee performance
**Answer: B**
**Explanation:** The risk management process in ISO 27001 focuses on identifying, assessing, and controlling risks related to information security, ensuring that they remain within acceptable limits.
55. **Which document provides detailed guidance on implementing the ISO 27001 controls?**
A) ISO 27000
B) ISO 27002
C) ISO 27005
D) ISO 27032
**Answer: B**
**Explanation:** ISO 27002 provides guidance on implementing the security controls listed in ISO 27001, and offers
**Answer: B**
**Explanation:** Performance evaluation is used to assess the extent to which the information security management system meets the organization's security requirements and objectives.
57. **What is the first step in the risk assessment process according to ISO 27001?**
A) Identifying threats
B) Assessing impact
C) Establishing the context
D) Assessing likelihood
**Answer: C**
**Explanation:** Establishing the context is the first step in the risk assessment process; it is where the criteria for risk management are defined, including the organization's internal and external environments.
58. **Why are operational procedures and responsibilities important in ISO 27001?**
A) They determine only the financial budget of the information security management system.
B) They are necessary for legal and regulatory compliance.
C) They help manage and reduce the complexity of technological operations.
D) They ensure consistent and secure management of information processing facilities.
**Answer: D**
**Explanation:** Operational procedures and responsibilities are essential to ensuring that information processing facilities are managed securely and consistently, following predefined practices.
59. **What does "user access management" include under ISO 27001?**
A) Monitoring user activities on social media
B) Controlling user access to information systems and services
C) Managing user complaints about system access
D) Ensuring that all users have equal access to information
**Answer: B**
**Explanation:** User access management involves controlling users' access to information systems and services, ensuring that users have appropriate access rights based on their roles and responsibilities.
60. **Which aspects does ISO 27001 require to be considered when determining the scope of the information security management system?**
A) Only the size and structure of the organization
B) Only the organization's location and cultural aspects
C) Only the concerns of people in top management
D) All of the above
**Answer: A**
**Explanation:** When determining the scope of the information security management system, it is important to consider the organization's size and structure to ensure that the scope of the system is comprehensive and applicable to all relevant areas.
61. **What is the main objective of incident management in ISO 27001?**
A) Preventing incidents from occurring
B) Ensuring that all incidents are reported to the police
C) Effectively managing and controlling information security incidents and weaknesses
D) Recording incidents for legal purposes only
**Answer: C**
**Explanation:** Incident management in ISO 27001 aims to effectively manage and control information security incidents and weaknesses, reducing their impact and preventing their recurrence.
62. **Which document should define the responsibilities and authorities for the roles involved in the information security management system?**
A) Information security policy
B) Scope document
C) Risk assessment report
D) Statement of Applicability
**Answer: A**
**Explanation:** The information security policy should clearly define the responsibilities and authorities of the roles involved in managing the information security management system, ensuring clear accountability.
63. **How should the effectiveness of the controls implemented as part of the information security management system be measured?**
A) Through internal audits and regular reviews
B) Based only on the number of security breaches
C) By the speed of the technology response teams
D) Based on external audits only
**Answer: A**
**Explanation:** The effectiveness of controls should be assessed through internal audits, regular reviews, and performance evaluations to ensure that they operate as expected and meet the organization's security objectives.
**Answer: B**
**Explanation:** Risk treatment involves determining the actions for dealing with the identified risks, which may include mitigating, accepting, transferring, or avoiding them, depending on their severity and impact.
65. **Why is it important for the information security management system to be aligned with organizational objectives?**
A) To ensure that it serves IT management objectives only
B) To ensure that the information security management system supports the overall business and strategic objectives
C) To comply with technological standards only
D) To focus exclusively on external threats
**Answer: B**
**Explanation:** Aligning the information security management system with organizational objectives ensures that it supports the overall business strategy and adds value, strengthening the organization's security posture in a way that advances its goals.
66. **What is the role of management review in the context of ISO 27001?**
A) Focusing on the personal performance of management staff
B) Assessing the performance, status, and effectiveness of the information security management system
C) Assessing customer satisfaction with the organization
D) Presenting financial audits
**Answer: B**
**Explanation:** Management reviews are critical because they assess the performance, status, and effectiveness of the information security management system, identifying opportunities for improvement and ensuring that it remains effective and aligned with the organization's needs.
67. **What is the recommended timeline for updating or reviewing the information security management system to keep it effective?**
A) Only after a security breach occurs
B) Regularly, taking into account operational feedback and environmental changes
C) Once every five years
D) Whenever there is a change in IT management
**Answer: B**
**Explanation:** The information security management system should be reviewed and updated regularly, taking into account operational feedback, environmental changes, and audit results, to ensure its continued suitability, adequacy, and effectiveness.
ً c
** .68ﻣﺎ اﻟﺬي -ﺠﺐ ﺗﻀﻤﻴﻨﻪ yzﻧﻄﺎق ﻧﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت وﻓﻘﺎ ﻟﻤﻌ7ﺎر ISO 27001؟**
أ( ﻓﻘﻂ إدارة ﺗﻜﻨﻮﻟﻮﺟ7ﺎ اﻟﻤﻌﻠﻮﻣﺎت
ب( Mﻞ ﻣﻨﻄﻘﺔ ﺣ7ﺚ ﻳﺘﻢ ﻣﻌﺎﻟﺠﺔ اﻟﻤﻌﻠﻮﻣﺎت أو ﺗﺨ[sﻨﻬﺎ أو ﻧﻘﻠﻬﺎ
ج( ﺑ7ﺎﻧﺎت اﻟﻌﻤﻼء ﻓﻘﻂ
@ ﻓﻘﻂ o
د( ﻣﻜﺘﺐ اﻟ}ﻛﺔ اﻟﺮﺋ∞ z
**اﻹﺟﺎ\ﺔ :ب**
**اﻟ}oح- **:ﺠﺐ أن ™ﺸﻤﻞ ﻧﻄﺎق ﻧﻈﺎم إدارة أﻣﺎن اﻟﻤﻌﻠﻮﻣﺎت ﺟﻤﻴﻊ اﻟﻤﺠﺎﻻت اﻟ Ñzﻳﺘﻢ ﻓﻴﻬﺎ ﻣﻌﺎﻟﺠﺔ
j
اﻟﻤﻌﻠﻮﻣﺎت أو ﺗﺨ[sﻨﻬﺎ أو ﻧﻘﻠﻬﺎ داﺧﻞ اﻟﻤﺆﺳﺴﺔ ،ﻣﻤﺎ -ﻀﻤﻦ ﺗﻐﻄ7ﺔ ﺷﺎﻣﻠﺔ ﻟﺠﻤﻴﻊ اﻟﻤﺨﺎﻃﺮ اﻷﻣﻨ7ﺔ
ا ﻟ ﻤ ﺤ ﺘ ﻤ ﻠ ﺔ.
c
@ ﻟﺘﺼ∫7ﻒ اﻟﻤﻌﻠﻮﻣﺎت ISO 27001 yz؟** ** .69ﻣﺎ ﻫﻮ اﻟﺴ“ﺐ اﻟﺮﺋ∞ z
أ( ﻟﺘﺤﺪ-ﺪ ﻧﻄﺎق اﻻﺳijاﺗ7ﺠ7ﺔ اﻟïﺴ[°ﻘ7ﺔ
ً
ب( ﻟﻀﻤﺎن ﺗﻄﺒﻴﻖ ﻣﺴﺘ[°ﺎت ﻣﻨﺎﺳUﺔ ﻣﻦ اﻷﻣﺎن اﺳïﻨﺎدا إ rاﻟﺤﺴﺎﺳ7ﺔ واﻟﻘ7ﻤﺔ
ج( ﻟﺠﻌﻞ اﻟﻤﻌﻠﻮم
**اﻹﺟﺎ\ﺔ :ب**
ً
**اﻟ}oح- **:ﻌﺘ iﺗﺼ∫7ﻒ اﻟﻤﻌﻠﻮﻣﺎت أﻣًﺮا ﻣﻬًﻤﺎ ﻟﻀﻤﺎن ﺗﻄﺒﻴﻖ اﻟﻀﻮا\ﻂ اﻷﻣﻨ7ﺔ اﻟﻤﻨﺎﺳUﺔ اﺳïﻨﺎدا إr
ً
ﺣﺴﺎﺳ7ﺔ وﻗ7ﻤﺔ اﻟﻤﻌﻠﻮﻣﺎت ،ﻣﻤﺎ -ﺤﻤﻴﻬﺎ وﻓﻘﺎ ﻷﻫﻤﻴﺘﻬﺎ ﻟﻠﻤﺆﺳﺴﺔ.
c
** .71ﻣﺎ اﻟﻐﺮض اﻟﺮﺋ∞ z
@ ﻣﻦ إﺟﺮاء ﺗﻘﻴ7ﻤﺎت اﻟﻤﺨﺎﻃﺮ ISO 27001 yz؟**
(Aﺗﺤﺪ-ﺪ اﻟﺤﻮادث اﻷﻣﻨ7ﺔ اﻟﻤﺤﺘﻤﻠﺔ
B) To determine the financial impact of security breaches
C) To identify, evaluate and prioritize information security risks
D) To allocate a budget for security controls
**Answer: C**
**Explanation:** Risk assessments in ISO 27001 aim to identify, evaluate and prioritize the organization's information security risks, enabling informed decisions about risk treatment.
**72. What does the PDCA cycle represent in ISO 27001?**
A) Plan, Develop, Control, Evaluate
B) Plan, Do, Check, Act
C) Protect, Detect, Correct, Adapt
D) Prepare, Deploy, Coordinate, Analyze
**Answer: B**
**Explanation:** The PDCA cycle (Plan-Do-Check-Act) is a four-step management method used for the control and continual improvement of processes and products, including those related to information security management in ISO 27001.
**73. Which document sets out the organization's overall intention and direction regarding information security management according to ISO 27001?**
A) Statement of Applicability
B) Risk assessment report
C) Information security policy
D) Control objectives document
**Answer: C**
**Explanation:** The information security policy provides a high-level overview of the organization's intentions and direction regarding information security management, including its commitment to protecting information assets.
**74. What is the role of the "information security steering committee" in ISO 27001?**
A) Supervising the implementation of security controls
B) Reviewing financial reports
C) Monitoring employee productivity
D) Directing and overseeing the development and maintenance of the ISMS
**Answer: D**
**Explanation:** The information security steering committee is responsible for directing and overseeing the development, implementation and maintenance of the ISMS, ensuring it is aligned with the organization's objectives and strategies.
**75. Which ISO 27001 control category addresses physical security concerns?**
A) Human resources security
B) Access control
C) Physical and environmental security
D) Cryptography
**Answer: C**
**Explanation:** The physical and environmental security category in ISO 27001 covers the controls for protecting information systems, equipment and facilities from physical threats and environmental hazards.
**76. What is the purpose of conducting internal audits in ISO 27001?**
A) To identify external threats to the organization
B) To verify compliance with legal requirements
C) To evaluate the effectiveness of the ISMS and identify areas needing improvement
D) To conduct financial audits
**Answer: C**
**Explanation:** Internal audits in ISO 27001 are conducted to evaluate the effectiveness of the ISMS, verify compliance with the organization's policies and procedures, and identify areas that need improvement.
**77. Why is "security awareness training" important in ISO 27001?**
A) To increase employee turnover
B) To ensure compliance with marketing strategies
C) To make employees aware of security risks and their responsibilities
D) To improve customer satisfaction
**Answer: C**
**Explanation:** Security awareness training in ISO 27001 is essential for making employees aware of security risks, best practices and their responsibilities in maintaining information security within the organization.
**78. What is the purpose of conducting a gap analysis when implementing ISO 27001?**
A) To identify opportunities to increase revenue
B) To assess the maturity level of the ISMS
C) To identify the differences between current practices and the requirements of ISO 27001
D) To evaluate employee performance
**Answer: C**
**Explanation:** A gap analysis when implementing ISO 27001 helps identify the differences between current information security practices and the requirements of the ISO 27001 standard, guiding the development of an action plan for compliance.
**Answer: B**
**Explanation:** The asset management controls in ISO 27001 include managing the use of removable media to prevent unauthorized access or data breaches through portable storage devices.
**80. Why is it important to establish an incident response plan in ISO 27001?**
A) To avoid legal liabilities
B) To ensure compliance with government regulations
C) To reduce the impact of security incidents and shorten recovery time
D) To increase the workload on employees
**Answer: C**
**Explanation:** Establishing an incident response plan in ISO 27001 is essential for reducing the impact of security incidents, shortening recovery time and preserving the organization's ability to recover from security threats.
**81. What is the purpose of conducting a business impact analysis (BIA) in ISO 27001?**
A) To assess the organization's financial health
B) To identify critical business functions and their dependencies on information assets
C) To evaluate employee satisfaction
D) To review marketing strategies
**Answer: B**
**Explanation:** The purpose of a business impact analysis (BIA) in ISO 27001 is to identify critical business functions and their dependencies on information assets, helping to determine where resources for protection and recovery should be directed.
**82. What is the primary goal of risk treatment in ISO 27001?**
A) To eliminate all identified risks
B) To transfer all risks to third parties
C) To reduce, mitigate or accept identified risks to an acceptable level
D) To ignore identified risks
**Answer: C**
**Explanation:** The primary goal of risk treatment in ISO 27001 is to reduce, mitigate or accept identified risks to an acceptable level, based on the organization's risk tolerance and objectives.
**83. Which ISO 27001 control category focuses on ensuring information is protected from unauthorized access and disclosure?**
A) Human resources security
B) Access control
C) Cryptography
D) Physical and environmental security
**Answer: B**
**Explanation:** The access control category in ISO 27001 focuses on protecting information from unauthorized access and disclosure by implementing appropriate access control measures.
**84. What is the purpose of conducting a management review in ISO 27001?**
A) To review customer complaints
B) To evaluate the performance and suitability of the ISMS
C) To monitor competitors
D) To evaluate employee satisfaction
**Answer: B**
**Explanation:** The purpose of a management review in ISO 27001 is to evaluate the performance and suitability of the ISMS, ensuring its effectiveness and alignment with the organization's objectives.
**85. What is the role of the risk owner in ISO 27001?**
A) To transfer all risks to third parties
B) To manage and oversee the treatment of identified risks
C) To ignore identified risks
D) To escalate all risks to senior management
**Answer: B**
**Explanation:** The role of the risk owner in ISO 27001 is to manage and oversee the treatment of identified risks, ensuring appropriate measures are taken to address them effectively.
**86. Why is it important to establish an incident response team in ISO 27001?**
A) To handle marketing campaigns
B) To reduce the impact of security incidents and ensure a coordinated response
C) To evaluate employee productivity
D) To manage customer complaints
**Answer: B**
**Explanation:** Establishing an incident response team in ISO 27001 is important for reducing the impact of security incidents and ensuring a coordinated response to manage and mitigate security breaches effectively.
**87. What is the purpose of conducting security awareness training in ISO 27001?**
A) To increase employee turnover
B) To ensure compliance with marketing strategies
C) To make employees aware of security risks and their responsibilities
D) To improve customer satisfaction
**Answer: C**
**Explanation:** The purpose of security awareness training in ISO 27001 is to make employees aware of security risks, best practices and their responsibilities in maintaining information security within the organization.
**88. Which ISO 27001 control category addresses the protection of information during storage and transmission?**
A) Human resources security
B) Cryptography
C) Physical and environmental security
D) Access control
**Answer: B**
**Explanation:** The cryptography category in ISO 27001 covers the controls for protecting information during storage and transmission through the use of encryption and cryptographic techniques.
**89. What is the primary goal of conducting internal audits in ISO 27001?**
A) To identify potential security threats
B) To ensure compliance with legal requirements
C) To evaluate the effectiveness of the ISMS and identify areas needing improvement
D) To conduct financial audits
**Answer: C**
**Explanation:** The primary goal of internal audits in ISO 27001 is to evaluate the effectiveness of the ISMS, verify compliance with the organization's policies and procedures, and identify areas that need improvement.
**90. Why is it important for an organization to establish a clear information security policy in ISO 27001?**
A) To increase the workload on employees
B) To ensure compliance with government regulations
C) To guide and inform employees about information security expectations and responsibilities
D) To monitor employee performance
**Answer: C**
**Explanation:** It is important for an organization to establish a clear information security policy in ISO 27001 to guide and inform employees about information security expectations and responsibilities within the organization, ensuring consistency and compliance.
**91. What is the purpose of the risk assessment methodology in ISO 27001?**
A) To eliminate all identified risks within the organization
B) To determine the financial impact of potential risks
C) To provide a structured approach for identifying, analyzing and evaluating information security risks
D) To evaluate employee productivity levels
**Answer: C**
**Explanation:** The risk assessment methodology in ISO 27001 provides a structured approach for identifying, analyzing and evaluating information security risks within the organization.
**92. Which ISO 27001 control category focuses on ensuring that assets are properly identified and managed?**
A) Asset management
B) Access control
C) Cryptography
D) Physical and environmental security
**Answer: A**
**Explanation:** The asset management category in ISO 27001 focuses on ensuring that assets are properly identified and managed throughout their lifecycle.
**93. What is the role of the information security manager in ISO 27001?**
A) To handle financial audits
B) To oversee the implementation and maintenance of the ISMS
C) To manage marketing campaigns
D) To monitor competitors' activities
**Answer: B**
**Explanation:** The role of the information security manager in ISO 27001 is to oversee the implementation and maintenance of the ISMS within the organization.
**94. Which ISO 27001 control category focuses on ensuring information is protected from unauthorized access and modification?**
A) Human resources security
B) Access control
C) Cryptography
D) Physical and environmental security
**Answer: B**
**Explanation:** The access control category in ISO 27001 focuses on protecting information from unauthorized access and modification by implementing appropriate access controls.
**95. What is the primary goal of conducting security awareness training in ISO 27001?**
A) To increase employee turnover
B) To ensure compliance with marketing strategies
C) To make employees aware of security risks and best practices
D) To improve customer satisfaction
**Answer: C**
**Explanation:** The primary goal of security awareness training in ISO 27001 is to make employees aware of security risks, threats and best practices in order to strengthen the organization's overall security posture.
**96. Why is it important for an organization to establish a risk treatment plan in ISO 27001?**
A) To ignore identified risks
B) To eliminate all identified risks
C) To transfer all identified risks to third parties
D) To address identified risks through appropriate measures
**Answer: D**
**Explanation:** It is important for an organization to establish a risk treatment plan in ISO 27001 so that identified risks are addressed through appropriate measures, such as mitigation, acceptance or avoidance.
**97. What is the purpose of conducting periodic management reviews in ISO 27001?**
A) To review customer complaints
B) To evaluate the performance and effectiveness of the ISMS
C) To evaluate employee productivity levels
D) To monitor competitors' activities
**Answer: B**
**Explanation:** The purpose of periodic management reviews in ISO 27001 is to evaluate the performance and effectiveness of the ISMS within the organization.
**98. Which ISO 27001 control category focuses on protecting information during storage and transmission?**
A) Human resources security
B) Access control
C) Cryptography
D) Physical and environmental security
**Answer: C**
**Explanation:** The cryptography category in ISO 27001 focuses on protecting information during storage and transmission through the use of encryption techniques.
**99. What is the role of the risk owner in ISO 27001?**
A) To transfer all risks to third parties
B) To manage and oversee the treatment of identified risks
C) To ignore identified risks
D) To escalate all risks to senior management
**Answer: B**
**Explanation:** The role of the risk owner in ISO 27001 is to manage and oversee the treatment of identified risks, making sure appropriate measures are taken to address them effectively.
**100. Why is it important for an organization to establish an incident response team in ISO 27001?**
A) To handle financial audits
B) To reduce the impact of security incidents and ensure a coordinated response
C) To review customer complaints
D) To evaluate employee productivity levels
**Answer: B**
**Explanation:** It is important for an organization to establish an incident response team in ISO 27001 to reduce the impact of security incidents and ensure a coordinated response to manage and mitigate security breaches effectively.