Principles of information security management system:
Procedure documents generally do not contain purely technical details; those are usually set out in work instructions or operating instructions;
Procedure documents set out the objectives and implementation of the various activities that affect information security. They should clearly define the responsibilities, authority and relationships of the managers, executors, auditors or inspectors involved in information security, and explain how each activity is carried out, which documents are to be used and which control methods are to be applied.
The scope and level of detail of the procedure documents should depend on the complexity of the security work, the methods used, and the skills, qualifications and training level of the personnel involved in the activity;
Procedure documents should be concise, clear and easy to understand, so that they are operable and verifiable;
Procedure documents should keep a unified structure and format, so that they are easy to understand and use.
Matters needing attention in information security management system:
Procedure documents should match the actual operation of the organization's business and be operable;
Verifiability. An important sign that an information security management system has been implemented is that its effectiveness can be verified. Procedure documents are the main place where this verifiability is expressed, and they should carry corresponding control criteria where necessary;
Before formally drafting the procedure documents, the organization should plan the number of procedure documents and their control points according to the requirements of the standard, the results of the risk assessment and the organization's actual situation, so as to ensure the necessary links between procedures and avoid extensive duplication of the same content across different procedures. In addition, the number of procedure documents and the length of each procedure should be kept as small as possible, provided security and controllability are preserved;
The procedure documents shall be agreed and accepted by the heads of the departments involved in the activity concerned, must be formally approved, and shall state their revision and validity period.