Vietnam: What are the details of National Standard TCVN ISO/IEC 27001:2019 on information security management systems?

“What are the details of National Standard TCVN ISO/IEC 27001:2019 on information security management systems in Vietnam?” - asked Ms. H.Q (Dong Thap)

What is the overview of National Standard TCVN ISO/IEC 27001:2019 on information security management systems in Vietnam?

National Standard TCVN ISO/IEC 27001:2019 specifies requirements for the establishment, implementation, maintenance and continuous improvement of information security management systems.

The adoption of an information security management system is a strategic decision of the organization. The establishment and implementation of an organization's information security management system are influenced by the organization's needs and objectives, its security requirements, the processes it uses, and its size and structure. All of these influencing factors are expected to change over time.

An information security management system preserves the confidentiality, integrity, and availability of information by applying a risk management process, and gives interested parties confidence that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization's processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls. It is expected that the implementation of an information security management system will be scaled in accordance with the needs of the organization.

This National Standard can be used by internal and external parties to assess an organization's ability to meet its own information security requirements.

The order in which requirements are presented in this National Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purposes only.

ISO/IEC 27000 provides the overview and vocabulary of information security management systems, referencing the family of information security management system standards (including ISO/IEC 27003, ISO/IEC 27004, and ISO/IEC 27005), together with related terms and definitions.

What is the scope of regulation of National Standard TCVN ISO/IEC 27001:2019 in Vietnam?

Pursuant to Section 1 of National Standard TCVN ISO/IEC 27001:2019, the scope of regulation of National Standard TCVN ISO/IEC 27001:2019 in Vietnam is determined as follows:

This National Standard specifies requirements for the establishment, implementation, maintenance, and continuous improvement of an information security management system within the context of an organization.

This National Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this National Standard are generic and are intended to be applicable to all organizations, regardless of type, size, or nature.

The requirements in Sections 4 to 10 of this National Standard are mandatory: none of them may be excluded when an organization claims conformity with this National Standard.

The normative reference of National Standard TCVN ISO/IEC 27001:2019 is National Standard TCVN 11238:2015 (ISO/IEC 27000:2014), Information technology - Security techniques - Information security management systems - Overview and vocabulary.

This referenced document is indispensable for the application of this National Standard. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document applies, including any amendments and supplements.

What are the regulations on the context of the organization under National Standard TCVN ISO/IEC 27001:2019 in Vietnam?

In Section 4 of National Standard TCVN ISO/IEC 27001:2019, there are the following provisions:

Context of the organization
4.1 Understanding the organization and its context
The organization shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its information security management system.
Note: Determining these issues refers to establishing the external and internal context of the organization, as considered in Article 5.3 of TCVN ISO 31000:2011 (ISO 31000:2009) [5].
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) the interested parties that are relevant to the information security management system;
b) the information security requirements of these interested parties.
Note: The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in Article 4.1;
b) the requirements referred to in Article 4.2;
c) the interfaces and dependencies between activities performed by the organization and those performed by other organizations.
The scope shall be available as documented information.
4.4 Information security management system
The organization shall establish, implement, maintain, and continuously improve an information security management system in accordance with the requirements of this National Standard.

Accordingly, the context of the organization shall be addressed in accordance with the content of the standard set out above.

LawNet