隨著資訊科技日益普及，近年來資安事件仍層出不窮。行政院國家資通安全會報於94年5月，訂定「政府機關(構)資訊安全責任等級分級作業實施計畫」，針對各種資訊安全的潛在威脅，提出以建立管理機制並配合技術支援服務的方式，期能有效防護資訊資產，提昇資訊安全。其中管理面的具體措施為建構「資訊安全管理系統」（ISMS, Information Security Management System），並規範列屬資安責任等級為A或B級之機關，應在規定之期限內通過由第三方(third party)公正機構驗證符合資訊安全國際標準。根據行政院科技顧問組針對A、B級機關在2008年進行資安責任等級應辦事項調查顯示，B級機關在資安認證達成率只有43%，可見通過資安認證有其困難性。
本研究依據已通過資安認證的機關的經驗分享文獻，分析歸納導入ISMS所可能遭遇的主要問題，從而主張可以採用內容管理系統(CMS, Content Management System)的平台來協助組織導入ISMS。Drupal是一套結構簡單且具高擴展性模組化的開放源碼內容管理系統，不僅容易在其平台上建立客製化的應用系統，且有大量的社群可提供技術支援，故本研採用Drupal建置輔助系統，方便組織在導入符合國際標準的ISMS(如ISO 27001)時，可以集中管理各類相關資訊，評定資產價值，計算風險值，並提供組織申請ISO驗證時作為部份佐證資料的集中管理。

As information technology is widely used in our daily work and life, incidents of information security also occurs from time to time. In May of 2005, the National Information & Communication Security Taskforce of R.O.C. instituted “The operational plan for classifying the information security duty grade of the government agencies”. The plan demands government agencies to establish technological support services along with management mechanisms for all potential security threats to provide effective information security management. In addition, all agencies whose security grade belongs to the A or B levels must pass the third party certification for ISO Information Security Standard within a specific deadline. However, as shown in the investigation report released by the government technology advisors in 2008, the achievement rate for information security certification on grade B government agencies is only 43%. Therefore, it is perceived that there are some difficulties in passing the information security certification

This thesis analyzes and summarizes the main difficulties that organizations may encounter when establishing an ISMS by following the international IS standard ISO 27001. The analysis results show that document management is a key issue. Therefore, we claim that a content management platform is a good foundation to build an assistant for an organization to establish its ISMS. To demonstrate our proposal, we choose the open source content management platform, Drupal, to set up such an assistant. By fully utilizing the simpler yet extensible structures provided Drupal, we build up an assistant system that facilitates an organization to manage all related documents centrally, to assess asset values and calculate risk values by following the ISO 27001 information security international standard. These facilities will give the organization a very strong evidence of employing a centralized information security management system when applying for ISO certification

【1】 個人資料保護法, 行政院, 2008
【2】 CNS 27001－資訊安全管理之作業要點, 經濟部標準檢驗局, 2006
【3】 CNS 14929－資訊與通訊技術安全管理概念與模型, 經濟部標準檢驗局, 2008
【4】 教育部校園資訊安全服務網, http://cissnet.edu.tw/
【5】 經濟部標準檢驗局, http://www.bsmi.gov.tw/
【6】 經濟部標準檢驗局資訊安全管理系統導入經驗分享, http://www.dgbas.gov.tw/public/Data/97816385571.pdf
【7】 行政院人事行政局「資訊安全管理系統」認證經驗分享, http://www.dgbas.gov.tw/public/Data/7121216243271.pdf
【8】 世新大學 ISMS 經驗分享, 范修維, 2008
【9】 ISMS的導入與後續之落實, 蘇建郡, 2009
【10】 景文科技大學-建置ISMS經驗分享, 方鎮良, 2009
【11】 台灣大學資訊與網路中心電子報, http://www.cc.ntu.edu.tw/chinese/epaper/
【12】 Drupal Taiwan 正體中文支援站, http://drupaltaiwan.org/
【13】 drupal.org | Community plumbing, http://drupal.org/
【14】 Information technology -- Security techniques -- Information security management systems -- Requirements, ISO, 2005
【15】 ISMS Auditor/ Lead Auditor Training Course, BSI, 2009
【16】 Building powerful and robust websites with Drupal 6, David Mercer, 2008
【17】 Learning Drupal6 Module Development, Matt Butcher, 2008
【18】 Pro.Drupal.Development, John K. VanDyk and Matt Westgate, 2007
【19】 Comparing Open Source Content Management Systems: WordPress, Joomla, Drupal, and Plone
http://www.idealware.org/comparing_os_cms/
【20】 2008 Open Source CMS Market Share Survey http://waterandstone.com/downloads/2008OpenSourceCMSMarketSurvey.pdf