ISO selected text, Chinese-English parallel edition (ISO/IEC 27001)
Information technology - Security techniques - Information security management systems - Requirements

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), which has been technically revised.

0 Introduction

0.1 General

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization's processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties to assess the organization's ability to meet the organization's own information security requirements.

The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003[2], ISO/IEC 27004[3] and ISO/IEC 27005[4]), with related terms and definitions.

0.2 Compatibility with other management system standards

This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.

This common approach defined in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards.

Information technology - Security techniques - Information security management systems - Requirements

1 Scope

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology - Security techniques - Information security management systems - Overview and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.

NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

4.4 Information security management system

The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

5 Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy

Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.

The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.

NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.

The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
   1) integrate and implement the actions into its information security management system processes; and
   2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
   1) the risk acceptance criteria; and
   2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
   1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
   2) identify the risk owners;
d) analyses the information security risks:
   1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
   2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
   3) determine the levels of risk;
e) evaluates the information security risks:
   1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
   2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment

The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE Organizations can design controls as required, or identify them from any source.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.

d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.

The organization shall retain documented information about the information security risk treatment process.

NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].

6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and levels.

The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.

The organization shall retain documented inform
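Clauses 6.1.2 a) to e) and 6.1.3 a) to f) above describe one procedure: fix the risk criteria, identify risks with their owners, analyse consequence and likelihood into a risk level, evaluate against the acceptance criteria, then choose controls, compare them with a reference list and record the result in a Statement of Applicability. The Python sketch below is an added illustration written for this page; it is not text or code from the standard. It assumes 1 to 5 ordinal scales, risk level = consequence x likelihood, an acceptance threshold of 6, and a four-entry control catalogue that merely stands in for Annex A (whose controls are not reproduced here); the risks, owners and control identifiers are constructed sample data.

```python
"""Worked illustration of the ISO/IEC 27001 6.1.2 / 6.1.3 process flow.
Added example, not part of the standard. Scales, thresholds, risks and the
mini control catalogue are constructed sample data (Annex A is not reproduced)."""
from dataclasses import dataclass

# 6.1.2 a) risk criteria (assumed): 1..5 ordinal scales, level = consequence *
# likelihood, and a risk is acceptable without treatment when level <= threshold.
SCALE = range(1, 6)
ACCEPT_THRESHOLD = 6
CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    owner: str            # 6.1.2 c) 2): every risk has a named risk owner
    affects: tuple        # which of C/I/A would be lost, 6.1.2 c) 1)
    consequence: int      # 6.1.2 d) 1)
    likelihood: int       # 6.1.2 d) 2)

    def level(self) -> int:   # 6.1.2 d) 3)
        return self.consequence * self.likelihood


def validate(risk: Risk) -> None:
    """6.1.2 b): results are only comparable if every entry uses the same
    criteria, so reject entries outside the scales or without an owner."""
    if not risk.owner:
        raise ValueError(f"{risk.risk_id}: risk owner missing")
    if not risk.affects or not set(risk.affects) <= set(CIA):
        raise ValueError(f"{risk.risk_id}: affects must be a subset of {CIA}")
    if risk.consequence not in SCALE or risk.likelihood not in SCALE:
        raise ValueError(f"{risk.risk_id}: consequence/likelihood outside 1..5")


def evaluate(risks, threshold=ACCEPT_THRESHOLD):
    """6.1.2 e): compare each level with the acceptance criterion and return
    (id, level, decision) tuples ordered by treatment priority, highest first."""
    for r in risks:
        validate(r)
    ranked = sorted(risks, key=lambda r: (-r.level(), r.risk_id))
    return [(r.risk_id, r.level(), "treat" if r.level() > threshold else "accept")
            for r in ranked]


def omitted_controls(determined, catalogue, exclusions):
    """6.1.3 c): catalogue controls neither determined nor justified as excluded."""
    return [c for c in catalogue if c not in determined and c not in exclusions]


def statement_of_applicability(determined, catalogue, exclusions):
    """6.1.3 b)-d): `determined` maps control id -> (implemented?, justification)
    for controls needed by the chosen treatment options; `catalogue` is the
    reference list compared against (stand-in for Annex A); `exclusions` maps
    catalogue ids deliberately not applied -> justification."""
    missing = omitted_controls(determined, catalogue, exclusions)
    if missing:
        raise ValueError(f"controls neither selected nor justified as excluded: {missing}")
    soa = {}
    for cid in catalogue:
        if cid in determined:
            implemented, why = determined[cid]
            soa[cid] = {"applicable": True, "implemented": implemented, "justification": why}
        else:
            soa[cid] = {"applicable": False, "implemented": False,
                        "justification": exclusions[cid]}
    # 6.1.3 NOTE 2: controls may come from any source, so organisation-specific
    # controls outside the catalogue are recorded as well.
    for cid, (implemented, why) in determined.items():
        if cid not in catalogue:
            soa[cid] = {"applicable": True, "implemented": implemented,
                        "justification": why + " (additional control, not in catalogue)"}
    return soa


# Constructed sample data (hypothetical risks, owners and control identifiers).
SAMPLE_RISKS = [
    Risk("R1", "backup media lost in transit", "IT operations lead",
         ("confidentiality", "availability"), 4, 3),
    Risk("R2", "payroll file altered by unauthorised staff", "HR manager", ("integrity",), 5, 2),
    Risk("R3", "public website unavailable for one hour", "Web product owner", ("availability",), 2, 2),
]
SAMPLE_CATALOGUE = ["C-01 media handling", "C-02 access control",
                    "C-03 cryptography", "C-04 supplier relationships"]
SAMPLE_DETERMINED = {
    "C-01 media handling": (True, "treats R1"),
    "C-02 access control": (False, "treats R2, planned for next quarter"),
    "C-03 cryptography": (True, "treats R1, encrypt backup media"),
    "X-01 four-eyes payroll approval": (True, "treats R2, organisation-specific"),
}
SAMPLE_EXCLUSIONS = {"C-04 supplier relationships": "no outsourced processing in scope"}

if __name__ == "__main__":
    for row in evaluate(SAMPLE_RISKS):
        print(row)
    for cid, entry in statement_of_applicability(
            SAMPLE_DETERMINED, SAMPLE_CATALOGUE, SAMPLE_EXCLUSIONS).items():
        print(cid, entry)
```

Running the script lists R1 (level 12) and R2 (level 10) as risks to treat and R3 (level 4) as accepted, then prints a five-entry statement in which the excluded catalogue control carries its justification and the organisation-specific control is flagged as additional. Dropping an exclusion without a justification makes `statement_of_applicability` refuse to produce the statement, which is the point of the 6.1.3 c) comparison: a control can be left out, but never silently.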
