iso27001：中英文對(duì)照

1、Informationtechnology-Securitytechniques-Informationsecuritymanagementsystems-Requirements信息技術(shù)-安全技術(shù)-信息安全管理體系-要求ForewordStandardization)andIEC(theformthespecializedsystemforthataremembersofISOorIECparticipateinthedevelopmentofcommitteesestablishedbytherespectivefieldsoftechnicalactivity.ISOinfieldsof

2、ernmentalandnon-governmental,partinthework.InthefieldofInternationalStandardsthroughtechnicalorganizationtodealwithparticularandIECtechnicalcommitteescollaborateOtherinternationalorganizations,inliaisonwithISOandIEC,alsotakeinformationtechnology,ISOandIEChaveISO(theInternationalOrg

3、anizationforInternationalElectrotechnicalCommission)worldwidestandardization.Nationalbodiesestablishedajointtechnicalcommittee,ISO/IECJTC1.ISO（國際標(biāo)準(zhǔn)化組織）和IEC（國際電工委員會(huì)）是為國際標(biāo)準(zhǔn)化制定專門體制的國際組織。國家機(jī)構(gòu)是ISO或IEC的成員，他們通過各自的組織建立技術(shù)委員會(huì)參與國際標(biāo)準(zhǔn)的制定，來處理特定領(lǐng)域的技術(shù)活動(dòng)。ISO和IEC技術(shù)委員會(huì)在共同感興趣的領(lǐng)域合作。其他國際組織、政府和非政府等機(jī)構(gòu)，通過聯(lián)絡(luò)ISO和IEC參與這項(xiàng)工作。ISO

4、和IEC已經(jīng)在信息技術(shù)領(lǐng)域建立了一個(gè)聯(lián)合技術(shù)委員會(huì)ISO/IECJTC1。InternationalStandardsaredraftedinaccordancewiththerulesgivenintheISO/IECDirectives,Part2.國際標(biāo)準(zhǔn)的制定遵循ISO/IEC導(dǎo)則第2部分的規(guī)則。ThemaintaskofthejointtechnicalcommitteeistoprepareInternationalStandards.DraftInternationalStandardsadoptedbythejointtechnicalcommitteearecirculate

5、dtonationalbodiesforvoting.PublicationasanInternationalStandardrequiresapprovalbyatleast75%ofthenationalbodiescastingavote.聯(lián)合技術(shù)委員會(huì)的主要任務(wù)是起草國際標(biāo)準(zhǔn)，并將國際標(biāo)準(zhǔn)草案提交給國家機(jī)構(gòu)投票表決。國際標(biāo)準(zhǔn)的出版發(fā)行必須至少75%以上的成員投票通過。Attentionisdrawntothepossibilitythatsomeoftheelementsofthisdocumentmaybethesubjectofpatentrights.ISOandIECshall

6、notbeheldresponsibleforidentifyinganyorallsuchpatentrights.本文件中的某些內(nèi)容有可能涉及一些專利權(quán)問題，這一點(diǎn)應(yīng)該引起注意ISO和IEC不負(fù)責(zé)識(shí)別任何這樣的專利權(quán)問題ISO/IEC27001waspreparedbyJointTechnicalCommitteeISO/IECJTC1,Informationtechnology,SubcommitteeSC27,ITSecuritytechniques.ISO/IEC27001由聯(lián)合技術(shù)委員會(huì)ISO/IECJTC1（信息技術(shù)）分委員會(huì)SC27（安全技術(shù)）起草Thissecondediti

7、oncancelsandreplacesthefirstedition(ISO/IEC27001:2005),whichhasbeentechnicallyrevised.第二版進(jìn)行了技術(shù)上的修訂，并取消和替代第一版(ISO/IEC27001:2005)。0Introduction引言1.1 General總則ThisInternationalStandardhasbeenpreparedtoproviderequirementsforestablishing,implementing,maintainingandcontinuallyimprovinganinformationsecurit

8、ymanagementsystem.Theadoptionofaninformationsecuritymanagementsystemisastrategicdecisionforanorganization.Theestablishmentandimplementationofanorganizationsinformationsecuritymanagementsystemisinfluencedbytheorganizationsneedsandobjectives,securityrequirements,theorganizationalprocessesusedandthesiz

9、eandstructureoftheorganization.Alloftheseinfluencingfactorsareexpectedtochangeovertime.本標(biāo)準(zhǔn)用于為建立、實(shí)施、保持和持續(xù)改進(jìn)信息安全管理體系提供要求。采用信息安全管理體系是組織的一項(xiàng)戰(zhàn)略性決策。一個(gè)組織信息安全管理體系的建立和實(shí)施受其需要和目標(biāo)、安全要求、所采用的過程以及組織的規(guī)模和結(jié)構(gòu)的影響。所有這些影響因素會(huì)不斷發(fā)生變化。Theinformationsecuritymanagementsystempreservestheconfidentiality,integrityandavailabilityof

10、informationbyapplyingariskmanagementprocessandgivesconfidencetointerestedpartiesthatrisksareadequatelymanaged.信息安全管理體系通過應(yīng)用風(fēng)險(xiǎn)管理過程來保持信息的保密性、完整性和可用性，以充分管理風(fēng)險(xiǎn)并給予相關(guān)方信心。Itisimportantthattheinformationsecuritymanagementsystemispartofandintegratedwiththeorganizationsprocessesandoverallmanagementstructureandt

11、hatinformationsecurityisconsideredinthedesignofprocesses,informationsystems,andcontrols.Itisexpectedthataninformationsecuritymanagementsystemimplementationwillbescaledinaccordancewiththeneedsoftheorganization.息安全在設(shè)計(jì)過程、信息系統(tǒng)、控制措施時(shí)就要考慮信息安全。按照組織的需要實(shí)施信息安全管理體系，是本標(biāo)準(zhǔn)所期望的。toThisInternationalStandardcanbeused

12、byinternalandexternalpartiesassesstheorganizationsabilitytomeettheorganizationsowninformationsecurityrequirements.本標(biāo)準(zhǔn)可被內(nèi)部和外部相關(guān)方使用，評(píng)估組織的能力是否滿足組織自身信息安全要求。TheorderinwhichrequirementsarepresentedinthisInternationalStandarddoesnotreflecttheirimportanceorimplytheorderinwhichtheyaretobeimplemented.Thelisti

13、temsareenumeratedforreferencepurposeonly.本標(biāo)準(zhǔn)中要求的順序并不能反映他們的重要性或意味著他們的實(shí)施順序。列舉的條目僅用于參考目的。ISO/IEC27000describestheoverviewandthevocabularyofinformationsecuritymanagementsystems,referencingtheinformationsecuritymanagementsystemfamilyofstandards(includingISO/IEC270032,ISO/IEC270043andISO/IEC270054),withre

14、latedtermsanddefinitions.ISO/IEC27000描述了信息安全管理體系的概述和詞匯，參考了信息安全管理體系標(biāo)準(zhǔn)族(包括ISO/IEC27003、ISO/IEC27004和ISO/IEC27005)以及相關(guān)的術(shù)語和定義。1.2 Compatibilitywithothermanagementsystemstandards與其他管理體系的兼容性ThisInternationalStandardappliesthehigh-levelstructure,identicalsubclausetitles,identicaltext,commonterms,andcoredef

15、initionsdefinedinAnnexSLofISO/IECDirectives,Part1,ConsolidatedISOSupplement,andthereforemaintainscompatibilitywithothermanagementsystemstandardsthathaveadoptedtheAnnexSL.本標(biāo)準(zhǔn)應(yīng)用了ISO/IEC導(dǎo)則第一部分ISO補(bǔ)充部分附錄SL中定義的高層結(jié)構(gòu)、相同的子章節(jié)標(biāo)題、相同文本、通用術(shù)語和核心定義。因此保持了與其它采用附錄SL的管理體系標(biāo)準(zhǔn)的兼容性。ThiscommonapproachdefinedintheAnnexSLwill

16、beusefulforthoseorganizationsthatchoosetooperateasinglemanagementsystemthatmeetstherequirementsoftwoormoremanagementsystemstandards.附錄SL定義的通用方法對(duì)那些選擇運(yùn)作單一管理體系(可同時(shí)滿足兩個(gè)或多個(gè)管理體系標(biāo)準(zhǔn)要求)的組織來說是十分有益的。InformationtechnologySecuritytechniquesInformationsecuritymanagementsystemsRequirements信息技術(shù)-安全技術(shù)-信息安全管理體系-要求1Sco

17、pe1 范圍ThisInternationalStandardspecifiestherequirementsforestablishing,implementing,maintainingandcontinuallyimprovinganinformationsecuritymanagementsystemwithinthecontextoftheorganization.本標(biāo)準(zhǔn)從組織環(huán)境的角度，為建立、實(shí)施、運(yùn)行、保持和持續(xù)改進(jìn)信息安全管理體系規(guī)定了要求。ThisInternationalStandardalsoincludesrequirementsfortheassessmentand

18、treatmentofinformationsecurityriskstailoredtotheneedsoftheorganization.TherequirementssetoutinthisInternationalStandardaregenericandareintendedtobeapplicabletoallorganizations,regardlessoftype,sizeornature.ExcludinganyoftherequirementsspecifiedinClauses4to10isnotacceptablewhenanorganizationclaimscon

19、formitytothisInternationalStandard.本標(biāo)準(zhǔn)還規(guī)定了為適應(yīng)組織需要而定制的信息安全風(fēng)險(xiǎn)評(píng)估和處置的要求。本標(biāo)準(zhǔn)規(guī)定的要求是通用的，適用于各種類型、規(guī)模和特性的組織。組織聲稱符合本標(biāo)準(zhǔn)時(shí)，對(duì)于第4章到第10章的要求不能刪減。2 Normativereferences3 規(guī)范性引用文件Thefollowingdocuments,inwholeorinpart,arenormativelyreferencedinthisdocumentandareindispensableforitsapplication.Fordatedreferences,onlytheedit

20、ioncitedapplies.Forundatedreferences,thelatesteditionofthereferenceddocument(includinganyamendments)applies.下列文件的全部或部分內(nèi)容在本文件中進(jìn)行了規(guī)范引用，對(duì)于其應(yīng)用是必不可少的。凡是注日期的引用文件，只有引用的版本適用于本標(biāo)準(zhǔn)；凡是不注日期的引用文件，其最新版本(包括任何修改)適用于本標(biāo)準(zhǔn)。InformationISO/IEC27000,InformationtechnologySecuritytechniquessecuritymanagementsystemsOverviewan

21、dvocabularyISO/IEC27000，信息技術(shù)安全技術(shù)信息安全管理體系概述和詞匯4 Termsanddefinitions3術(shù)語和定義Forthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000apply.ISO/IEC27000中的術(shù)語和定義適用于本標(biāo)準(zhǔn)。5 Contextoftheorganization4組織環(huán)境5.1 Understandingtheorganizationanditscontext理解組織及其環(huán)境Theorganizationshalldetermineexternalandin

22、ternalissuesthatarerelevanttoitspurposeandthataffectitsabilitytoachievetheintendedoutcome(s)ofitsinformationsecuritymanagementsystem.組織應(yīng)確定與其目標(biāo)相關(guān)并影響其實(shí)現(xiàn)信息安全管理體系預(yù)期結(jié)果的能力的外部和內(nèi)部問題。NOTEDeterminingtheseissuesreferstoestablishingtheexternalandinternalcontextoftheorganizationconsideredinClauseofISO31000:20095

23、.注：確定這些問題涉及到建立組織的外部和內(nèi)部環(huán)境，在ISO31000:20095的節(jié)考慮了這一事項(xiàng)。5.2 Understandingtheneedsandexpectationsofinterestedparties理解相關(guān)方的需求和期望Theorganizationshalldetermine:組織應(yīng)確定：a) interestedpartiesthatarerelevanttotheinformationsecuritymanagementsystem;andb) therequirementsoftheseinterestedpartiesrelevanttoinformationse

24、curity.a)與信息安全管理體系有關(guān)的相關(guān)方；b)這些相關(guān)方與信息安全有關(guān)的要求NOTETherequirementsofinterestedpartiesmayincludelegalandregulatoryrequirementsandcontractualobligations.注：相關(guān)方的要求可能包括法律法規(guī)要求和合同義務(wù)。4.3DeterminingthescopeoftheinformationsecuritymanagementsystemTheorganizationshalldeterminetheboundariesandinformationsecuritymana

25、gementsystemtoestablishitsscope.安全管理體系的邊界和適用性，以建立其范圍。Whendeterminingthisscope,theorganizationshallconsider:當(dāng)確定該范圍時(shí)，組織應(yīng)考慮：a) theexternalandinternalissuesreferredtoin;b) therequirementsreferredtoin;andapplicabilityofthe組織應(yīng)確定信息performedbytheorganizations.Thescopec) interfacesanddependenciesbetweenactiv

26、itiesorganization,andthosethatareperformedbyothershallbeavailableasdocumentedinformation.a) 在中提及的外部和內(nèi)部問題；b) 在中提及的要求；c) 組織所執(zhí)行的活動(dòng)之間以及與其它組織的活動(dòng)之間的接口和依賴性范圍應(yīng)文件化并保持可用性。4.4Informationsecuritymanagementsystem信息安全管理體系Theorganizationshallestablish,implement,maintainandcontinuallyimproveaninformationsecurityman

27、agementsystem,inaccordancewiththerequirementsofthisInternationalStandard.組織應(yīng)按照本標(biāo)準(zhǔn)的要求建立、實(shí)施、保持和持續(xù)改進(jìn)信息安全管理體系。5 Leadership6 領(lǐng)導(dǎo)6.1 Leadershipandcommitment領(lǐng)導(dǎo)和承諾Topmanagementshalldemonstrateleadershipandcommitmentwithrespecttotheinformationsecuritymanagementsystemby:高層管理者應(yīng)通過下列方式展示其關(guān)于信息安全管理體系的領(lǐng)導(dǎo)力和承諾：a) ensu

28、ringtheinformationsecuritypolicyandtheinformationsecurityobjectivesareestablishedandarecompatiblewiththestrategicdirectionoftheorganization;b) ensuringtheintegrationoftheinformationsecuritymanagementsystemrequirementsintotheorganizationsprocesses;c) ensuringthattheresourcesneededfortheinformationsec

29、uritymanagementsystemareavailable;d) communicatingtheimportanceofeffectiveinformationsecuritymanagementandofconformingtotheinformationsecuritymanagementsystemrequirements;e) ensuringthattheinformationsecuritymanagementsystemachievesitsintendedoutcome(s);f) directingandsupportingpersonstocontributeto

30、theeffectivenessoftheinformationsecuritymanagementsystem;g) promotingcontinualimprovement;andh) supportingotherrelevantmanagementrolestodemonstratetheirleadershipasitappliestotheirareasofresponsibility.a) 確保建立信息安全方針和信息安全目標(biāo)，并與組織的戰(zhàn)略方向保持一致；b) 確保將信息安全管理體系要求整合到組織的業(yè)務(wù)過程中；c) 確保信息安全管理體系所需資源可用；d) 傳達(dá)信息安全管理有效實(shí)施

31、、符合信息安全管理體系要求的重要性；e) 確保信息安全管理體系實(shí)現(xiàn)其預(yù)期結(jié)果；f) 指揮并支持人員為信息安全管理體系的有效實(shí)施作出貢獻(xiàn)；g) 促進(jìn)持續(xù)改進(jìn)；h) 支持其他相關(guān)管理角色在其職責(zé)范圍內(nèi)展示他們的領(lǐng)導(dǎo)力。5.2Policy方針Topmanagementshallestablishaninformationsecuritypolicythat:高層管理者應(yīng)建立信息安全方針，以：a) isappropriatetothepurposeoftheorganization;b) includesinformationsecurityobjectives(seeorprovidesthefra

32、meworkforsettinginformationsecurityobjectives;c) includesacommitmenttosatisfyapplicablerequirementsrelatedtoinformationsecurity;d)includesacommitmenttocontinualimprovementoftheinformationsecuritymanagementsystem.Theinformationsecuritypolicyshall:e)beavailableasdocumentedinformation;f) becommunicated

33、withintheorganization;andg) beavailabletointerestedparties,asappropriate.a)適于組織的目標(biāo)；b) 包含信息安全目標(biāo)(見)或設(shè)置信息安全目標(biāo)提供框架；c) 包含滿足適用的信息安全相關(guān)要求的承諾；d) 包含信息安全管理體系持續(xù)改進(jìn)的承諾。信息安全方針應(yīng)：e) 文件化并保持可用性；f) 在組織內(nèi)部進(jìn)行傳達(dá)；g) 適當(dāng)時(shí)，對(duì)相關(guān)方可用。5.3Organizationalroles,responsibilitiesandauthorities組織角色、職責(zé)和權(quán)限Topmanagementshallensurethattheresp

34、onsibilitiesandauthoritiesforrolesrelevanttoinformationsecurityareassignedandcommunicated.高層管理者應(yīng)確保分配并傳達(dá)了信息安全相關(guān)角色的職責(zé)和權(quán)限。Topmanagementshallassigntheresponsibilityandauthorityfor:高層管理者應(yīng)分配下列職責(zé)和權(quán)限：a) ensuringthattheinformationsecuritymanagementsystemconformstotherequirementsofthisInternationalStandard;an

35、db) reportingontheperformanceoftheinformationsecuritymanagementsystemtotopmanagement.a)確保信息安全管理體系符合本標(biāo)準(zhǔn)的要求；b)將信息安全管理體系的績效報(bào)告給高層管理者。NOTETopmanagementmayalsoassignresponsibilitiesandauthoritiesforreportingperformanceoftheinformationsecuritymanagementsystemwithintheorganization.注：高層管理者可能還要分配在組織內(nèi)部報(bào)告信息安全管理

36、體系績效的職責(zé)和權(quán)限。6Planning6規(guī)劃6.1 Actionstoaddressrisksandopportunities應(yīng)對(duì)風(fēng)險(xiǎn)和機(jī)會(huì)的措施6.1.1 General總則Whenplanningfortheinformationsecuritymanagementsystem,theorganizationshallconsidertheissuesreferredtoinandtherequirementsreferredtoinanddeterminetherisksandopportunitiesthatneedtobeaddressedto:當(dāng)規(guī)劃信息安全管理體系時(shí)，組織應(yīng)考慮

37、中提及的問題和中提及的要求，確定需要應(yīng)對(duì)的風(fēng)險(xiǎn)和機(jī)會(huì)，以：a) ensuretheinformationsecuritymanagementsystemcanachieveitsintendedoutcome(s);b) prevent,orreduce,undesiredeffects;andc) achievecontinualimprovement.Theorganizationshallplan:d) actionstoaddresstheserisksandopportunities;ande) howto1) integrateandimplementtheactionsintoi

38、tsinformationsecuritymanagementsystemprocesses;2) evaluatetheeffectivenessoftheseactions.a)確保信息安全管理體系能實(shí)現(xiàn)其預(yù)期結(jié)果；b) 防止或減少意外的影響；c) 實(shí)現(xiàn)持續(xù)改進(jìn)。組織應(yīng)規(guī)劃：d) 應(yīng)對(duì)這些風(fēng)險(xiǎn)和機(jī)會(huì)的措施；e) 如何1) 整合和實(shí)施這些措施并將其納入信息安全管理體系過程；2) 評(píng)價(jià)這些措施的有效性。6.1.2Informationsecurityriskassessment信息安全風(fēng)險(xiǎn)評(píng)估Theorganizationshalldefineandapplyaninformationsecu

39、rityriskassessmentprocessthat:組織應(yīng)定義并應(yīng)用風(fēng)險(xiǎn)評(píng)估過程，以：a) establishesandmaintainsinformationsecurityriskcriteriathatinclude:1) theriskacceptancecriteria;and2) criteriaforperforminginformationsecurityriskassessments;b) ensuresthatrepeatedinformationsecurityriskassessmentsproduceconsistent,validandcomparabler

40、esults;c) identifiestheinformationsecurityrisks:1) applytheinformationsecurityriskassessmentprocesstoidentifyrisksassociatedwiththelossofconfidentiality,integrityandavailabilityforinformationwithinthescopeoftheinformationsecuritymanagementsystem;and2) identifytheriskowners;d) analysestheinformations

41、ecurityrisks:1) assessthepotentialconsequencesthatwouldresultiftherisksidentifiedinc)1)weretomaterialize;2) assesstherealisticlikelihoodoftheoccurrenceoftherisksidentifiedinc)1);and3) determinethelevelsofrisk;e) evaluatestheinformationsecurityrisks:1) comparetheresultsofriskanalysiswiththeriskcriter

42、iaestablishedina);and2) prioritizetheanalysedrisksforrisktreatment.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityriskassessmentprocess.a) 建立并保持信息安全風(fēng)險(xiǎn)準(zhǔn)則，包括：1) 風(fēng)險(xiǎn)接受準(zhǔn)則；2) 執(zhí)行信息安全風(fēng)險(xiǎn)評(píng)估的準(zhǔn)則；b) 確保重復(fù)性的信息安全風(fēng)險(xiǎn)評(píng)估可產(chǎn)生一致的、有效的和可比較的結(jié)果；c) 識(shí)別信息安全風(fēng)險(xiǎn)：1) 應(yīng)用信息安全風(fēng)險(xiǎn)評(píng)估過程來識(shí)別信息安全管理體系范圍內(nèi)的信息喪失保密性、完整性和可

43、用性的相關(guān)風(fēng)險(xiǎn)；2) 識(shí)別風(fēng)險(xiǎn)負(fù)責(zé)人；d) 分析信息安全風(fēng)險(xiǎn)：1) 評(píng)估c)1)中所識(shí)別風(fēng)險(xiǎn)發(fā)生后將導(dǎo)致的潛在影響；2) 評(píng)估c)1)中所識(shí)別風(fēng)險(xiǎn)發(fā)生的現(xiàn)實(shí)可能性；3) 確定風(fēng)險(xiǎn)級(jí)別；1) 將風(fēng)險(xiǎn)分析結(jié)果同a)建立的風(fēng)險(xiǎn)準(zhǔn)則進(jìn)行比較；組織應(yīng)定義并應(yīng)用風(fēng)險(xiǎn)評(píng)估過程，2) 為實(shí)施風(fēng)險(xiǎn)處置確定已分析風(fēng)險(xiǎn)的優(yōu)先級(jí)。以：組織應(yīng)保留信息安全風(fēng)險(xiǎn)評(píng)估過程的文件記錄信息。6.1.3Informationsecurityrisktreatment信息安全風(fēng)險(xiǎn)處置Theorganizationshalldefineandapplyaninformationsecurityrisktreatmentprocesst

44、o:a) selectappropriateinformationsecurityrisktreatmentoptions,takingaccountoftheriskassessmentresults;b) determineallcontrolsthatarenecessarytoimplementtheinformationsecurityrisktreatmentoption(s)chosen;組織應(yīng)定義并應(yīng)用信息安全風(fēng)險(xiǎn)處置過程，以：a) 在考慮風(fēng)險(xiǎn)評(píng)估結(jié)果的前提下，選擇適當(dāng)?shù)男畔踩L(fēng)險(xiǎn)處置選項(xiàng)：b) 為實(shí)施所選擇的信息安全風(fēng)險(xiǎn)處置選項(xiàng)，確定所有必需的控制措施；NOTEOrgani

45、zationscandesigncontrolsasrequired,oridentifythemfromanysource.注：組織可按要求設(shè)計(jì)控制措施，或從其他來源識(shí)別控制措施。c) comparethecontrolsdeterminedinb)abovewiththoseinAnnexAandverifythatnonecessarycontrolshavebeenomitted;d) 將b)所確定的控制措施與附錄A的控制措施進(jìn)行比較，以核實(shí)沒有遺漏必要的控制措施；NOTE1AnnexAcontainsacomprehensivelistofcontrolobjectivesandco

46、ntrols.UsersofthisInternationalStandardaredirectedtoAnnexAtoensurethatnonecessarycontrolsareoverlooked.NOTE2Controlobjectivesareimplicitlyincludedinthecontrolschosen.ThecontrolobjectivesandcontrolslistedinAnnexAarenotexhaustiveandadditionalcontrolobjectivesandcontrolsmaybeneeded.注1:附錄A包含了一份全面的控制目標(biāo)和控

47、制措施的列表。本標(biāo)準(zhǔn)用戶可利用附錄A以確保不會(huì)遺漏必要的控制措施。注2:控制目標(biāo)包含于所選擇的控制措施內(nèi)。附錄A所列的控制目標(biāo)和控制措施并不是所有的控制目標(biāo)和控制措施，組織也可能需要另外的控制目標(biāo)和控制措施。d)produceaStatementofApplicabilitythatcontainsthenecessarycontrols(seeb)andc)andjustificationforinclusions,whethertheyareimplementedornot,andthejustificationforexclusionsofcontrolsfromAnnexA;e) fo

48、rmulateaninformationsecurityrisktreatmentplan;andf) obtainriskownersapprovaloftheinformationsecurityrisktreatmentplanandacceptanceoftheresidualinformationsecurityrisks.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityrisktreatmentprocess.d)產(chǎn)生適用性聲明。適用性聲明要包含必要的控制措施(見b)和c)、對(duì)包含的

49、合理性說明(無論是否已實(shí)施)以及對(duì)附錄A控制措施刪減的合理性說明；組織應(yīng)f)獲得風(fēng)險(xiǎn)負(fù)責(zé)人對(duì)信息安全風(fēng)險(xiǎn)處置計(jì)劃以及接受信息安全殘余風(fēng)險(xiǎn)的批準(zhǔn)。保留信息安全風(fēng)險(xiǎn)處置過程的文件記錄信息。NOTETheinformationsecurityriskassessmentandtreatmentprocessinthisInternationalStandardalignswiththeprinciplesandgenericguidelinesprovidedinISO310005.注：本標(biāo)準(zhǔn)中的信息安全風(fēng)險(xiǎn)評(píng)估和處置過程可與ISO310005中規(guī)定的原則和通用指南相結(jié)合。Informationse

50、curityobjectivesandplanningtoachievethem信息安全目標(biāo)和規(guī)劃實(shí)現(xiàn)Theorganizationshallestablishinformationsecurityobjectivesatrelevantfunctionsandinformationsecurityobjectivesshall:組織應(yīng)在相關(guān)職能和層次上建立信息安全目標(biāo)。信息安全目標(biāo)應(yīng)：a) beconsistentwiththeinformationsecuritypolicy;b) bemeasurable(ifpracticable);c) takeintoaccountapplicab

51、leinformationsecurityrequirements,andresultsfromriskassessmentandrisktreatment;d) becommunicated;ande) beupdatedasappropriate.Theorganizationshallretaindocumentedinformationontheinformationsecurityobjectives.Whenplanninghowtoachieveitsinformationsecurityobjectives,theorganizationshalldetermine:f)wha

52、twillbedone;g) whatresourceswillberequired;h) whowillberesponsible;i) whenitwillbecompleted;andj) howtheresultswillbeevaluated.a)與信息安全方針一致；b) 可測量(如可行)；c) 考慮適用的信息安全要求以及風(fēng)險(xiǎn)評(píng)估和風(fēng)險(xiǎn)處置結(jié)果；d) 被傳達(dá)；e) 適當(dāng)時(shí)進(jìn)行更新。組織應(yīng)保留關(guān)于信息安全目標(biāo)的文件記錄信息。當(dāng)規(guī)劃如何實(shí)現(xiàn)其信息安全目標(biāo)時(shí)，組織應(yīng)確定：f)要做什么；g) 需要什么資源；h) 由誰負(fù)責(zé)；i) 什么時(shí)候完成；7Support7支持7.1 Resources資

53、源Theorganizationshalldetermineandprovidetheresourcesneededfortheestablishment,implementation,maintenanceandcontinualimprovementoftheinformationsecuritymanagementsystem.組織應(yīng)確定并提供建立、實(shí)施、保持和持續(xù)改進(jìn)信息安全管理體系所需的資源。7.2 Competence能力Theorganizationshall:a) determinethenecessarycompetenceofperson(s)doingworkunderi

54、tscontrolthataffectsitsinformationsecurityperformance;b) ensurethatthesepersonsarecompetentonthebasisofappropriateeducation,training,orexperience;c) whereapplicable,takeactionstoacquirethenecessarycompetence,andevaluatetheeffectivenessoftheactionstaken;andd) retainappropriatedocumentedinformationase

55、videnceofcompetence.組織應(yīng)：a) 確定從事影響信息安全執(zhí)行工作的人員在組織的控制下從事其工作的必要能力；b) 確保人員在適當(dāng)教育，培訓(xùn)和經(jīng)驗(yàn)的基礎(chǔ)上能夠勝任工作；c) 適用時(shí)，采取措施來獲得必要的能力，并評(píng)價(jià)所采取措施的有效性；d) 保留適當(dāng)?shù)奈募涗浶畔⒆鳛槟芰Ψ矫娴淖C據(jù)。NOTEApplicableactionsmayinclude,forexample:theprovisionoftrainingto,thementoringof,orthereassignmentofcurrentemployees;orthehiringorcontractingofcompete

56、ntpersons.注：例如適當(dāng)措施可能包括為現(xiàn)有員工提供培訓(xùn)、對(duì)其進(jìn)行指導(dǎo)或重新分配工作；雇用或簽約有能力的人員。7.3Awareness意識(shí)Personsdoingworkundertheorganizationscontrolshallbeawareof:a) theinformationsecuritypolicy;b) theircontributiontotheeffectivenessoftheinformationsecuritymanagementsystem,includingthebenefitsofimprovedinformationsecurityperforman

57、ce;andc) theimplicationsofnotconformingwiththeinformationsecuritymanagementsystemrequirements.人員在組織的控制下從事其工作時(shí)應(yīng)意識(shí)到：a) 信息安全方針；b) 他們對(duì)有效實(shí)施信息安全管理體系的貢獻(xiàn)，包括信息安全績效改進(jìn)后的益處；c)不符合信息安全管理體系要求可能的影響。7.4CommunicationTheorganizationshalldeterminetheneedforinternalandexternalcommunicationsrelevanttotheinformationsecuritymanagementsystemincluding:a)onwhattocommunicate;b) whentocommunicate;c) withwhomtocommunicate;d) whoshallcommunicate;