ISO新編中英文對照

ISO新編中英文對照ForewordISO(theInternationalOrganizationforStandardization)andIEC(theInternationalElectrotechnicalCommission)formthespecializedsystemforworldwidestandardization.NationalbodiesthataremembersdevelopmentofInternationalStandardsthroughtechnicalcommitteesestablishedbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutualinterest.Otherinternationalorganizations,governmentalandnon-haveestablishedajointtechnicalcommittee,ISO/IECJTC1.ISO（國際標(biāo)準(zhǔn)化組織）和IEC（國際電工委員會）是為國際標(biāo)準(zhǔn)化制定專門體制的國際組織。國家機(jī)構(gòu)是ISO或IEC的成員，他們通過各自的組織建立技術(shù)委員會參與國際標(biāo)準(zhǔn)的制定，來處理特定領(lǐng)域的技術(shù)活動。ISO和IEC技術(shù)委員會在共同感興趣的領(lǐng)域合作。其他國際組織、政府信息技術(shù)領(lǐng)域建立了一個聯(lián)合技術(shù)委員會ISO/IECJTC1。InternationalStandardsaredraftedinaccordancewiththerulesgivenintheISO/IECDirectives,Part2.InternationalStandards.DraftInternationalStandardsadoptedbythejointtechnicalcommitteearecirculatedtonationalbodiesforvoting.PublicationasanInternationalStandardrequiresapprovalbyatleast75%ofcastingavote.聯(lián)合技術(shù)委員會的主要任務(wù)是起草國際標(biāo)準(zhǔn)，并將國際標(biāo)準(zhǔn)草案提交給國Attentionisdrawntothepossibilitythatsomeoftheelementssuchpatentrights.本文件中的某些內(nèi)容有可能涉及一些專利權(quán)問題，這一點(diǎn)應(yīng)該引起注意。ISO/IEC27001waspreparedbyJointTechnicalCommitteeISO/IECJTC1,Informationtechnology,techniques.ISO/IEC27001由聯(lián)合技術(shù)委員會SubcommitteeSC27,ITSecurityISO/IECJTC1（信息技術(shù)）分委員會Thissecondeditioncancelsandreplacesthefirstedition(ISO/IEC27001:2005),whichhasbeentechnicallyrevised.第二版進(jìn)行了技術(shù)上的修訂，并取消和替代第一版（ISO/IEC0IntroductionThisInternationalStandardhasbeenpreparedtoproviderequirementsforestablishing,implementing,maintainingandcontinuallyimprovinganinformationsecuritymanagementsystem.Theadoptionofaninformationsecuritymanagementsystemisastrategicdecisionforanorganization.Theestablishmentandimplementationofanorganization’sinformationsecuritymanagementsystemisinfluencedbytheorganization’sneedsandobjectives,securityrequirements,theorganizationalprocessesusedandthesizeandstructureoftheorganization.time.Theinformationsecuritymanagementsystempreservestheconfidentiality,integrityandavailabilityofinformationbyapplyingariskmanagementprocessandgivesconfidencetointerestedpartiesthatrisksareadequatelymanaged.信息安全管理體系通過應(yīng)用風(fēng)險(xiǎn)管理過程來保持信息的保密性、完整性和Itisimportantthattheinformationsecuritymanagementsystemispartofandintegratedwiththeorganization’sprocessesandoverallmanagementstructureandthatinformationsecurityisconsideredinthedesignofproandcontrols.Itisexpectedthataninformationsecuritymanagementsystemimplementationwillbescaledinaccordancewiththeneedsoftheorganization.信息安全管理體系是組織過程和整體管理結(jié)構(gòu)的一部分并與其整合在一起是非常重要的。信息安全在設(shè)計(jì)過程、信息系統(tǒng)、控制措施時就要考慮信息安全。按照組織的需要實(shí)施信息安全管理體系，是本標(biāo)準(zhǔn)所期望的。ThisInternationalStandardcanbeusedbyinternalandexternalpartiestoassesstheorganization’sabilitytomeettheorganization’sowninformationsecurityrequirements.本標(biāo)準(zhǔn)可被內(nèi)部和外部相關(guān)方使用，評估組織的能力是否滿足組織自身信息TheorderinwhichrequirementsarepreseInternationalStandarddoesnotreflecttheirimportanceoritemsareenumeratedforreferencepurposeonly.本標(biāo)準(zhǔn)中要求的順序并不能反映他們的重要性或意味著他們的實(shí)施順序。列舉的條目僅用于參考目的。informationsecuritymanagementsystems,referencingtheinformationsecuritymanagementsystemfamilyofstandards27005[4]),withrelatedtermsanddefinitions.ISO/IEC27000描述了信息安全管理體系的概述和詞匯，參考了信息安全管理體系標(biāo)準(zhǔn)族（包括ISO/IEC27003、ISO/IEC27004和ISO/IEC27005）以及相關(guān)的術(shù)1.2Compatibilitywithothermanagementsystemstandards0.2與其他管理體系的兼容性ThisInternationalStandardappliesthehigh-levelstructure,identicalsub-clausetitles,identicaltext,commonterms,Directives,Part1,ConsolidatedISOSupplement,andthereforemaintainscompatibilitywithothermanagementsystemstandardsthathaveadoptedtheAnnexSL.本標(biāo)準(zhǔn)應(yīng)用了ISO/IEC導(dǎo)則第一部分ISO補(bǔ)充部分附錄SL中定義的高層結(jié)構(gòu)、相同的子章節(jié)標(biāo)題、相同文本、通用術(shù)語和核心定義。因此保持了與其它采用附錄SL的管理體系標(biāo)準(zhǔn)的兼容性。ThiscommonapproachdefinedintheAnnexSLwillbeusefulforthoseorganizationsthatchoosetooperateasinglemanagementsystemthatmeetstherequirementsosystemstandards.附錄SL定義的通用方法對那些選擇運(yùn)作單一管理體系（可同時滿足兩Informationtechnology—Securitytechniques—Informationsecuritymanagementsystems—Requirements信息技術(shù)-安全技術(shù)-信息安全管理體系-要求ThisInternationalStandardspecifiestherequirementsforestablishing,implementing,maintainingandcontinuallyimprovinganinformationsecuritymanagementsystemwithinthecontextoftheorganization.本標(biāo)準(zhǔn)從組織環(huán)境的角度，為建立、實(shí)施、運(yùn)行、保持和持續(xù)改進(jìn)信息安全管理體系規(guī)定了ThisInternationalStandardalsoincludesrequirementsfortheassessmentandtreatmentofinformationsecurityriskstailoredapplicabletoallorganizations,regardlessoftype,sizeornature.ExcludinganyoftherequirementsspecifiedinconformitytothisInternationalStandard.本標(biāo)準(zhǔn)還規(guī)定了為適應(yīng)組織需要而定制的信息安全風(fēng)險(xiǎn)評估和處置的要求是通用的，適用于各種類型、規(guī)模和特性的組織。組織聲稱符合本標(biāo)準(zhǔn)2Normativereferences2規(guī)范性引用文件Thefollowingdocuments,inwholeorinpart,arenormativelyreferencedinthisdocumentandareindispensableforitsapplication.Fordatedreferences,onlytheeditioncitedapplies.Forundatedreferences,thelatesteditionofthereferenceddocument(includinganyamendments)applies.下列文件的全部或部分內(nèi)容在本文件中進(jìn)行了規(guī)范引用，對于其應(yīng)用是必ISO/IEC27000,Informationtechnology—Securitytechniques—Informationsecuritymanagementsystems—OverviewandvocabularyISO/IEC27000，信息技術(shù)—安全技術(shù)—信息安全管理體系—概述和詞匯definitions3術(shù)語和定義Forthepurposesofthisdocument,thetermsanddefinitions4Contextoftheorganization4組織環(huán)境4.1Understandingtheorganizationanditscontext4.1理解組織及其環(huán)境Theorganizationshalldetermineexternalandinternalissmanagementsystem.組織應(yīng)確定與其目標(biāo)相關(guān)并影響其實(shí)現(xiàn)信息安全管理體系預(yù)期結(jié)果的能力的外部和內(nèi)部問NOTEDeterminingtheseissuesreferstoestablishingtheexternalandinternalcontextoftheorganizationconsideredinClause5.3ofISO31000:2009[5].注：確定這些問題涉及到建立組織的外部和內(nèi)部環(huán)境，在ISO31000:2009[5]的5.3節(jié)考慮了4.2Understandingtheneedsandexpectationsofinterestedparties4.2理解相關(guān)方的需求和期望Theorganizationshalldetermine:a)interestedpartiesthatarerelevanttotheinformationsecuritymanagementsystem;andb)therequirementsoftheseinterestedpartiesrelevanttoinformationsecurity.a)與信息安全管理體系b)這些相關(guān)方與信息安全有關(guān)的要求NOTETherequirementsofinterestedpartiesmayincludelegalandregulatoryrequirementsandcontractualobligations.注：相關(guān)方的要求可能包括法律法規(guī)要求和合同義務(wù)。4.3Determiningthescopeoftheinformationsecuritymanagement4.3確定信息安全管理體系的范圍Theorganizationshalldeterminetheboundariesandapplicabilityoftheinformationsecuritymanagementsystemtoestablishitsscope.組織應(yīng)確定信息安全管理體系的邊界和適用性，Whendeterminingthisscope,theorganizationshallconsider:a)theexternalandinternalissuesreferredtoinc)interfacesanddependenciesbetweenactivitiesperformedbytheorganization,andthosethatareperformedbyotherorganizations.Thescopeshallbeavailableasdocumentedinformation.c)組織所執(zhí)行的活動之間以及與其它組織的活動之間的接口和依賴性范圍應(yīng)文件化并保持可用性。4.4Informationsecuritymanagementsystem4.4信息安全管理體系Theorganizationshallestablish,implement,maintainandcontinuallyimproveaninformationsecuritymanagementsystem,inaccordancewiththerequirementsofthisInternationalStandard.組織應(yīng)按照本標(biāo)準(zhǔn)的要求建立、實(shí)施、保持和持續(xù)改進(jìn)信息安全管理體5Leadership5.1Leadershipandcommitment5.1領(lǐng)導(dǎo)和承諾Topmanagementshalldemonstrateleadershipandcommitmentwithrespecttotheinformationsecuritymanagementsystemby:高層管理者應(yīng)通過下列方式展示其關(guān)于信息安全管理體系的領(lǐng)導(dǎo)力和承a)ensuringtheinformationsecuritypolicyandtheinformationsecurityobjectivesareestablishedandarecompatiblewiththestrategicdirectionoftheorganization;b)ensuringtheintegrationoftheinformationsecuritymanagementsystemrequirementsintotheorganization’sprocesses;c)ensuringthattheresourcesneededfortheinformationsecuritymanagementsystemareavailable;d)communicatingtheimportanceofeffectiveinformationsecuritymanagementandofconformingtotheinformationsecuritymanagementsystemrequirements;e)ensuringthattheinformationsecuritymanagementsystemachievesitsintendedoutcome(s);f)directingandsupportingpersonstocontributetotheeffectivenessoftheinformationsecuritymanagementsystem;g)promotingcontinualimprovement;andh)supportingotherrelevantmanagementrolestodemonstratetheirleadershipasitappliestotheiraresponsibility.a)確保建立信息安全方針和信息安全目標(biāo)，并與組織的戰(zhàn)略方向保持一b)確保將信息安全管理體系要求整合到組織的業(yè)務(wù)過程中；c)確保信息安全管理體系所需資源可用；d)傳達(dá)信息安全管理有效實(shí)施、符合信息安全管理體系要求的重要性；e)確保信息安全管理體系實(shí)現(xiàn)其預(yù)期結(jié)果；f)指揮并支持人員為信息安全管理體系的有效實(shí)施作出貢獻(xiàn)；h)支持其他相關(guān)管理角色在其職責(zé)范圍內(nèi)展示他們的領(lǐng)導(dǎo)力。5.2Po針Topmanagementshallestablishaninformationsecuritypolicy高層管理者應(yīng)建立信息安全方針，以：a)isappropriatetothepurposeoftheorganization;b)includesinformationsecurityobjectives(see6.2)orprovidestheframeworkforsettinginformationsecurityobjectives;c)includesacommitmenttosatisfyapplicablerequirementsrelatedtoinformationsecurity;d)includesacommitmentttheinformationsecuritymanagementsystem.Theinformationsecuritypolicyshall:e)beavailableasdocumentedinformation;f)becommunicatedwithintheorganization;andg)beavailabletointerestedparties,asappropriate.a)適于組織b)包含信息安全目標(biāo)（見6.2）或設(shè)置信息安全目標(biāo)提供框架；c)包含滿足適用的信息安全相關(guān)要求5.3Organizationalroles,responsibilitiesandauthorities5.3組織角色、職責(zé)和權(quán)限Topmanagementshallensurethattheresponsibilitiesandauthoritiesforrolesrelevanttoinformationsecurityareassignedandcommunicated.高層管理者應(yīng)確保分配并傳達(dá)了信息安全相關(guān)角色的職責(zé)和權(quán)限。Topmanagementshallassigntheresponsibilityandauthorityfor:a)ensuringthattheinformationsecuritymanagementsystemconformstotherequirementsofthisInternationalStandard;andb)reportingontheperformanceoftheinformationsecuritymanagementsystemtotopmanagement.a)確保信息安全管理體系符合本標(biāo)準(zhǔn)的要求；b)將信息安全管理體系的績效報(bào)告給高層管理者。NOTETopmanagementmayalsoassignresponsibilitiesandauthoritiesforreportingperformanceoftheinformationsecuritymanagementsystemwithintheorganization.注：高層管理者可能還要分配在組織內(nèi)部報(bào)告信息安全管理體系績效的職責(zé)和權(quán)限。6Planning6.1Actionstoaddressrisksandopportunities6.1應(yīng)對風(fēng)險(xiǎn)和機(jī)會的措施6.1.1General6.1.1總則Whenplanningfortheinformationsecuritymanagementsystem,andtherequirementsreferredtoin4.2anddeterminetherisksandopportunitiesthatneedtobeaddressedto:當(dāng)規(guī)劃信息安全管理體系時，組織應(yīng)考慮4.1中提及的問題和4.2中提及a)ensuretheinformationsecuritymanagementsystemcanachieveitsintendedoutcome(s);b)prevent,orreduce,undesiredeffects;andc)achievecontinualimprovement.Theorganizationshallplan:d)actionstoaddresstheserisksandopportunities;andsecuritymanagementsystemprocesses;2)evaluatetheeffectivenessoftheseactions.a)確保信息安全管理b)防止或減少意外的d)應(yīng)對這些風(fēng)險(xiǎn)和機(jī)會的措施；1)整合和實(shí)施這些措施并將其納入信息安全管理體系過程；6.1.2Informationsecurityriskassessment6.1.2信息安全風(fēng)Theorganizationshalldefineandapplyaninformationsecurityriskassessmentprocessthat:組織應(yīng)定義并應(yīng)用風(fēng)險(xiǎn)評估過程，以：a)establishesandmaintainsinformationsecurityriskcriteria1)theriskacceptancecriteria;and2)criteriaforperforminginformationsecurityriskassessments;b)ensuresthatrepeatedinformationsecurityriskassessmentsproduceconsistent,validandcomparableresults;c)identifiestheinformationsecurityrisks:1)applytheinformationsecurityriskassessmentprocesstoidentifyrisksassociatedwiththelossofconfidentiality,integrityandavailabilityforinformationwithinthescopeoftheinformationsecuritymanagementsystem;and2)identifytheriskowners;d)analysestheinformationsecurityrisks:1)assessthepotentialconsequencesthatwouldresultiftherisksidentifiedin6.1.2c)1)weretomaterialize;2)assesstherealisticlikelihoodoftheoccurrenceoftherisksidentifiedin6.1.2c)1);and3)determinethelevelsofrisk;e)evaluatestheinformationsecurityrisks:1)comparetheresultsofriskanalysiswiththeriskcriteriaestablishedin6.1.2a);and2)prioritizetheanalysedrisksforrisktreatment.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityriskassessmentprocess.a)建立并保持信息安全風(fēng)險(xiǎn)準(zhǔn)則，包括：b)確保重復(fù)性的信息安全風(fēng)險(xiǎn)評估可產(chǎn)生一致的、有效的和可比較的結(jié)1)應(yīng)用信息安全風(fēng)險(xiǎn)評估過程來識別信息安全管理體系范圍內(nèi)的信息喪失保密性、完整性和可用性的相關(guān)風(fēng)險(xiǎn)；1)評估6.1.2c）1）中所識別風(fēng)險(xiǎn)發(fā)生后將導(dǎo)致的潛在影響；2)評估6.1.2c）1）中所識別風(fēng)險(xiǎn)發(fā)生的現(xiàn)實(shí)可能性；1)將風(fēng)險(xiǎn)分析結(jié)果同6.1.2a）建立的風(fēng)險(xiǎn)準(zhǔn)則進(jìn)行比較；6.1.3Informationsecurityrisktreatment6.1.3信息安全風(fēng)險(xiǎn)處置Theorganizationshalldefineandapplyaninformationsecurityrisktreatmentprocessto:a)selectappropriateinformationsecurityrisktreatmentoptions,takingaccountoftheriskassessmentresults;b)determineallcontrolsthatarenecessarytoimplementtheinformationsecurityrisktreatmentoption(s)chosen;組織應(yīng)定義并應(yīng)用信息安全風(fēng)險(xiǎn)處置過程，以：a)在考慮風(fēng)險(xiǎn)評估結(jié)果的前提下，選擇適當(dāng)?shù)男畔踩L(fēng)險(xiǎn)處置選項(xiàng)：b)為實(shí)施所選擇的信息安全風(fēng)險(xiǎn)處置選項(xiàng)，確定所有必需的控制措施；NOTEOrganizationscandesigncontrolsasrequired,oridentifythemfromanysource.注：組織可按要求設(shè)計(jì)控制措施，或從其他來源識別控制措施。c)comparethecontrolsdeterminedin6.1.3b)abovewiththoseinAnnexAandverifythatnonecessarycontrolshavebeenomitted;c)將6.1.3b）所確定的控制措施與附錄A的控制措施進(jìn)行比較，以核實(shí)沒有遺漏必要的NOTE1AnnexAcontainsacomprehensivelistofcontrolobjectivesandcontrols.UsersofthisInternationalStandardaredirectedtoAnnexAtoensurethatnonecessarycontrolsareoverlooked.NOTE2Controlobjectivesareimplicitlyincludedinthecontrolschosen.ThecontrolobjectivesandcontrolslistedinAnnexAarenotexhaustiveandadditionalcontrolobjectivesandcontrolsmaybeneeded.注1：附錄A包含了一份全面的控制目標(biāo)和控制措施的列表。本標(biāo)準(zhǔn)用戶可內(nèi)。附錄A所列的控制目標(biāo)和控制措施并不是所有的控制目標(biāo)和控制措施，組織也可能需要另外的控制目標(biāo)和控制措施。d)produceaStatementofApplicabilitythatcontainsthenecessarycontrols(see6.1.3b)andc))inclusions,whethertheyareimplementedornot,andthejustificationforexclusionsofcontrolsfromAnnexA;e)formulateaninformationsecurityrisktreatmentplan;andf)obtainriskowners’approvaloftheinformationsecurityrisktreatmentplanandacceptanceoftheresidualinformationsecurityrisks.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityrisktreatmentprocess.d)產(chǎn)生適用性聲明。適用性聲明要包含必要的控制措施（見6.1.3b）和理性說明（無論是否已實(shí)施）以及對附錄A控制措施刪減的合理性說明；f)獲得風(fēng)險(xiǎn)負(fù)責(zé)人對信息安全風(fēng)險(xiǎn)處置計(jì)劃以及接受信息安全殘余風(fēng)險(xiǎn)NOTETheinformationsecurityriskassessmentandtreatmentprocessinthisInternationalStandardalignswiththeprinciplesandgenericguidelinesprovidedinISO31000[5].注：本標(biāo)準(zhǔn)中的信息安全風(fēng)險(xiǎn)評估和處置過程可與ISO31000[5]中規(guī)定的原則和通用指南6.2Informationsecurityobjectivesandplanningtoachievethem6.2信息安全目標(biāo)和規(guī)劃實(shí)現(xiàn)Theorganizationshallestablishinformationsecurityobjectivesatrelevantfunctionsandlevels.Theinformationsecurityobjectivesshall:組織應(yīng)在相關(guān)職能和層次上建立信息安全目標(biāo)。a)beconsistentwiththeinformationsecuritypolicy;b)bemeasurable(ifpracticable);c)takeintoaccountapplicableinformationsecurityrequirements,andresultsfromriskassessmentandriskd)becommunicated;ande)beupdatedasappropriate.Theorganizationshallretaindocumentedinformationontheinformationsecurityobjectives.Whenplanninghowtoachieveitsinformationsecurityobjectives,theorganizationshalldetermine:f)whatwillbedone;g)whatresourceswillberequired;h)whowillberesponsible;i)whenitwillbecompleted;andj)howtheresultswillbeevaluated.a)與信息）；c)考慮適用的信息安全要求以及風(fēng)險(xiǎn)評估和風(fēng)險(xiǎn)處置結(jié)果；如何實(shí)現(xiàn)其信息安全目標(biāo)時，組織應(yīng)確7.1Resources7.1資源Theorganizationshalldetermineandprovidetheresourcesneededfortheestablishment,implementation,maintenanceandcontinualimprovementoftheinformationsecuritymanagement組織應(yīng)確定并提供建立、實(shí)施、保持和持續(xù)改進(jìn)信息安全管理體系所需的7.2Competence7.2能力Theorganizationshall:a)determinethenecessarycompetenceofperson(s)doingworkunderitscontrolthataffectsitsinformationsecurityperformance;b)ensurethatthesepersonsarappropriateeducation,training,orexperience;c)whereapplicable,takeactionstoacquirethenecessarycompetence,andevaluatetheeffectivenessoftheactionstaken;d)retainappropriatedocumentedinformationasevidenceofcompetence.a)確定從事影響信息安全執(zhí)行工作的人員在組織的控制下從事其工作的b)確保人員在適當(dāng)教育，培訓(xùn)和經(jīng)驗(yàn)的基礎(chǔ)上能夠勝任工作；c)適用時，采取措施來獲得必要的能力，并評價(jià)所采取措施的有效性；d)保留適當(dāng)?shù)奈募涗浶畔⒆鳛槟芰Ψ矫娴淖C據(jù)。NOTEApplicableactionsmayinclude,forexample:theprovisionoftrainingto,thementoringof,orreassignmentofcurrentemployees;orthehiringorcontractingofcompetentpersons.注：例如適當(dāng)措施可能包括為現(xiàn)有員工提供培訓(xùn)、對其進(jìn)行指導(dǎo)或重新分7.3Awareness7.3意識Personsdoingworkundertheorganization’scontrolshallbeawareof:a)theinformationsecuritypolicy;b)theircontributiontotheeffectivenessoftheinformationsecuritymanagementsystem,includingthebenefitsofimprovedinformationsecurityperformance;andc)theimplicationsofnotconformingwiththeinformationsecuritymanagementsystemrequirements.人員在組織的控制下從事其工作時應(yīng)意識到：b)他們對有效實(shí)施信息安全管理體系的貢獻(xiàn)，包括信息安全績效改進(jìn)后c)不符合信息安全管理體系要求可能的影響。7.4CommunicationTheorganizationshalldeterminetheneedexternalcommunicationsrelevanttotheinformationsecuritymanagementsystemincluding:a)onwhattocommunicate;b)whentocommunicate;c)withwhomtocommunicate;d)whoshallcommunicate;ande)theprocessesbywhichcommunicationshallbeeffected.組織應(yīng)確定有關(guān)信息安全管理體系在內(nèi)部和外b)什么時候溝通；c)跟誰7.5Documentedinformation7.5文件記錄信息7.5.1General7.5.1總則Theorganization’sinformationsecuritymanagementsystemshalla)documentedinformationrequiredbythisInternationalStandard;andb)documentedinformationdeterminedbytheorganizationasbeingnecessaryfortheeffectivenessoftheinformationsecuritymanagementsystem.組織的信息安全管理體系應(yīng)包括：b)組織為有效實(shí)施信息安全管理體系確定的必要的文件記錄信息。NOTETheextentofdocumentedinformationforaninformasecuritymanagementsystemcandifferfromoneorganizationtoanotherdueto:注：不同組織的信息安全管理體系文件記錄信息的詳略1)thesizeoforganizationanditstypeofprocesses,productsandservices;2)thecomplexityofprocessesandtheirinteractions;and3)thecompetenceofpersons.1)組織的規(guī)模及其活動、過程、產(chǎn)品和服務(wù)的類型；7.5.2Creatingandupdating7.5.2創(chuàng)建和更新Whencreatingandupdatingdocumentedinformationtheorganizationshallensureappropriate:a)identificationanddescription(e.g.atitle,date,author,orreferencenumber);b)format(e.g.language,softwareversion,graphics)andmediac)reviewandapprovalforsuitabilityandadequacy.創(chuàng)建和更新文件記錄信息時，組織應(yīng)確保適當(dāng)?shù)模篴)標(biāo)識和描述（例如：標(biāo)題、日期、作者或參考編號）；b)格式（例如：語言，軟件版本，圖表）和介質(zhì)（例如：紙質(zhì)介質(zhì)，電c)評審和批準(zhǔn)其適用性和充分性。7.5.3Controlofdocumentedinformation7.5.3文件記錄信息DocumentedinformationrequiredbytheinformationsecuritymanagementsystemandbythisInternationalStandardshallbecontrolledtoensure:a)itisavailableandsuitableforuse,whereandwhenitisneeded;andb)itisadequatelyprotected(e.g.fromlossofconfidentiality,improperuse,orlossofintegrity).信息安全管理體系和本標(biāo)準(zhǔn)所要求的文件記錄信息應(yīng)予以控制，以確保：a)無論何時何地需要，它都是可用并適合使用的；b)它被充分保護(hù)（例如避免喪失保密性、使用不當(dāng)或喪失完整性）。Forthecontrolofdocumentedinformation,theorganizationshalladdressthefollowingactivities,asapplicable:c)distribution,access,retrievalanduse;d)storageandpreservation,includingthepreservationoflegibility;e)controlofchanges(e.g.versioncontrolf)retentionanddisposition.對于文件記錄信息的控制，適用時，組織應(yīng)處理下列問題：）；Documentedinformationofexternalorigin,determinedbytheorganizationtobenecessaryfortheplanningandoperationoftheinformationsecuritymanagementsystem,shallbeidentifiedasappropriate,andcontrolled.組織為規(guī)劃和實(shí)施信息安全管理體系確定的必要的外部原始文件記錄信NOTEAccessimpliesadecisionregardingthepermissiontoviewthedocumentedinformationonly,orthepermissionauthoritytoviewandchangethedocumentedinformation,etc.8Operation8.1Operationalplanningandcontrol8.1運(yùn)行的規(guī)劃和控制Theorganizationshallplan,implementandcontroltheprocessesneededtomeetinformationsecurityrequirements,andtoimplementtheactionsdeterminedin6.1.Theorganizationshallalsoimplementplanstoachieveinformationsecurityobjectivesdeterminedin6.2.組織應(yīng)規(guī)劃、實(shí)施和控制滿足信息安全要求所需的過程，并實(shí)施6.1中確定的措施。組織還應(yīng)實(shí)施這些規(guī)劃來實(shí)現(xiàn)6.2中所確定的信息安全目標(biāo)。Theorganizationshallkeepdocumenextentnecessarytohaveconfidencethattheprocesseshavebeencarriedoutasplanned.Theorganizationshallcontrolplannedchangesandreviewtheconsequencesofunintendedchanges,takingactiontomitigateanyadverseeffects,asnecessary.Theorganizationshallensurethatoutsourcedprocessesaredeterminedandcontrolled.組織應(yīng)保持文件記錄信息達(dá)到必要的程度：8.2Informationsecurityriskassessment8.2信息安全風(fēng)險(xiǎn)評估Theorganizationshallperforminformationsecurityriskassessmentsatplannedintervalsorwhensignificantchangesestablishedin6.1.2a).考慮到6.1.2a）中建立的風(fēng)險(xiǎn)評估執(zhí)行準(zhǔn)則，組織應(yīng)按計(jì)劃的時間間隔執(zhí)行信息安全風(fēng)險(xiǎn)評估，當(dāng)重大變更被提出或發(fā)生時也應(yīng)執(zhí)行信息安全風(fēng)險(xiǎn)評估。Theorganizationshallretaindocumentedresultsoftheinformationsecurityriskassessments.組織應(yīng)保留信息安全風(fēng)險(xiǎn)評估結(jié)果的文件記錄信息。8.3Informationsecurityrisktreatment8.3信息安全風(fēng)險(xiǎn)處置Theorganizationshallimplementtheinformationtreatmentplan.Theorganizationshallretaindocumentedinforresultsoftheinformationsecurityrisktreatment.組織應(yīng)實(shí)施信息安全風(fēng)險(xiǎn)處置計(jì)劃。組織應(yīng)保留信息安全風(fēng)險(xiǎn)處置結(jié)果的文件記錄信息。9Performanceevaluation9績效評價(jià)9.1Monitoring,measurement,analysisandevaluation9.1監(jiān)視、測量、分析和評價(jià)Theorganizationshallevaluatetheinformationsecurityperformanceandtheeffectivenessoftheinformationsecuritymanagementsystem.Theorganizationshalldetermine:a)whatneedstobemonitoredandmeasured,includinginformationsecurityprocessesandcontrols;b)themethodsformonitoring,measurement,analysisandevaluation,asapplicable,toensurevalidresults;a)什么需要監(jiān)視和測量，包括信息安全過程和控制措施；b)監(jiān)視、測量、分析和評價(jià)的方法，適用時，確保結(jié)果有效；NOTEThemethodsselectedshouldproducecomparableandreproducibleresultstobeconsideredvalid.注：選擇的方法最好產(chǎn)生可比較和可再現(xiàn)的結(jié)果，這樣才能被認(rèn)為是有效的。c)whenthemonitoringandmeasuringshallbeperformed;d)whoshallmonitorandmeasure;e)whentheresultsfrommonitoringandmeasurementshallbeanalysedandevaluated;f)whoshallanalyseandevaluatetheseresults.Theorganizationshallretainappropriatedocumentedinformationasevidenceofthemonitoringandmeasurementresults.e)什么時候應(yīng)對監(jiān)視和測量的結(jié)果進(jìn)行分析和評價(jià)；視和測量結(jié)果的證據(jù)。9.2Internalaudit9.2內(nèi)部審核Theorganizationshallconductinternalauditsatplannedintervalstoprovideinformationonwhethertheinformationsecuritymanagementsystem:組織應(yīng)按計(jì)劃的時間間隔進(jìn)行內(nèi)部審核，以提供信息確定信息安全管理體系是否：a)符合1)theorganization’sownrequirementsforitsinformationsecuritymanagementsystem;2)therequirementsofthisInternationalStandard;1)組織自身b)iseffectivelyimplementedandmaintained.Theorganizationc)plan,establish,implementandmaintainanauditprogramme(s),includingthefrequency,methods,responsibilities,planningrequirementsandreporting.Theauditprogramme(s)shalltakeintoconsiderationtheimportanceoftconcernedandtheresultsofpreviousaudits;d)definetheauditcriteriaandscopeforeachaudit;e)selectauditorsandconductauditsthatensureobjectivityandtheimpartialityoftheauditprocess;relevantmanagement;andg)retaindocumentedinformationasevidenceoftheauditprogramme(s)andtheauditresults.b)得到有效的實(shí)施和保持。c)規(guī)劃、建立、實(shí)施和保持審核方案，包括頻次、方法、職責(zé)、計(jì)劃要求和報(bào)告。審核方案應(yīng)考慮所關(guān)注過程的重要性以及以往審核的結(jié)果；e)審核員的選擇和審核的實(shí)施應(yīng)確保審核過程的客觀性和公正性；g)保留文件記錄信息作為審核方案和審核結(jié)果的證據(jù)。9.3Managementreview9.3管理評審Topmanagementshallreviewtheorganization’sinformationsecuritymanagementsystematplannedintervalstoensureitscontinuingsuitability,adequacyandeffectiveness.Themanagementreviewshallincludeconsiderationof:管理者應(yīng)按計(jì)劃的時間間隔評審組織的信息安全管理體系，以確保其持續(xù)a)thestatusofactionsfrompreviousmanagementreviews;b)changesinexternalandinternalissuesthatarerelevanttotheinformationsecuritymanagementc)feedbackontheinformationsecurityperformance,including1)nonconformitiesandcorrectiveactions;2)monitoringandmeasurementresults;3)auditresults;4)fulfilmentofinformationsecurityobjectives;d)feedbackfrominterestedparties;e)resultsofriskassessmentandstatusofrisktreatmentplan;f)opportunitiesforcontinualimprovement.a)以b)與信息安全管理體系相關(guān)的外部和內(nèi)部問題的變更；c)信息安全績效的反饋，包括下列方面的趨勢：e)風(fēng)險(xiǎn)評估的結(jié)果和風(fēng)險(xiǎn)處置計(jì)劃的狀態(tài)；Theoutputsofthemanagementreviewshallincludedecisionsrelatedtocontinualimprovementopportunitiesandanyneedsforchangestotheinformationsecuritymanagementsystem.Theorganizationshallretaindocumentedinformationasevidenceoftheresultsofmanagementreviews.管理評審的輸出組織應(yīng)保留文件記錄信息作為管理評審結(jié)果的證據(jù)。10.1Nonconformityandcorrectiveaction10.1不符合和糾正措施Whenanonconformityoccurs,theorganizationshall:a)reacttothenonconformity,andasapplicable:2)dealwiththeconsequences;b)evaluatetheneedforactiontoeliminatethecausesofnonconformity,inorderthatitdoesnotrecuroroccurelsewhere,by:1)reviewingthenonconformity;2)determiningthecausesofthenonconformity;and3)determiningifsimilarnonconformitiesexist,orcouldpotentiallyoccur;b)為確保不符合不再發(fā)生或不在其他地方發(fā)生，通過下列方式評價(jià)消除3)確定是否存在或可能發(fā)生相似的不符合；c)implementanyactionneeded;d)reviewtheeffectivenessofanycorrectiveactiontaken;ande)makechangestotheinformationsecuritymanagementsystem,ifnecessary.Correctiveactionsshallbeappropriatetotheeffectsofthenonconformitiesencountered.Theorganizationshallretaindocumentedinformationasevidenceof:f)thenatureofthenonconformitiesandanysubsequentactionscorrectiveaction.c)實(shí)施e)必要時，對信息安全管理體系實(shí)施所有糾正措施的結(jié)果。10.2ContinualimprovementTheorganizationshallcontinuallyimprovethesuitability,adequacyandeffectivenessoftheinformationsecuritymanagementsystem.組織應(yīng)持續(xù)改進(jìn)信息安全管理體系的適宜性、充分性和有效性。TableA.1–ControlobjectivesandcontrolsA.5SecurityPoliciesA.5.1Managementdirectionforinformationsecurity信息安全管理指導(dǎo)Policiesforinformationsecurity信息bedefined,approvedbymanagement,publishedandcommunicatedtoemployeesandrelevantexternalThepoliciesforinformationsecurityspoliciesforreviewedatplannedintervalsorifsignifiinformationchangesoccurtoensuretheircontinuingA.6OrganisationofinformationsecurityA.6.1InternalorganisationInformationsecurityrolesSegregatioAllinformationsecurityresponsibilitiesshallbedefinedandallocated.Conflictingdutiesandareasofresponsibilitysha