ISO27001-2013-信息安全管理體系要求-中英對照版

ISO標(biāo)準(zhǔn)——IEC27001:2013信息安全管理體系——要求ReferencenumberISO/IEC27001:2013(E1范圍1Scope本國際標(biāo)準(zhǔn)規(guī)定了在組織背景下建立、實(shí)施、維護(hù)和持續(xù)改進(jìn)信息安全管理體系。本標(biāo)準(zhǔn)還包括信息安全風(fēng)險評估和處置要求,可裁剪以適用于組織。本國際標(biāo)準(zhǔn)的要求是通用的,適用于所有的組織,不考慮類型、規(guī)模和特征。當(dāng)組織聲稱符合本國際標(biāo)準(zhǔn)時,任何條款4-10的排除是不可接受的。ThisInternationalStandardspecifiestherequirementsforestablishing,implementing,maintainingandcontinuallyimprovinganinformationsecuritymanagementsystemwithinthecontextoftheorganization.ThisInternationalStandardalsoincludesrequirementsfortheassessmentandtreatmentofinformationsecurityriskstailoredtotheneedsoftheorganization.TherequirementssetoutinthisInternationalStandardaregenericandareintendedtobeapplicabletoallorganizations,regardlessoftype,sizeornature.ExcludinganyoftherequirementsspecifiedinClauses4to10isnotacceptablewhenanorganizationclaimsconformitytothisInternationalStandard.2規(guī)范性引用文件下列參考文件是本文件的標(biāo)準(zhǔn)參考,也是應(yīng)用本文件必不可缺的。對于標(biāo)注日期的引用文件,僅適用于引用版本。對于不標(biāo)注日期的引用文件,適用于最新版本的引用文件。ISO/IEC27000,信息技術(shù)—安全技術(shù)—信息安全管理體系-簡介和詞匯表。2NormativereferencesThefollowingdocuments,inwholeorinpart,arenormativelyreferencedinthisdocumentandareindispensableforitsapplication.Fordatedreferences,onlytheeditioncitedapplies.Forundatedreferences,thelatesteditionofthereferenceddocument(includinganyamendmentsapplies.ISO/IEC27000,Informationtechnology—Securitytechniques—Informationsecuritymanagementsystems—Overviewandvocabulary3術(shù)語和定義ISO27000的術(shù)語和定義適用于本文件3TermsanddefinitionsForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000apply.4.組織環(huán)境4.1理解組織及其環(huán)境組織應(yīng)當(dāng)確定與信息安全管理體系目的相關(guān)聯(lián)及影響其實(shí)現(xiàn)預(yù)期結(jié)果能力的外部及內(nèi)部環(huán)境。注:確定這些問題參考ISO31000:2009中5.3條款的建立組織外部和內(nèi)部環(huán)境;4.2理解相關(guān)方的需求和期望組織應(yīng)確定:a信息安全管理體系的利益相關(guān)方;b這些利益相關(guān)方的信息安全相關(guān)要求;注:利益相關(guān)方的要求可能包括法律、法規(guī)要求和合同責(zé)任。4.3確定信息安全管理體系范圍組織應(yīng)確定信息安全管理體系的邊界和應(yīng)用性,以建立其范圍。當(dāng)確定此范圍時,組織應(yīng)考慮:a4.1所提及的外部和內(nèi)部問題;b4.2所提及的要求;c接口和組織執(zhí)行的活動之間的依賴關(guān)系,以及其他組織執(zhí)行的活動。范圍應(yīng)成為文件化信息。4.4信息安全管理體系組織應(yīng)按照本國際標(biāo)準(zhǔn)的要求建立、實(shí)施、維護(hù)和持續(xù)改進(jìn)信息安全管理體系。4Contextoftheorganization4.1UnderstandingtheorganizationanditscontextTheorganizationshalldetermineexternalandinternalissuesthatarerelevanttoitspurposeandthataffectitsabilitytoachievetheintendedoutcome(sofitsinformationsecuritymanagementsystem.NOTE:DeterminingtheseissuesreferstoestablishingtheexternalandinternalcontextoftheorganizationconsideredinClause5.3ofISO31000:2009.4.2UnderstandingtheneedsandexpectationsofinterestedpartiesTheorganizationshalldetermine:ainterestedpartiesthatarerelevanttotheinformationsecuritymanagementsystem;andbtherequirementsoftheseinterestedpartiesrelevanttoinformationsecurity.NOTE:Therequirementsofinterestedpartiesmayincludelegalandregulatoryrequirementsandcontractualobligations.4.3DeterminingthescopeoftheinformationsecuritymanagementsystemTheorganizationshalldeterminetheboundariesandapplicabilityoftheinformationsecuritymanagementsystemtoestablishitsscope.Whendeterminingthisscope,theorganizationshallconsider:atheexternalandinternalissuesreferredtoin4.1;btherequirementsreferredtoin4.2;andcinterfacesanddependenciesbetweenactivitiesperformedbytheorganisation,andthosethatareperformedbyotherorganisations.Thescopeshallbeavailableasdocumentedinformation.4.4InformationsecuritymanagementsystemTheorganizationshallestablish,implement,maintainandcontinuallyimproveaninformationsecuritymanagementsystem,inaccordancewiththerequirementsofthisInternationalStandard.5.領(lǐng)導(dǎo)力5.1領(lǐng)導(dǎo)力和承諾最高管理者應(yīng)當(dāng)展示關(guān)注信息安全管理體系的領(lǐng)導(dǎo)力和承諾,通過:a確保建立信息安全方針和信息安全目標(biāo),并與組織的戰(zhàn)略方向兼容;b確保信息安全管理體系要求融合到組織的流程中;5Leadership5.1LeadershipandcommitmentTopmanagementshalldemonstrateleadershipandcommitmentwithrespecttotheinformationsecuritymanagementsystemby:aensuringtheinformationsecuritypolicyandtheinformationsecurityobjectivesareestablishedandarecompatiblewiththestrategicdirectionoftheorganization;bensuringtheintegrationoftheinformationsecuritymanagementc確保信息安全體系所需要的資源;d溝通有效信息安全管理的重要性,并符合信息安全管理體系的要求;e確保信息安全管理體系達(dá)到預(yù)期的成果;f指導(dǎo)和支持員工對信息安全管理體系的有效性做出貢獻(xiàn);g促進(jìn)持續(xù)改進(jìn);h支持其他相關(guān)管理角色來展示其領(lǐng)導(dǎo)力,當(dāng)適用其職責(zé)范圍時。5.2方針最高管理層應(yīng)建立一個信息安全方針:a與組織的目標(biāo)相關(guān)適應(yīng);b包括信息安全目標(biāo)(見6.2,或提供制定信息安全目標(biāo)的框架;c包括滿足適用信息安全要求的承諾;d包括信息安全管理體系持續(xù)改進(jìn)的承諾;信息安全方針應(yīng):e成為文件化的信息;f在組織內(nèi)部溝通;g適當(dāng)時,提供給利益相關(guān)方;5.3組織角色、職責(zé)和權(quán)限最高管理層應(yīng)確保信息安全相關(guān)角色的職責(zé)和權(quán)限的分配和溝通。最高管理層應(yīng)指定責(zé)任和授權(quán),以:a確保信息安全管理體系符合本國際標(biāo)準(zhǔn)的要求;b將信息安全管理體系績效報告給最高管理層;注:最高管理層可以為組織內(nèi)信息安全管理體系績效報告指派職責(zé)和授權(quán)。systemrequirementsintotheorganization’sprocesses;censuringthattheresourcesneededfortheinformationsecuritymanagementsystemareavailable;dcommunicatingtheimportanceofeffectiveinformationsecuritymanagementandconformingtotheinformationsecuritymanagementsystemrequirements;eensuringthattheinformationsecuritymanagementsystemachievesitsintendedoutcome(s;fdirectingandsupportingpersonstocontributetotheeffectivenessoftheinformationsecuritymanagementsystem;gpromotingcontinualimprovement;andhsupportingotherrelevantmanagementrolestodemonstratetheirleadershipasitappliestotheirareasofresponsibility.5.2PolicyTopmanagementshallestablishaninformationsecuritypolicythat:aisappropriatetothepurposeoftheorganization;bincludesinformationsecurityobjectives(see6.2orprovidestheframeworkforsettinginformationsecurityobjectives;cincludesacommitmenttosatisfyapplicablerequirementsrelatedtoinformationsecurity;anddincludesacommitmenttocontinualimprovementoftheinformationsecuritymanagementsystem.Theinformationsecuritypolicyshall:ebeavailableasdocumentedinformation;fbecommunicatedwithintheorganization;andgbeavailabletointerestedparties,asappropriate.5.3Organizationalroles,responsibilitiesandauthoritiesTopmanagementshallensurethattheresponsibilitiesandauthoritiesforrolesrelevanttoinformationsecurityareassignedandcommunicated.Topmanagementshallassigntheresponsibilityandauthorityfor:aensuringthattheinformationsecuritymanagementsystemconformstotherequirementsofthisInternationalStandard;andbreportingontheperformanceoftheinformationsecuritymanagementsystemtotopmanagement.NOTE:Topmanagementmayalsoassignresponsibilitiesandauthoritiesforreportingperformanceoftheinformationsecuritymanagementsystemwithintheorganization.6.策劃6.1針對風(fēng)險和機(jī)會所采取的措施6.1.1總則當(dāng)進(jìn)行信息安全管理體系策劃時,組織應(yīng)6Planning6.1Actionstoaddressrisksandopportunities6.1.1GeneralWhenplanningfortheinformationsecuritymanagementsystem,theorganization當(dāng)考慮在4.1條款中提到的事宜及4.2條款中規(guī)定的要求,并確定需要關(guān)注的風(fēng)險和機(jī)會,以:a確保信息安全管理體系能夠?qū)崿F(xiàn)其預(yù)期結(jié)果b預(yù)防或降低不希望得到的影響c實(shí)現(xiàn)持續(xù)改進(jìn)組織應(yīng)當(dāng)計劃:d針對這些風(fēng)險和機(jī)會所采取的措施,以及e如何1將這些措施整合進(jìn)信息安全管理體系過程之中,2評價這些措施的有效性6.1.2信息安全風(fēng)險評估組織應(yīng)定義和應(yīng)用信息安全風(fēng)險評估流程,以:a建立和維護(hù)信息安全標(biāo)準(zhǔn),包括1風(fēng)險接受準(zhǔn)則;2執(zhí)行信息安全風(fēng)險評估準(zhǔn)則;b確?？芍貜?fù)的信息安全風(fēng)險評估生成一致、有效和可比較的結(jié)果c識別信息安全風(fēng)險1應(yīng)用信息安全風(fēng)險評估流程,識別ISMS范圍內(nèi)信息保密性、完整性和可用性損失的風(fēng)險;2識別風(fēng)險所有者;d分析信息安全風(fēng)險1評估在6.1.2c1中識別風(fēng)險導(dǎo)致的潛在后果2評估在6.1.2c1中識別風(fēng)險發(fā)生的可能性3確定風(fēng)險等級e評估信息安全風(fēng)險1風(fēng)險分析結(jié)果與6.1.2a中建立的風(fēng)險準(zhǔn)則進(jìn)行比較2為風(fēng)險處置,建立風(fēng)險優(yōu)先級和分析組織應(yīng)保留文件化的信息安全風(fēng)險評估流程信息shallconsidertheissuesreferredtoin4.1andtherequirementsreferredtoin4.2anddeterminetherisksandopportunitiesthatneedtobeaddressedto:aensuretheinformationsecuritymanagementsystemcanachieveitsintendedoutcome(s;bprevent,orreduce,undesiredeffects;andcachievecontinualimprovement.Theorganizationshallplan:dactionstoaddresstheserisksandopportunities,andehowto1integrateandimplementtheactionsintoitsinformationsecuritymanagementsystemprocesses;and2evaluatetheeffectivenessoftheseactions.6.1.2InformationsecurityriskassessmentTheorganizationshalldefineandapplyaninformationsecurityriskassessmentprocessthat:aestablishesandmaintainsinformationsecuritycriteriathatinclude:1theriskacceptancecriteria;and2criteriaforperforminginformationsecurityriskassessments;bensuresthatrepeatedinformationsecurityriskassessmentsproduceconsistent,validandcomparableresults.cIdentifytheinformationsecurityrisks.1Applytheinformationsecurityriskassessmentprocesstoidentifyrisksassociatedwiththelossofconfidentiality,integrityandavailabilityforinformationwithinthescopeoftheinformationsecuritymanagementsystem;and2Identifytheriskowners.dAnalysestheinformationsecurityrisks.1Assessthepotentialconsequencesthatwouldresultiftherisksidentifiedin6.1.2c1weretomaterialize.2Assesstherealisticlikelihoodoftheoccurrenceoftherisksidentifiedin6.1.2c1.and3Determinethelevelsofrisk.eEvaluatetheinformationsecurityrisks.1Comparetheresultsofriskanalysiswiththeriskcriteriaestablishedin6.1.2a;and2prioritizetheanalysedrisksforrisktreatment.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityriskassessmentprocess.6.1.3信息安全風(fēng)險處置組織應(yīng)定義和應(yīng)用信息安全風(fēng)險處置流程,以:a選擇適當(dāng)?shù)男畔踩L(fēng)險處置選項(xiàng),考慮風(fēng)險評估結(jié)果;b確定實(shí)施所選信息安全風(fēng)險處置選項(xiàng)所需的所有控制措施;注:組織可設(shè)計所需的控制措施,或從任何來源中識別它們c比較6.1.3b中與附錄A中的措施項(xiàng),確認(rèn)沒有忽略必要的控制項(xiàng);注1:附錄A包含控制目標(biāo)和控制措施的完整列表。本國際標(biāo)準(zhǔn)的用戶應(yīng)確保附錄A的重要控制措施沒有被忽略注2:控制目標(biāo)隱含在所選擇的控制項(xiàng)中。附錄A中的控制目標(biāo)和控制措施并不全面,可能還需要額外的控制目標(biāo)和控制措施。d制作適用性聲明,包括必要的控制措施(見6.1.3b和c和選擇的理由,無論實(shí)施與否,應(yīng)說明刪減附錄A中控制措施的理由;e制定信息安全風(fēng)險處置計劃;f獲得風(fēng)險所有者批準(zhǔn)信息安全風(fēng)險處置計劃和殘余信息安全風(fēng)險接受標(biāo)準(zhǔn);組織應(yīng)保留信息安全風(fēng)險處置過程的文件化信息。注:本國際標(biāo)準(zhǔn)中信息安全風(fēng)險評估和處置過程與ISO31000中的原則和通用指南一致。6.2信息安全目標(biāo)及實(shí)現(xiàn)其目標(biāo)的策劃組織應(yīng)當(dāng)在相關(guān)職能及層次上建立信息安全目標(biāo)。信息安全目標(biāo)應(yīng):a與信息安全方針保持一致;b是可測量的(如果可行;c考慮適用的信息安全要求,以及風(fēng)險評估和風(fēng)險處置的結(jié)果;d是可溝通的;6.1.3InformationsecurityrisktreatmentTheorganizationshalldefineandapplyaninformationsecurityrisktreatmentprocessto:aselectappropriateinformationsecurityrisktreatmentoptions,takingaccountoftheriskassessmentresults;bdetermineallcontrolsthatarenecessarytoimplementtheinformationsecurityrisktreatmentoption(schosen;NOTE:Organizationscandesigncontrolsasrequired,oridentifythemfromanysource.ccomparethecontrolsdeterminedin6.1.3babovewiththoseinAnnexAandverifythatnonecessarycontrolshavebeenomitted;NOTE1:AnnexAcontainsacomprehensivelistofcontrolobjectivesandcontrols.UsersofthisInternationalStandardaredirectedtoAnnexAtoensurethatnoimportantcontrolareoverlookedNOTE2:Controlobjectivesareimplicitlyincludedinthecontrolschosen.ThecontrolobjectivesandcontrolslistedinAnnexAarenotexhaustiveandadditionalcontrolobjectivesandcontrolsmayalsobeneeded.dproduceaStatementofApplicabilitythatcontainsthenecessarycontrols(see6.1.3bandcandjustificationforinclusions,whethertheyareimplementedornot,andthejustificationforexclusionsofcontrolsinAnnexA;eformulateaninformationsecurityrisktreatmentplan;andfobtainriskowner’sapprovaloftheinformationsecurityrisktreatmentplanandtheacceptanceoftheresidualinformationsecurityrisks.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityrisktreatmentprocess.NOTE:TheinformationsecurityriskassessmentandtreatmentprocessinthisInternationalStandardalignswiththeprinciplesandgenericguidelinesprovidedinISO31000.6.2InformationsecurityobjectivesandplaningtoachievethemTheorganizationshallestablishinformationsecurityobjectivesatrelevantfunctionsandlevels.Theinformationsecurityobjectivesshall:abeconsistentwiththeinformationsecuritypolicy;bbemeasurable(ifpracticable;ctakeintoaccountapplicableinformationsecurityrequirements,andresultsfromriskassessmentandtreatmentresults;dbecommunicated,ande能適時更新;組織應(yīng)當(dāng)保持信息安全目標(biāo)的文件化信息。當(dāng)對實(shí)現(xiàn)其信息安全目標(biāo)進(jìn)行策劃時,組織應(yīng)當(dāng)確定:f將要做什么g將需要什么資源h將由誰來做i將在何時完成j將如何對結(jié)果進(jìn)行評價ebeupdatedasappropriate.Theorganizationshallretaindocumentedinformationontheinformationsecurityobjectives.Whenplanninghowtoachieveitsinformationsecurityobjectives,theorganizationshalldetermine:fwhatwillbedone;gwhatresourceswillberequired;hwhowillberesponsible;iwhenitwillbecompleted;andjhowtheresultswillbeevaluated.7.支持7.1資源組織應(yīng)確定和提供信息安全管理體系的建立、實(shí)施、維護(hù)和持續(xù)改進(jìn)所需的資源。7.2能力組織應(yīng):a確定影響組織信息安全績效的員工在ISMS管控中工作的必備能力;b確保這些員工在適當(dāng)?shù)呐嘤?、培?xùn)和經(jīng)驗(yàn)的基礎(chǔ)上是能勝任的;c適當(dāng)時,采取行動獲取所需能力,并評估所采取行動的有效性;d保留適當(dāng)文件化信息作為證據(jù);注:適當(dāng)?shù)男袆涌赡馨?如提供培訓(xùn)、指導(dǎo)、重新指派現(xiàn)有員工、或聘用或外包有能力的員工。7.3意識在組織控制中工作的人員應(yīng)了解:a信息安全方針;b信息安全管理體系有效性的貢獻(xiàn),包括提高信息安全績效的收益;c不符合信息安全管理體系要求的影響;7.4溝通組織應(yīng)當(dāng)確定與信息安全管理體系相關(guān)內(nèi)部和外部溝通需求,包括:a需要溝通內(nèi)容b何時進(jìn)行溝通7Support7.1ResourcesTheorganizationshalldetermineandprovidetheresourcesneededfortheestablishment,implementation,maintenanceandcontinualimprovementoftheinformationsecuritymanagementsystem.7.2CompetenceTheorganizationshall:adeterminethenecessarycompetenceofperson(sdoingworkunderitscontrolthataffectsitsinformationsecurityperformance;bensurethatthesepersonsarecompetentonthebasisofappropriateeducation,training,orexperience;cwhereapplicable,takeactionstoacquirethenecessarycompetence,andevaluatetheeffectivenessoftheactionstaken;anddretainappropriatedocumentedinformationasevidenceofcompetence.NOTE:Applicableactionsmayinclude,forexample:theprovisionoftrainingto,thementoringof,orthere-assignmentofcurrentemployees;orthehiringorcontractingofcompetentpersons.7.3AwarenessPersonsdoingworkundertheorganization’scontrolshallbeawareof:atheinformationsecuritypolicy;btheircontributiontotheeffectivenessoftheinformationsecuritymanagementsystem,includingthebenefitsofimprovedinformationsecurityperformance;andctheimplicationsofnotconformingwiththeinformationsecuritymanagementsystemrequirements.7.4CommunicationTheorganizationshalldeterminetheneedforinternalandexternalcommunicationsrelevanttotheinformationsecuritymanagementsystemincluding:aonwhattocommunicate;c與誰進(jìn)行溝通d誰應(yīng)該溝通e有效溝通的流程7.5文件化信息7.5.1總則組織的信息安全管理體系應(yīng)包括:a本國際標(biāo)準(zhǔn)所需要的文件化信息;b組織確定信息安全管理體系有效性所需要的信息;注:不同組織的信息安全管理體系文件化信息的程度取決于:1組織的規(guī)模、其活動類型、流程、產(chǎn)品和服務(wù);2流程及其他交互的復(fù)雜性;3人員的能力;7.5.2創(chuàng)建和更新當(dāng)創(chuàng)建和更新文件化信息時,組織應(yīng)確保應(yīng)當(dāng)?shù)?a識別和描述(如標(biāo)題、日期、作者或參考號碼;b格式(如語言、軟件版本、圖形和媒體(如紙張、電子;c評估和批準(zhǔn)適當(dāng)性和充分性。7.5.3文件化信息控制信息安全管理體系和本國際標(biāo)準(zhǔn)所要求的文件化信息應(yīng)被管控,以確保:a需要時,文件是可用和適用的;b得到充分的保護(hù)(如保密性喪失、不當(dāng)使用、或完整性喪失;對于文件化信息的控制,組織應(yīng)制定下列活動(如適用:c分配、訪問、檢索和使用;d存儲和保存,包括易讀性的保存;bwhentocommunicate;cwithwhomtocommunicate;dwhoshallcommunicate;andetheprocessesbywhichcommunicationshallbeeffected.7.5Documentedinformation7.5.1GeneralTheorganization’sinformationsecuritymanagementsystemshallinclude:adocumentedinformationrequiredbythisInternationalStandard;andbdocumentedinformationdeterminedbytheorganizationasbeingnecessaryfortheeffectivenessoftheinformationsecuritymanagementsystem.NOTE:Theextentofdocumentedinformationforaninformationsecuritymanagementsystemcandifferfromoneorganizationtoanotherdueto:1thesizeoforganizationanditstypeofactivities,processes,productsandservices;2thecomplexityofprocessesandtheirinteractions;and3thecompetenceofpersons.7.5.2CreatingandupdatingWhencreatingandupdatingdocumentedinformationtheorganizationshallensureappropriate:aidentificationanddescription(e.g.atitle,date,author,orreferencenumber;bformat(e.g.language,softwareversion,graphicsandmedia(e.g.paper,electronic;andcreviewandapprovalforsuitabilityandadequacy.7.5.3ControlofdocumentedinformationDocumentedinformationrequiredbytheinformationsecuritymanagementsystemandbythisInternationalStandardshallbecontrolledtoensure:aitisavailableandsuitableforuse,whereandwhenitisneeded;andbitisadequatelyprotected(e.g.fromlossofconfidentiality,improperuse,orlossofintegrity.Forthecontrolofdocumentedinformation,theorganizationshalladdressthefollowingactivities,asapplicable:cdistribution,access,retrievalanduse;dstorageandpreservation,includingthepreservationoflegibility;e變更管理(如版本控制;f保留和處置;組織信息安全管理體系的規(guī)劃和運(yùn)作所需的外來文件化信息,應(yīng)被適當(dāng)?shù)淖R別和管理;注:訪問表示有權(quán)查看文件化信息,或獲得權(quán)限或授權(quán)以查看和變更文件化信息等;econtrolofchanges(e.g.versioncontrol;andfretentionanddisposition.Documentedinformationofexternalorigin,determinedbytheorganizationtobenecessaryfortheplanningandoperationoftheinformationsecuritymanagementsystem,shallbeidentifiedasappropriate,andcontrolled.NOTE:Accessimpliesadecisionregardingthepermissiontoviewthedocumentedinformationonly,orthepermissionandauthoritytoviewandchangethedocumentedinformation,etc.8.運(yùn)行8.1運(yùn)行策劃和控制組織應(yīng)策劃、實(shí)施和控制滿足信息安全要求的流程,并實(shí)施在6.1中規(guī)定的措施。組織還應(yīng)實(shí)施計劃,以實(shí)現(xiàn)信息安全在6.2中確定的目標(biāo)。組織應(yīng)保存相關(guān)文件化信息,以保證流程已經(jīng)按照計劃實(shí)施。組織應(yīng)控制計劃變更,評審非計劃變更的后果,如需要,采取適當(dāng)措施減輕不良影響;組織應(yīng)確保外包活動被確定和受控。8.2信息安全風(fēng)險評估組織應(yīng)在定期或發(fā)生重大變化時執(zhí)行信息安全風(fēng)險評估,將6.1.2中建立的標(biāo)準(zhǔn)納入考慮范圍。組織應(yīng)保留信息安全風(fēng)險評估結(jié)果的相關(guān)文件化信息。8.3信息安全風(fēng)險處置組織應(yīng)實(shí)施信息安全風(fēng)險處置計劃。組織應(yīng)保留信息安全風(fēng)險處置結(jié)果的文件化信息。8Operation8.1OperationalplanningandcontrolTheorganizationshallplan,implementandcontroltheprocessesneededtomeetinformationsecurityrequirements,andtoimplementtheactionsdeterminedin6.1.Theorganizationshallalsoimplementplanstoachieveinformationsecurityobjectivesdeterminedin6.2.Theorganizationshallkeepdocumentedinformationtotheextentnecessarytohaveconfidencethattheprocesseshavebeencarriedoutasplanned.Theorganizationshallcontrolplannedchangesandreviewtheconsequencesofunintendedchanges,takingactiontomitigateanyadverseeffects,asnecessary.Theorganizationshallensurethatoutsourcedprocessesaredeterminedandcontrolled.8.2InformationsecurityriskassessmentTheorganizationshallperforminformationsecurityriskassessmentsatplannedintervalsorwhensignificantchangesareproposedoroccur,takingaccountofthecriteriaestablishedin6.1.2a.Theorganizationshallretaindocumentedinformationoftheresultsoftheinformationsecurityriskassessments.8.3InformationsecurityrisktreatmentTheorganizationshallimplementtheinformationsecurityrisktreatmentplan.Theorganizationshallretaindocumentedinformationoftheresultsoftheinformationsecurityrisktreatment.9.績效評價9.1監(jiān)視、測量、分析和評價組織應(yīng)評估信息安全績效和信息安全管理體系的有效性。組織應(yīng)當(dāng)確定:a什么需要監(jiān)控和測量,包括信息安全流程和控制9Performanceevaluation9.1Monitoring,measurement,analysisandevaluationTheorganizationshallevaluatetheinformationsecurityperformanceandtheeffectivenessoftheinformationsecuritymanagementsystem.Theorganizationshalldetermine:awhatneedstobemonitoredandmeasured,includinginformationsecurityprocessesandcontrols;b采用什么適宜方法來進(jìn)行監(jiān)控、測量、分析和評價,以確保結(jié)果有效注:生成可比較和可重復(fù)結(jié)果的所選方法被認(rèn)為是有效的c何時應(yīng)當(dāng)進(jìn)行監(jiān)控和測量d誰執(zhí)行監(jiān)控和測量e何時應(yīng)當(dāng)對監(jiān)控和測量結(jié)果進(jìn)行分析和評價f誰執(zhí)行分析和評估結(jié)果組織應(yīng)當(dāng)保持適當(dāng)?shù)奈募畔⒆鳛楸O(jiān)控和測量結(jié)果的證據(jù)。9.2內(nèi)部審核組織應(yīng)按照計劃的時間間隔進(jìn)行內(nèi)部審核,以確定信息安全管理體系:a符合1組織自身信息安全管理體系的要求;2本國際標(biāo)準(zhǔn)的要求b有效的實(shí)施和維護(hù);組織應(yīng):c計劃、建立、實(shí)施和維護(hù)審核方案,包括頻率、方法、職責(zé)、規(guī)劃要求和報告。審核方案應(yīng)考慮相關(guān)過程和以往審核結(jié)果的重要性;d定義每次審核準(zhǔn)則和范圍;e選擇審核員和執(zhí)行審核,確保審核過程的客觀和公正;f確保審核結(jié)果報告提交相關(guān)管理層;g保留審核方案和審核結(jié)果的文件化信息;9.3管理評審管理者應(yīng)按計劃的時間間隔評審組織的信息安全管理體系,以確保其持續(xù)的適宜性、充分性和有效性。管理評審應(yīng)考慮:a以往管理評審措施的狀態(tài);b信息安全管理體系相關(guān)的內(nèi)外部變化;c信息安全績效的反饋,包括:bthemethodsformonitoring,measurement,analysisandevaluation,asapplicable,toensurevalidresults;NOTE:Themethodsselectedshouldproducecomparableandreproducibleresultstobeconsideredvalid.cwhenthemonitoringandmeasuringshallbeperformed;dwhoshallmonitorandmeasure;ewhentheresultsfrommonitoringandmeasurementshallbeanalysedandevaluated;andfwhoshallanalyseandevaluatetheseresults.Theorganizationshallretainappropriatedocumentedinformationasevidenceofthemonitoringandmeasurementresults.9.2InternalauditTheorganizationshallconductinternalauditsatplannedintervalstoprovideinformationonwhethertheinformationsecuritymanagementsystem:aconformsto1theorganization’sownrequirementsforitsinformationsecuritymanagementsystem;and2therequirementsofthisInternationalStandard;biseffectivelyimplementedandmaintained.Theorganizationshall:cplan,establish,implementandmaintainanauditprogramme(s,includingthefrequency,methods,responsibilities,planningrequirementsandreporting.Theauditprogramme(sshalltakeintoconsiderationtheimportanceoftheprocessesconcernedandtheresultsofpreviousaudits;ddefinetheauditcriteriaandscopeforeachaudit;eselectauditorsandconductauditstoensureobjectivityandtheimpartialityoftheauditprocess;fensurethattheresultsoftheauditsarereportedtorelevantmanagement;andgretaindocumentedinformationasevidenceoftheauditprogramme(sandtheauditresults.9.3ManagementreviewTopmanagementshallreviewtheorganization'sinformationsecuritymanagementsystematplannedintervalstoensureitscontinuingsuitability,adequacyandeffectiveness.Themanagementreviewshallincludeconsiderationof:athestatusofactionsfrompreviousmanagementreviews;bchangesinexternalandinternalissuesthatarerelevanttotheinformationsecuritymanagementsystem;cfeedbackontheinformationsecurityperformance,including1不符合和糾正措施;2監(jiān)控和測量結(jié)果;3審核結(jié)果;4信息安全目標(biāo)的實(shí)現(xiàn);d相關(guān)方反饋;e風(fēng)險評估結(jié)果和風(fēng)險處置計劃的狀態(tài);f持續(xù)改進(jìn)的機(jī)會;管理評審的輸出應(yīng)包括持續(xù)改進(jìn)機(jī)會和任何信息安全管理體系變更所需的相關(guān)決定;組織應(yīng)保留管理評審結(jié)果的文件化信息作為證據(jù);trendsin:1nonconformitiesandcorrectiveactions;2monitoringandmeasurementresults;3auditresults;and4fulfilmentofinformationsecurityobjectives;dfeedbackfrominterestedparties;eresultsofriskassessmentandstatusofrisktreatmentplan;andfopportunitiesforcontinualimprovement.Theoutputsofthemanagementreviewshallincludedecisionsrelatedtocontinualimprovementopportunitiesandanyneedsforchangestotheinformationsecuritymanagementsystem.Theorganizationshallretaindocumentedinformationasevidenceoftheresultsofmanagementreviews.10.改進(jìn)10.1不合格和糾正措施當(dāng)出現(xiàn)不符合項(xiàng)時,組織應(yīng):a對不符合項(xiàng)作出反應(yīng),適用時:1采取措施控制和糾正;2處理后果;b評估采取措施的必要性,以消除不符合項(xiàng)的原因,使其不再發(fā)生或在其他地方發(fā)生,通過:1評審不符合項(xiàng);2確定不符合原因;3確定類似不符合性存在,或發(fā)生的可能;c實(shí)施所需的任何措施;d評審已采取糾正措施的有效性;e如需要,變更信息安全管理體系;糾正措施應(yīng)適當(dāng)?shù)挠绊懖环享?xiàng);組織應(yīng)保留文件化信息,作為下列證據(jù):f不符合項(xiàng)的特征和任何后續(xù)采取的措施;g任何糾正措施的結(jié)果;10.2持續(xù)改進(jìn)組織應(yīng)持續(xù)提高信息安全管理體系的適宜性、充分性和有效性;10Improvement10.1NonconformityandcorrectiveactionWhenanonconformityoccurs,theorganizationshall:areacttothenonconformity,andasapplicable:1takeactiontocontrolandcorrectit;and2dealwiththeconsequences;bevaluatetheneedforactiontoeliminatethecausesofnonconformity,inorderthatitdoesnotrecuroroccurelsewhere,by:1reviewingthenonconformity;2determiningthecausesofthenonconformity;and3determiningifsimilarnonconformitiesexist,orcouldpotentiallyoccur;cimplementanyactionneeded;dreviewtheeffectivenessofanycorrectiveactiontaken;andemakechangestotheinformationsecuritymanagementsystem,ifnecessary.Correctiveactionsshallbeappropriatetotheeffectsofthenonconformitiesencountered.Theorganizationshallretaindocumentedinformationasevidenceof:fthenatureofthenonconformitiesandanysubsequentactionstaken,andgtheresultsofanycorrectiveaction.10.2ContinualimprovementTheorganizationshallcontinuallyimprovethesuitability,adequacyandeffectivenessoftheinformationsecuritymanagementsystem.附錄A(引用控制目標(biāo)和控制措施表A.1所列的控制目標(biāo)和控制措施是直接源自并與ISO/IEC27002:2013第5到18章一致,并運(yùn)用于條款6.1.3的環(huán)境下。AnnexA(normativeReferencecontrolobjectivesandcontrolsThecontrolobjectivesandcontrolslistedinTableA.1aredirectlyderivedfromandalignedwiththoselistedinISO/IEC27002:2013Clauses5to18andaretobeusedincontextwithClause6.1.3.A.5安全方針A.5InformationsecuritypoliciesA.5.1管理信息安全方向控制目標(biāo):依據(jù)業(yè)務(wù)要求和相關(guān)法律法規(guī)提供管理指導(dǎo)并支持信息安全。A.5.1ManagementdirectionforinformationsecurityObjective:Toprovidemanagementdirectionandsupportforinformationsecurityinaccordancewithbusinessrequirementsandrelevantlawsandregulations.A.5.1.1信息安全方針控制措施一系列信息安全方針應(yīng)被定義、并由管理者批準(zhǔn)、發(fā)布并傳達(dá)給員工和外部相關(guān)方。A.5.1.2信息安全方針評審控制措施宜按計劃的時間間隔或當(dāng)重大變化發(fā)生時進(jìn)行信息安全方針評審,以確保它持續(xù)的適宜性、充分性和有效性。A.5.1.1PoliciesforinformationsecurityControlAsetofpoliciesforinformationsecurityshallbedefined,approvedbymanagement,publishedandcommunicatedtoemployeesandrelevantexternalpartiesA.5.1.2ReviewofthepoliciesforinformationsecurityControlThepoliciesforinformationsecurityshallbereviewedatplannedintervalsorifsignificantchangesoccurtoensuretheircontinuingsuitability,adequacyandeffectivenessA.6信息安全組織A.6OrganizationofinformationsecurityA.6.1內(nèi)部組織控制目標(biāo):建立管理架構(gòu),啟動和控制信息安全在組織內(nèi)的實(shí)施;A.6.1InternalorganizationObjective:ToestablishamanagementframeworktoinitiateandcontroltheimplementationandoperationofinformationsecuritywithintheorganizationA.6.1.1信息角色和職責(zé)控制措施所有信息安全職責(zé)應(yīng)被定義和分配;A.6.1.2責(zé)任分割控制措施沖突責(zé)任及職責(zé)范圍加以分割,以降低未授權(quán)或無意識的修改或者不當(dāng)使用組織資產(chǎn)的機(jī)會;A.6.1.3與政府部門的聯(lián)系控制措施應(yīng)保持與政府相關(guān)部門的適當(dāng)聯(lián)系;A.6.1.4與特定利益集團(tuán)的聯(lián)系控制措施應(yīng)保持與特定利益集團(tuán)、其他安全專家組和專業(yè)協(xié)會的適當(dāng)聯(lián)系;A.6.1.5項(xiàng)目管理中的信息安全控制措施無論項(xiàng)目類型,項(xiàng)目管理中均應(yīng)描述信息安全;A.6.1.1InformationsecurityrolesandresponsibilitiesControlAllinformationsecurityresponsibilitiesshallbedefinedandallocatedA.6.1.2SegregationofdutiesControlConflictingdutiesandareasofresponsibilityshallbesegregatedtoreduceopportunitiesforunauthorizedorunintentionalmodificationormisuseoftheorganization’sassets.A.6.1.3ContactwithauthoritiesControlAppropriatecontactswithrelevantauthoritiesshallbemaintainedA.6.1.4ContactwithspecialinterestgroupsControlAppropriatecontactswithspecialinterestgroupsorotherspecialistsecurityforumsandprofessionalassociationsshallbemaintainedA.6.1.5InformationsecurityinprojectmanagementControlInformationsecurityshallbeaddressedinprojectmanagement,regardlessofthetypeoftheprojectA.6.2移動設(shè)備和遠(yuǎn)程工作控制目標(biāo):確保使用移動設(shè)備的使用及遠(yuǎn)程工作的安全;A.6.2MobiledevicesandteleworkingObjective:ToensurethesecurityofteleworkinganduseofmobiledevicesA.6.2.1移動設(shè)備策略控制措施應(yīng)采用策略和相應(yīng)的安全測量,以防范使用移動設(shè)備時所造成的風(fēng)險;A.6.2.1MobiledevicepolicyControlApolicyandsupportingsecuritymeasuresshallbeadoptedtomanagetherisksintroducedbyusingmobiledevicesA.6.2.2遠(yuǎn)程工作控制措施應(yīng)實(shí)施策略和相應(yīng)的安全測量,以防保護(hù)信息的訪問、處理和存儲在遠(yuǎn)程站點(diǎn);A.6.2.2TeleworkingControlApolicyandsupportingsecuritymeasuresshallbeimplementedtoprotectinformationaccessed,processedorstoredonteleworkingsitesA.7人力資源安全A.7HumanresourcesecurityA.7.1任用之前控制目標(biāo):建立管理框架,以啟動和控制組織內(nèi)信息安全的實(shí)施;A.7.1PriortoemploymentObjective:Toensurethatemployeesandcontractorsunderstandtheirresponsibilitiesandaresuitablefortherolesforwhichtheyareconsidered.A.7.1.1審查控制措施所有任用候選者的背景驗(yàn)證檢查應(yīng)按照相關(guān)法律法規(guī)、道德規(guī)范和對應(yīng)的業(yè)務(wù)要求、被訪問信息的類別和察覺的風(fēng)險來執(zhí)行;A.7.1.2任用條款和條件控制措施與員工和合同方的合同應(yīng)聲明他們和組織的信息安全職責(zé);A.7.1.1ScreeningControlBackgroundverificationchecksonallcandidatesforemploymentshallbecarriedoutinaccordancewithrelevantlaws,regulationsandethicsandproportionaltothebusinessrequirements,theclassificationoftheinformationtobeaccessedandtheperceivedrisksA.7.1.2TermsandconditionsofemploymentControlThecontractualagreementswithemployeesandcontractorsshallstatetheirandtheorganization’sresponsibilitiesforinformationsecurityA.7.2任用中控制目標(biāo):確保雇員和合同方知悉和實(shí)施他們信息安全職責(zé);A.7.2DuringemploymentObjective:Toensurethatemployeesandcontractorsareawareofandfulfiltheirinformationsecurityresponsibi