
ISO/IEC 27001: Information Security Management System Requirements - Planning (1)

2022-11-09 19:14:55 | Source: Enterprise IT Training
Information technology — Security techniques — Information security management systems — Requirements - Planning

5 Planning
5.1 Actions to address risks and opportunities
5.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.
5.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.
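The risk assessment clause above reads as a list of requirements, but it is also a procedure: define criteria, identify risks and owners, analyse consequence and likelihood into a level, compare the level with the acceptance criteria, and prioritize what exceeds them. The following is an added worked example (not part of the standard or of this article) of a minimal process that satisfies each of a) to e) and produces the documented information the last sentence requires. The ordinal scales, the acceptance threshold of 6, the assets, scenarios and owners are all constructed sample data, and the multiplicative "likelihood times consequence" level is one common convention, not one the standard prescribes.

```python
"""Worked example of an information security risk assessment process that
satisfies requirements a) to e) of the clause above. Every asset, risk, scale
and threshold in this file is constructed sample data, not taken from any
real organisation or from the standard."""
from dataclasses import dataclass, asdict
import json

# a) 1) Risk acceptance criterion: a risk level at or below this value may be
#    accepted without treatment (assumed threshold).
ACCEPTANCE_THRESHOLD = 6
# a) 2) Criteria for performing assessments: fixed ordinal scales that every
#    assessment must use, so repeated assessments are consistent and comparable (b).
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
CONSEQUENCE_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
SECURITY_PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Risk:
    """c) One identified risk: loss of C, I or A for an in-scope asset, with its owner."""
    risk_id: str
    asset: str
    property_lost: str   # one of SECURITY_PROPERTIES
    scenario: str
    owner: str           # c) 2) the risk owner
    likelihood: str      # key into LIKELIHOOD_SCALE
    consequence: str     # key into CONSEQUENCE_SCALE


def validate(risk):
    """Reject records that do not use the defined criteria; this is what keeps results comparable."""
    if risk.property_lost not in SECURITY_PROPERTIES:
        raise ValueError(f"{risk.risk_id}: property_lost must be one of {SECURITY_PROPERTIES}")
    if risk.likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"{risk.risk_id}: unknown likelihood rating {risk.likelihood!r}")
    if risk.consequence not in CONSEQUENCE_SCALE:
        raise ValueError(f"{risk.risk_id}: unknown consequence rating {risk.consequence!r}")


def risk_level(risk):
    """d) Analyse: consequence (d 1) times realistic likelihood (d 2) gives the level (d 3)."""
    return LIKELIHOOD_SCALE[risk.likelihood] * CONSEQUENCE_SCALE[risk.consequence]


def decision(level):
    """e) 1) Compare the analysed level with the acceptance criterion from a)."""
    return "accept" if level <= ACCEPTANCE_THRESHOLD else "treat"


def assess(risks):
    """Run the full process and return one record per risk, ordered for treatment (e 2)."""
    records = []
    for risk in risks:
        validate(risk)
        level = risk_level(risk)
        records.append({**asdict(risk), "risk_level": level, "decision": decision(level)})
    # e) 2) Prioritise: highest level first; ties broken by id so the order is deterministic.
    records.sort(key=lambda rec: (-rec["risk_level"], rec["risk_id"]))
    rank = 0
    for rec in records:
        if rec["decision"] == "treat":
            rank += 1
            rec["treatment_priority"] = rank
        else:
            rec["treatment_priority"] = None
    return records


def documented_information(records):
    """Serialise criteria and results together as the retained documented information."""
    return json.dumps({
        "criteria": {
            "acceptance_threshold": ACCEPTANCE_THRESHOLD,
            "likelihood_scale": LIKELIHOOD_SCALE,
            "consequence_scale": CONSEQUENCE_SCALE,
        },
        "results": records,
    }, indent=2)


# Constructed sample risk register (hypothetical assets, scenarios and owners).
SAMPLE_RISKS = [
    Risk("R-01", "customer database", "confidentiality",
         "disclosure through a misconfigured backup bucket", "Head of Data Platform", "possible", "major"),
    Risk("R-02", "public website", "availability",
         "outage caused by volumetric denial of service", "Web Operations Lead", "likely", "moderate"),
    Risk("R-03", "internal wiki", "integrity",
         "accidental edits by staff without review", "IT Service Manager", "likely", "negligible"),
    Risk("R-04", "HR records", "confidentiality",
         "access by staff beyond their need to know", "HR Director", "unlikely", "severe"),
]

if __name__ == "__main__":
    results = assess(SAMPLE_RISKS)
    for rec in results:
        print(f"{rec['risk_id']} level={rec['risk_level']:>2} {rec['decision']:<6} "
              f"priority={rec['treatment_priority']} owner={rec['owner']}")
    with open("risk_assessment_record.json", "w", encoding="utf-8") as fh:
        fh.write(documented_information(results))
```

Two design choices map directly onto the clause. Requirement b) is met by making the assessment a pure function of the register and the published scales: running `assess` on the same risks in any order returns the same records, and `validate` refuses ratings that are not on the defined scale, so two assessors cannot produce incomparable numbers. Requirement e) is met by keeping the comparison against the acceptance criterion (`decision`) separate from the analysis (`risk_level`), so the threshold can be revised by management without touching the scoring, and the JSON written by `documented_information` records the criteria alongside the results so a later reviewer can see which criteria each result was judged against.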
