Information technology — Security techniques — Information security management systems — Requirements- Support
信息安全管理体系要求-支持
6.4 Communication
6.4 沟通
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.
组织应确定有关信息安全管理体系在内部和外部进行沟通的需求,包括:
a)什么需要沟通;
b) 何时进行沟通;
c)与谁进行沟通;
d) 如何沟通;
6.5 Documented information
6.5 文件记录信息
6.5.1 General
6.5.1 总则
The organization’s information security management system shall include:
a) documented information required by this document; and
b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.
NOTE The extent of documented information for an information security management system can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.
组织的信息安全管理体系应包括:
a) 本标准要求的文件记录信息;
b) 组织为有效实施信息安全管理体系确定的必要的文件记录信息。
注:不同组织的信息安全管理体系文件记录信息的详略程度取决于:
1) 组织的规模及其活动、过程、产品和服务的类型;
2) 过程的复杂性及其相互作用;
3) 人员的能力。
6.5.2Creating and updating
6.5.2 创建和更新
When creating and updating documented information the organization shall ensure appropriate:
a)identification and description (e.g. a title, date, author, or reference number);
b)format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.
创建和更新文件记录信息时,组织应确保适当的:
a) 标识和描述(例如:标题、日期、作者或参考编号);
b) 格式(例如:语言,软件版本,图表)和介质(例如:纸质介质,电子介质);
c) 评审和批准其适用性和充分性。
6.5.3 Control of documented information
6.5.3 文件记录信息的控制
Documented information required by the information security management system and by this document shall be controlled to ensure:
信息安全管理体系和本标准所要求的文件记录信息应予以控制,以确保:
a)it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and
f) retention and disposition.
a) 无论何时何地需要,它都是可用并适合使用的;
b) 它被充分保护(例如避免丧失保密性、使用不当或丧失完整性)。
对于文件记录信息的控制,适用时,组织应处理下列问题:
c) 分发、访问、检索和使用;
d) 存储和保存,包括可读性的保持;
e) 变更控制(例如版本控制);
f) 保留和和处置。
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.
组织为规划和实施信息安全管理体系确定的必要的外部原始文件记录信息,适当时应予以识别并进行控制。
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.
注:访问隐含一个权限决策:仅能查看文件记录信息,或有权去查看和变更文件记录信息等。
温馨提示:获取完整版ISO27001最新2022版中英文对照资料,可咨询中培课程顾问或拨打客服电话了解18513851518