Information technology — Security techniques — Information security management systems — Requirements — Performance evaluation
8.2.2 Internal audit programme
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.
The organization shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management.
Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.
8.3 Management review
8.3.1 General
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
8.3.2 Management review inputs
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
8.3.3 Management review results
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.