

2022-11-09 20:14:47 | Source: 企业IT培训
Information technology — Security techniques — Information security management systems — Requirements- Improvement
9 Improvement
9.1  Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.
9.2  Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a)  react to the nonconformity, and as applicable:
1)  take action to control and correct it;
2)  deal with the consequences;
b)  evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
Documented information shall be available as evidence of:
f) the nature of the nonconformities and any subsequent actions taken,
g) the results of any corrective action.
