Foshan ISO 27000 Standard

Author:  Date: 2020-01-09  Source:  Views: 145

Information technology - Security techniques - Information security management systems - Requirements

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), which has been technically revised.

0 Introduction

0.1 General

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.

The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003[2], ISO/IEC 27004[3] and ISO/IEC 27005[4]), with related terms and definitions.

0.2 Compatibility with other management system standards

This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.

This common approach defined in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards.

Information technology — Security techniques — Information security management systems — Requirements

1 Scope

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.

This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.

NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:

a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

4.4 Information security management system

The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

5 Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:

a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy

Top management shall establish an information security policy that:

a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security;
d) includes a commitment to continual improvement of the information security management system.

The information security policy shall:

e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Top management shall assign the responsibility and authority for:

a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.

NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.

The organization shall plan:

d) actions to address these risks and opportunities; and
e) how to
   1) integrate and implement the actions into its information security management system processes;
   2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:
   1) the risk acceptance criteria; and
   2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
   1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
   2) identify the risk owners;
d) analyses the information security risks:
   1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
   2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
   3) determine the levels of risk;
e) evaluates the information security risks:
   1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
   2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment

The organization shall define and apply an information security risk treatment process to:

a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE Organizations can design controls as required, or identify them from any source.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.

d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.

The organization shall retain documented information about the information security risk treatment process.

NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].
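The following Python is an added worked model of the 6.1.2 assessment steps (scoring, level, comparison with the acceptance criterion, prioritisation) and the 6.1.3 b) to d) treatment steps (controls determined, compared against Annex A, and written into a Statement of Applicability). It is not part of the standard or of this page; the 1 to 5 scales, the acceptance threshold, the sample risks, the control mapping and the exclusion justifications are all constructed, and only the Annex A identifiers and titles come from the page.

```python
"""Worked model of ISO/IEC 27001:2013 clauses 6.1.2 and 6.1.3 b) to d).

Added example, not text from the standard or this page. Scales, threshold, sample
risks, control mapping and exclusion reasons are constructed for illustration; only
the Annex A identifiers and titles (A.5.1.1 to A.7.1.2) are taken from the page."""
from dataclasses import dataclass, field

# 6.1.2 a) 1): risk acceptance criterion (assumed). Level = consequence x likelihood,
# each scored 1..5; a level at or below the threshold is accepted without treatment.
RISK_ACCEPTANCE_THRESHOLD = 8

# Subset of Annex A used for the 6.1.3 c) comparison (identifiers from the page).
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.5.1.2": "Review of the policies for information security",
    "A.6.1.1": "Information security roles and responsibilities",
    "A.6.1.2": "Segregation of duties",
    "A.6.1.3": "Contact with authorities",
    "A.6.1.4": "Contact with special interest groups",
    "A.6.1.5": "Information security in project management",
    "A.6.2.1": "Mobile device policy",
    "A.6.2.2": "Teleworking",
    "A.7.1.1": "Screening",
    "A.7.1.2": "Terms and conditions of employment",
}

@dataclass
class Risk:
    rid: str
    description: str   # loss of C, I or A of in-scope information (6.1.2 c) 1))
    owner: str         # risk owner (6.1.2 c) 2))
    consequence: int   # 6.1.2 d) 1): 1 (negligible) .. 5 (severe)
    likelihood: int    # 6.1.2 d) 2): 1 (rare) .. 5 (almost certain)
    treatment: str = "retain"                     # 6.1.3 a): retain/modify/avoid/share
    controls: list = field(default_factory=list)  # 6.1.3 b): controls the option needs

    def __post_init__(self):
        # 6.1.2 b): an out-of-scale score would make repeated assessments non-comparable.
        for name in ("consequence", "likelihood"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{self.rid}: {name} must be 1..5")

    def level(self) -> int:
        # 6.1.2 d) 3): determine the level of risk
        return self.consequence * self.likelihood

def evaluate(risks):
    """6.1.2 e): compare levels with the criteria and prioritise the rest for treatment."""
    above = [r for r in risks if r.level() > RISK_ACCEPTANCE_THRESHOLD]
    return sorted(above, key=lambda r: (-r.level(), r.rid))

def check_against_annex_a(risks):
    """6.1.3 c): controls determined in 6.1.3 b) that map to no Annex A entry.
    Not necessarily wrong (the note to 6.1.3 b) allows controls from any source),
    but each one needs a deliberate decision rather than a typo in the register."""
    determined = sorted({c for r in risks for c in r.controls})
    return [c for c in determined if c not in ANNEX_A]

def statement_of_applicability(risks, exclusion_reasons):
    """6.1.3 d): each Annex A control is either necessary (justified by the risks it
    treats) or excluded (justified by the reason the organization supplies)."""
    why_included = {}
    for r in evaluate(risks):
        for c in r.controls:
            why_included.setdefault(c, []).append(r.rid)
    soa = {}
    for cid, title in ANNEX_A.items():
        if cid in why_included:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats " + ", ".join(why_included[cid])}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": exclusion_reasons.get(cid)}
    return soa

def unjustified_exclusions(soa):
    """Exclusions with no justification, which 6.1.3 d) does not permit."""
    return sorted(c for c, e in soa.items()
                  if not e["applicable"] and e["justification"] is None)

# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("R1", "Laptop holding customer records lost while teleworking", "IT Manager",
         consequence=4, likelihood=3, treatment="modify", controls=["A.6.2.1", "A.6.2.2"]),
    Risk("R2", "Contractor handles data with no security terms in the contract", "HR Lead",
         consequence=3, likelihood=4, treatment="modify", controls=["A.7.1.1", "A.7.1.2"]),
    Risk("R3", "Policy review slips past its planned date", "CISO",
         consequence=2, likelihood=3),  # level 6: accepted under the criterion
    Risk("R4", "One administrator both requests and approves access changes", "IT Manager",
         consequence=5, likelihood=2, treatment="modify", controls=["A.6.1.2"]),
]
SAMPLE_EXCLUSIONS = {"A.6.1.4": "No specialist forum membership required by customers or regulators"}

if __name__ == "__main__":
    for r in evaluate(SAMPLE_RISKS):
        print(f"{r.rid} level={r.level()} owner={r.owner} -> {r.treatment} {r.controls}")
    print("exclusions still needing a justification:",
          unjustified_exclusions(statement_of_applicability(SAMPLE_RISKS, SAMPLE_EXCLUSIONS)))
```

Running it lists R1, R2 and R4 as the prioritised risks (R3 sits below the assumed threshold) and reports the Annex A controls that were neither selected nor given an exclusion justification, which is exactly the gap an auditor checks under 6.1.3 d).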

6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:

a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.

The organization shall retain documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:

f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

7.2 Competence

The organization shall:

a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of:

a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the information security management system including:

a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

7.5 Documented information

7.5.1 General

The organization’s information security management system shall include:

a) documented information required by this International Standard; and
b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.

NOTE The extent of documented information for an information security management system can differ from one organization to another due to:

1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the information security management system and by this International Standard shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and
f) retention and disposition.

Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.

NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

8 Operation

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.

The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are determined and controlled.

8.2 Information security risk assessment

The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

The organization shall retain documented information of the results of the information security risk assessments.

8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information security risk treatment.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall evaluate the information security performance and the effectiveness of the information security management system.

The organization shall determine:

a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

NOTE The methods selected should produce comparable and reproducible results to be considered valid.

c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) who shall analyse and evaluate these results.

The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

9.2 Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to
   1) the organization’s own requirements for its information security management system;
   2) the requirements of this International Standard;
b) is effectively implemented and maintained.

The organization shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.

9.3 Management review

Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
   1) nonconformities and corrective actions;
   2) monitoring and measurement results;
   3) audit results;
   4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

The organization shall retain documented information as evidence of the results of management reviews.

10 Improvement

10.1 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:

a) react to the nonconformity, and as applicable:
   1) take action to control and correct it; and
   2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
   1) reviewing the nonconformity;
   2) determining the causes of the nonconformity; and
   3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:

f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

table a.1 – control objectives and controls

a.5 security policies

安全方针

a.5.1 management direction for information security

信息安全管理指导

objective: to provide management direction and support for information security in accordance with

business requirements and relevant laws and regulations.

目标:依据业务要求和相关法律法规提供管理指导并支持信息安全。

a.5.1.1

policies for

information security

信息安全方针

a set of policies for information security shall be defined, approved by

management, published and communicated to employees and

relevant external parties.

一组信息安全方针应被建立、由管理层批准、发布并传达给所有员工和

外部相关方。

a.5.1.2

review of the

policies for

information security

信息安全方针的评审

the policies for information security shall be reviewed at planned

intervals or if significant changes occur to ensure their continuing

suitability, adequacy and effectiveness.

宜按计划的时间间隔或当重大变化时进行信息安全方针评审,以确保它

持续的适宜性、充分性和有效性。

a.6 organisation of information security

信息安全组织

a.6.1 internal organisation

内部组织

objective: to establish a management framework to initiate and control the implementation and

operation of information security within the organisation.

目标:建立管理框架,启动和控制组织内信息安全的实施和运行。

a.6.1.1

information security

roles and

responsibilities

信息安全角色和职责

all information security responsibilities shall be defined and allocated.

所有的信息安全职责宜予以定义与分配。

a.6.1.2

segregation of

duties

职责分割

conflicting duties and areas of responsibility shall be segregated to

reduce opportunities for unauthorized or unintentional modification or

misuse of the organization’s assets.

冲突的责任及职责范围宜加以分割,以降低未授权或无意识的修改或者

不当使用组织资产的机会。

A.6.1.3 Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.

A.6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.5 Information security in project management
Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

A.6.2.2 Teleworking
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

A.7 Human resource security

A.7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A.7.1.2 Terms and conditions of employment
The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

A.7.2 During employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities
Management shall require all employees and external party users to apply security in accordance with the established policies and procedures of the organization.

A.7.2.2 Information security awareness, education and training
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

A.7.2.3 Disciplinary process
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

A.7.3 Termination and change of employment

Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or external party user and enforced.

A.8 Asset management

A.8.1 Responsibility for assets

Objective: To achieve and maintain appropriate protection of organizational assets.

A.8.1.1 Inventory of assets
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

A.8.1.2 Ownership of assets
Assets maintained in the inventory shall be owned.

A.8.1.3 Acceptable use of assets
Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

A.8.1.4 Return of assets
All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

A.8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

A.8.2.2 Labelling of information
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.2.3 Handling of assets
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.3 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

A.8.3.2 Disposal of media
Media shall be disposed of securely when no longer required, using formal procedures.

A.8.3.3 Physical media transfer
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

A.9 Access control

A.9.1 Business requirements of access control

Objective: To restrict access to information and information processing facilities.

A.9.1.1 Access control policy
An access control policy shall be established, documented and reviewed based on business and security requirements.

A.9.1.2 Policy on the use of network services
Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A.9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.3 Management of privileged access rights
The allocation and use of privileged access rights shall be restricted and controlled.

A.9.2.4 Management of secret authentication information of users
The allocation of secret authentication information shall be controlled through a formal management process.

A.9.2.5 Review of user access rights
Asset owners shall review users' access rights at regular intervals.

A.9.2.6 Removal or adjustment of access rights
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
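The review in A.9.2.5 and the revoke-or-adjust rule in A.9.2.6 are only as good as the comparison behind them: what the system actually grants versus what HR says is still true. The following is an added example, not text or code from ISO/IEC 27001 or from this page, showing such a reconciliation. It treats the HR roster as the authoritative joiner/mover/leaver source and reports leavers who still have an account, movers whose access still reflects their old department, accounts with no HR record, privileged accounts without an approval record (A.9.2.3), service accounts whose human owner has left, and dormant accounts. The roster, account export, approval list, service-account owners, dormancy threshold and review date are all constructed.

```python
"""Added example for A.9.2.3, A.9.2.5 and A.9.2.6 (not text from ISO/IEC 27001):
a periodic user-access review reconciling a system's account export against
the HR roster. All data below is constructed sample data.
"""
from datetime import date

DORMANT_AFTER_DAYS = 90          # assumption: policy treats 90 idle days as dormant
REVIEW_DATE = date(2024, 6, 1)   # constructed review date

# Constructed HR roster (authoritative source for status and department).
HR_ROSTER = {
    "alice": {"status": "active",     "department": "engineering"},
    "bob":   {"status": "active",     "department": "finance"},   # moved out of engineering
    "carol": {"status": "terminated", "department": "engineering"},
}

# Constructed account export: 'department' is what the access was granted for.
ACCOUNTS = [
    {"user": "alice",      "department": "engineering", "privileged": False, "last_login": date(2024, 5, 20)},
    {"user": "bob",        "department": "engineering", "privileged": True,  "last_login": date(2024, 1, 3)},
    {"user": "carol",      "department": "engineering", "privileged": False, "last_login": date(2024, 5, 1)},
    {"user": "svc_backup", "department": "it",          "privileged": True,  "last_login": date(2024, 5, 29)},
    {"user": "mallory",    "department": "it",          "privileged": True,  "last_login": date(2024, 5, 30)},
]

APPROVED_PRIVILEGED = {"svc_backup"}          # constructed A.9.2.3 approval record
SERVICE_ACCOUNTS = {"svc_backup": "alice"}    # constructed service account -> human owner


def review_access(accounts, roster, approved_privileged, service_accounts,
                  review_date, dormant_days=DORMANT_AFTER_DAYS):
    """Return (user, finding, detail) tuples; an empty list means nothing to revoke or adjust."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user in service_accounts:
            # A service account is only legitimate while a current employee owns it.
            owner = service_accounts[user]
            if roster.get(owner, {}).get("status") != "active":
                findings.append((user, "orphaned_service_account", f"owner {owner} is not an active employee"))
        else:
            person = roster.get(user)
            if person is None:
                findings.append((user, "orphan", "no HR record for this account"))
            elif person["status"] != "active":
                findings.append((user, "leaver", f"HR status is {person['status']}; revoke (A.9.2.6)"))
            elif person["department"] != acct["department"]:
                findings.append((user, "mover", f"HR department is {person['department']}, "
                                                f"access granted for {acct['department']}; adjust (A.9.2.6)"))
        if acct["privileged"] and user not in approved_privileged:
            findings.append((user, "unapproved_privilege", "privileged account with no approval record (A.9.2.3)"))
        idle_days = (review_date - acct["last_login"]).days
        if idle_days > dormant_days:
            findings.append((user, "dormant", f"{idle_days} days since last login"))
    return findings


def run_review():
    """The review over the constructed data, as an asset owner would run it each cycle."""
    return review_access(ACCOUNTS, HR_ROSTER, APPROVED_PRIVILEGED, SERVICE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding, detail in run_review():
        print(f"{user:12} {finding:26} {detail}")
```

The findings list is the artefact the asset owner signs off on each cycle; the empty-list case is what "reviewed, nothing to change" looks like as evidence. Note that dormancy is judged from the system's own last-login record, which is exactly the kind of log A.12.4.1 requires to exist.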

A.9.3 User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information
Users shall be required to follow the organization's security practices in the use of secret authentication information.

A.9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 Secure log-on procedures
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3 Password management system
Password management systems shall be interactive and shall ensure quality passwords.
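"Interactive" in A.9.4.3 means the system engages with the user while a password is being chosen, and "quality" is meaningless unless the system can say why a candidate fails. The following is an added example, not text or code from ISO/IEC 27001 or from this page, of the check behind such a dialogue: it returns every reason a candidate is rejected (too short, on a denylist of common or breached values, containing the user name, containing a repeated or sequential run, too little estimated entropy, or reusing a previous password) so the enrolment screen can show them all at once. The thresholds, the tiny denylist and the history hashing are constructed assumptions; a real deployment checks against a breached-password corpus and keeps history under a salted, slow hash.

```python
"""Added example for A.9.4.3 (not text from ISO/IEC 27001): the quality checks
behind an interactive password management system. Thresholds, the denylist and
the history hash are constructed assumptions.
"""
import hashlib
import hmac
import math
import re
import unicodedata

MIN_LENGTH = 12          # assumption: policy minimum length
MIN_ENTROPY_BITS = 40    # assumption: floor for the crude brute-force estimate below
RUN_LENGTH = 4           # assumption: 'aaaa' or '1234' counts as a run

# Constructed denylist standing in for a breached-password corpus.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


def estimate_entropy_bits(pw):
    """len * log2(alphabet size) by character class: an upper bound that overstates
    dictionary words, which is why the denylist and run checks also exist."""
    pool = 0
    if re.search(r"[a-z]", pw): pool += 26
    if re.search(r"[A-Z]", pw): pool += 26
    if re.search(r"\d", pw): pool += 10
    if re.search(r"[^A-Za-z0-9]", pw): pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def has_run(pw, n=RUN_LENGTH):
    """True if pw contains n identical characters in a row or n consecutive
    code points ascending or descending (abcd, 4321)."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def history_hash(pw):
    """Stand-in for the stored hash of a previous password. Assumption for the example
    only: a real system stores a salted, slow hash (Argon2, bcrypt), not bare SHA-256."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(candidate, username="", previous_hashes=()):
    """Return the list of reasons the candidate is rejected; an empty list means acceptable."""
    pw = unicodedata.normalize("NFKC", candidate)   # judge visually identical inputs alike
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Strip a trailing digit/punctuation suffix so 'Password1!' still hits 'password'.
    if lowered in DENYLIST or re.sub(r"[\d!@#$%^&*.]+$", "", lowered) in DENYLIST:
        reasons.append("matches a common or breached password")
    if len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the user name")
    if has_run(pw):
        reasons.append(f"contains a repeated or sequential run of {RUN_LENGTH} characters")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    digest = history_hash(pw)
    if any(hmac.compare_digest(digest, prev) for prev in previous_hashes):
        reasons.append("matches a previously used password")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1!", "aaaa-Bbbb-1234-Xyz!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, username="bob") or "accepted")
```

Returning all reasons rather than the first one is the interactive part: the user fixes the password once instead of round-tripping through each rule. The denylist and history checks are the ones that actually stop the passwords attackers try first; the entropy estimate alone would have accepted "Password1!" on character-class grounds.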

A.9.4.4 Use of privileged utility programs
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.9.4.5 Access control to program source code
Access to program source code shall be restricted.

A.10 Cryptography

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls
A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.10.1.2 Key management
A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

A.11 Physical and environmental security

A.11.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

A.11.1.1 Physical security perimeter
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

A.11.1.2 Physical entry controls
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

A.11.1.3 Securing offices, rooms and facilities
Physical security for offices, rooms and facilities shall be designed and applied.

A.11.1.4 Protecting against external and environmental threats
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

A.11.1.5 Working in secure areas
Procedures for working in secure areas shall be designed and applied.

A.11.1.6 Delivery and loading areas
Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1 Equipment siting and protection
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.11.2.2 Supporting utilities
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.11.2.3 Cabling security
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

A.11.2.4 Equipment maintenance
Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.11.2.5 Removal of assets
Equipment, information or software shall not be taken off-site without prior authorization.

A.11.2.6 Security of equipment and assets off-premises
Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

A.11.2.7 Secure disposal or re-use of equipment
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

A.11.2.8 Unattended user equipment
Users shall ensure that unattended equipment has appropriate protection.

A.11.2.9 Clear desk and clear screen policy
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

A.12 Operations security

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures
Operating procedures shall be documented and made available to all users who need them.

A.12.1.2 Change management
Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

A.12.1.3 Capacity management
The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

A.12.1.4 Separation of development, testing and operational environments
Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.3 Backup

Objective: To protect against loss of data.

A.12.3.1 Information backup
Backup copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.4.1 Event logging
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.12.4.2 Protection of log information
Logging facilities and log information shall be protected against tampering and unauthorized access.
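Access control on the log host protects against outsiders; it does nothing against the administrator whose own actions are being logged, which is the case A.12.4.3 below exists for. The following is an added example, not text or code from ISO/IEC 27001 or from this page, of one way to make a log tamper-evident rather than merely access-controlled: each record carries an HMAC over its own content and the previous record's tag, so editing, deleting or reordering any record breaks every tag after it, and keeping the latest tag (the "head") off the host catches silent truncation as well. The key, the events and the timestamps are constructed. The caveat that matters: the key must live where the logged administrators cannot read it (a separate collector or an HSM), because whoever holds it can simply re-chain the log.

```python
"""Added example for A.12.4.1 to A.12.4.3 (not text from ISO/IEC 27001): an
event log chained with HMAC tags so that tampering is detectable. Key, events
and timestamps are constructed; the key must be held off the logged host.
"""
import copy
import hashlib
import hmac
import json

LOG_KEY = bytes.fromhex("5f" * 32)   # assumption: placeholder; a real key lives off-host


def _canonical(record):
    """Stable byte encoding of a record without its tag, so both sides hash the same bytes."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key, prev_tag, record):
    return hmac.new(key, prev_tag.encode("ascii") + _canonical(record), hashlib.sha256).hexdigest()


class ChainedLog:
    def __init__(self, key):
        self._key = key
        self.records = []

    def append(self, ts, actor, action, details):
        """Append one event and return its tag, which is the new head of the chain."""
        prev = self.records[-1]["tag"] if self.records else ""
        rec = {"seq": len(self.records), "ts": ts, "actor": actor, "action": action, "details": details}
        rec["tag"] = _tag(self._key, prev, rec)
        self.records.append(rec)
        return rec["tag"]


def verify_chain(key, records, expected_head=None):
    """Return (True, None) if every tag checks out, else (False, seq of the first bad record).
    With expected_head given, the last tag must also equal it, which catches truncation."""
    prev = ""
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            return False, i                        # gap or reordering
        if not hmac.compare_digest(_tag(key, prev, rec), rec.get("tag", "")):
            return False, i                        # content or chain altered
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(records)                 # tail removed (or head stale)
    return True, None


def with_field_changed(records, seq, field, value):
    """Deep-copied records with one field rewritten: what an insider edit looks like."""
    edited = copy.deepcopy(records)
    edited[seq][field] = value
    return edited


def build_sample_log():
    """Three constructed administrator actions (A.12.4.3); returns (log, head)."""
    log = ChainedLog(LOG_KEY)
    log.append("2024-06-01T10:00:00Z", "root",  "sudo",     {"cmd": "systemctl restart sshd"})
    log.append("2024-06-01T10:05:00Z", "dba01", "db.grant", {"target": "backup-1", "role": "readonly"})
    head = log.append("2024-06-01T10:07:00Z", "root", "user.add", {"name": "tmpadmin"})
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:              ", verify_chain(LOG_KEY, log.records, head))
    print("actor edited:        ", verify_chain(LOG_KEY, with_field_changed(log.records, 1, "actor", "root"), head))
    print("truncated, no head:  ", verify_chain(LOG_KEY, log.records[:-1]))
    print("truncated, with head:", verify_chain(LOG_KEY, log.records[:-1], head))
```

The "truncated, no head" case is the one to notice: without the head stored somewhere else, dropping the last records leaves a perfectly valid chain. In practice the head is shipped to the collector with every batch, and the regular review that A.12.4.1 and A.12.4.3 require should include running this verification, not only reading the entries.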

A.12.4.3 Administrator and operator logs
System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed.

A.12.4.4 Clock synchronisation
The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems
Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1 Management of technical vulnerabilities
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

A.12.6.2 Restrictions on software installation
Rules governing the installation of software by users shall be established and implemented.

A.12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls
Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

A.13 Communications security

A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls
Networks shall be managed and controlled to protect information in systems and applications.

A.13.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

A.13.1.3 Segregation in networks
Groups of information services, users and information systems shall be segregated on networks.

A.13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

A.13.2.2 Agreements on information transfer
Agreements shall address the secure transfer of business information between the organization and external parties.

A.13.2.3 Electronic messaging
Information involved in electronic messaging shall be appropriately protected.

A.13.2.4 Confidentiality or non-disclosure agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirements for information systems which provide services over public networks.

A.14.1.1 Security requirements analysis and specification
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

A.14.1.2 Securing application services on public networks
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
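A.14.1.3 lists six failure modes without saying what stops each of them. The following is an added example, not text or code from ISO/IEC 27001 or from this page, that maps a concrete mechanism onto each: the sender wraps the transaction in an envelope carrying a key id, sender, intended recipient, timestamp and fresh nonce, and authenticates the whole envelope with an HMAC; the receiver rejects malformed envelopes (incomplete transmission), bad tags (alteration), envelopes addressed to a different service (mis-routing), timestamps outside a window (stale replay) and nonces it has already accepted (duplication or replay). Unauthorized disclosure is assumed to be handled by the transport, e.g. TLS, and is not shown. The key-id lookup also enforces a key lifetime, which is the point at which the A.10.1.2 key-management policy above becomes a runtime check. The keyring, key ids, window, clock values and messages are constructed.

```python
"""Added example for A.14.1.3, with the key-lifetime check of A.10.1.2 (not text
from ISO/IEC 27001): authenticating an application-service transaction so that
alteration, mis-routing, truncation, duplication and replay are rejected.
Keyring, key ids, window, clock values and messages are constructed.
"""
import hashlib
import hmac
import json
import secrets

WINDOW_SECONDS = 120   # assumption: allowed clock skew plus transit time

# Constructed keyring: key id -> (key, valid_from, valid_until) in unix seconds.
KEYRING = {
    "k-2024-05": (b"\x11" * 32, 1714521600, 1717200000),   # 2024-05-01 .. 2024-06-01, retired
    "k-2024-06": (b"\x22" * 32, 1717200000, 1719792000),   # 2024-06-01 .. 2024-07-01
}
ENVELOPE_FIELDS = {"kid", "from", "to", "ts", "nonce", "body", "tag"}
NOW = 1717243200   # constructed clock: 2024-06-01T12:00:00Z


def _canonical(envelope):
    """Stable bytes over everything but the tag, so sender and receiver MAC the same input."""
    body = {k: v for k, v in envelope.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def key_usable(key_id, now, keyring=KEYRING):
    """A.10.1.2: a key may only be used inside its declared lifetime."""
    entry = keyring.get(key_id)
    return entry is not None and entry[1] <= now < entry[2]


def sign(body, key_id, now, sender, recipient, keyring=KEYRING):
    if not key_usable(key_id, now, keyring):
        raise ValueError(f"key {key_id} is not usable at {now}")
    env = {"kid": key_id, "from": sender, "to": recipient, "ts": now,
           "nonce": secrets.token_hex(16), "body": body}
    env["tag"] = hmac.new(keyring[key_id][0], _canonical(env), hashlib.sha256).hexdigest()
    return env


class Receiver:
    def __init__(self, name, keyring=KEYRING, window=WINDOW_SECONDS):
        self.name, self.keyring, self.window = name, keyring, window
        self._seen = {}   # nonce -> ts, pruned to the window so it cannot grow without bound

    def verify(self, env, now):
        """Return (accepted, reason); only accepted envelopes are recorded as seen."""
        if (not isinstance(env, dict) or set(env) != ENVELOPE_FIELDS
                or not isinstance(env["tag"], str) or not isinstance(env["ts"], int)):
            return False, "incomplete or malformed envelope"
        entry = self.keyring.get(env["kid"])
        if entry is None:
            return False, "unknown key id"
        key, valid_from, valid_until = entry
        expected = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env["tag"]):
            return False, "bad tag: altered in transit or signed with the wrong key"
        if not (valid_from <= env["ts"] < valid_until):
            return False, "key was not valid at the message timestamp"
        if env["to"] != self.name:
            return False, "mis-routed: addressed to another service"
        if abs(now - env["ts"]) > self.window:
            return False, "timestamp outside the acceptance window"
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.window}
        if env["nonce"] in self._seen:
            return False, "replay: nonce already accepted"
        self._seen[env["nonce"]] = env["ts"]
        return True, "ok"


if __name__ == "__main__":
    env = sign({"amount": 100, "to_account": "ACME-1"}, "k-2024-06", NOW, "billing", "ledger")
    ledger = Receiver("ledger")
    print(ledger.verify(env, NOW + 5))                  # accepted
    print(ledger.verify(env, NOW + 6))                  # same envelope again: replay
    print(Receiver("payroll").verify(env, NOW + 5))     # wrong service: mis-routed
```

Two design points are worth noting. The tag is checked before anything else so that unauthenticated input never influences the nonce cache or produces a distinguishable error; and the nonce cache is bounded by the same window that bounds the timestamp, which is what makes the two checks sufficient together: a replay inside the window is caught by the nonce, and one outside it by the timestamp. The window itself only works if sender and receiver clocks agree, which is the operational reason for A.12.4.4.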

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy
Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.2 System change control procedures
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

A.14.2.3 Technical review of applications after operating platform changes
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

A.14.2.4 Restrictions on changes to software packages
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

A.14.2.5 Secure system engineering principles
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development efforts.

A.14.2.6 Secure development environment
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

A.14.2.7 Outsourced development
The organization shall supervise and monitor the activity of outsourced system development.

A.14.2.8 System security testing
Tests of the security functionality shall be carried out during development.

A.14.2.9 System acceptance testing
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

A.14.3 Test data

Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data
Test data shall be selected carefully, protected and controlled.

A.15 Supplier relationships

A.15.1 Security in supplier relationships

Objective: To ensure protection of the organization's information that is accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships
Information security requirements for mitigating the risks associated with supplier access to the organization's assets shall be agreed with the supplier and documented.

A.15.1.2 Addressing security within supplier agreements
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.

A.15.1.3 Information and communication technology supply chain
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and the product supply chain.

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services
Organizations shall regularly monitor, review and audit supplier service delivery.

A.15.2.2 Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1 Responsibilities and procedures
Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

A.16.1.2 Reporting information security events
Information security events shall be reported through appropriate management channels as quickly as possible.

A.16.1.3 Reporting information security weaknesses
Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

A.16.1.4 Assessment of and decision on information security events
Information security events shall be assessed and it shall be decided whether they are to be classified as information security incidents.

A.16.1.5 Response to information security incidents
Information security incidents shall be responded to in accordance with the documented procedures.

A.16.1.6 Learning from information security incidents
Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

A.16.1.7 Collection of evidence
The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.

A.17 Information security aspects of business continuity management

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

A.17.1.1 Planning information security continuity
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

A.17.1.2 Implementing information security continuity
The organization shall establish, document, implement and maintain processes, procedures and controls to guarantee the required level of continuity for information security during an adverse situation.

A.17.1.3 Verify, review and evaluate information security continuity
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1 Identification of applicable legislation and contractual requirements
All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

A.18.1.2 Intellectual property rights
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.

A.18.1.3 Protection of records
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual and business requirements.

A.18.1.4 Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

A.18.1.5 Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1 Independent review of information security
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes to the security implementation occur.

A.18.2.2 Compliance with security policies and standards
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

A.18.2.3 Technical compliance review
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

