佛山iso27000标准
作者: 日期:2020-01-09 来源: 关注:514
信息技术-安全技术-信息安全管理体系-要求
foreword
前 言
iso (the international organization for standardization) and iec (the international electro
technical commission) form the specialized system for worldwide standardization.
national bodies that are members of iso or iec participate in the development of
international standards through technical committees established by the respective
organization to deal with particular fields of technical activity. iso and iec technical
committees collaborate in fields of mutual interest. other international organizations,
governmental and non-governmental, in liaison with iso and iec, also take part in the
work. in the field of information technology, iso and iec have established a joint technical
committee, iso/iec jtc 1.
iso(国际标准化组织)和iec(国际电工委员会)是为国际标准化制定专门体制的国际组
织。国家机构是iso或iec的成员,他们通过各自的组织建立技术委员会参与国际标准的制
定,来处理特定领域的技术活动。iso和iec技术委员会在共同感兴趣的领域合作。其他国
际组织、政府和非政府等机构,通过联络iso和iec参与这项工作。iso和iec已经在信息技
术领域建立了一个联合技术委员会iso/iecjtc1。
international standards are drafted in accordance with the rules given in the iso/iec
directives, part 2.
国际标准的制定遵循iso/iec 导则第2部分的规则。
the main task of the joint technical committee is to prepare international standards. draft
international standards adopted by the joint technical committee are circulated to national
bodies for voting. publication as an international standard requires approval by at least
75 % of the national bodies casting a vote.
联合技术委员会的主要任务是起草国际标准,并将国际标准草案提交给国家机构投票表决。
国际标准的出版发行必须至少75%以上的成员投票通过。
attention is drawn to the possibility that some of the elements of this document may be the
subject of patent rights. iso and iec shall not be held responsible for identifying any or all
such patent rights.
本文件中的某些内容有可能涉及一些专利权问题,这一点应该引起注意。iso和iec不负责
识别任何这样的专利权问题。
iso/iec 27001 was prepared by joint technical committee iso/iec jtc 1, information
technology, subcommittee sc 27, it security techniques.
iso/iec 27001 由联合技术委员会iso/iec jtc1(信息技术)分委员会sc27(安全技术)
起草。
this second edition cancels and replaces the first edition (iso/iec 27001:2005), which
has been technically revised.
第二版进行了技术上的修订,并取消和替代第一版(iso/iec 27001:2005)。
0 introduction
引 言
0.1 general
0.1 总则
this international standard has been prepared to provide requirements for establishing,
implementing, maintaining and continually improving an information security management
system. the adoption of an information security management system is a strategic
decision for an organization. the establishment and implementation of an organization’s
information security management system is influenced by the organization’s needs and
objectives, security requirements, the organizational processes used and the size and
structure of the organization. all of these influencing factors are expected to change over
time.
本标准用于为建立、实施、保持和持续改进信息安全管理体系提供要求。采用信息安全管理
体系是组织的一项战略性决策。一个组织信息安全管理体系的建立和实施受其需要和目标、
安全要求、所采用的过程以及组织的规模和结构的影响。所有这些影响因素会不断发生变化。
the information security management system preserves the confidentiality, integrity and
availability of information by applying a risk management process and gives confidence to
interested parties that risks are adequately managed.
信息安全管理体系通过应用风险管理过程来保持信息的保密性、完整性和可用性,以充分管
理风险并给予相关方信心。
it is important that the information security management system is part of and integrated
with the organization’s processes and overall management structure and that information
security is considered in the design of processes, information systems, and controls. it is
expected that an information security management system implementation will be scaled
in accordance with the needs of the organization.
信息安全管理体系是组织过程和整体管理结构的一部分并与其整合在一起是非常重要的。信
息安全在设计过程、信息系统、控制措施时就要考虑信息安全。按照组织的需要实施信息安
全管理体系,是本标准所期望的。
this international standard can be used by internal and external parties to assess the
organization’s ability to meet the organization’s own information security requirements.
本标准可被内部和外部相关方使用,评估组织的能力是否满足组织自身信息安全要求。
the order in which requirements are presented in this international standard does not
reflect their importance or imply the order in which they are to be implemented. the list
items are enumerated for reference purpose only.
本标准中要求的顺序并不能反映他们的重要性或意味着他们的实施顺序。列举的条目仅用于
参考目的。
iso/iec 27000 describes the overview and the vocabulary of information security
management systems, referencing the information security management system family of
standards (including iso/iec 27003[2], iso/iec 27004[3] and iso/iec 27005[4]), with
related terms and definitions.
iso/iec27000 描述了信息安全管理体系的概述和词汇,参考了信息安全管理体系标准族
(包括iso/iec 27003、iso/iec 27004 和iso/iec 27005)以及相关的术语和定义。
0.2 compatibility with other management system standards
0.2 与其他管理体系的兼容性
this international standard applies the high-level structure, identical sub-clause titles,
identical text, common terms, and core definitions defined in annex sl of iso/iec
directives, part 1, consolidated iso supplement, and therefore maintains compatibility
with other management system standards that have adopted the annex sl.
本标准应用了 iso/iec 导则第一部分 iso 补充部分附录 sl 中定义的高层结构、相同的子
章节标题、相同文本、通用术语和核心定义。因此保持了与其它采用附录 sl 的管理体系标
准的兼容性。
this common approach defined in the annex sl will be useful for those organizations that
choose to operate a single management system that meets the requirements of two or
more management system standards.
附录 sl 定义的通用方法对那些选择运作单一管理体系(可同时满足两个或多个管理体系
标准要求)的组织来说是十分有益的。
information technology — security techniques — information security
management systems — requirements
信息技术-安全技术-信息安全管理体系-要求
1 scope
1 范围
this international standard specifies the requirements for establishing, implementing,
maintaining and continually improving an information security management system within
the context of the organization.
本标准从组织环境的角度,为建立、实施、运行、保持和持续改进信息安全管理体系规定了
要求。
this international standard also includes requirements for the assessment and treatment
of information security risks tailored to the needs of the organization. the requirements
set out in this international standard are generic and are intended to be applicable to all
organizations, regardless of type, size or nature. excluding any of the requirements
specified in clauses 4 to 10 is not acceptable when an organization claims conformity to
this international standard.
本标准还规定了为适应组织需要而定制的信息安全风险评估和处置的要求。本标准规定的要
求是通用的,适用于各种类型、规模和特性的组织。组织声称符合本标准时,对于第4 章
到第10 章的要求不能删减。
2 normative references
2 规范性引用文件
the following documents, in whole or in part, are normatively referenced in this document
and are indispensable for its application. for dated references, only the edition cited
applies. for undated references, the latest edition of the referenced document (including
any amendments) applies.
下列文件的全部或部分内容在本文件中进行了规范引用,对于其应用是必不可少的。凡是注
日期的引用文件,只有引用的版本适用于本标准;凡是不注日期的引用文件,其最新版本(包
括任何修改)适用于本标准。
iso/iec 27000, information technology — security techniques — information security
management systems — overview and vocabulary
iso/iec 27000,信息技术—安全技术—信息安全管理体系—概述和词汇
3 terms and definitions
3 术语和定义
for the purposes of this document, the terms and definitions given in iso/iec 27000
apply.
iso/iec 27000中的术语和定义适用于本标准。
4 context of the organization
4 组织环境
4.1 understanding the organization and its context
4.1 理解组织及其环境
the organization shall determine external and internal issues that are relevant to its
purpose and that affect its ability to achieve the intended outcome(s) of its information
security management system.
组织应确定与其目标相关并影响其实现信息安全管理体系预期结果的能力的外部和内部问
题。
note determining these issues refers to establishing the external and internal context of
the organization considered in clause 5.3 of iso 31000:2009[5].
注:确定这些问题涉及到建立组织的外部和内部环境,在iso 31000:2009[5]的5.3节考虑了
这一事项。
4.2 understanding the needs and expectations of interested parties
4.2 理解相关方的需求和期望
the organization shall determine:
组织应确定:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
a) 与信息安全管理体系有关的相关方;
b) 这些相关方与信息安全有关的要求
note the requirements of interested parties may include legal and regulatory
requirements and contractual obligations.
注:相关方的要求可能包括法律法规要求和合同义务。
4.3 determining the scope of the information security management system
4.3 确定信息安全管理体系的范围
the organization shall determine the boundaries and applicability of the information
security management system to establish its scope.
组织应确定信息安全管理体系的边界和适用性,以建立其范围。
when determining this scope, the organization shall consider:
当确定该范围时,组织应考虑:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and
those that are performed by other organizations. the scope shall be available as
documented information.
a) 在 4.1 中提及的外部和内部问题;
b) 在 4.2 中提及的要求;
c) 组织所执行的活动之间以及与其它组织的活动之间的接口和依赖性
范围应文件化并保持可用性。
4.4 information security management system
4.4 信息安全管理体系
the organization shall establish, implement, maintain and continually improve an
information security management system, in accordance with the requirements of this
international standard.
组织应按照本标准的要求建立、实施、保持和持续改进信息安全管理体系。
5 leadership
5 领导
5.1 leadership and commitment
5.1 领导和承诺
top management shall demonstrate leadership and commitment with respect to the
information security management system by:
高层管理者应通过下列方式展示其关于信息安全管理体系的领导力和承诺:
a) ensuring the information security policy and the information security objectives are
established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements
into the organization’s processes;
c) ensuring that the resources needed for the information security management system
are available;
d) communicating the importance of effective information security management and of
conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended
outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information
security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it
applies to their areas of responsibility.
a) 确保建立信息安全方针和信息安全目标,并与组织的战略方向保持一致;
b) 确保将信息安全管理体系要求整合到组织的业务过程中;
c) 确保信息安全管理体系所需资源可用;
d) 传达信息安全管理有效实施、符合信息安全管理体系要求的重要性;
e) 确保信息安全管理体系实现其预期结果;
f) 指挥并支持人员为信息安全管理体系的有效实施作出贡献;
g) 促进持续改进;
h) 支持其他相关管理角色在其职责范围内展示他们的领导力。
5.2 policy
5.2 方针
top management shall establish an information security policy that:
高层管理者应建立信息安全方针,以:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting
information security objectives;
c) includes a commitment to satisfy applicable requirements related to information
security;
d) includes a commitment to continual improvement of the information security
management system. the information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.
a) 适于组织的目标;
b) 包含信息安全目标(见6.2)或设置信息安全目标提供框架;
c) 包含满足适用的信息安全相关要求的承诺;
d) 包含信息安全管理体系持续改进的承诺。
信息安全方针应:
e) 文件化并保持可用性;
f) 在组织内部进行传达;
g) 适当时,对相关方可用。
5.3 organizational roles, responsibilities and authorities
5.3 组织角色、职责和权限
top management shall ensure that the responsibilities and authorities for roles relevant to
information security are assigned and communicated.
高层管理者应确保分配并传达了信息安全相关角色的职责和权限。
top management shall assign the responsibility and authority for:
高层管理者应分配下列职责和权限:
a) ensuring that the information security management system conforms to the
requirements of this international standard; and
b) reporting on the performance of the information security management system to top
management.
a) 确保信息安全管理体系符合本标准的要求;
b) 将信息安全管理体系的绩效报告给高层管理者。
note top management may also assign responsibilities and authorities for reporting
performance of the information security management system within the organization.
注:高层管理者可能还要分配在组织内部报告信息安全管理体系绩效的职责和权限。
6 planning
6 规划
6.1 actions to address risks and opportunities
6.1 应对风险和机会的措施
6.1.1 general
6.1.1 总则
when planning for the information security management system, the organization shall
consider the issues referred to in 4.1 and the requirements referred to in 4.2 and
determine the risks and opportunities that need to be addressed to:
当规划信息安全管理体系时,组织应考虑4.1中提及的问题和4.2中提及的要求,确定需要应
对的风险和机会,以:
a) ensure the information security management system can achieve its intended
outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
the organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system
processes;
2) evaluate the effectiveness of these actions.
a) 确保信息安全管理体系能实现其预期结果;
b) 防止或减少意外的影响;
c) 实现持续改进。
组织应规划:
d) 应对这些风险和机会的措施;
e) 如何
1) 整合和实施这些措施并将其纳入信息安全管理体系过程;
2) 评价这些措施的有效性。
6.1.2 information security risk assessment
6.1.2 信息安全风险评估
the organization shall define and apply an information security risk assessment process
that:
组织应定义并应用风险评估过程,以:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid
and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated
with the loss of confidentiality, integrity and availability for information within the scope
of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1)
were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1);
and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.
the organization shall retain documented information about the information security risk
assessment process.
a) 建立并保持信息安全风险准则,包括:
1) 风险接受准则;
2) 执行信息安全风险评估的准则;
b) 确保重复性的信息安全风险评估可产生一致的、有效的和可比较的结果;
c) 识别信息安全风险:
1) 应用信息安全风险评估过程来识别信息安全管理体系范围内的信息丧失保密性、完整
性和可用性的相关风险;
2) 识别风险负责人;
d) 分析信息安全风险:
1) 评估 6.1.2 c)1)中所识别风险发生后将导致的潜在影响;
2) 评估 6.1.2 c)1)中所识别风险发生的现实可能性;
3) 确定风险级别;
e) 评价信息安全风险;
1) 将风险分析结果同6.1.2 a)建立的风险准则进行比较;
2) 为实施风险处置确定已分析风险的优先级。
组织应定义并应用风险评估过程,以:
组织应保留信息安全风险评估过程的文件记录信息。
6.1.3 information security risk treatment
6.1.3 信息安全风险处置
the organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk
assessment results;
b) determine all controls that are necessary to implement the information security risk
treatment option(s) chosen;
组织应定义并应用信息安全风险处置过程,以:
a) 在考虑风险评估结果的前提下,选择适当的信息安全风险处置选项:
b) 为实施所选择的信息安全风险处置选项,确定所有必需的控制措施;
note organizations can design controls as required, or identify them from any source.
注:组织可按要求设计控制措施,或从其他来源识别控制措施。
c) compare the controls determined in 6.1.3 b) above with those in annex a and verify that
no necessary controls have been omitted;
c) 将 6.1.3 b)所确定的控制措施与附录a 的控制措施进行比较,以核实没有遗漏必要的
控制措施;
note 1 annex a contains a comprehensive list of control objectives and controls. users
of this international standard are directed to annex a to ensure that no necessary controls
are overlooked.
note 2 control objectives are implicitly included in the controls chosen. the control
objectives and controls listed in annex a are not exhaustive and additional control
objectives and controls may be needed.
注1:附录a包含了一份全面的控制目标和控制措施的列表。本标准用户可利用附录a以确保
不会遗漏必要的控制措施。
注2:控制目标包含于所选择的控制措施内。附录a所列的控制目标和控制措施并不是所有
的控制目标和控制措施,组织也可能需要另外的控制目标和控制措施。
d) produce a statement of applicability that contains the necessary controls (see 6.1.3 b)
and c)) and justification for inclusions, whether they are implemented or not, and the
justification for exclusions of controls from annex a;
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and
acceptance of the residual information security risks.
the organization shall retain documented information about the information security risk
treatment process.
d) 产生适用性声明。适用性声明要包含必要的控制措施(见6.1.3 b)和c))、对包含的合
理性说明(无论是否已实施)以及对附录a 控制措施删减的合理性说明;
e) 制定信息安全风险处置计划;
f) 获得风险负责人对信息安全风险处置计划以及接受信息安全残余风险的批准。
组织应保留信息安全风险处置过程的文件记录信息。
note the information security risk assessment and treatment process in this
international standard aligns with the principles and generic guidelines provided in iso
31000[5].
注:本标准中的信息安全风险评估和处置过程可与 iso 31000[5]中规定的原则和通用指南
相结合。
6.2 information security objectives and planning to achieve them
6.2 信息安全目标和规划实现
the organization shall establish information security objectives at relevant functions and
levels.the information security objectives shall:
组织应在相关职能和层次上建立信息安全目标。
信息安全目标应:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk
assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.
the organization shall retain documented information on the information security
objectives. when planning how to achieve its information security objectives, the
organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.
a) 与信息安全方针一致;
b) 可测量(如可行);
c) 考虑适用的信息安全要求以及风险评估和风险处置结果;
d) 被传达;
e) 适当时进行更新。
组织应保留关于信息安全目标的文件记录信息。
当规划如何实现其信息安全目标时,组织应确定:
f) 要做什么;
g) 需要什么资源;
h) 由谁负责;
i) 什么时候完成;
j) 如何评价结果。
7 support
7 支持
7.1 resources
7.1 资源
the organization shall determine and provide the resources needed for the establishment,
implementation, maintenance and continual improvement of the information security
management system.
组织应确定并提供建立、实施、保持和持续改进信息安全管理体系所需的资源。
7.2 competence
7.2 能力
the organization shall:
a) determine the necessary competence of person(s) doing work under its control that
affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education,
training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the
effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
组织应:
a) 确定从事影响信息安全执行工作的人员在组织的控制下从事其工作的必要能力;
b) 确保人员在适当教育,培训和经验的基础上能够胜任工作;
c) 适用时,采取措施来获得必要的能力,并评价所采取措施的有效性;
d) 保留适当的文件记录信息作为能力方面的证据。
note applicable actions may include, for example: the provision of training to, the
mentoring of, or the reassignment of current employees; or the hiring or contracting of
competent persons.
注:例如适当措施可能包括为现有员工提供培训、对其进行指导或重新分配工作;雇用或签
约有能力的人员。
7.3 awareness
7.3 意识
persons doing work under the organization’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system,
including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system
requirements.
人员在组织的控制下从事其工作时应意识到:
a) 信息安全方针;
b) 他们对有效实施信息安全管理体系的贡献,包括信息安全绩效改进后的益处;
c) 不符合信息安全管理体系要求可能的影响。
7.4 communication
the organization shall determine the need for internal and external communications
relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.
组织应确定有关信息安全管理体系在内部和外部进行沟通的需求,包括:
a) 什么需要沟通;
b) 什么时候沟通;
c) 跟谁进行沟通;
d) 由谁负责沟通;
e) 影响沟通的过程。
7.5 documented information
7.5 文件记录信息
7.5.1 general
7.5.1 总则
the organization’s information security management system shall include:
a) documented information required by this international standard; and
b) documented information determined by the organization as being necessary for the
effectiveness of the information security management system.
组织的信息安全管理体系应包括:
a) 本标准要求的文件记录信息;
b) 组织为有效实施信息安全管理体系确定的必要的文件记录信息。
note the extent of documented information for an information security management
system can differ from one organization to another due to:
注:不同组织的信息安全管理体系文件记录信息的详略程度取决于:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.
1) 组织的规模及其活动、过程、产品和服务的类型;
2) 过程的复杂性及其相互作用;
3) 人员的能力。
7.5.2 creating and updating
7.5.2 创建和更新
when creating and updating documented information the organization shall ensure
appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) review and approval for suitability and adequacy.
创建和更新文件记录信息时,组织应确保适当的:
a) 标识和描述(例如:标题、日期、作者或参考编号);
b) 格式(例如:语言,软件版本,图表)和介质(例如:纸质介质,电子介质);
c) 评审和批准其适用性和充分性。
7.5.3 control of documented information
7.5.3 文件记录信息的控制
documented information required by the information security management system and by
this international standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of
integrity).
信息安全管理体系和本标准所要求的文件记录信息应予以控制,以确保:
a) 无论何时何地需要,它都是可用并适合使用的;
b) 它被充分保护(例如避免丧失保密性、使用不当或丧失完整性)。
for the control of documented information, the organization shall address the following
activities,as applicable:
c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and
f) retention and disposition.
对于文件记录信息的控制,适用时,组织应处理下列问题:
c) 分发、访问、检索和使用;
d) 存储和保存,包括可读性的保持;
e) 变更控制(例如版本控制);
f) 保留和和处置。
documented information of external origin, determined by the organization to be
necessary for the planning and operation of the information security management system,
shall be identified as appropriate, and controlled.
组织为规划和实施信息安全管理体系确定的必要的外部原始文件记录信息,适当时应予以识
别并进行控制。
note access implies a decision regarding the permission to view the documented
information only, or the permission and authority to view and change the documented
information, etc.
注:访问隐含一个权限决策:仅能查看文件记录信息,或有权去查看和变更文件记录信息等。
8 operation
8 运行
8.1 operational planning and control
8.1 运行的规划和控制
the organization shall plan, implement and control the processes needed to meet
information security requirements, and to implement the actions determined in 6.1.the
organization shall also implement plans to achieve information security objectives
determined in 6.2.
组织应规划、实施和控制满足信息安全要求所需的过程,并实施6.1中确定的措施。组织还
应实施这些规划来实现6.2中所确定的信息安全目标。
the organization shall keep documented information to the extent necessary to have
confidence that the processes have been carried out as planned.
the organization shall control planned changes and review the consequences of
unintended changes, taking action to mitigate any adverse effects, as necessary.
the organization shall ensure that outsourced processes are determined and controlled.
组织应保持文件记录信息达到必要的程度:有信心证明过程是按计划执行的。
组织应控制计划了的变更,评审非预期变更的后果,必要时采取措施减缓负面影响。
组织应确保外包的过程已确定,并处于可控状态。
8.2 information security risk assessment
8.2 信息安全风险评估
the organization shall perform information security risk assessments at planned intervals
or when significant changes are proposed or occur, taking account of the criteria
established in 6.1.2 a).
考虑到6.1.2 a)中建立的风险评估执行准则,组织应按计划的时间间隔执行信息安全风险
评估,当重大变更被提出或发生时也应执行信息安全风险评估。
the organization shall retain documented information of the results of the information
security risk assessments.
组织应保留信息安全风险评估结果的文件记录信息。
8.3 information security risk treatment
8.3 信息安全风险处置
the organization shall implement the information security risk treatment plan.
the organization shall retain documented information of the results of the information
security risk treatment.
组织应实施信息安全风险处置计划。
组织应保留信息安全风险处置结果的文件记录信息。
9 performance evaluation
9 绩效评价
9.1 monitoring, measurement, analysis and evaluation
9.1 监视、测量、分析和评价
the organization shall evaluate the information security performance and the
effectiveness of the information security management system.
the organization shall determine:
a) what needs to be monitored and measured, including information security processes
and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to
ensure valid results;
a) 什么需要监视和测量,包括信息安全过程和控制措施;
b) 监视、测量、分析和评价的方法,适用时,确保结果有效;
note the methods selected should produce comparable and reproducible results to be
considered valid.
注:选择的方法最好产生可比较和可再现的结果,这样才能被认为是有效的。
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) who shall analyse and evaluate these results.
the organization shall retain appropriate documented information as evidence of the
monitoring and measurement results.
c) 什么时候应执行监视和测量;
d) 谁应实施监视和测量;
e) 什么时候应对监视和测量的结果进行分析和评价;
f) 谁应分析和评价这些结果。
组织应保留适当的文件记录信息作为监视和测量结果的证据。
9.2 internal audit
9.2 内部审核
the organization shall conduct internal audits at planned intervals to provide information
on whether the information security management system:
组织应按计划的时间间隔进行内部审核,以提供信息确定信息安全管理体系是否:
a) conforms to
a) 符合
1) the organization’s own requirements for its information security management system;
2) the requirements of this international standard;
1) 组织自身信息安全管理体系的要求;
2) 本标准的要求;
b) is effectively implemented and maintained. the organization shall:
c) plan, establish, implement and maintain an audit program me(s), including the
frequency, methods, responsibilities, planning requirements and reporting. the audit
program me(s) shall take into consideration the importance of the processes concerned
and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the
audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit program me(s) and the audit
results.
b) 得到有效的实施和保持。
组织应:
c) 规划、建立、实施和保持审核方案,包括频次、方法、职责、计划要求和报告。审核方
案应考
虑所关注过程的重要性以及以往审核的结果;
d) 为每次审核定义审核准则和审核范围;
e) 审核员的选择和审核的实施应确保审核过程的客观性和公正性;
f) 确保审核结果报告给相关的管理者;
g) 保留文件记录信息作为审核方案和审核结果的证据。
9.3 management review
9.3 管理评审
top management shall review the organization’s information security management
system at planned intervals to ensure its continuing suitability, adequacy and
effectiveness.the management review shall include consideration of:
管理者应按计划的时间间隔评审组织的信息安全管理体系,以确保其持续的适宜性、充分性
和有效性。
管理评审应包括下列方面的考虑:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security
management
system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
a) 以往管理评审的措施的状态;
b) 与信息安全管理体系相关的外部和内部问题的变更;
c) 信息安全绩效的反馈,包括下列方面的趋势:
1) 不符合和纠正措施;
2) 监视和测量结果;
3) 审核结果;
4) 信息安全目标的实现;
d) 相关方的反馈;
e) 风险评估的结果和风险处置计划的状态;
f) 持续改进的机会。
the outputs of the management review shall include decisions related to continual
improvement opportunities and any needs for changes to the information security
management system.
the organization shall retain documented information as evidence of the results of
management reviews.
管理评审的输出应包括与持续改进机会有关的决定,以及变更信息安全管理体系的所有需求。
组织应保留文件记录信息作为管理评审结果的证据。
10 improvement
10 改进
10.1 nonconformity and corrective action
10.1 不符合和纠正措施
when a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
当发生不符合时,组织应:
a) 对不符合作出反应,适用时:
1) 采取措施控制并纠正不符合;
2) 处理后果;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it
does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
b) 为确保不符合不再发生或不在其他地方发生,通过下列方式评价消除不符合原因的措施
需求:
1) 评审不符合;
2) 确定不符合的原因;
3) 确定是否存在或可能发生相似的不符合;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
corrective actions shall be appropriate to the effects of the nonconformities encountered.
the organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.
c) 实施所需的措施;
d) 评审所采取纠正措施的有效性;
e) 必要时,对信息安全管理体系实施变更。
纠正措施应与所遇不符合的影响相适应。
组织应保留文件记录信息作为下列事项的证据:
f) 不符合的性质以及所采取的所有后续措施;
g) 所有纠正措施的结果。
10.2 continual improvement
10.2 持续改进
the organization shall continually improve the suitability, adequacy and effectiveness of
the information security management system.
组织应持续改进信息安全管理体系的适宜性、充分性和有效性。
table a.1 – control objectives and controls
a.5 security policies
安全方针
a.5.1 management direction for information security
信息安全管理指导
objective: to provide management direction and support for information security in accordance with
business requirements and relevant laws and regulations.
目标:依据业务要求和相关法律法规提供管理指导并支持信息安全。
a.5.1.1
policies for
information security
信息安全方针
a set of policies for information security shall be defined, approved by
management, published and communicated to employees and
relevant external parties.
一组信息安全方针应被建立、由管理层批准、发布并传达给所有员工和
外部相关方。
a.5.1.2
review of the
policies for
information security
信息安全方针的评审
the policies for information security shall be reviewed at planned
intervals or if significant changes occur to ensure their continuing
suitability, adequacy and effectiveness.
宜按计划的时间间隔或当重大变化时进行信息安全方针评审,以确保它
持续的适宜性、充分性和有效性。
a.6 organisation of information security
信息安全组织
a.6.1 internal organisation
内部组织
objective: to establish a management framework to initiate and control the implementation and
operation of information security within the organisation.
目标:建立管理框架,启动和控制组织内信息安全的实施和运行。
a.6.1.1
information security
roles and
responsibilities
信息安全角色和职责
all information security responsibilities shall be defined and allocated.
所有的信息安全职责宜予以定义与分配。
a.6.1.2
segregation of
duties
职责分割
conflicting duties and areas of responsibility shall be segregated to
reduce opportunities for unauthorized or unintentional modification or
misuse of the organization’s assets.
冲突的责任及职责范围宜加以分割,以降低未授权或无意识的修改或者
不当使用组织资产的机会。
a.6.1.3
contact with
authorities
与政府部门的联系
appropriate contacts with relevant authorities shall be maintained.
宜保持与政府相关部门的适当联系。
a.6.1.4
contact with special
interest groups
与特定利益集团的联
系
appropriate contacts with special interest groups or other specialist
security forums and professional associations shall be maintained.
宜保持与特定利益集团、其他安全专家组和专业协会的适当联系。
a.6.1.5
information security
in project
management
项目管理中的信息安
全
information security shall be addressed in project management,
regardless of the type of the project.
无论何种类型的项目,宜将信息安全融入到项目管理中。
a.6.2 mobile devices and teleworking
移动设备和远程工作
objective: to ensure the security of teleworking and use of mobile devices.
目标:确保远程工作和移动设备使用的安全
a.6.2.1
mobile device policy
移动设备策略
a policy and supporting security measures shall be adopted to
manage against the risks introduced by using mobile devices.
宜采用策略及和支持性安全措施来管理使用移动设备所带来的风险。
a.6.2.2
teleworking
远程工作
a policy and supporting security measures shall be implemented to
protect information accessed, processed or stored on teleworking
sites.
宜实施策略和支持性安全措施来保护在远程站点访问、处理或存储的信
息。
a.7 human resource security
人力资源安全
a.7.1 prior to employment
任用之前
objective: to ensure that employees and contractors understand their responsibilities and are suit-able
for the roles for which they are considered.
目标:确保雇员、承包方人员理解其职责、考虑对其承担的角色是适合的。
a.7.1.1
screening
审查
background verification checks on all candidates for employment
shall be carried out in accordance with relevant laws, regulations and
ethics and shall be proportional to the business requirements, the
classification of the information to be accessed and the perceived
risks.
关于所有任用的候选者的背景验证核查应按照相关法律法规、道德规范
和对应的业务要求、被访问信息的类别和察觉的风险来执行。
a.7.1.2
terms and
conditions of
employment
任用条款和条件
the contractual agreements with employees and contractors shall
state their and the organization’s responsibilities for information
security.
与员工和承包商的合同协议应规定他们和组织的信息安全责任。
a.7.2 during employment
任用中
objective: to ensure that employees and contractors are aware of and fulfil their information security
responsibilities.
目标:确保所有的雇员和合同方意识到并履行其信息安全责任。
a.7.2.1
management
responsibilities
管理职责
management shall require all employees and external party users to
apply security in accordance with established policies and procedures
of the organization.
管理者宜要求所有雇员和外部用户按照组织已建立的方针策略和规程
对安全尽心尽力。
a.7.2.2
information security
awareness,
education and
training
信息安全意识、教育
和培训
all employees of the organization and, where relevant, contractors
shall receive appropriate awareness education and training and
regular updates in organizational policies and procedures, as relevant
for their job function.
组织的所有雇员,适当时,包括合同方,应受到与其工作职能相关的适
当的意识教育、培训和组织方针策略及规程的定期更新培训。
a.7.2.3
disciplinary process
纪律处理过程
there shall be a formal and communicated disciplinary process in
place to take action against employees who have committed an
information security breach.
宜有一个正式并已传达的纪律处理过程,以对于安全违规的雇员进行处
理。
a.7.3 termination and change of employment
任用的终止或变化
objective: to protect the organization’s interests as part of the process of changing or terminating
employment.
目标:宜将保护组织的利益融入到任用变化或终止的处理流程中。
a.7.3.1
termination or
change of
employment
responsibilities
任用终止或变化的职
责
information security responsibilities and duties that remain valid after
termination or change of employment shall be defined, communicated
to the employee or external party user and enforced.
任用终止或变化后仍然有效的信息安全责任和义务应被定义,并向雇员
与第三方人员进行传达与执行。
a.8 asset management
资产管理
a.8.1 responsibility for assets
对资产负责
objective: to achieve and maintain appropriate protection of organizational assets.
目标:实现和保持对组织资产的适当保护。
a.8.1.1
inventory of assets
资产清单
assets associated with information and information processing
facilities shall be identified and an inventory of these assets shall be
drawn up and maintained.
宜识别信息和信息处理设施相关的资产,编制并维护这些资产的清单。
a.8.1.2
ownership of assets
资产责任人
assets maintained in the inventory shall be owned.
资产清单中维护的信息资产宜指定责任人。
a.8.1.3
acceptable use of
assets
资产的可接受使用
rules for the acceptable use of information and assets associated
with information and information processing facilities shall be
identified, documented and implemented.
信息与信息及信息处理设施有关的资产可接受使用规则应被确定、形成
文件并加以实施。
a.8.1.4
return of assets
资产的归还
all employees and external party users shall return all of the
organizational assets in their possession upon termination of their
employment, contract or agreement.
所有的雇员、承包方人员和第三方人员在终止任用、合同或协议时,应
归还他们使用的所有组织资产。
a.8.2 information classification
信息分类
objective: to ensure that information receives an appropriate level of protection in accordance with its
importance to the organization.
目标:确保信息受到与其对组织的重要性保持一致适当级别的保护。
a.8.2.1
classification of
information
信息的分类
information shall be classified in terms of legal requirements value,
criticality and sensitivity to unauthorized disclosure or modification.
信息应按照它对组织的价值、法律要求、敏感性和关键性予以分类,以
保护信息免受未授权泄露或篡改。。
a.8.2.2
labeling of
information
信息标记
an appropriate set of procedures for information labeling shall be
developed and implemented in accordance with the information
classification scheme adopted by the organization.
应按照组织所采纳的分类机制建立和实施一组适合的信息标记规程。
a.8.2.3
handling of assets资
产处理
procedures for handling assets shall be developed and implemented
in accordance with the information classification scheme adopted by
the organization.
应按照组织所采纳的分类机制建立和实施一组适合的信息处理规程。
a.8.3 media handling
介质处置
objective: to prevent unauthorized disclosure, modification, removal or destruction of information stored
on media.
目标:防止存储在介质上的信息遭受未授权泄露、修改、移动或销毁。
a.8.3.1
management of
removable media 可
移动介质的管理
procedures shall be implemented for the management of removable
media in accordance with the classification scheme adopted by the
organization.
应根据组织所采用的分类方案来实施可移动介质管理程序。
a.8.3.2
disposal of media 介
质的处置
media shall be disposed of securely when no longer required, using
formal procedures.
不再需要的介质,应使用正式的程序安全地处置。
a.8.3.3
physical media
transfer
物理介质传输
media containing information shall be protected against unauthorized
access, misuse or corruption during transportation.
包含信息的介质在运送时,应防止未授权的访问、不当使用或损坏。
a.9 access control
访问控制
a.9.1 business requirements of access control
访问控制的业务要求
objective: to restrict access to information and information processing facilities.
目标:限制信息与信息处理设施的访问
a.9.1.1
access control policy
访问控制策略
an access control policy shall be established, documented and
reviewed based on business and security requirements.
访问控制策略应建立、形成文件,并基于业务和安全要求进行评审。
a.9.1.2
policy on the use of
network services
使用网络服务的策略
users shall only be provided with access to the network and network
services that they have been specifically authorized to use.
用户应只能访问已获专门授权使用的网络和网络服务服务。
a.9.2 user access management
用户访问管理
objective: to ensure authorized user access and to prevent unauthorized access to systems and
services.
目标:确保授权用户访问系统和服务,并防止未授权的访问。
a.9.2.1
user registration and
de-registration
用户注册和注销
a formal user registration and de-registration process shall be
implemented to enable assignment of access rights.
应实施正式的用户注册及注销流程来分配访问权限。
a.9.2.2
user access
provisioning
用户访问提供
a formal user access provisioning process shall be implemented to
assign or revoke access rights for all user types to all systems and
services.
无论什么类型的用户,在对其分配或撤销所有系统和服务的权限时,都
应实施一个正式的用户访问提供流程.
a.9.2.3
management of
privileged
access rights
特殊权限管理
the allocation and use of privileged access rights shall be restricted
and controlled.
应限制和控制特殊访问权限的分配及使用。
a.9.2.4
management of
secret authentication
information of users
用户安全鉴别信息的
管理
the allocation of secret authentication information shall be controlled
through a formal management process.
应通过一个正式的管理过程对安全鉴别信息的分配进行控制。
a.9.2.5
review of user
access rights
用户访问权的复查
asset owners shall review users’ access rights at regular intervals.
资产所有者应定期对用户的访问权进行复查。
a.9.2.6
removal or
adjustment of access
rights
撤销或调整访问权限
the access rights of all employees and external party users to
information and information processing facilities shall be removed
upon termination of their employment, contract or agreement, or
adjusted upon change.
所有雇员和第三方人员对信息和信息处理设施的访问权应在任用、合同
或协议终止时删除,或在变化时调整。
a.9.3 user responsibilities
用户职责
objective: to make users accountable for safeguarding their authentication information.
目标:确保用户对保护他们的鉴别信息负有责任。
a.9.3.1
use of secret
authentication
information
安全鉴别信息的使用
users shall be required to follow the organization’s security practices
in the use of secret authentication information.
应要求用户遵循组织的安全防护措施来使用安全鉴别信息。
a.9.4 system and application access control
系统和应用访问控制
objective: to prevent unauthorized access to systems and applications.
目标:防止对系统和应用的非授权访问。
a.9.4.1
information access
restriction
信息访问限制
access to information and application system functions shall be
restricted in accordance with the access control policy.
信息和应用系统功能的访问应依照访问控制策略加以限制。
a.9.4.2
secure log-on
procedures
安全登陆规程
where required by the access control policy, access to systems and
applications shall be controlled by a secure log-on procedure.
访问控制策略要求时,访问系统和应用应通过安全登录规程加以控制。
a.9.4.3
password
management system
口令管理系统
passwords management systems shall be interactive and shall
ensure quality passwords.
口令管理系统应是交互式的,并应确保优质的口令。
a.9.4.4
use of privileged
utility programs
特权使用程序的使用
the use of utility programs that might be capable of overriding system
and application controls shall be restricted and tightly controlled.
对于能超越系统和应用程序控制措施的实用工具的使用应加以限制并
严格控制。
a.9.4.5
access control to
program source
code
对程序源代码的访问
控制
access to program source code shall be restricted.
应限制访问程序源代码。
a.10 cryptography
密码学
a.10.1 cryptographic controls
密码控制
objective: to ensure proper and effective use of cryptography to protect the confidentiality authenticity
or integrity of information.
目标:确保适当并有效的密码的使用来保护信息的保密性、真实性或完整性。
a.10.1.1
policy on the use of
cryptographic
controls
使用密码控制的策略
a policy on the use of cryptographic controls for protection of
information shall be developed and implemented.
应开发和实施使用密码控制措施来保护信息的策略。
a.10.1.2
key management 密
钥管理
a policy on the use, protection and lifetime of cryptographic keys shall
be developed and implemented through their whole lifecycle.
应开发和实施一个贯穿生命周期的密码密钥使用、保护和生命期管理策
略。
a.11 physical and environmental security
物理和环境安全
a.11.1 secure areas
安全区域
objective: to prevent unauthorized physical access, damage and interference to the organization’s
information and information processing facilities.
目标:防止对组织信息和信息处理设施的未授权物理访问、损坏和干扰。
a.11.1.1
physical security
perimeter
物理安全周边
security perimeters shall be defined and used to protect areas that
contain either sensitive or or critical information and information
processing facilities.
应定义并使用安全周边来保护包含任何敏感或关键的信息和信息处理
设施的区域。
a.11.1.2
physical entry
controls
物理入口控制
secure areas shall be protected by appropriate entry controls to
ensure that only authorized personnel are allowed access.
安全区域应由适合的入口控制所保护,以确保只有授权的人员才允许访
问。
a.11.1.3
securing office,
room and facilities
办公室、房间和设施
physical security for offices, rooms and facilities shall be designed
and applied.
的安全保护 应为办公室、房间和设施设计并采取物理安全措施。
a.11.1.4
protecting against
external end
environmental
threats
外部和环境威胁的安
全防护
physical protection against natural disasters, malicious attack or
accidents shall be designed and applied.
为防止自然灾害,恶意攻击或以外事件引起的破坏,应设计和采取物理
保护措施。
a.11.1.5
working in secure
areas
在安全区域工作
procedures for working in secure areas shall be designed and applied
应设计和应用在安全区域工作的规程。
a.11.1.6
delivery and loading
areas
交接区
access points such as delivery and loading areas and other points
where unauthorized persons may enter the premises shall be
controlled and, if possible, isolated from information processing
facilities to avoid unauthorized access.
访问点(例如交接区)和未授权人员可进入办公场所的其他地点应加以
控制,如果可能,应与信息处理设施隔离,以避免未授权访问。
a.11.2 equipment
设备安全
objective: to prevent loss, damage, theft or compromise of assets and interruption to the organization’s
operations.
目标:防止资产的丢失、损坏、失窃或危及资产安全以及组织的运营。
a.11.2.1
equipment siting and
protection
设备安置和保护
equipment shall be sited and protected to reduce the risks from
environmental threats and hazards,and opportunities for unauthorized
access.
应安置或保护设备,以减少由环境威胁和危险所造成的各种风险以及未
授权访问的机会。
a.11.2.2
supporting utilities支
持性设施
equipment shall be protected from power failures and other
disruptions caused by failures in supporting utilities.
应保护设备使其免于由支持性设施的失败而引起的电源故障和其他中
断。
a.11.2.3
cabling security
布缆安全
power and telecommunications cabling carrying data or supporting
information services shall be protected from interception, interference
or damage.
应保证传输数据或支持信息服务的电源布缆和通信布缆免受窃听、干扰
或损坏。
a.11.2.4 equipment
equipment shall be correctly maintained to ensure its continued
maintenance
设备维护
availability and integrity.
设备应予以正确地维护,以确保其持续的可用性和完整性。
a.11.2.5
removal of assets资
产的移动
equipment, information or software shall not be taken off-site without
prior authorization.
设备、信息或软件在授权之前不应带出组织场所。
a.11.2.6
security of
equipment and
assets off-premises
组织场所外的设备和
资产安全
security shall be applied to off-site assets taking into account the
different risks of working outside the organization’s premises.
应对组织场所的设备采取安全措施,要考虑工作在组织场所以外的不同
风险。
a.11.2.7
secure disposal or
re-use of equipment
设备的安全处置或再
利用
all items of equipment containing storage media shall be verified to
ensure that any sensitive data and licensed software has been
removed or securely overwritten prior to disposal or re-use.
包含存储介质的设备的所有项目应进行验证,以确保在处置之前,任何
敏感信息和注册软件已被删除或安全地写覆盖。
a.11.2.8
unattended user
equipment
无人值守的用户设备
users shall ensure that unattended equipment has appropriate
protection.
用户应确保无人职守的用户设备有适当的保护。
a.11.2.9
clear desk and clear
screen policy
清空桌面和屏幕策略
a clear desk policy for papers and removable storage media and a
clear screen policy for information processing facilities shall be
adopted.
应采取清空桌面上文件、可移动存储介质的策略和清空信息处理设施屏
幕的策略。
a.12 operations security
操作安全
a.12.1 operational procedures and responsibilities
操作程序和职责
objective: to ensure correct and secure operations of information processing facilities.
目标:确保正确、安全的操作信息处理设施。
a.12.1.1
documented
operating
procedures
文件化的操作程序
operating procedures shall be documented and made available to all
users who need them.
操作程序应形成文件并对所有需要的用户可用。
a.12.1.2
change
management
changes to the organization, business processes, information
变更管理 processing facilities and systems that affect information security
shall be controlled.
对组织、业务流程、信息处理设施和系统中影响信息安全方面的变更应
加以控制。
a.12.1.3
capacity
management
容量管理
the use of resources shall be monitored, tuned and projections made
of future capacity requirements to ensure the required system
performance.
资源的使用应加以监视、调整,并作出对于未来容量要求的预测,以确
保拥有所需的系统性能。
a.12.1.4
separation of
development, testing
and operational
environments
开发、测试和运行设
施分离
development, testing, and operational environments shall be
separated to reduce the risks of unauthorized access or changes to
the operational environment.
开发、测试和运行环境应分离,以减少未授权访问或改变运行系统的风
险。
a12.2 protection from malware
防范恶意软件
objective: to ensure that information and information processing facilities are protected against
malware.
目标:确保对信息和信息处理设施的保护,防止恶意软件。
a.12.2.1
controls against
malware
控制恶意软件
detection, prevention and recovery controls to protect against
malware shall be implemented,combined with appropriate user
awareness.
应结合适当的用户意识实施恶意软件的检测、预防和恢复的控制措施。
a.12.3 backup
备份
objective: to protect against loss of data.
目标:防止数据丢失
a.12.3.1
information backup
信息备份
backup copies of information, software and system images shall be
taken and tested regularly in accordance with the agreed backup
policy.
应按照已设的备份策略,定期备份和测试信息、软件和系统镜像。
a.12.4 logging and monitoring
日志记录和监视
objective: to record events and generate evidence.
目标:记录事件并生成证据
a.12.4.1
event logging
事件日志
event logs recording user activities, exceptions, faults and information
security events shall be produced, kept and regularly reviewed.
应产生并保持记录用户活动、异常情况、故障和信息安全事态的审计日
志,并定期对事件日志进行评审。
a.12.4.2
protection of log
information
日志信息的保护
logging facilities and log information shall be protected against
tampering and unauthorized access
记录日志的设施和日志信息应加以保护,以防止篡改和未授权的访问。
a.12.4.3
administrator and
operator logs
管理员和操作员日志
system administrator and system operator activities shall be logged,
protected and regularly reviewed.
系统管理员和系统操作员活动应记入日志,并对其进行保护和定期评
审。
a.12.4.4
clock
synchronisaton
时钟同步
the clocks of all relevant information processing systems within an
organization or security domain shall be synchronized to single
reference time source.
一个组织或安全域内的所有相关信息处理设施的时钟应使用单一基准
时间源进行同步。
a.12.5 control of operational software
运行软件的控制
objective: to ensure the integrity of operational systems.
目标:确保运行系统的完整性
a.12.5.1
installation of
software on
operational systems
运行系统软件安装
procedures shall be implemented to control the installation of
software on operational systems.
应有规程来控制在运行系统上安装软件。
a.12.6 technical vulnerability management
技术脆弱性管理
objective: to prevent exploitation of technical vulnerabilities.
目标:防止技术脆弱性被利用
a.12.6.1
management of
technical
vulnerabilities
技术脆弱性管理
information about technical vulnerabilities of information systems
being used shall be obtained in a timely fashion, the organization's
exposure to such vulnerabilities evaluated and appropriate measures
taken to address the associated risk.
应及时得到现用信息系统技术脆弱性的信息,评价组织对这些脆弱性的
暴露程度,并采取适当的措施来处理相关的风险。
a.12.6.2
restrictions on
software installation
软件安装限制
rules governing the installation of software by users shall be
established and implemented.
应建立并实施用户安装软件控制规则。
a.12.7 information systems audit considerations
信息系统审计考虑
objective: to minimize the impact of audit activities on operational systems.
目标:将审计活动对运行系统的影响最小化。
a.12.7.1
information systems
audit controls
信息系统审计控制措
施
audit requirements and activities involving verification of operational
systems shall be carefully planned and agreed to minimize
disruptions to business processes.
涉及对运行系统核查的审计要求和活动,应谨慎地加以规划并取得批
准,以便最小化造成业务过程中断的风险。
a.13 communications security
通信安全
a.13.1 network security management
网络安全管理
objective: to ensure the protection of information in networks and its supporting information processing
facilities.
目标:确保网络及信息处理设施中信息收到保护。
a.13.1.1
network controls
网络控制
networks shall be managed and controlled to protect information in
systems and applications.
应对网络进行管理和控制,以保护系统及应用中的信息。
a.13.1.2
security of network
services
网络服务的安全
security mechanisms, service levels and management requirements
of all network services shall be identified and included in network
services agreements, whether these services are provided in-house
or outsourced.
安全机制、服务级别以及所有网络服务的管理要求应予以确定并包括在
所有网络服务协议中,无论这些服务是由内部提供的还是外包的。
a.13.1.3
segregation in
networks
网络隔离
groups of information services, users and information systems shall
be segregated on networks.
应在网络中隔离信息服务、用户和信息系统。
a.13.2 information transfer
信息传输
objective: to maintain the security of information transferred within an organization and with any
external entity.
目标:保持组织内以及与组织外信息传输的安全。
a.13.2.1
information transfer
policies and
procedures
信息交换策略和规程
formal transfer policies, procedures and controls shall be in place to
protect the transfer of information through the use of all types of
communication facilities.
应有正式的交换策略、规程和控制措施,以保护通过使用各种类型通信
设施的信息交换。
a.13.2.2
agreements on
information transfer
信息传输协议
agreements shall address the secure transfer of business information
between the organization and external parties.
应建立组织和外部各方之间的业务信息的安全传输协议。
a.13.2.3
electronic
messaging
电子消息发送
information involved in electronic messaging shall be appropriately
protected.
包含在电子消息发送中的信息应给予适当的保护。
a.13.2.4
confidentiality or
non-disclosure
agreements
保密或不泄露协议
requirements for confidentiality or non-disclosure agreements
reflecting the organization’s needs for the protection of information
shall be identified, regularly reviewed and documented.
应识别、定期评审反映组织信息保护需要的保密性或不泄露协议的要
求,并将其形成文档。
a.14 system acquisition, development and maintenance
系统获取、开发和维护
a.14.1 security requirements of information systems
信息系统的安全要求
objective: to ensure that security is an integral part of information systems across the entire
lifecycle.this includes in particular specific security requirement for information systems which provide
services over public networks.
目标:确保信息安全成为信息系统生命周期的组成部分,包括向公共网络提供服务的信息系统的特定安全
要求。
a.14.1.1
security
requirements
analysis and
the information security related requirements shall be included in the
requirements for new information systems or enhancements to
specification
安全要求分析和说明
existing information systems。
新建信息系统或改进现有信息系统要求中应包括信息安全相关的要求。
a.14.1.2
securing
applications services
on public networks
公共网络应用服务的
安全
information involved in application services passing over public
networks shall be protected from fraudulent activity, contract dispute
and unauthorized disclosure and modification.
应保护应用服务中通过公共网络传输的信息,以防止欺诈活动、合同纠
纷、未授权的泄露和修改。
a.14.1.3
protecting
application services
transactions
保护应用服务交易
information involved in application service transactions shall be
protected to prevent incomplete transmission, mis-routing,
unauthorized message alteration, unauthorized disclosure,
unauthorized message duplication or replay.
应用服务中的信息应受保护,以防止不完全传输、错误路由、未授权的
信息篡改、未授权的泄露、未授权的信息复制或重放。
a.14.2 security in development and support processes
开发和支持过程中的安全
objective: to ensure that information security is designed and implemented within the development
lifecycle of information systems.
目标:确保在信息系统开发生命周期内设计与实施信息安全。
a.14.2.1
secure development
policy
安全开发策略
rules for the development of software and systems shall be
established and applied to developments within the organization.
应在组织内部建立并应用软件和系统的开发规则。
a.14.2.2
system change
control procedures
系统变更控制规程
changes to systems within the development lifecycle shall be
controlled by the use of formal change control procedures
应对软件包的修改进行劝阻,只限于必要的变更,且对所有的变更加以
严格控制。
a.14.2.3
technical review of
applications after
operating platform
changes
操作系统变更后应用
技术评审
when operating platforms are changed, business critical applications
shall be reviewed and tested to ensure there is no adverse impact on
organizational operations or security.
当操作系统发生变更时,应对业务的关键应用进行评审和测试,以确保
对组织的运行或安全没有负面影响。
a.14.2.4
restrictions on
changes to software
packages
软件包变更的限制
modifications to software packages shall be discouraged, limited to
necessary changes and all changes shall be strictly controlled.
应对软件包的修改进行劝阻,只限于必要的变更,且对所有的变更加以
严格控制。
a.14.2.5
secure system
engineering
principles
安全系统工程原则
principles for engineering secure systems shall be established,
documented, maintained and applied to any information system
development efforts.
工程安全系统原则应被建立、形成文档,并应用到任何信息系统开发工
作中。
a.14.2.6
secure development
environment
安全开发环境
organizations shall establish and appropriately protect secure
development environment for system development and integration
efforts that covers the entire system development lifecycle.
应在整个系统开发生命周期的系统开发和集成工作中,建立并适当保护
开发环境的安全。
a.14.2.7
outsourced
development
外包开发
the organization shall supervise and monitor the activity of
outsourced system development.
组织应监督、监视系统开发外包活动。
a.14.2.8
system security
testing
系统安全测试
tests of the security functionality shall be carried out during
development.
在开发过程中,应进行安全功能测试。
a.14.2.9
system acceptance
testing
系统验收测试
acceptance testing programs and related criteria shall be established
for new information systems,upgrades and new versions.
应建立新建信息系统、系统更新、版本升级验收测试规程和相关标准。
a.14.3 test data
测试数据
objective: to ensure the protection of data used for testing.
目标:确保测试数据的安全。
a.14.3.1
protection of test
data
保护测试数据
test data shall be selected carefully, protected and controlled.
测试数据应认真地加以选择、保护和控制。
a.15 supplier relationships
供应关系
a.15.1 security in supplier relationship
供应关系安全
objective: to ensure protection of the organization’s information that is accessible by suppliers.
目标:确保组织中被供应商访问信息的安全。
a.15.1.1
information security
policy for supplier
relationships
供应关系信息安全策
略
information security requirements for mitigating the risks associated
with supplier access to organization’s assets shall be agreed with the
supplier and documented.
用于减轻供应商访问组织的资产相关风险的信息安全要求应形成文档
并与供应商达成一致。
a.15.1.2
addressing security
within supplier
agreements
处理供应商协议中的
安全问题
all relevant information security requirements shall be established
and agreed with each supplier that may have access to, process,
store, communicate or provide it infrastructure components for the
organization’s information.
应与每个可能访问、处理、存储组织信息,与组织进行通信或为组织提
供 it 基础设施组件的供应商建立并协商所有信息安全相关要求。
a.15.1.3
information and
communication
technology supply
chain
信息和通信技术供应
链
agreements with suppliers shall include requirements to address the
information security risks associated with information and
communications technology services and product supply chain.
供应商协议应包括信息、通信技术服务和产品供应链的相关信息安全风
险。
a.15.2 supplier service delivery management
供应商服务交付管理
objective: to maintain an agreed level of information security and service delivery in line with supplier
agreements.
确保信息安全和服务交付水平与供应商协议保持一致。
a.15.2.1
monitoring and
review of supplier
services
供应商服务的监视和
评审
organizations shall regularly monitor, review and audit supplier
service delivery.
组织应定期监视、评审、审计供应商服务交付。
a.15.2.2
managing changes
to supplier services
供应商服务的变更管
理
changes to the provision of services by suppliers, including
maintaining and improving existing information security policies,
procedures and controls, shall be managed, taking account of the
criticality of business information, systems and processes involved
and re-assessment of risks.
应管理供应商提供服务的变更,包括保持和改进现有的信息安全策略、
规程和控制措施,并考虑到业务系统和涉及过程的关键程度及风险的再
评估。
a.16 information security incident management
信息安全事件管理
a.16.1 management of information security incidents and improvements
信息安全事件和改进的管理
objective: to ensure a consistent and effective approach to the management of information security
incidents, including communication on security events and weaknesses.
目标:确保对信息安全事件进行持续、有效地管理,包括信息安全事态和弱点的沟通。
a.16.1.1
responsibilities and
procedures
职责和规程
management responsibilities and procedures shall be established to
ensure a quick, effective and orderly response to information security
incidents.
应建立管理职责和规程,以确保快速、有效和有序地响应信息安全事件。
a.16.1.2
reporting
information security
events
报告信息安全事态
information security events shall be reported through appropriate
management channels as quickly as possible.
应通过适当的管理途径尽快地报告信息安全事态。
a.16.1.3
reporting
information security
weaknesses
报告信息安全弱点
employees and contractors using the organization’s information
systems and services shall be required to note and report any
observed or suspected information security weaknesses in systems
or services.
应要求使用组织信息系统和服务的所有雇员和合同方记录并报告他们
观察到的或怀疑的任何系统或服务的信息安全弱点。
a.16.1.4
assessment and
decision of
information security
events
信息安全事态评估与
决策
information security events shall be assessed and decided if they
shall be classified as information security incidents.
information security events shall be assessed and decided if they
shall be classified as information security incidents.
应对信息安全事态进行评估,以决定他们是否被归类为信息安全事件。
a.16.1.5
response to
information security
incidents
信息安全事件响应
information security incidents shall be responded to in accordance
with the documented procedures.
应按照文件化规程来响应信息安全事件。
a.16.1.6
learning from
information security
incidents
对信息安全事件的总
结
knowledge gained from analyzing and resolving information security
incidents shall be used to reduce the likelihood or impact of future
incidents.
分析和解决信息安全事件积累的知识应用来减少未来事件的可能性或
影响。
a.16.1.7
collection of
evidence
证据的收集
the organization shall define and apply procedures for the
identification, collection, acquisition and preservation of information,
which can serve as evidence.
组织应建立和应用规程以识别、收集、采集和保存可以作为证据的信息。
a.17 information security aspects of business continuity management
业务连续性管理的信息安全方面
a.17.1 information security continuity
信息安全连续性
objective: information security continuity shall be embedded in organization’s business continuity
management systems。
目标:信息安全的连续性应嵌入组织的业务连续性管理体系。
a.17.1.1
planning information
security continuity
策划信息安全连续性
the organization shall determine its requirements for information
security and continuity of information security management in
adverse situations, e.g. during a crisis or disaster.
组织应明确在不利情况下(如危机或灾难时)信息安全和信息安全管理
连续性的要求。
a.17.1.2
implementing
information security
continuity
实施信息安全连续性
the organization shall establish, document, implement and maintain
processes, procedures and controls to guarantee the required level of
continuity for information security during an adverse situation.
组织应建立,记录,实施,维护流程、程序和控制,以确保满足不利的
情况下信息安全连续性所要求的级别。
a.17.1.3
verify, review and
evaluate information
security continuity
验证、评审和评价信
息安全连续性
the organization shall verify the established and implemented
information security continuity controls at regular intervals in order to
ensure that they are valid and effective during adverse situations.
组织应定期验证已建立并实施的信息安全连续性控制,以确保它们在不
利条件下是适当并有效的。
a.17.2 redundancies
冗余
objective: to ensure availability of information processing facilities.
目标:确保信息处理设施的可用性。
a.17.2.1
availability of
information
processing facilities
信息处理设施的可用
性
information processing facilities shall be implemented with
redundancy sufficient to meet availability requirements.
信息处理设施应具备足够的冗余,以满足可用性要求。
a.18 compliance
符合性
a.18.1 compliance with legal and contractual requirements
符合法律与合同要求
objective: to avoid breaches of legal, statutory, regulatory or contractual obligations related to
information security and of any security requirements.
目标:避免违反任何信息安全相关的法律、法令、法规或合同义务以及任何安全要求。
a.18.1.1
identification of
applicable legislation
and contractual
requirements
可用法律与合同要求
的识别
all relevant legislative statutory, regulatory, contractual requirements
and the organization’s approach to meet these requirements shall be
explicitly identified, documented and kept up to date for each
information system and the organization.
对每一个信息系统和组织而言,所有相关的法律、法规和合同要求,以
及为满足这些要求组织所采用的方法,应加以明确地定义、形成文件并
保持更新。
a.18.1.2
intellectual property
rights
知识产权
appropriate procedures shall be implemented to ensure compliance
with legislative, regulatory and contractual requirements related to
intellectual property rights and use of proprietary software products.
应实施适当的规程、以确保在涉及知识产权和使用具有所有权的软件产
品时,符合法律、法规和合同的要求。
a.18.1.3
protection of records
保护记录
records shall be protected from loss, destruction, falsification,
unauthorized access and unauthorized release, in accordance with
statutory, regulatory, contractual and business requirements.
应防止记录的遗失、毁坏、伪造、未授权的访问与发布,以满足法令、
法规、合同和业务的要求。
a.18.1.4
privacy and
protection of
personally
identifiable
information
隐私和个人身份信息
保护
privacy and protection of personally identifiable information shall be
ensured as required in relevant legislation and regulation where
applicable.
应依照相关的法律、法规的要求,确保隐私和个人身份信息的保护。
a.18.1.5
regulation of
cryptographic
controls
密码控制措施的规则
cryptographic controls shall be used in compliance with all relevant
agreements legislation and regulations.
使用密码控制措施应遵从相关的协议、法律和法规。
a.18.2 information security reviews
信息安全评审
objective: to ensure that information security is implemented and operated in accordance with the
organisational policies and procedures
目标:确保信息安全依照组织策略和规程进行实施并运行。
a.18.2.1
independent review
of information
security
信息安全的独立评审
the organization’s approach to managing information security and its
implementation (i.e. control objectives, controls, policies, processes
and procedures for information security) shall be reviewed
independently at planned intervals or when significant changes to the
security implementation occur.
组织管理信息安全的方法及其实施(例如信息安全的控制目标、控制措
施、策略、过程和规程)应按计划的时间间隔进行独立评审,当安全实
施发生重大变化时,也要进行独立评审。
a.18.2.2
compliance with
security policies and
standards
符合安全策略和标准
managers shall regularly review the compliance of information
processing and procedures within their area of responsibility with the
appropriate security policies, standards and any other security
requirements.
管理层应定期评审信息处理和程序符合他们的责任范围内适当的安全
策略、标准和任何其他安全要求。
a.18.2.3
technical
compliance review技
术符合性评审
information systems shall be regularly reviewed for compliance with
the organisation’s information security policies and standards.
信息系统应被定期核查是否符合信息安全策略和标准。