ISO27001-2013信息安全管理体系要求中英对照版v1.7

1、1ISO/IEC 27001:2013(E)ISO 标准 IEC 27001:2013信息安全管理体系要求Reference numberISO/IEC 27001:2013(E)? ISO/IEC 2013All rights reserved2ISO/IEC 27001:2013(E)1 范围1 Scope本国际标准规定了在组织背景下建立、ThisInternational Standard specifiestherequirements for实施、维护和持续改进信息安全管理体establishing, implementing, maintainingandcontinuallyim

2、proving系。本标准还包括信息安全风险评估和aninformation securitymanagementsystem withinthe context处置要求，可裁剪以适用于组织。本国ofthe organization. This International Standard also includes际标准的要求是通用的， 适用于所有的requirements for the assessment and treatmentof information security risks组织，不考虑类型、规模和特征。当组tailored to the needs of the orga

3、nization. The requirements set out in this织声称符合本国际标准时，任何条款International Standard are generic and areintended to be applicable to4-10 的排除是不可接受的。all organizations, regardlessof type, size or nature. Excluding any of therequirements specified in Clauses 4 to 10 is not acceptablewhen anorganization clai

4、ms conformity to this International Standard.2 规范性引用文件2 Normative references下列参考文件是本文件的标准参考，也The following documents,in whole orin part, are normatively是应用本文件必不可缺的。 对于标注日referencedinthis document andare indispensablefor its期的引用文件，仅适用于引用版本。对application.Fordatedreferences,only the editioncited于不标注日期的引

5、用文件， 适用于最新applies. For undated references, the latest edition of the referenced版本的引用文件。document (including any amendments) applies.ISO/IEC 27000 ，信息技术安全技术ISO/IEC 27000, Information technology Security techniques 信息安全管理体系简介和词汇表。Information security management systems Overview and vocabulary3 术语和定义3Te

6、rms and definitions的术语和定义适用于For the purposes of this document, the terms and definitions given in本文件ISO/IEC 27000 apply.? ISO/IEC 2013All rights reserved3ISO/IEC 27001:2013(E)4. 组织环境4 Context of the organization4.1理解组织及其环境4.1 Understanding the organization and its context组织应当确定与信息安全管理体系目的The organiz

7、ationshall determineexternaland internal issues相关联及影响其实现预期结果能力的外that arerelevanttoits purposeandthataffect itsability to部及内部环境。achievethe intendedoutcome(s)ofitsinformationsecuritymanagement system.注：确定这些问题参考 ISO31000:2009中NOTE:Determiningthese issuesrefersto establishing the5.3条款的建立组织外部和内部环境；extern

8、al and internal context of the organization considered inClause 5.3 of ISO 31000:2009.4.2理解相关方的需求和期望4.2 Understandingthe needs andexpectations ofinterestedparties组织应确定：a) 信息安全管理体系的利益相关方；b) 这些利益相关方的信息安全相关要求；注：利益相关方的要求可能包括法律、法规要求和合同责任。4.3确定信息安全管理体系范围组织应确定信息安全管理体系的边界和应用性，以建立其范围。当确定此范围时，组织应考虑：a) 4.1 所提及

9、的外部和内部问题；b) 4.2 所提及的要求；c) 接口和组织执行的活动之间的依赖关系，以及其他组织执行的活动。范围应成为文件化信息。4.4信息安全管理体系组织应按照本国际标准的要求建立、实施、维护和持续改进信息安全管理体系。The organization shall determine:a) interested parties that are relevant to the information security management system; andb) the requirements of these interested parties relevant to info

10、rmation security.NOTE: The requirements of interested parties may include legal and regulatory requirements and contractual obligations.4.3 Determining the scope of the information security management systemThe organization shall determine the boundaries and applicability of the information security

11、 management system to establish its scope. When determining this scope, the organization shall consider:a) the external and internal issues referred to in 4.1;b) the requirements referred to in 4.2; andc) interfaces and dependencies between activities performed by the organisation, and those that ar

12、e performed by other organisations. The scope shall be available as documented information.4.4Information security management systemThe organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this Int

13、ernational Standard.5. 领导力5.1领导力和承诺最高管理者应当展示关注信息安全管理体系的领导力和承诺，通过：a) 确保建立信息安全方针和信息安全目标，并与组织的战略方向兼容；b) 确保信息安全管理体系要求融合到组织的流程中；5 Leadership5.1Leadership and commitmentTop management shall demonstrate leadership and commitment with respect to the information security management system by:a) ensuring the

14、information security policy and the informationsecurity objectives are established and are compatible with the strategic direction of the organization;b) ensuring the integration of the information security management? ISO/IEC 2013All rights reserved4ISO/IEC 27001:2013(E)c) 确保信息安全体系所需要的资源；d) 沟通有效信息安

15、全管理的重要性，符合信息安全管理体系的要求；e) 确保信息安全管理体系达到预期的成果；f) 指导和支持员工对信息安全管理体系的有效性做出贡献；g) 促进持续改进；h) 支持其他相关管理角色来展示其领导力，当适用其职责范围时。system requirements into the organization s processes;并c)ensuring that the resources needed for the informationsecuritymanagement system are available;d) communicating the importance of ef

16、fective information security management and conforming to the information security management system requirements;e) ensuring that the information security management systemachieves its intended outcome(s);f) directing and supporting persons to contribute to the effectiveness of the information secu

17、rity management system;g) promoting continual improvement; andh) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.5.2方针最高管理层应建立一个信息安全方针：a) 与组织的目标相关适应；b) 包括信息安全目标（见6.2 ），或提供制定信息安全目标的框架；c) 包括满足适用信息安全要求的承诺；d) 包括信息安全管理体系持续改进的承诺；信息安

18、全方针应：e) 成为文件化的信息；f) 在组织内部沟通；g) 适当时，提供给利益相关方；5.3组织角色、职责和权限最高管理层应确保信息安全相关角色的职责和权限的分配和沟通。最高管理层应指定责任和授权，以：a) 确保信息安全管理体系符合本国际标准的要求；b) 将信息安全管理体系绩效报告给最高管理层；注：最高管理层可以为组织内信息安全管理体系绩效报告指派职责和授权。6. 策划6.1针对风险和机会所采取的措施6.1.1总则当进行信息安全管理体系策划时，组织应5.2 PolicyTop management shall establish an information security policy

19、that:a) is appropriate to the purpose of the organization;b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;c) includes a commitment to satisfy applicable requirements related to information security; andd) includes a commitme

20、nt to continual improvement of the information security management system.The information security policy shall:e) be available as documented information;f) be communicated within the organization; andg) be available to interested parties, as appropriate.5.3Organizational roles, responsibilities and

21、 authoritiesTop management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.Top management shall assign the responsibility and authority for:a) ensuring that the information security management system conforms to the requ

22、irements of this International Standard; andb) reporting on the performance of the information security management system to top management.NOTE: Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organiz

23、ation.6 Planning6.1Actions to address risks and opportunities6.1.1 GeneralWhen planning for the information security management system, the organization? ISO/IEC 2013All rights reserved5当考虑在 4.1 条款中提到的事宜及 4.2 条款中规定的要求， 并确定需要关注的风险和机会，以：a) 确保信息安全管理体系能够实现其预期结果b) 预防或降低不希望得到的影响c) 实现持续改进组织应当计划：d) 针对这些风险和机

24、会所采取的措施，以及e) 如何1) 将这些措施整合进信息安全管理体系过程之中，2) 评价这些措施的有效性6.1.2信息安全风险评估组织应定义和应用信息安全风险评估流程，以：a) 建立和维护信息安全标准，包括1) 风险接受准则；2) 执行信息安全风险评估准则；b) 确保可重复的信息安全风险评估生成一致、有效和可比较的结果c) 识别信息安全风险1) 应用信息安全风险评估流程， 识别 ISMS 范围内信息保密性、完整性和可用性损失的风险；2) 识别风险所有者；d) 分析信息安全风险1)评估在 6.1.2 c) 1)中识别风险导致的潜在后果2)评估在 6.1.2 c) 1)中识别风险发生的可能性3)确

25、定风险等级e)评估信息安全风险1)风险分析结果与6.1.2 a) 中建立的风险准则进行比较2) 为风险处置， 建立风险优先级和分析组织应保留文件化的信息安全风险评估流程信息ISO/IEC 27001:2013(E)shall consider the issues referred to in 4.1 and the requirements referredto in 4.2and determine the risks and opportunities that need to be addressed to:a) ensure the information security mana

26、gement system can achieve its intended outcome(s);b) prevent, or reduce, undesired effects; andc) achieve continual improvement.The organization shall plan:d) actions to address these risks and opportunities, ande) how to1) integrate and implement the actions into its information security management

27、 system processes; and2) evaluate the effectiveness of these actions.6.1.2Information security risk assessmentThe organization shall define and apply an information security risk assessment process that:a) establishes and maintains information security criteria that include:1) the risk acceptance cr

28、iteria; and2) criteria for performing information security risk assessments;b) ensures that repeated information security risk assessmentsproduce consistent, valid and comparable results.c) Identify the information security risks.1) Apply the information security risk assessment process toidentify r

29、isks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system ; and2) Identify the risk owners.d) Analyses the information security risks.1) Assess the potential consequences that would result if the risks

30、identified in 6.1.2 c) 1) were to materialize.2) Assess the realistic likelihood of the occurrence of the risks identified in 6.1. 2 c) 1). and3) Determine the levels of risk.e) Evaluate the information security risks.1) Compare the results of risk analysis with the risk criteria established in 6.1.

31、2 a) ;and2) prioritize the analysed risks for risk treatment.The organization shall retain documented information about the information security risk assessment process.? ISO/IEC 2013All rights reserved6ISO/IEC 27001:2013(E)6.1.3信息安全风险处置组织应定义和应用信息安全风险处置流程，以：a) 选择适当的信息安全风险处置选项，考虑风险评估结果；b) 确定实施所选信息安全风

32、险处置选项所需的所有控制措施；注：组织可设计所需的控制措施，或从任何来源中识别它们c) 比较 6.1.3 b) 中与附录 A 中的措施项，确认没有忽略必要的控制项；注 1：附录 A 包含控制目标和控制措施的完整列表。 本国际标准的用户应确保附录A 的重要控制措施没有被忽略注 2：控制目标隐含在所选择的控制项中。附录 A 中的控制目标和控制措施并不全面，可能还需要额外的控制目标和控制措施。d) 制作适用性声明，包括必要的控制措施（见 6.1.3 b）和 c) 和选择的理由，无论实施与否，应说明删减附录 A 中控制措施的理由；e) 制定信息安全风险处置计划；f) 获得风险所有者批准信息安全风险处置

33、计划和残余信息安全风险接受标准；组织应保留信息安全风险处置过程的文件化信息。注：本国际标准中信息安全风险评估和处置过程与 ISO31000 中的原则和通用指南一致。6.2 信息安全目标及实现其目标的策划组织应当在相关职能及层次上建立信息安全目标。信息安全目标应：a) 与信息安全方针保持一致；b) 是可测量的（如果可行） ；c) 考虑适用的信息安全要求，以及风险评估和风险处置的结果；d) 是可沟通的；6.1.3Information security risk treatmentThe organization shall define and apply an information secu

34、rity risk treatment process to:a) select appropriate information security risk treatment options, taking account of the risk assessment results;b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;NOTE: Organizations can design controls a

35、s required, or identify them from any source.c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;NOTE 1: Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are d

36、irected to Annex A to ensure that no important control are overlookedNOTE 2: Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be needed.d) produce a Stat

37、ement of Applicability that contains the necessary controls (see 6.1.3 b) and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls in Annex A;e) formulate an information security risk treatment plan; andf) obtain risk owner approv

38、als of the information security risk treatment plan and the acceptance of the residual information security risks.The organization shall retain documented information about the information security risk treatment process.NOTE: The information security risk assessment and treatment process in this In

39、ternational Standard aligns with the principles and generic guidelines provided in ISO 31000.6.2Information security objectives and planing to achieve themThe organization shall establish information security objectives at relevant functions and levels.The information security objectives shall:a) be

40、 consistent with the information security policy;b) be measurable (if practicable);c) take into account applicable information security requirements, and results from risk assessment and treatment results;d) be communicated, and? ISO/IEC 2013All rights reserved7ISO/IEC 27001:2013(E)e) 能适时更新；组织应当保持信息

41、安全目标的文件化信息。当对实现其信息安全目标进行策划时，织应当确定：f) 将要做什么g) 将需要什么资源h) 将由谁来做i) 将在何时完成j) 将如何对结果进行评价7. 支持7.1资源组织应确定和提供信息安全管理体系的建立、实施、维护和持续改进所需的资源。e) be updated as appropriate.The organization shall retain documented information on the information security objectives.组 When planning how to achieve its information secu

42、rity objectives, the organization shall determine:f) what will be done;g) what resources will be required;h) who will be responsible;i) when it will be completed; andj) how the results will be evaluated.7 Support7.1 ResourcesThe organization shall determine and provide the resources needed for the e

43、stablishment, implementation, maintenance and continual improvement of the information security management system.7.2能力组织应：a) 确定影响组织信息安全绩效的员工在 ISMS 管控中工作的必备能力；b) 确保这些员工在适当的培育、培训和经验的基础上是能胜任的；c) 适当时，采取行动获取所需能力，并评估所采取行动的有效性；d) 保留适当文件化信息作为证据；7.2CompetenceThe organization shall:a) determine the necessary

44、 competence of person(s) doing work under its control that affects its information security performance;b) ensure that these persons are competent on the basis ofappropriate education, training, or experience;c) where applicable, take actions to acquire the necessary competence, and evaluate the eff

45、ectiveness of the actions taken; andd) retain appropriate documented information as evidence of competence.注：适当的行动可能包括 ，如提供培训、指导、重新指派现有员工、或聘用或外包有能力的员工。7.3意识在组织控制中工作的人员应了解：a) 信息安全方针；b) 信息安全管理体系有效性的贡献，包括提高信息安全绩效的收益；c) 不符合信息安全管理体系要求的影响；NOTE: Applicableactions mayinclude, for example: theprovisionof tra

46、ining to,thementoringof, or there-assignmentof currentemployees; or the hiring or contracting of competent persons.7.3 AwarenessPersons doingworkunder the organizationcontrols shall be awareof:a) the information security policy;b) their contribution to the effectiveness of the information security m

47、anagement system, including the benefits of improved information security performance; andc) the implications of not conforming with the information security management system requirements.7.4沟通组织应当确定与信息安全管理体系相关内部和外部沟通需求，包括：a) 需要沟通内容b) 何时进行沟通7.4 CommunicationThe organization shall determine the need

48、 for internal and external communications relevant to the information security management system including:a) on what to communicate;? ISO/IEC 2013All rights reserved8ISO/IEC 27001:2013(E)c) 与谁进行沟通d) 谁应该沟通e) 有效沟通的流程7.5文件化信息7.5.1总则组织的信息安全管理体系应包括：a) 本国际标准所需要的文件化信息；b) 组织确定信息安全管理体系有效性所需要的信息；注：不同组织的信息安全管

49、理体系文件化信息的程度取决于：1) 组织的规模、 其活动类型、 流程、产品和服务；2) 流程及其他交互的复杂性；3) 人员的能力；7.5.2创建和更新当创建和更新文件化信息时， 组织应确保应当的：a) 识别和描述（如标题、日期、作者或参考号码）；b) 格式（如语言、软件版本、图形）和媒体（如纸张、电子） ；c) 评估和批准适当性和充分性。7.5.3文件化信息控制信息安全管理体系和本国际标准所要求的文件化信息应被管控，以确保：a) 需要时，文件是可用和适用的；b) 得到 充分的保护（如保密性丧失、不当使用、或完整性丧失） ；对于文件化信息的控制，组织应制定下列活动（如适用） ：c) 分配、访问、

50、检索和使用；d) 存储和保存，包括易读性的保存；b) when to communicate;c) with whom to communicate;d) who shall communicate; ande) the processes by which communication shall be effected.7.5 Documented information7.5.1 GeneralThe organizationinformationssecurity management system shallinclude:a) documented information requi

51、red by this International Standard;andb) documented information determined by the organization as being necessary for the effectiveness of the information security management system.NOTE: The extent of documented information for an information security management system can differ from one organization to anotherdue to:1) the size of organization and its type of activities, processes, products and services;2) the complexity of processes and their interactions; and3) the competence of persons.7.5.2Creating and updatingWhen creating and updating documented information the or