ISO標準——IEC27001:2013信息安全管理體系——要求ReferencenumberISO/IEC27001:2013(E1范圍1Scope本國際標準規定了在組織背景下建立、實施、維護和持續改進信息安全管理體系。本標準還包括信息安全風險評估和處置要求,可裁剪以適用于組織。本國際標準的要求是通用的,適用于所有的組織,不考慮類型、規模和特征。當組織聲稱符合本國際標準時,任何條款4-10的排除是不可接受的。ThisInternationalStandardspecifiestherequirementsforestablishing,implementing,maintainingandcontinuallyimprovinganinformationsecuritymanagementsystemwithinthecontextoftheorganization.ThisInternationalStandardalsoincludesrequirementsfortheassessmentandtreatmentofinformationsecurityriskstailoredtotheneedsoftheorganization.TherequirementssetoutinthisInternationalStandardaregenericandareintendedtobeapplicabletoallorganizations,regardlessoftype,sizeornature.ExcludinganyoftherequirementsspecifiedinClauses4to10isnotacceptablewhenanorganizationclaimsconformitytothisInternationalStandard.2規范性引用文件下列參考文件是本文件的標準參考,也是應用本文件必不可缺的。對于標注日期的引用文件,僅適用于引用版本。對于不標注日期的引用文件,適用于最新版本的引用文件。ISO/IEC27000,信息技術—安全技術—信息安全管理體系-簡介和詞匯表。2NormativereferencesThefollowingdocuments,inwholeorinpart,arenormativelyreferencedinthisdocumentandareindispensableforitsapplication.Fordatedreferences,onlytheeditioncitedapplies.Forundatedreferences,thelatesteditionofthereferenceddocument(includinganyamendmentsapplies.ISO/IEC27000,Informationtechnology—Securitytechniques—Informationsecuritymanagementsystems—Overviewandvocabulary3術語和定義ISO27000的術語和定義適用于本文件3TermsanddefinitionsForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000apply.4.組織環境4.1理解組織及其環境組織應當確定與信息安全管理體系目的相關聯及影響其實現預期結果能力的外部及內部環境。注:確定這些問題參考ISO31000:2009中5.3條款的建立組織外部和內部環境;4.2理解相關方的需求和期望組織應確定:a信息安全管理體系的利益相關方;b這些利益相關方的信息安全相關要求;注:利益相關方的要求可能包括法律、法規要求和合同責任。4.3確定信息安全管理體系范圍組織應確定信息安全管理體系的邊界和應用性,以建立其范圍。當確定此范圍時,組織應考慮:a4.1所提及的外部和內部問題;b4.2所提及的要求;c接口和組織執行的活動之間的依賴關系,以及其他組織執行的活動。范圍應成為文件化信息。4.4信息安全管理體系組織應按照本國際標準的要求建立、實施、維護和持續改進信息安全管理體系。4Contextoftheorganization4.1UnderstandingtheorganizationanditscontextTheorganizationshalldetermineexternalandinternalissuesthatarerelevanttoitspurposeandthataffectitsabilitytoachievetheintendedoutcome(sofitsinformationsecuritymanagementsystem.NOTE:DeterminingtheseissuesreferstoestablishingtheexternalandinternalcontextoftheorganizationconsideredinClause5.3ofISO31000:2009.4.2UnderstandingtheneedsandexpectationsofinterestedpartiesTheorganizationshalldetermine:ainterestedpartiesthatarerelevanttotheinformationsecuritymanagementsystem;andbtherequirementsoftheseinterestedpartiesrelevanttoinformationsecurity.NOTE:Therequirementsofinterestedpartiesmayincludelegalandregulatoryrequirementsandcontractualobligations.4.3DeterminingthescopeoftheinformationsecuritymanagementsystemTheorganizationshalldeterminetheboundariesandapplicabilityoftheinformationsecuritymanagementsystemtoestablishitsscope.Whendeterminingthisscope,theorganizationshallconsider:atheexternalandinternalissuesreferredtoin4.1;btherequirementsreferredtoin4.2;andcinterfacesanddependenciesbetweenactivitiesperformedbytheorganisation,andthosethatareperformedbyotherorganisations.Thescopeshallbeavailableasdocumentedinformation.4.4InformationsecuritymanagementsystemTheorganizationshallestablish,implement,maintainandcontinuallyimproveaninformationsecuritymanagementsystem,inaccordancewiththerequirementsofthisInternationalStandard.5.領導力5.1領導力和承諾最高管理者應當展示關注信息安全管理體系的領導力和承諾,通過:a確保建立信息安全方針和信息安全目標,并與組織的戰略方向兼容;b確保信息安全管理體系要求融合到組織的流程中;5Leadership5.1LeadershipandcommitmentTopmanagementshalldemonstrateleadershipandcommitmentwithrespecttotheinformationsecuritymanagementsystemby:aensuringtheinformationsecuritypolicyandtheinformationsecurityobjectivesareestablishedandarecompatiblewiththestrategicdirectionoftheorganization;bensuringtheintegrationoftheinformationsecuritymanagementc確保信息安全體系所需要的資源;d溝通有效信息安全管理的重要性,并符合信息安全管理體系的要求;e確保信息安全管理體系達到預期的成果;f指導和支持員工對信息安全管理體系的有效性做出貢獻;g促進持續改進;h支持其他相關管理角色來展示其領導力,當適用其職責范圍時。5.2方針最高管理層應建立一個信息安全方針:a與組織的目標相關適應;b包括信息安全目標(見6.2,或提供制定信息安全目標的框架;c包括滿足適用信息安全要求的承諾;d包括信息安全管理體系持續改進的承諾;信息安全方針應:e成為文件化的信息;f在組織內部溝通;g適當時,提供給利益相關方;5.3組織角色、職責和權限最高管理層應確保信息安全相關角色的職責和權限的分配和溝通。最高管理層應指定責任和授權,以:a確保信息安全管理體系符合本國際標準的要求;b將信息安全管理體系績效報告給最高管理層;注:最高管理層可以為組織內信息安全管理體系績效報告指派職責和授權。systemrequirementsintotheorganization’sprocesses;censuringthattheresourcesneededfortheinformationsecuritymanagementsystemareavailable;dcommunicatingtheimportanceofeffectiveinformationsecuritymanagementandconformingtotheinformationsecuritymanagementsystemrequirements;eensuringthattheinformationsecuritymanagementsystemachievesitsintendedoutcome(s;fdirectingandsupportingpersonstocontributetotheeffectivenessoftheinformationsecuritymanagementsystem;gpromotingcontinualimprovement;andhsupportingotherrelevantmanagementrolestodemonstratetheirleadershipasitappliestotheirareasofresponsibility.5.2PolicyTopmanagementshallestablishaninformationsecuritypolicythat:aisappropriatetothepurposeoftheorganization;bincludesinformationsecurityobjectives(see6.2orprovidestheframeworkforsettinginformationsecurityobjectives;cincludesacommitmenttosatisfyapplicablerequirementsrelatedtoinformationsecurity;anddincludesacommitmenttocontinualimprovementoftheinformationsecuritymanagementsystem.Theinformationsecuritypolicyshall:ebeavailableasdocumentedinformation;fbecommunicatedwithintheorganization;andgbeavailabletointerestedparties,asappropriate.5.3Organizationalroles,responsibilitiesandauthoritiesTopmanagementshallensurethattheresponsibilitiesandauthoritiesforrolesrelevanttoinformationsecurityareassignedandcommunicated.Topmanagementshallassigntheresponsibilityandauthorityfor:aensuringthattheinformationsecuritymanagementsystemconformstotherequirementsofthisInternationalStandard;andbreportingontheperformanceoftheinformationsecuritymanagementsystemtotopmanagement.NOTE:Topmanagementmayalsoassignresponsibilitiesandauthoritiesforreportingperformanceoftheinformationsecuritymanagementsystemwithintheorganization.6.策劃6.1針對風險和機會所采取的措施6.1.1總則當進行信息安全管理體系策劃時,組織應6Planning6.1Actionstoaddressrisksandopportunities6.1.1GeneralWhenplanningfortheinformationsecuritymanagementsystem,theorganization當考慮在4.1條款中提到的事宜及4.2條款中規定的要求,并確定需要關注的風險和機會,以:a確保信息安全管理體系能夠實現其預期結果b預防或降低不希望得到的影響c實現持續改進組織應當計劃:d針對這些風險和機會所采取的措施,以及e如何1將這些措施整合進信息安全管理體系過程之中,2評價這些措施的有效性6.1.2信息安全風險評估組織應定義和應用信息安全風險評估流程,以:a建立和維護信息安全標準,包括1風險接受準則;2執行信息安全風險評估準則;b確保可重復的信息安全風險評估生成一致、有效和可比較的結果c識別信息安全風險1應用信息安全風險評估流程,識別ISMS范圍內信息保密性、完整性和可用性損失的風險;2識別風險所有者;d分析信息安全風險1評估在6.1.2c1中識別風險導致的潛在后果2評估在6.1.2c1中識別風險發生的可能性3確定風險等級e評估信息安全風險1風險分析結果與6.1.2a中建立的風險準則進行比較2為風險處置,建立風險優先級和分析組織應保留文件化的信息安全風險評估流程信息shallconsidertheissuesreferredtoin4.1andtherequirementsreferredtoin4.2anddeterminetherisksandopportunitiesthatneedtobeaddressedto:aensuretheinformationsecuritymanagementsystemcanachieveitsintendedoutcome(s;bprevent,orreduce,undesiredeffects;andcachievecontinualimprovement.Theorganizationshallplan:dactionstoaddresstheserisksandopportunities,andehowto1integrateandimplementtheactionsintoitsinformationsecuritymanagementsystemprocesses;and2evaluatetheeffectivenessoftheseactions.6.1.2InformationsecurityriskassessmentTheorganizationshalldefineandapplyaninformationsecurityriskassessmentprocessthat:aestablishesandmaintainsinformationsecuritycriteriathatinclude:1theriskacceptancecriteria;and2criteriaforperforminginformationsecurityriskassessments;bensuresthatrepeatedinformationsecurityriskassessmentsproduceconsistent,validandcomparableresults.cIdentifytheinformationsecurityrisks.1Applytheinformationsecurityriskassessmentprocesstoidentifyrisksassociatedwiththelossofconfidentiality,integrityandavailabilityforinformationwithinthescopeoftheinformationsecuritymanagementsystem;and2Identifytheriskowners.dAnalysestheinformationsecurityrisks.1Assessthepotentialconsequencesthatwouldresultiftherisksidentifiedin6.1.2c1weretomaterialize.2Assesstherealisticlikelihoodoftheoccurrenceoftherisksidentifiedin6.1.2c1.and3Determinethelevelsofrisk.eEvaluatetheinformationsecurityrisks.1Comparetheresultsofriskanalysiswiththeriskcriteriaestablishedin6.1.2a;and2prioritizetheanalysedrisksforrisktreatment.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityriskassessmentprocess.6.1.3信息安全風險處置組織應定義和應用信息安全風險處置流程,以:a選擇適當的信息安全風險處置選項,考慮風險評估結果;b確定實施所選信息安全風險處置選項所需的所有控制措施;注:組織可設計所需的控制措施,或從任何來源中識別它們c比較6.1.3b中與附錄A中的措施項,確認沒有忽略必要的控制項;注1:附錄A包含控制目標和控制措施的完整列表。本國際標準的用戶應確保附錄A的重要控制措施沒有被忽略注2:控制目標隱含在所選擇的控制項中。附錄A中的控制目標和控制措施并不全面,可能還需要額外的控制目標和控制措施。d制作適用性聲明,包括必要的控制措施(見6.1.3b和c和選擇的理由,無論實施與否,應說明刪減附錄A中控制措施的理由;e制定信息安全風險處置計劃;f獲得風險所有者批準信息安全風險處置計劃和殘余信息安全風險接受標準;組織應保留信息安全風險處置過程的文件化信息。注:本國際標準中信息安全風險評估和處置過程與ISO31000中的原則和通用指南一致。6.2信息安全目標及實現其目標的策劃組織應當在相關職能及層次上建立信息安全目標。信息安全目標應:a與信息安全方針保持一致;b是可測量的(如果可行;c考慮適用的信息安全要求,以及風險評估和風險處置的結果;d是可溝通的;6.1.3InformationsecurityrisktreatmentTheorganizationshalldefineandapplyaninformationsecurityrisktreatmentprocessto:aselectappropriateinformationsecurityrisktreatmentoptions,takingaccountoftheriskassessmentresults;bdetermineallcontrolsthatarenecessarytoimplementtheinformationsecurityrisktreatmentoption(schosen;NOTE:Organizationscandesigncontrolsasrequired,oridentifythemfromanysource.ccomparethecontrolsdeterminedin6.1.3babovewiththoseinAnnexAandverifythatnonecessarycontrolshavebeenomitted;NOTE1:AnnexAcontainsacomprehensivelistofcontrolobjectivesandcontrols.UsersofthisInternationalStandardaredirectedtoAnnexAtoensurethatnoimportantcontrolareoverlookedNOTE2:Controlobjectivesareimplicitlyincludedinthecontrolschosen.ThecontrolobjectivesandcontrolslistedinAnnexAarenotexhaustiveandadditionalcontrolobjectivesandcontrolsmayalsobeneeded.dproduceaStatementofApplicabilitythatcontainsthenecessarycontrols(see6.1.3bandcandjustificationforinclusions,whethertheyareimplementedornot,andthejustificationforexclusionsofcontrolsinAnnexA;eformulateaninformationsecurityrisktreatmentplan;andfobtainriskowner’sapprovaloftheinformationsecurityrisktreatmentplanandtheacceptanceoftheresidualinformationsecurityrisks.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityrisktreatmentprocess.NOTE:TheinformationsecurityriskassessmentandtreatmentprocessinthisInternationalStandardalignswiththeprinciplesandgenericguidelinesprovidedinISO31000.6.2InformationsecurityobjectivesandplaningtoachievethemTheorganizationshallestablishinformationsecurityobjectivesatrelevantfunctionsandlevels.Theinformationsecurityobjectivesshall:abeconsistentwiththeinformationsecuritypolicy;bbemeasurable(ifpracticable;ctakeintoaccountapplicableinformationsecurityrequirements,andresultsfromriskassessmentandtreatmentresults;dbecommunicated,ande能適時更新;組織應當保持信息安全目標的文件化信息。當對實現其信息安全目標進行策劃時,組織應當確定:f將要做什么g將需要什么資源h將由誰來做i將在何時完成j將如何對結果進行評價ebeupdatedasappropriate.Theorganizationshallretaindocumentedinformationontheinformationsecurityobjectives.Whenplanninghowtoachieveitsinformationsecurityobjectives,theorganizationshalldetermine:fwhatwillbedone;gwhatresourceswillberequired;hwhowillberesponsible;iwhenitwillbecompleted;andjhowtheresultswillbeevaluated.7.支持7.1資源組織應確定和提供信息安全管理體系的建立、實施、維護和持續改進所需的資源。7.2能力組織應:a確定影響組織信息安全績效的員工在ISMS管控中工作的必備能力;b確保這些員工在適當的培育、培訓和經驗的基礎上是能勝任的;c適當時,采取行動獲取所需能力,并評估所采取行動的有效性;d保留適當文件化信息作為證據;注:適當的行動可能包括,如提供培訓、指導、重新指派現有員工、或聘用或外包有能力的員工。7.3意識在組織控制中工作的人員應了解:a信息安全方針;b信息安全管理體系有效性的貢獻,包括提高信息安全績效的收益;c不符合信息安全管理體系要求的影響;7.4溝通組織應當確定與信息安全管理體系相關內部和外部溝通需求,包括:a需要溝通內容b何時進行溝通7Support7.1ResourcesTheorganizationshalldetermineandprovidetheresourcesneededfortheestablishment,implementation,maintenanceandcontinualimprovementoftheinformationsecuritymanagementsystem.7.2CompetenceTheorganizationshall:adeterminethenecessarycompetenceofperson(sdoingworkunderitscontrolthataffectsitsinformationsecurityperformance;bensurethatthesepersonsarecompetentonthebasisofappropriateeducation,training,orexperience;cwhereapplicable,takeactionstoacquirethenecessarycompetence,andevaluatetheeffectivenessoftheactionstaken;anddretainappropriatedocumentedinformationasevidenceofcompetence.NOTE:Applicableactionsmayinclude,forexample:theprovisionoftrainingto,thementoringof,orthere-assignmentofcurrentemployees;orthehiringorcontractingofcompetentpersons.7.3AwarenessPersonsdoingworkundertheorganization’scontrolshallbeawareof:atheinformationsecuritypolicy;btheircontributiontotheeffectivenessoftheinformationsecuritymanagementsystem,includingthebenefitsofimprovedinformationsecurityperformance;andctheimplicationsofnotconformingwiththeinformationsecuritymanagementsystemrequirements.7.4CommunicationTheorganizationshalldeterminetheneedforinternalandexternalcommunicationsrelevanttotheinformationsecuritymanagementsystemincluding:aonwhattocommunicate;c與誰進行溝通d誰應該溝通e有效溝通的流程7.5文件化信息7.5.1總則組織的信息安全管理體系應包括:a本國際標準所需要的文件化信息;b組織確定信息安全管理體系有效性所需要的信息;注:不同組織的信息安全管理體系文件化信息的程度取決于:1組織的規模、其活動類型、流程、產品和服務;2流程及其他交互的復雜性;3人員的能力;7.5.2創建和更新當創建和更新文件化信息時,組織應確保應當的:a識別和描述(如標題、日期、作者或參考號碼;b格式(如語言、軟件版本、圖形和媒體(如紙張、電子;c評估和批準適當性和充分性。7.5.3文件化信息控制信息安全管理體系和本國際標準所要求的文件化信息應被管控,以確保:a需要時,文件是可用和適用的;b得到充分的保護(如保密性喪失、不當使用、或完整性喪失;對于文件化信息的控制,組織應制定下列活動(如適用:c分配、訪問、檢索和使用;d存儲和保存,包括易讀性的保存;bwhentocommunicate;cwithwhomtocommunicate;dwhoshallcommunicate;andetheprocessesbywhichcommunicationshallbeeffected.7.5Documentedinformation7.5.1GeneralTheorganization’sinformationsecuritymanagementsystemshallinclude:adocumentedinformationrequiredbythisInternationalStandard;andbdocumentedinformationdeterminedbytheorganizationasbeingnecessaryfortheeffectivenessoftheinformationsecuritymanagementsystem.NOTE:Theextentofdocumentedinformationforaninformationsecuritymanagementsystemcandifferfromoneorganizationtoanotherdueto:1thesizeoforganizationanditstypeofactivities,processes,productsandservices;2thecomplexityofprocessesandtheirinteractions;and3thecompetenceofpersons.7.5.2CreatingandupdatingWhencreatingandupdatingdocumentedinformationtheorganizationshallensureappropriate:aidentificationanddescription(e.g.atitle,date,author,orreferencenumber;bformat(e.g.language,softwareversion,graphicsandmedia(e.g.paper,electronic;andcreviewandapprovalforsuitabilityandadequacy.7.5.3ControlofdocumentedinformationDocumentedinformationrequiredbytheinformationsecuritymanagementsystemandbythisInternationalStandardshallbecontrolledtoensure:aitisavailableandsuitableforuse,whereandwhenitisneeded;andbitisadequatelyprotected(e.g.fromlossofconfidentiality,improperuse,orlossofintegrity.Forthecontrolofdocumentedinformation,theorganizationshalladdressthefollowingactivities,asapplicable:cdistribution,access,retrievalanduse;dstorageandpreservation,includingthepreservationoflegibility;e變更管理(如版本控制;f保留和處置;組織信息安全管理體系的規劃和運作所需的外來文件化信息,應被適當的識別和管理;注:訪問表示有權查看文件化信息,或獲得權限或授權以查看和變更文件化信息等;econtrolofchanges(e.g.versioncontrol;andfretentionanddisposition.Documentedinformationofexternalorigin,determinedbytheorganizationtobenecessaryfortheplanningandoperationoftheinformationsecuritymanagementsystem,shallbeidentifiedasappropriate,andcontrolled.NOTE:Accessimpliesadecisionregardingthepermissiontoviewthedocumentedinformationonly,orthepermissionandauthoritytoviewandchangethedocumentedinformation,etc.8.運行8.1運行策劃和控制組織應策劃、實施和控制滿足信息安全要求的流程,并實施在6.1中規定的措施。組織還應實施計劃,以實現信息安全在6.2中確定的目標。組織應保存相關文件化信息,以保證流程已經按照計劃實施。組織應控制計劃變更,評審非計劃變更的后果,如需要,采取適當措施減輕不良影響;組織應確保外包活動被確定和受控。8.2信息安全風險評估組織應在定期或發生重大變化時執行信息安全風險評估,將6.1.2中建立的標準納入考慮范圍。組織應保留信息安全風險評估結果的相關文件化信息。8.3信息安全風險處置組織應實施信息安全風險處置計劃。組織應保留信息安全風險處置結果的文件化信息。8Operation8.1OperationalplanningandcontrolTheorganizationshallplan,implementandcontroltheprocessesneededtomeetinformationsecurityrequirements,andtoimplementtheactionsdeterminedin6.1.Theorganizationshallalsoimplementplanstoachieveinformationsecurityobjectivesdeterminedin6.2.Theorganizationshallkeepdocumentedinformationtotheextentnecessarytohaveconfidencethattheprocesseshavebeencarriedoutasplanned.Theorganizationshallcontrolplannedchangesandreviewtheconsequencesofunintendedchanges,takingactiontomitigateanyadverseeffects,asnecessary.Theorganizationshallensurethatoutsourcedprocessesaredeterminedandcontrolled.8.2InformationsecurityriskassessmentTheorganizationshallperforminformationsecurityriskassessmentsatplannedintervalsorwhensignificantchangesareproposedoroccur,takingaccountofthecriteriaestablishedin6.1.2a.Theorganizationshallretaindocumentedinformationoftheresultsoftheinformationsecurityriskassessments.8.3InformationsecurityrisktreatmentTheorganizationshallimplementtheinformationsecurityrisktreatmentplan.Theorganizationshallretaindocumentedinformationoftheresultsoftheinformationsecurityrisktreatment.9.績效評價9.1監視、測量、分析和評價組織應評估信息安全績效和信息安全管理體系的有效性。組織應當確定:a什么需要監控和測量,包括信息安全流程和控制9Performanceevaluation9.1Monitoring,measurement,analysisandevaluationTheorganizationshallevaluatetheinformationsecurityperformanceandtheeffectivenessoftheinformationsecuritymanagementsystem.Theorganizationshalldetermine:awhatneedstobemonitoredandmeasured,includinginformationsecurityprocessesandcontrols;b采用什么適宜方法來進行監控、測量、分析和評價,以確保結果有效注:生成可比較和可重復結果的所選方法被認為是有效的c何時應當進行監控和測量d誰執行監控和測量e何時應當對監控和測量結果進行分析和評價f誰執行分析和評估結果組織應當保持適當的文件化信息作為監控和測量結果的證據。9.2內部審核組織應按照計劃的時間間隔進行內部審核,以確定信息安全管理體系:a符合1組織自身信息安全管理體系的要求;2本國際標準的要求b有效的實施和維護;組織應:c計劃、建立、實施和維護審核方案,包括頻率、方法、職責、規劃要求和報告。審核方案應考慮相關過程和以往審核結果的重要性;d定義每次審核準則和范圍;e選擇審核員和執行審核,確保審核過程的客觀和公正;f確保審核結果報告提交相關管理層;g保留審核方案和審核結果的文件化信息;9.3管理評審管理者應按計劃的時間間隔評審組織的信息安全管理體系,以確保其持續的適宜性、充分性和有效性。管理評審應考慮:a以往管理評審措施的狀態;b信息安全管理體系相關的內外部變化;c信息安全績效的反饋,包括:bthemethodsformonitoring,measurement,analysisandevaluation,asapplicable,toensurevalidresults;NOTE:Themethodsselectedshouldproducecomparableandreproducibleresultstobeconsideredvalid.cwhenthemonitoringandmeasuringshallbeperformed;dwhoshallmonitorandmeasure;ewhentheresultsfrommonitoringandmeasurementshallbeanalysedandevaluated;andfwhoshallanalyseandevaluatetheseresults.Theorganizationshallretainappropriatedocumentedinformationasevidenceofthemonitoringandmeasurementresults.9.2InternalauditTheorganizationshallconductinternalauditsatplannedintervalstoprovideinformationonwhethertheinformationsecuritymanagementsystem:aconformsto1theorganization’sownrequirementsforitsinformationsecuritymanagementsystem;and2therequirementsofthisInternationalStandard;biseffectivelyimplementedandmaintained.Theorganizationshall:cplan,establish,implementandmaintainanauditprogramme(s,includingthefrequency,methods,responsibilities,planningrequirementsandreporting.Theauditprogramme(sshalltakeintoconsiderationtheimportanceoftheprocessesconcernedandtheresultsofpreviousaudits;ddefinetheauditcriteriaandscopeforeachaudit;eselectauditorsandconductauditstoensureobjectivityandtheimpartialityoftheauditprocess;fensurethattheresultsoftheauditsarereportedtorelevantmanagement;andgretaindocumentedinformationasevidenceoftheauditprogramme(sandtheauditresults.9.3ManagementreviewTopmanagementshallreviewtheorganization'sinformationsecuritymanagementsystematplannedintervalstoensureitscontinuingsuitability,adequacyandeffectiveness.Themanagementreviewshallincludeconsiderationof:athestatusofactionsfrompreviousmanagementreviews;bchangesinexternalandinternalissuesthatarerelevanttotheinformationsecuritymanagementsystem;cfeedbackontheinformationsecurityperformance,including1不符合和糾正措施;2監控和測量結果;3審核結果;4信息安全目標的實現;d相關方反饋;e風險評估結果和風險處置計劃的狀態;f持續改進的機會;管理評審的輸出應包括持續改進機會和任何信息安全管理體系變更所需的相關決定;組織應保留管理評審結果的文件化信息作為證據;trendsin:1nonconformitiesandcorrectiveactions;2monitoringandmeasurementresults;3auditresults;and4fulfilmentofinformationsecurityobjectives;dfeedbackfrominterestedparties;eresultsofriskassessmentandstatusofrisktreatmentplan;andfopportunitiesforcontinualimprovement.Theoutputsofthemanagementreviewshallincludedecisionsrelatedtocontinualimprovementopportunitiesandanyneedsforchangestotheinformationsecuritymanagementsystem.Theorganizationshallretaindocumentedinformationasevidenceoftheresultsofmanagementreviews.10.改進10.1不合格和糾正措施當出現不符合項時,組織應:a對不符合項作出反應,適用時:1采取措施控制和糾正;2處理后果;b評估采取措施的必要性,以消除不符合項的原因,使其不再發生或在其他地方發生,通過:1評審不符合項;2確定不符合原因;3確定類似不符合性存在,或發生的可能;c實施所需的任何措施;d評審已采取糾正措施的有效性;e如需要,變更信息安全管理體系;糾正措施應適當的影響不符合項;組織應保留文件化信息,作為下列證據:f不符合項的特征和任何后續采取的措施;g任何糾正措施的結果;10.2持續改進組織應持續提高信息安全管理體系的適宜性、充分性和有效性;10Improvement10.1NonconformityandcorrectiveactionWhenanonconformityoccurs,theorganizationshall:areacttothenonconformity,andasapplicable:1takeactiontocontrolandcorrectit;and2dealwiththeconsequences;bevaluatetheneedforactiontoeliminatethecausesofnonconformity,inorderthatitdoesnotrecuroroccurelsewhere,by:1reviewingthenonconformity;2determiningthecausesofthenonconformity;and3determiningifsimilarnonconformitiesexist,orcouldpotentiallyoccur;cimplementanyactionneeded;dreviewtheeffectivenessofanycorrectiveactiontaken;andemakechangestotheinformationsecuritymanagementsystem,ifnecessary.Correctiveactionsshallbeappropriatetotheeffectsofthenonconformitiesencountered.Theorganizationshallretaindocumentedinformationasevidenceof:fthenatureofthenonconformitiesandanysubsequentactionstaken,andgtheresultsofanycorrectiveaction.10.2ContinualimprovementTheorganizationshallcontinuallyimprovethesuitability,adequacyandeffectivenessoftheinformationsecuritymanagementsystem.附錄A(引用控制目標和控制措施表A.1所列的控制目標和控制措施是直接源自并與ISO/IEC27002:2013第5到18章一致,并運用于條款6.1.3的環境下。AnnexA(normativeReferencecontrolobjectivesandcontrolsThecontrolobjectivesandcontrolslistedinTableA.1aredirectlyderivedfromandalignedwiththoselistedinISO/IEC27002:2013Clauses5to18andaretobeusedincontextwithClause6.1.3.A.5安全方針A.5InformationsecuritypoliciesA.5.1管理信息安全方向控制目標:依據業務要求和相關法律法規提供管理指導并支持信息安全。A.5.1ManagementdirectionforinformationsecurityObjective:Toprovidemanagementdirectionandsupportforinformationsecurityinaccordancewithbusinessrequirementsandrelevantlawsandregulations.A.5.1.1信息安全方針控制措施一系列信息安全方針應被定義、并由管理者批準、發布并傳達給員工和外部相關方。A.5.1.2信息安全方針評審控制措施宜按計劃的時間間隔或當重大變化發生時進行信息安全方針評審,以確保它持續的適宜性、充分性和有效性。A.5.1.1PoliciesforinformationsecurityControlAsetofpoliciesforinformationsecurityshallbedefined,approvedbymanagement,publishedandcommunicatedtoemployeesandrelevantexternalpartiesA.5.1.2ReviewofthepoliciesforinformationsecurityControlThepoliciesforinformationsecurityshallbereviewedatplannedintervalsorifsignificantchangesoccurtoensuretheircontinuingsuitability,adequacyandeffectivenessA.6信息安全組織A.6OrganizationofinformationsecurityA.6.1內部組織控制目標:建立管理架構,啟動和控制信息安全在組織內的實施;A.6.1InternalorganizationObjective:ToestablishamanagementframeworktoinitiateandcontroltheimplementationandoperationofinformationsecuritywithintheorganizationA.6.1.1信息角色和職責控制措施所有信息安全職責應被定義和分配;A.6.1.2責任分割控制措施沖突責任及職責范圍加以分割,以降低未授權或無意識的修改或者不當使用組織資產的機會;A.6.1.3與政府部門的聯系控制措施應保持與政府相關部門的適當聯系;A.6.1.4與特定利益集團的聯系控制措施應保持與特定利益集團、其他安全專家組和專業協會的適當聯系;A.6.1.5項目管理中的信息安全控制措施無論項目類型,項目管理中均應描述信息安全;A.6.1.1InformationsecurityrolesandresponsibilitiesControlAllinformationsecurityresponsibilitiesshallbedefinedandallocatedA.6.1.2SegregationofdutiesControlConflictingdutiesandareasofresponsibilityshallbesegregatedtoreduceopportunitiesforunauthorizedorunintentionalmodificationormisuseoftheorganization’sassets.A.6.1.3ContactwithauthoritiesControlAppropriatecontactswithrelevantauthoritiesshallbemaintainedA.6.1.4ContactwithspecialinterestgroupsControlAppropriatecontactswithspecialinterestgroupsorotherspecialistsecurityforumsandprofessionalassociationsshallbemaintainedA.6.1.5InformationsecurityinprojectmanagementControlInformationsecurityshallbeaddressedinprojectmanagement,regardlessofthetypeoftheprojectA.6.2移動設備和遠程工作控制目標:確保使用移動設備的使用及遠程工作的安全;A.6.2MobiledevicesandteleworkingObjective:ToensurethesecurityofteleworkinganduseofmobiledevicesA.6.2.1移動設備策略控制措施應采用策略和相應的安全測量,以防范使用移動設備時所造成的風險;A.6.2.1MobiledevicepolicyControlApolicyandsupportingsecuritymeasuresshallbeadoptedtomanagetherisksintroducedbyusingmobiledevicesA.6.2.2遠程工作控制措施應實施策略和相應的安全測量,以防保護信息的訪問、處理和存儲在遠程站點;A.6.2.2TeleworkingControlApolicyandsupportingsecuritymeasuresshallbeimplementedtoprotectinformationaccessed,processedorstoredonteleworkingsitesA.7人力資源安全A.7HumanresourcesecurityA.7.1任用之前控制目標:建立管理框架,以啟動和控制組織內信息安全的實施;A.7.1PriortoemploymentObjective:Toensurethatemployeesandcontractorsunderstandtheirresponsibilitiesandaresuitablefortherolesforwhichtheyareconsidered.A.7.1.1審查控制措施所有任用候選者的背景驗證檢查應按照相關法律法規、道德規范和對應的業務要求、被訪問信息的類別和察覺的風險來執行;A.7.1.2任用條款和條件控制措施與員工和合同方的合同應聲明他們和組織的信息安全職責;A.7.1.1ScreeningControlBackgroundverificationchecksonallcandidatesforemploymentshallbecarriedoutinaccordancewithrelevantlaws,regulationsandethicsandproportionaltothebusinessrequirements,theclassificationoftheinformationtobeaccessedandtheperceivedrisksA.7.1.2TermsandconditionsofemploymentControlThecontractualagreementswithemployeesandcontractorsshallstatetheirandtheorganization’sresponsibilitiesforinformationsecurityA.7.2任用中控制目標:確保雇員和合同方知悉和實施他們信息安全職責;A.7.2DuringemploymentObjective:Toensurethatemployeesandcontractorsareawareofandfulfiltheirinformationsecurityresponsibi