ISO27001：2013中英文對照版

1、Information technology- Security techniques-Information security management systems-Requirements信息技術(shù)-安全技術(shù)-信息安全管理體系-要求Foreword前 言ISO (the International Organization for Standardization) and IEC (the International Electro technical Commission) form the specialized system for worldwide standardization.

2、 National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual int

3、erest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.ISO（國際標準化組織）和IEC（國際電工委員會）是為國際標準化制定專門體制的國際組織。國家機構(gòu)是ISO或I

4、EC的成員，他們通過各自的組織建立技術(shù)委員會參與國際標準的制定，來處理特定領(lǐng)域的技術(shù)活動。ISO和IEC技術(shù)委員會在共同感興趣的領(lǐng)域合作。其他國際組織、政府和非政府等機構(gòu)，通過聯(lián)絡(luò)ISO和IEC參與這項工作。ISO和IEC已經(jīng)在信息技術(shù)領(lǐng)域建立了一個聯(lián)合技術(shù)委員會ISO/IECJTC1。International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.國際標準的制定遵循ISO/IEC 導則第2部分的規(guī)則。The main task of the joi

5、nt technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.聯(lián)合技術(shù)委員會

6、的主要任務(wù)是起草國際標準，并將國際標準草案提交給國家機構(gòu)投票表決。國際標準的出版發(fā)行必須至少75%以上的成員投票通過。Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.本文件中的某些內(nèi)容有可能涉及一些專利權(quán)問題，這一點應(yīng)該引起注意。ISO

7、和IEC不負責識別任何這樣的專利權(quán)問題。ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.ISO/IEC 27001 由聯(lián)合技術(shù)委員會ISO/IEC JTC1（信息技術(shù)）分委員會SC27（安全技術(shù)） 起草。This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), whi

8、ch has been technically revised.第二版進行了技術(shù)上的修訂，并取消和替代第一版（ISO/IEC 27001:2005）。0 Introduction引 言0.1 General0.1 總則This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adop

9、tion of an information security management system is a strategic decision for an organization. The establishment and implementation of an organizations information security management system is influenced by the organizations needs and objectives, security requirements, the organizational processes

10、used and the size and structure of the organization. All of these influencing factors are expected to change over time.本標準用于為建立、實施、保持和持續(xù)改進信息安全管理體系提供要求。采用信息安全管理體系是組織的一項戰(zhàn)略性決策。一個組織信息安全管理體系的建立和實施受其需要和目標、安全要求、所采用的過程以及組織的規(guī)模和結(jié)構(gòu)的影響。所有這些影響因素會不斷發(fā)生變化。The information security management system preserves the con

11、fidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.信息安全管理體系通過應(yīng)用風險管理過程來保持信息的保密性、完整性和可用性，以充分管理風險并給予相關(guān)方信心。It is important that the information security management system is part of an

12、d integrated with the organizations processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the

13、 needs of the organization.信息安全管理體系是組織過程和整體管理結(jié)構(gòu)的一部分并與其整合在一起是非常重要的。信息安全在設(shè)計過程、信息系統(tǒng)、控制措施時就要考慮信息安全。按照組織的需要實施信息安全管理體系，是本標準所期望的。This International Standard can be used by internal and external parties to assess the organizations ability to meet the organizations own information security requirements.本標準可被

14、內(nèi)部和外部相關(guān)方使用，評估組織的能力是否滿足組織自身信息安全要求。The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.本標準中要求的順序并不能反映他們的重要性或意味著他們的實施順序。列舉的條目僅用于參考目

15、的。ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 270032, ISO/IEC 270043 and ISO/IEC 270054), with related terms and definitions.ISO/IEC27000 描述了信息安全管理體系的

16、概述和詞匯，參考了信息安全管理體系標準族（包括ISO/IEC 27003、ISO/IEC 27004 和ISO/IEC 27005）以及相關(guān)的術(shù)語和定義。0.2 Compatibility with other management system standards0.2 與其他管理體系的兼容性This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in

17、 Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.本標準應(yīng)用了 ISO/IEC 導則第一部分 ISO 補充部分附錄 SL 中定義的高層結(jié)構(gòu)、相同的子章節(jié)標題、相同文本、通用術(shù)語和核心定義。因此保持了與其它采用附錄 SL 的管理體系標準的兼容性。This common approach defi

18、ned in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards.附錄 SL 定義的通用方法對那些選擇運作單一管理體系（可同時滿足兩個或多個管理體系標準要求）的組織來說是十分有益的。Information technology Security techniques Information securit

19、y management systems Requirements信息技術(shù)-安全技術(shù)-信息安全管理體系-要求1 Scope1 范圍This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.本標準從組織環(huán)境的角度，為建立、實施、運行、保持和持續(xù)改進

20、信息安全管理體系規(guī)定了要求。This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, r

21、egardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.本標準還規(guī)定了為適應(yīng)組織需要而定制的信息安全風險評估和處置的要求。本標準規(guī)定的要求是通用的，適用于各種類型、規(guī)模和特性的組織。組織聲稱符合本標準時，對于第4 章到第10 章的要求不能刪減。2 Normative referenc

22、es2 規(guī)范性引用文件The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) appli

23、es.下列文件的全部或部分內(nèi)容在本文件中進行了規(guī)范引用，對于其應(yīng)用是必不可少的。凡是注日期的引用文件，只有引用的版本適用于本標準；凡是不注日期的引用文件，其最新版本（包括任何修改）適用于本標準。ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabularyISO/IEC 27000，信息技術(shù)安全技術(shù)信息安全管理體系概述和詞匯3 Terms and definitions 3 術(shù)語和定義For the purposes

24、 of this document, the terms and definitions given in ISO/IEC 27000 apply.ISO/IEC 27000中的術(shù)語和定義適用于本標準。4 Context of the organization4 組織環(huán)境4.1 Understanding the organization and its context4.1 理解組織及其環(huán)境The organization shall determine external and internal issues that are relevant to its purpose and tha

25、t affect its ability to achieve the intended outcome(s) of its information security management system.組織應(yīng)確定與其目標相關(guān)并影響其實現(xiàn)信息安全管理體系預期結(jié)果的能力的外部和內(nèi)部問題。NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:20095.注：確定這些

26、問題涉及到建立組織的外部和內(nèi)部環(huán)境，在ISO 31000:20095的5.3節(jié)考慮了這一事項。4.2 Understanding the needs and expectations of interested parties4.2 理解相關(guān)方的需求和期望The organization shall determine:組織應(yīng)確定：a) interested parties that are relevant to the information security management system; andb) the requirements of these interested par

27、ties relevant to information security.a) 與信息安全管理體系有關(guān)的相關(guān)方；b) 這些相關(guān)方與信息安全有關(guān)的要求NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.注：相關(guān)方的要求可能包括法律法規(guī)要求和合同義務(wù)。4.3 Determining the scope of the information security management system4.3 確定信息安全管理

28、體系的范圍The organization shall determine the boundaries and applicability of the information security management system to establish its scope.組織應(yīng)確定信息安全管理體系的邊界和適用性，以建立其范圍。When determining this scope, the organization shall consider:當確定該范圍時，組織應(yīng)考慮：a) the external and internal issues referred to in 4.1;b)

29、 the requirements referred to in 4.2; andc) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information.a) 在 4.1 中提及的外部和內(nèi)部問題；b) 在 4.2 中提及的要求；c) 組織所執(zhí)行的活動之間以及與其它組織的活動之間的接口和依賴性范

30、圍應(yīng)文件化并保持可用性。4.4 Information security management system4.4 信息安全管理體系The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.組織應(yīng)按照本標準的要求建立、實施、保持和持續(xù)改進信息安全管理體系。5 Leadership5

31、 領(lǐng)導5.1 Leadership and commitment5.1 領(lǐng)導和承諾Top management shall demonstrate leadership and commitment with respect to the information security management system by:高層管理者應(yīng)通過下列方式展示其關(guān)于信息安全管理體系的領(lǐng)導力和承諾：a) ensuring the information security policy and the information security objectives are established and a

32、re compatible with the strategic direction of the organization;b) ensuring the integration of the information security management system requirements into the organizations processes;c) ensuring that the resources needed for the information security management system are available;d) communicating t

33、he importance of effective information security management and of conforming to the information security management system requirements;e) ensuring that the information security management system achieves its intended outcome(s);f) directing and supporting persons to contribute to the effectiveness

34、of the information security management system;g) promoting continual improvement; andh) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.a) 確保建立信息安全方針和信息安全目標，并與組織的戰(zhàn)略方向保持一致；b) 確保將信息安全管理體系要求整合到組織的業(yè)務(wù)過程中；c) 確保信息安全管理體系所需資源可用；d) 傳達信息

35、安全管理有效實施、符合信息安全管理體系要求的重要性；e) 確保信息安全管理體系實現(xiàn)其預期結(jié)果；f) 指揮并支持人員為信息安全管理體系的有效實施作出貢獻；g) 促進持續(xù)改進；h) 支持其他相關(guān)管理角色在其職責范圍內(nèi)展示他們的領(lǐng)導力。5.2 Policy5.2 方針Top management shall establish an information security policy that:高層管理者應(yīng)建立信息安全方針，以：a) is appropriate to the purpose of the organization;b) includes information security

36、 objectives (see 6.2) or provides the framework for setting information security objectives;c) includes a commitment to satisfy applicable requirements related to information security;d) includes a commitment to continual improvement of the information security management system. The information sec

37、urity policy shall:e) be available as documented information;f) be communicated within the organization; andg) be available to interested parties, as appropriate.a) 適于組織的目標；b) 包含信息安全目標（見6.2）或設(shè)置信息安全目標提供框架；c) 包含滿足適用的信息安全相關(guān)要求的承諾；d) 包含信息安全管理體系持續(xù)改進的承諾。信息安全方針應(yīng)：e) 文件化并保持可用性；f) 在組織內(nèi)部進行傳達；g) 適當時，對相關(guān)方可用。5.3 O

38、rganizational roles, responsibilities and authorities5.3 組織角色、職責和權(quán)限Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.高層管理者應(yīng)確保分配并傳達了信息安全相關(guān)角色的職責和權(quán)限。Top management shall assign the responsibility and authority

39、for: 高層管理者應(yīng)分配下列職責和權(quán)限：a) ensuring that the information security management system conforms to the requirements of this International Standard; andb) reporting on the performance of the information security management system to top management.a) 確保信息安全管理體系符合本標準的要求；b) 將信息安全管理體系的績效報告給高層管理者。NOTE Top mana

40、gement may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.注：高層管理者可能還要分配在組織內(nèi)部報告信息安全管理體系績效的職責和權(quán)限。6 Planning6 規(guī)劃6.1 Actions to address risks and opportunities6.1 應(yīng)對風險和機會的措施6.1.1 General6.1.1 總則When planning fo

41、r the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:當規(guī)劃信息安全管理體系時，組織應(yīng)考慮4.1中提及的問題和4.2中提及的要求，確定需要應(yīng)對的風險和機會，以：a) ensure the information se

42、curity management system can achieve its intended outcome(s);b) prevent, or reduce, undesired effects; andc) achieve continual improvement. The organization shall plan:d) actions to address these risks and opportunities; ande) how to1) integrate and implement the actions into its information securit

43、y management system processes;2) evaluate the effectiveness of these actions.a) 確保信息安全管理體系能實現(xiàn)其預期結(jié)果；b) 防止或減少意外的影響；c) 實現(xiàn)持續(xù)改進。組織應(yīng)規(guī)劃：d) 應(yīng)對這些風險和機會的措施；e) 如何1) 整合和實施這些措施并將其納入信息安全管理體系過程；2) 評價這些措施的有效性。6.1.2 Information security risk assessment6.1.2 信息安全風險評估The organization shall define and apply an informati

44、on security risk assessment process that:組織應(yīng)定義并應(yīng)用風險評估過程，以：a) establishes and maintains information security risk criteria that include:1) the risk acceptance criteria; and2) criteria for performing information security risk assessments;b) ensures that repeated information security risk assessments p

45、roduce consistent, valid and comparable results;c) identifies the information security risks:1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information securit

46、y management system; and2) identify the risk owners;d) analyses the information security risks:1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1)

47、; and3) determine the levels of risk;e) evaluates the information security risks:1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and2) prioritize the analysed risks for risk treatment.The organization shall retain documented information about the information s

48、ecurity risk assessment process.a) 建立并保持信息安全風險準則，包括：1) 風險接受準則；2) 執(zhí)行信息安全風險評估的準則；b) 確保重復性的信息安全風險評估可產(chǎn)生一致的、有效的和可比較的結(jié)果；c) 識別信息安全風險：1) 應(yīng)用信息安全風險評估過程來識別信息安全管理體系范圍內(nèi)的信息喪失保密性、完整性和可用性的相關(guān)風險；2) 識別風險負責人；d) 分析信息安全風險：1) 評估 6.1.2 c）1）中所識別風險發(fā)生后將導致的潛在影響；2) 評估 6.1.2 c）1）中所識別風險發(fā)生的現(xiàn)實可能性；3) 確定風險級別；e) 評價信息安全風險；1) 將風險分析結(jié)果同6.

49、1.2 a）建立的風險準則進行比較；2) 為實施風險處置確定已分析風險的優(yōu)先級。組織應(yīng)定義并應(yīng)用風險評估過程，以：組織應(yīng)保留信息安全風險評估過程的文件記錄信息。6.1.3 Information security risk treatment6.1.3 信息安全風險處置The organization shall define and apply an information security risk treatment process to:a) select appropriate information security risk treatment options, taking a

50、ccount of the risk assessment results;b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;組織應(yīng)定義并應(yīng)用信息安全風險處置過程，以：a) 在考慮風險評估結(jié)果的前提下，選擇適當?shù)男畔踩L險處置選項：b) 為實施所選擇的信息安全風險處置選項，確定所有必需的控制措施；NOTE Organizations can design controls as required, or ident

51、ify them from any source.注：組織可按要求設(shè)計控制措施，或從其他來源識別控制措施。c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;c) 將 6.1.3 b）所確定的控制措施與附錄A 的控制措施進行比較，以核實沒有遺漏必要的控制措施；NOTE 1 Annex A contains a comprehensive list of control objective

52、s and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control o

53、bjectives and controls may be needed.注1：附錄A包含了一份全面的控制目標和控制措施的列表。本標準用戶可利用附錄A以確保不會遺漏必要的控制措施。注2：控制目標包含于所選擇的控制措施內(nèi)。附錄A所列的控制目標和控制措施并不是所有的控制目標和控制措施，組織也可能需要另外的控制目標和控制措施。d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c) and justification for inclusions, whether

54、 they are implemented or not, and the justification for exclusions of controls from Annex A;e) formulate an information security risk treatment plan; andf) obtain risk owners approval of the information security risk treatment plan and acceptance of the residual information security risks.The organi

55、zation shall retain documented information about the information security risk treatment process.d) 產(chǎn)生適用性聲明。適用性聲明要包含必要的控制措施（見6.1.3 b）和c）、對包含的合理性說明（無論是否已實施）以及對附錄A 控制措施刪減的合理性說明；e) 制定信息安全風險處置計劃；f) 獲得風險負責人對信息安全風險處置計劃以及接受信息安全殘余風險的批準。組織應(yīng)保留信息安全風險處置過程的文件記錄信息。NOTE The information security risk assessment and

56、 treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 310005.注：本標準中的信息安全風險評估和處置過程可與 ISO 310005中規(guī)定的原則和通用指南相結(jié)合。6.2 Information security objectives and planning to achieve them6.2 信息安全目標和規(guī)劃實現(xiàn)The organization shall establish information secur

57、ity objectives at relevant functions and levels.The information security objectives shall:組織應(yīng)在相關(guān)職能和層次上建立信息安全目標。信息安全目標應(yīng)：a) be consistent with the information security policy;b) be measurable (if practicable);c) take into account applicable information security requirements, and results from risk assessment and risk treatment;d) be communicated; ande) be updated as appropriate.The organization shall retain documented information on the information security objectives. When pl