8 Operation of the service management system / 8.7 Service assurance / 8.7.3 Information security management
8.7.3.1 Information security policy

Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c).

The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within:

a) the organization;
b) customers and users;
c) external suppliers, internal suppliers and other interested parties.

8.7.3.2 Information security controls

At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented.

The organization shall agree and implement information security controls to address information security risks related to external organizations.

The organization shall monitor and review the effectiveness of information security controls and take necessary actions.

8.7.3.3 Information security incidents

Information security incidents shall be:

a) recorded and classified;
b) prioritized taking into consideration the information security risk;
c) escalated if needed;
d) resolved;
e) closed.

The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement.

NOTE The ISO/IEC 27000 series specifies requirements and provides guidance to support the implementation and operation of an information security management system. ISO/IEC 27013 provides guidance on the integration of ISO/IEC 27001 and ISO/IEC 20000-1 (this document).
【Understanding the standard】
(1) The organization shall prepare an information security policy applicable to the service management system (SMS) and the services, with reference to the obligations in 6.3 c), and have it approved by management with appropriate authority.