ISO27001：2021中英文對(duì)照

1、iso27001：2021中英文對(duì)照 information technology- security techniques -information security management systems-requirements 信息技術(shù)-平安技術(shù)-信息平安管理體系-要求 foreword 前 言 iso (the international organization for standardization) and iec (the international electro technical commission) form the specialized system for wo

2、rldwide standardization. national bodies that are members of iso or iec participate in the development of international standards through technical committees established by the respective organization to deal with particular fields of technical activity. iso and iec technical committees collaborate

3、 in fields of mutual interest. other international organizations, governmental and non-governmental, in liaison with iso and iec, also take part in the work. in the field of information technology, iso and iec have established a joint technical committee, iso/iec jtc 1. iso（國(guó)際標(biāo)準(zhǔn)化組織）和iec（國(guó)際電工委員會(huì)）是為國(guó)際

4、標(biāo)準(zhǔn)化制定特地體制的國(guó)際組 織。國(guó)家機(jī)構(gòu)是iso或iec的成員，他們通過(guò)各自的組織建立技術(shù)委員會(huì)參加國(guó)際標(biāo)準(zhǔn)的 制 定，來(lái)處理特定領(lǐng)域的技術(shù)活動(dòng)。iso和iec技術(shù)委員會(huì)在共同感愛(ài)好的領(lǐng)域合作。其 他國(guó) 際組織、政府和非政府等機(jī)構(gòu)，通過(guò)聯(lián)絡(luò)iso和iec參加這項(xiàng)工作。iso和iec已經(jīng) 在信息技 術(shù)領(lǐng)域建立了一個(gè)聯(lián)合技術(shù)委員會(huì)iso/iecjtc1。 international standards are drafted in accordance with the rules given in the iso/iec directives, part 2. 國(guó)際標(biāo)準(zhǔn)的制定遵循iso/iec

5、導(dǎo)則第2部分的規(guī)章。 the main task of the joint technical committee is to prepare international standards. draft international standards adopted by the joint technical committee are circulated to national bodies for voting. publication as an international standard requires approval by at least 75 % of the nat

6、ional bodies casting a vote. 聯(lián)合技術(shù)委員會(huì)的主要任務(wù)是起草國(guó)際標(biāo)準(zhǔn)，并將國(guó)際標(biāo)準(zhǔn)草案提交給國(guó)家機(jī)構(gòu)投票表決。 國(guó)際標(biāo)準(zhǔn)的出版發(fā)行必需至少75%以上的成員投票通過(guò)。 attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. iso and iec shall not be held responsible for identifying any or all such patent righ

7、ts. 本文件中的某些內(nèi)容有可能涉及一些專(zhuān)利權(quán)問(wèn)題，這一點(diǎn)應(yīng)當(dāng)引起留意。iso和iec不負(fù) 責(zé) 識(shí)別任何這樣的專(zhuān)利權(quán)問(wèn)題。 iso/iec 27001 was prepared by joint technical committee iso/iec jtc 1, information technology, subcommittee sc 27, it security techniques. iso/iec 27001 由聯(lián)合技術(shù)委員會(huì)iso/iec jtc1（信息技術(shù)）分委員會(huì)sc27（平安技術(shù)） 起草。 this second edition cancels and replaces

8、 the first edition (iso/iec 27001:2021), which has been technically revised. 其次版進(jìn)行了技術(shù)上的修訂，并取消和替代第一版（iso/iec 27001:2021）。 0 introduction 引 言 general 0.1 總則 this international standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an in

9、formation security management system. the adoption of an information security management system is a strategic decision for an organization. the establishment and implementation of an organizations information security management system is influenced by the organizations needs and objectives, securi

10、ty requirements, the organizational processes used and the size and structure of the organization. all of these influencing factors are expected to change over time. 本標(biāo)準(zhǔn)用于為建立、實(shí)施、保持和持續(xù)改進(jìn)信息平安管理體系供應(yīng)要求。采納信息平安管理 體系是組織的一項(xiàng)戰(zhàn)略性決策。一個(gè)組織信息平安管理體系的建立和實(shí)施受其需要和目標(biāo)、 平安要求、所采納的過(guò)程以及組織的規(guī)模和結(jié)構(gòu)的影響。全部這些影響因素會(huì)不斷發(fā)生變化。 the inform

11、ation security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. 信息平安管理體系通過(guò)應(yīng)用風(fēng)險(xiǎn)管理過(guò)程來(lái)保持信息的保密性、完整性和可用性，以充分管 理風(fēng)險(xiǎn)并賜予相關(guān)方信念。 it is important that the

12、 information security management system is part of and integrated with the organizations processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. it is expected that an information security management system

13、 implementation will be scaled in accordance with the needs of the organization. 信息平安管理體系是組織過(guò)程和整體管理結(jié)構(gòu)的一部分并與其整合在一起是特別重要的。信 息平安在設(shè)計(jì)過(guò)程、信息系統(tǒng)、掌握措施時(shí)就要考慮信息平安。根據(jù)組織的需要實(shí)施信息安 全管理體系，是本標(biāo)準(zhǔn)所期望的。 this international standard can be used by internal and external parties to assess the organizations ability to meet the

14、organizations own information security requirements. 本標(biāo)準(zhǔn)可被內(nèi)部和外部相關(guān)方使用，評(píng)估組織的力量是否滿意組織自身信息平安要求。 the order in which requirements are presented in this international standard does not reflect their importance or imply the order in which they are to be implemented. the list items are enumerated for referen

15、ce purpose only. 本標(biāo)準(zhǔn)中要求的挨次并不能反映他們的重要性或意味著他們的實(shí)施挨次。列舉的條目?jī)H用于 參考目的。 iso/iec 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including iso/iec 270032, iso/iec 270043 and iso/iec 270054)

16、, with related terms and definitions. iso/iec27000 描述了信息平安管理體系的概述和詞匯，參考了信息平安管理體系標(biāo)準(zhǔn)族 （包括iso/iec 27003、iso/iec 27004 和iso/iec 27005）以及相關(guān)的術(shù)語(yǔ)和定義。 compatibility with other management system standards 0.2 與其他管理體系的兼容性 this international standard applies the high-level structure, identical sub-clause titles

17、, identical text, common terms, and core definitions defined in annex sl of iso/iec directives, part 1, consolidated iso supplement, and therefore maintains compatibility with other management system standards that have adopted the annex sl. 本標(biāo)準(zhǔn)應(yīng)用了 iso/iec 導(dǎo)則第一部分 iso 補(bǔ)充部分附錄 sl 中定義的高層結(jié)構(gòu)、相同的子 章節(jié)標(biāo)題、相同文

18、本、通用術(shù)語(yǔ)和核心定義。因此保持了與其它采納附錄 sl 的管理體系標(biāo) 準(zhǔn)的兼容性。 this common approach defined in the annex sl will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards. 附錄 sl 定義的通用方法對(duì)那些選擇運(yùn)作單一管理體系（可同時(shí)滿意兩個(gè)或多個(gè)管理體系 標(biāo)準(zhǔn)要求）的組織來(lái)說(shuō)

19、是非常有益的。 information technology security techniques information security management systems requirements 信息技術(shù)-平安技術(shù)-信息平安管理體系-要求 1 scope 1 范圍 this international standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management s

20、ystem within the context of the organization. 本標(biāo)準(zhǔn)從組織環(huán)境的角度，為建立、實(shí)施、運(yùn)行、保持和持續(xù)改進(jìn)信息平安管理體系規(guī)定了 要求。 this international standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. the requirements set out in this international s

21、tandard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. excluding any of the requirements specified in clauses 4 to 10 is not acceptable when an organization claims conformity to this international standard. 本標(biāo)準(zhǔn)還規(guī)定了為適應(yīng)組織需要而定制的信息平安風(fēng)險(xiǎn)評(píng)估和處置的要求。本標(biāo)準(zhǔn)

22、規(guī)定的要 求是通用的，適用于各種類(lèi)型、規(guī)模和特性的組織。組織聲稱(chēng)符合本標(biāo)準(zhǔn)時(shí)，對(duì)于第4 章 到第10 章的要求不能刪減。 2 normative references 2 規(guī)范性引用文件 the following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. for dated references, only the edition cited applies. for undated referen

23、ces, the latest edition of the referenced document (including any amendments) applies. 下列文件的全部或部分內(nèi)容在本文件中進(jìn)行了規(guī)范引用，對(duì)于其應(yīng)用是必不行少的。凡是注 日期的引用文件，只有引用的版本適用于本標(biāo)準(zhǔn)；凡是不注日期的引用文件，其最新版本（包 括任何修改）適用于本標(biāo)準(zhǔn)。 iso/iec 27000, information technology security techniques information security management systems overview and vocab

24、ulary iso/iec 27000，信息技術(shù)平安技術(shù)信息平安管理體系概述和詞匯 3 terms and definitions 3 術(shù)語(yǔ)和定義 for the purposes of this document, the terms and definitions given in iso/iec 27000 apply. iso/iec 27000中的術(shù)語(yǔ)和定義適用于本標(biāo)準(zhǔn)。 4 context of the organization 4 組織環(huán)境 understanding the organization and its context 4.1 理解組織及其環(huán)境 the organi

25、zation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. 組織應(yīng)確定與其目標(biāo)相關(guān)并影響其實(shí)現(xiàn)信息平安管理體系預(yù)期結(jié)果的力量的外部和內(nèi)部問(wèn) 題。 note determining these issues refers to establishing the exter

26、nal and internal context of the organization considered in clause 5.3 of iso 31000:20215. 注：確定這些問(wèn)題涉及到 建立組織的外部和內(nèi)部環(huán)境，在iso 31000:20215的5.3節(jié)考慮了 這一事項(xiàng)。 understanding the needs and expectations of interested parties 4.2 理解相關(guān)方的需求和期望 the organization shall determine: 組織應(yīng)確定： a) interested parties that are rel

27、evant to the information security management system; and b) the requirements of these interested parties relevant to information security. a) 與信息平安管理體系有關(guān)的相關(guān)方； b) 這些相關(guān)方與信息平安有關(guān)的要求 note the requirements of interested parties may include legal and regulatory requirements and contractual obligations. 注：相

28、關(guān)方的要求可能包括法律法規(guī)要求和合同 義務(wù)。 determining the scope of the information security management system 4.3 確定信息平安管理體系的范圍 the organization shall determine the boundaries and applicability of the information security management system to establish its scope. 組織應(yīng)確定信息平安管理體系的邊界 和適用性，以建立其范圍。 when determining this sco

29、pe, the organization shall consider: 當(dāng)確定該范圍時(shí)，組織應(yīng)考慮： a) the external and internal issues referred to in 4.1; b) the requirements referred to in 4.2; and c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. the scope shal

30、l be available as documented information. a) 在 4.1 中提及的外部和內(nèi)部問(wèn)題； b) 在 4.2 中提及的要求； c) 組織所執(zhí)行的活動(dòng)之間以及與其它組織的活動(dòng)之間的接口和依靠性 范圍應(yīng)文件化并保 持可用性。 information security management system 4.4 信息平安管理體系 the organization shall establish, implement, maintain and continually improve an information security management system

31、, in accordance with the requirements of this international standard. 組織應(yīng)根據(jù)本標(biāo)準(zhǔn)的要求建立、實(shí)施、保持和持續(xù)改進(jìn)信息平安管理體系。 5 leadership 5 領(lǐng)導(dǎo) leadership and commitment 5.1 領(lǐng)導(dǎo)和承諾 top management shall demonstrate leadership and commitment with respect to the information security management system by: 高層管理者應(yīng)通過(guò)下列方式展現(xiàn)其關(guān)于信息

32、平安管理體系的領(lǐng)導(dǎo)力和承諾： a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; b) ensuring the integration of the information security management system requirements into the organizations proces

33、ses; c) ensuring that the resources needed for the information security management system are available; d) communicating the importance of effective information security management and of conforming to the information security management system requirements; e) ensuring that the information securit

34、y management system achieves its intended outcome(s); f) directing and supporting persons to contribute to the effectiveness of the information security management system; g) promoting continual improvement; and h) supporting other relevant management roles to demonstrate their leadership as it appl

35、ies to their areas of responsibility. a) 確保建立信息平安方針和信息平安目標(biāo)，并與組織的戰(zhàn)略方向保持全都； b) 確保將信息平安管理體系要求整合到組織的業(yè)務(wù)過(guò)程中； c) 確保信息平安管理體系所需資源可用； d) 傳達(dá)信息平安管理有效實(shí)施、符合信息平安管理體系要求的重要性； e) 確保信息平安管理體系實(shí)現(xiàn)其預(yù)期結(jié)果； f) 指揮并支持人員為信息平安管理體系的有效實(shí)施作出貢獻(xiàn)； g) 促進(jìn)持續(xù)改進(jìn)； h) 支持其他相關(guān)管理角色在其職責(zé)范圍內(nèi)展現(xiàn)他們的領(lǐng)導(dǎo)力。 policy 5.2 方針 top management shall establish an i

36、nformation security policy that: 高層管理者應(yīng)建立信息平安方針，以： a) is appropriate to the purpose of the organization; b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives; c) includes a commitment to satisfy applicable requirements related to

37、 information security; d) includes a commitment to continual improvement of the information security management system. the information security policy shall: e) be available as documented information; f) be communicated within the organization; and g) be available to interested parties, as appropri

38、ate. a) 適于組織的目標(biāo)； b) 包含信息平安目標(biāo)（見(jiàn)6.2）或設(shè)置信息平安目標(biāo)供應(yīng)框架； c) 包含滿意適用的信息平安相關(guān)要求的承諾； d) 包含信息平安管理體系持續(xù)改進(jìn)的承諾。 信 息平安方針應(yīng)： e) 文件化并保持可用性； f) 在組織內(nèi)部進(jìn)行傳達(dá)； g) 適當(dāng)時(shí)，對(duì)相關(guān)方可用。 organizational roles, responsibilities and authorities 5.3 組織角色、職責(zé)和權(quán)限 top management shall ensure that the responsibilities and authorities for roles rel

39、evant to information security are assigned and communicated. 高層管理者應(yīng)確保安排并傳達(dá)了信 息平安相關(guān)角色的職責(zé)和權(quán)限。 top management shall assign the responsibility and authority for: 高層管理者應(yīng)安排下列職責(zé)和權(quán)限： a) ensuring that the information security management system conforms to the requirements of this international standard; and

40、b) reporting on the performance of the information security management system to top management. a) 確保信息平安管理體系符合本標(biāo)準(zhǔn)的要求； b) 將信息平安管理體系的績(jī)效報(bào)告給高層管理者。 note top management may also assign responsibilities and authorities for reporting performance of the information security management system within the org

41、anization. 注： 高層管理者可能還要安排在組織內(nèi)部報(bào)告信息平安管理體系績(jī)效的職責(zé)和權(quán)限。 6 planning 6 規(guī)劃 actions to address risks and opportunities 6.1 應(yīng)對(duì)風(fēng)險(xiǎn)和機(jī)會(huì)的措施 general 6.1.1 總則 when planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in

42、 4.2 and determine the risks and opportunities that need to be addressed to: 當(dāng)規(guī)劃信息平安管理體系時(shí)，組織應(yīng)考慮4.1中提及的問(wèn)題和4.2中提及的要求，確定需要 應(yīng) 對(duì)的風(fēng)險(xiǎn)和機(jī)會(huì)，以： a) ensure the information security management system can achieve its intended outcome(s); b) prevent, or reduce, undesired effects; and c) achieve continual improvemen

43、t. the organization shall plan: d) actions to address these risks and opportunities; and e) how to 1) integrate and implement the actions into its information security management system processes; 2) evaluate the effectiveness of these actions. a) 確保信息平安管理體系能實(shí)現(xiàn)其預(yù)期結(jié)果； b) 防止或削減意外的影響； c) 實(shí)現(xiàn)持續(xù)改進(jìn)。 組織應(yīng)規(guī) 劃

44、： d) 應(yīng)對(duì)這些風(fēng)險(xiǎn)和機(jī)會(huì)的措施； e) 如何 1) 整合和實(shí)施這些措施并將其納入信息平安管理體系過(guò)程； 2) 評(píng)價(jià)這些措施的有效性。 information security risk assessment 6.1.2 信息平安風(fēng)險(xiǎn)評(píng)估 the organization shall define and apply an information security risk assessment process that: 組織應(yīng)定義并應(yīng)用風(fēng)險(xiǎn)評(píng)估過(guò)程，以： a) establishes and maintains information security risk criteria tha

45、t include: 1) the risk acceptance criteria; and 2) criteria for performing information security risk assessments; b) ensures that repeated information security risk assessments produce consistent, valid and comparable results; c) identifies the information security risks: 1) apply the information se

46、curity risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and 2) identify the risk owners; d) analyses the information security risks: 1) assess the potentia

47、l consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and 3) determine the levels of risk; e) evaluates the information security risks: 1) compare the results of risk a

48、nalysis with the risk criteria established in 6.1.2 a); and 2) prioritize the analysed risks for risk treatment. the organization shall retain documented information about the information security risk assessment process. a) 建立并保持信息平安風(fēng)險(xiǎn)準(zhǔn)則，包括： 1) 風(fēng)險(xiǎn)接受準(zhǔn)則； 2) 執(zhí)行信息平安風(fēng)險(xiǎn)評(píng)估的準(zhǔn)則； b) 確保重復(fù)性的信息平安風(fēng)險(xiǎn)評(píng)估可產(chǎn)生全都的、有效的和

49、可比較的結(jié)果； c) 識(shí)別信息平安風(fēng)險(xiǎn)： 1) 應(yīng)用信息平安風(fēng)險(xiǎn)評(píng)估過(guò)程來(lái)識(shí)別信息平安管理體系范圍內(nèi)的信息丟失保密性、完整 性和可用性的相關(guān)風(fēng)險(xiǎn)； 2) 識(shí)別風(fēng)險(xiǎn)負(fù)責(zé)人； d) 分析信息平安風(fēng)險(xiǎn)： 1) 評(píng)估 6.1.2 c）1）中所識(shí)別風(fēng)險(xiǎn)發(fā)生后將導(dǎo)致的潛在影響； 2) 評(píng)估 6.1.2 c）1）中所識(shí)別風(fēng)險(xiǎn)發(fā)生的現(xiàn)實(shí)可能性； 3) 確定風(fēng)險(xiǎn)級(jí)別； e) 評(píng)價(jià)信息平安風(fēng)險(xiǎn)； 1) 將風(fēng)險(xiǎn)分析結(jié)果同6.1.2 a）建立的風(fēng)險(xiǎn)準(zhǔn)則進(jìn)行比較； 2) 為實(shí)施風(fēng)險(xiǎn)處置確定已分析風(fēng)險(xiǎn)的優(yōu)先級(jí)。 組織應(yīng)定義并應(yīng)用風(fēng)險(xiǎn)評(píng)估過(guò)程，以： 組織應(yīng)保留信息平安風(fēng)險(xiǎn)評(píng)估過(guò)程的文件記錄信息。 information s

50、ecurity risk treatment 6.1.3 信息平安風(fēng)險(xiǎn)處置 the organization shall define and apply an information security risk treatment process to: a) select appropriate information security risk treatment options, taking account of the risk assessment results; b) determine all controls that are necessary to implement

51、 the information security risk treatment option(s) chosen; 組織應(yīng)定義并應(yīng)用信息平安風(fēng)險(xiǎn)處置過(guò)程，以： a) 在考慮風(fēng)險(xiǎn)評(píng)估結(jié)果的前提下，選擇適當(dāng)?shù)男畔⑵桨诧L(fēng)險(xiǎn)處置選項(xiàng)： b) 為實(shí)施所選擇的信息平安風(fēng)險(xiǎn)處置選項(xiàng)，確定全部必需的掌握措施； note organizations can design controls as required, or identify them from any source. 注：組織可按要求設(shè)計(jì)掌握措施，或從其他來(lái)源識(shí)別掌握措施。 c) compare the controls determined i

52、n 6.1.3 b) above with those in annex a and verify that no necessary controls have been omitted; c) 將 6.1.3 b）所確定的掌握措施與附錄a 的掌握措施進(jìn)行比較，以核實(shí)沒(méi)有遺漏必要的 掌握措施； note 1 annex a contains a comprehensive list of control objectives and controls. users of this international standard are directed to annex a to ensure

53、 that no necessary controls are overlooked. note 2 control objectives are implicitly included in the controls chosen. the control objectives and controls listed in annex a are not exhaustive and additional control objectives and controls may be needed. 注1：附錄a包含了一份全面的掌握目標(biāo)和掌握措施的列表。本標(biāo)準(zhǔn)用戶可利用附錄a以確 保 不會(huì)遺漏必要的掌握措施。 注2：掌握目標(biāo)包含于所選擇的掌握措施內(nèi)。附錄a所列的控 制目標(biāo)和掌握措施并不是全部 的掌握目標(biāo)和掌握措施，組織也可能需要另外的掌握目標(biāo) 和掌握措施。 d) produce a statement of applicability that contains the necessary controls (see 6.1.3 b) and c) and justification for inclusions, whether they are implemented or not, an