ISO27001标准.docx

1、ISO27001标准ISO27001-2013标准Information technology- Security techniques-Information security management systems-Requirements信息技术-安全技术-信息安全管理体系-要求Foreword前 言ISO (the International Organization for Standardization) and IEC (the International Electro technical Commission) form the specialized system for w

2、orldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborat

3、e in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.ISO（国际标准化组织）和IEC（国际电工委员会）是为国际

4、标准化制定专门体制的国际组织。国家机构是ISO或IEC的成员，他们通过各自的组织建立技术委员会参与国际标准的制定，来处理特定领域的技术活动。ISO和IEC技术委员会在共同感兴趣的领域合作。其他国际组织、政府和非政府等机构，通过联络ISO和IEC参与这项工作。ISO和IEC已经在信息技术领域建立了一个联合技术委员会ISO/IECJTC1。International Standards are drafted in accordance with the rules given in the ISO/IECDirectives, Part 2.国际标准的制定遵循ISO/IEC 导则第2部分的规则。

5、The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodie

6、s casting a vote.联合技术委员会的主要任务是起草国际标准，并将国际标准草案提交给国家机构投票表决。国际标准的出版发行必须至少75%以上的成员投票通过。Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.本文件中的某些内容有可

7、能涉及一些专利权问题，这一点应该引起注意。ISO和IEC不负责识别任何这样的专利权问题。ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.ISO/IEC 27001 由联合技术委员会ISO/IEC JTC1（信息技术）分委员会SC27（安全技术）起草。This second edition cancels and replaces the first edition (I

8、SO/IEC 27001:2005), which has been technically revised.第二版进行了技术上的修订，并取消和替代第一版（ISO/IEC 27001:2005）。Information technology Security techniques Information security management systems Requirements信息技术-安全技术-信息安全管理体系-要求1 Scope1 范围This International Standard specifies the requirements for establishing, im

9、plementing, maintaining and continually improving an information security management system within the context of the organization.本标准从组织环境的角度，为建立、实施、运行、保持和持续改进信息安全管理体系规定了要求。This International Standard also includes requirements for the assessment and treatment of information security risks tailored

10、 to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization cla

11、ims conformity to this International Standard.本标准还规定了为适应组织需要而定制的信息安全风险评估和处置的要求。本标准规定的要求是通用的，适用于各种类型、规模和特性的组织。组织声称符合本标准时，对于第4 章到第10 章的要求不能删减。2 Normative references2 规范性引用文件The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its applicati

12、on. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.下列文件的全部或部分内容在本文件中进行了规范引用，对于其应用是必不可少的。凡是注日期的引用文件，只有引用的版本适用于本标准；凡是不注日期的引用文件，其最新版本（包括任何修改）适用于本标准。ISO/IEC 27000, Information technology Secur

13、ity techniques Information security management systems Overview and vocabularyISO/IEC 27000，信息技术安全技术信息安全管理体系概述和词汇3 Terms and definitions3 术语和定义For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.ISO/IEC 27000中的术语和定义适用于本标准。4 Context of the organization4 组织环境4.1 U

14、nderstanding the organization and its context4.1 理解组织及其环境The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.组织应确定与其目标相关并影响其实现信息安全管理体系预期结果的能力的外部和内部问

15、题。NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:20095.注：确定这些问题涉及到建立组织的外部和内部环境，在ISO 31000:20095的5.3节考虑了这一事项。4.2 Understanding the needs and expectations of interested parties4.2 理解相关方的需求和期望The organizat

16、ion shall determine:组织应确定：a) interested parties that are relevant to the information security management system; andb) the requirements of these interested parties relevant to information security.a) 与信息安全管理体系有关的相关方；b) 这些相关方与信息安全有关的要求NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.注：相关方的