Information technology — Security techniques — Information security management systems — Requirements- Planning
信息安全管理體系要求-規(guī)劃

5  Planning
5 規(guī)劃
5.1 Actions to address risks and opportunities 
5.1  應(yīng)對(duì)風(fēng)險(xiǎn)和機(jī)會(huì)的措施
5.1.1      General
5.1.1   總則
When planning for the information security  management  system,  the  organization  shall  consider  the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
當(dāng)規(guī)劃信息安全管理體系時(shí)，組織應(yīng)考慮中提及的問(wèn)題和中提及的要求，確定需要應(yīng)對(duì)的風(fēng)險(xiǎn)和機(jī)會(huì)，以：
a)   ensure the information security management system can achieve its intended outcome(s);
b)   prevent, or reduce, undesired effects;
c) achieve continual improvement. The organization shall plan:
d)   actions to address these risks and opportunities; and
e)   how to
1)   integrate and implement the actions into its information security management system  processes; and
2)   evaluate the effectiveness of these actions.
a)   確保信息安全管理體系能實(shí)現(xiàn)其預(yù)期結(jié)果；
b)   防止或減少意外的影響；
c) 實(shí)現(xiàn)持續(xù)改進(jìn)。 組織應(yīng)規(guī)劃：
d)   應(yīng)對(duì)這些風(fēng)險(xiǎn)和機(jī)會(huì)的措施；
e)   如何
1)   整合和實(shí)施這些措施并將其納入信息安全管理體系過(guò)程；
2)   評(píng)價(jià)這些措施的有效性。
5.1.2      Information security risk assessment 
5.1.2    信息安全風(fēng)險(xiǎn)評(píng)估
The organization shall define and apply an information security risk assessment process that:
組織應(yīng)定義并應(yīng)用風(fēng)險(xiǎn)評(píng)估過(guò)程，以：
a)   establishes and maintains information security risk criteria that include:
1)   the risk acceptance criteria; and
2)   criteria for performing information security risk assessments;
b)   ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1)   apply the information security risk  assessment  process  to  identify  risks  associated  with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2)   identify the risk owners;
d)   analyses the information security risks:
1)   assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2)   assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3)   determine the levels of risk;
e)   evaluates the information security risks:
1)   compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2)   prioritize the analysed risks for risk treatment.
a)   建立并保持信息安全風(fēng)險(xiǎn)準(zhǔn)則，包括：
1)   風(fēng)險(xiǎn)接受準(zhǔn)則；
2)   執(zhí)行信息安全風(fēng)險(xiǎn)評(píng)估的準(zhǔn)則；
b)   確保重復(fù)性的信息安全風(fēng)險(xiǎn)評(píng)估可產(chǎn)生一致的、有效的和可比較的結(jié)果；
c) 識(shí)別信息安全風(fēng)險(xiǎn)：
1)   應(yīng)用信息安全風(fēng)險(xiǎn)評(píng)估過(guò)程來(lái)識(shí)別信息安全管理體系范圍內(nèi)的信息喪失保密性、完整 性和可用性的相關(guān)風(fēng)險(xiǎn)；
2)   識(shí)別風(fēng)險(xiǎn)負(fù)責(zé)人；
d)   分析信息安全風(fēng)險(xiǎn)：
1)   評(píng)估  c）1）中所識(shí)別風(fēng)險(xiǎn)發(fā)生后將導(dǎo)致的潛在影響；
2)   評(píng)估  c）1）中所識(shí)別風(fēng)險(xiǎn)發(fā)生的現(xiàn)實(shí)可能性；
3)   確定風(fēng)險(xiǎn)級(jí)別；
e)   評(píng)價(jià)信息安全風(fēng)險(xiǎn)；
1)   將風(fēng)險(xiǎn)分析結(jié)果同 a）建立的風(fēng)險(xiǎn)準(zhǔn)則進(jìn)行比較；
2)   為實(shí)施風(fēng)險(xiǎn)處置確定已分析風(fēng)險(xiǎn)的優(yōu)先級(jí)。
The organization shall retain documented information about the information security risk assessment process.
組織應(yīng)保留信息安全風(fēng)險(xiǎn)評(píng)估過(guò)程的文件記錄信息.

溫馨提示：獲取完整版ISO27001最新2022版中英文對(duì)照資料，可咨詢中培課程顧問(wèn)或撥打客服電話了解18513851518