8 Operation of the service management system 服务管理体系的运行/8.7Service assurance 服务保证/8.7.3 Information security management 信息安全管理
8.7.3.1 Information security policy
8.7.3.1 信息安全策略
Management with appropriate authority shall approve an informationsecurity policy relevant to the organization. The informationsecurity policy shall be documented and take into consideration theservice requirements and the obligations in 6.3 c).
具有适宜权限的管理层应批准适用于组织的信息安全策略。信息安全策略应被文件化,并考虑服务要求和6.3 c)中的义务。
The information security policy shall be made available asappropriate. The organization shall communicate the importance ofconforming to the information security policy and its applicabilityto the SMS and the services to appropriate persons within:
适宜时,信息安全策略应是可获得的。组织应向以下范围内的适宜人员传达符合信息安全策略的重要性和对服务管理体系(SMS)和服务的适用性:
a) the organization;
a) 组织;
b) customers and users;
b) 顾客和用户;
c) external suppliers, internal suppliers and other interestedparties.
c) 外部供应商,内部供应商和其他相关方。
8.7.3.2 Information security controls
8.7.3.2 信息安全控制
At planned intervals, the information security risks to the SMS andthe services shall be assessed and documented. Information securitycontrols shall be determined, implemented and operated to supportthe information security policy and address identified informationsecurity risks. Decisions about information security controls shallbe documented.
应按照策划的时间间隔应对服务管理体系(SMS)和服务进行信息安全风险评估,并对其文件化。应确定,实施和运行信息安全控制措施,以支持信息安全策略和应对信息安全风险。信息安全控制措施的决策应被文件化。
The organization shall agree and implement information securitycontrols to address information security risks related to externalorganizations.
组织应约定和实施应对外部组织的信息安全风险的信息安全控制措施。
The organization shall monitor and review the effectiveness ofinformation security controls and take necessary actions.
组织应对信息安全控制措施的有效性进行监视和评审,并采取必要的行动。
8.7.3.3 Information security incidents
8.7.3.3 信息安全事件
Information security incidents shall be:
信息安全事件应:
a) recorded and classified;
a) 被记录和被分级;
b) prioritized taking into consideration the information securityrisk;
b) 按照优先次序被处理,考虑信息安全风险;
c) escalated if needed;
c) 被升级处理,如果有需要;
d) resolved;
d) 被解决;
e) closed.
e) 被关闭。
The organization shall analyse the information security incidentsby type, volume and impact on the SMS, services and interestedparties. Information security incidents shall be reported andreviewed to identify opportunities for improvement.
组织应按信息安全事件的类型,数量及其对服务管理体系(SMS),服务和相关方的影响进行分析。应对信息安全事件进行报告和评审,以识别改进的机遇。
NOTE The ISO/IEC 27000 series specifies requirements and providesguidance to support the implementation and operation of aninformation security management system. ISO/IEC 27013 providesguidance on the integration of ISO/IEC 27001 and ISO/IEC 20000-1(this document).
注,ISO/IEC 27000系列标准明了要求和提供了指南,以支持信息安全管理体系的实施和运行。ISO/IEC27013提供了ISO/IEC 27001 和 ISO/IEC 20000-1(本文件)整合的指南。
