a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.
10 Improvement
10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.
Table A.1 – Control objectives and controls
A.5 Security policies
A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
A.6 Organisation of information security
A.6.1 Internal organisation
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organisation.
A.6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.
A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
A.6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
A.6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
A.6.1.5 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
A.7 Human resource security
A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A.7.1.1 Screening
Control: Background verification checks on all candidates for employment