Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

A.12.6.2 Restrictions on software installation
Rules governing the installation of software by users shall be established and implemented.

A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls
Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

A.13 Communications security

A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls
Networks shall be managed and controlled to protect information in systems and applications.

A.13.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

A.13.1.3 Segregation in networks
Groups of information services, users and information systems shall be segregated on networks.

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

A.13.2.2 Agreements on information transfer
Agreements shall address the secure transfer of business information between the organization and external parties.

A.13.2.3 Electronic messaging
Information involved in electronic messaging shall be appropriately protected.

A.13.2.4 Confidentiality or non-disclosure agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirements for information systems which provide services over public networks.

A.14.1.1 Security requirements analysis and specification
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

A.14.1.2 Securing application services on public networks
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy
Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.2 System change control procedures
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

A.14.2.3 Technical review of applications after operating platform changes
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

A.14.2.4 Restrictions on changes to software packages
Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

A.14.2.5 Secure system engineering principles
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development efforts.

A.14.2.6 Secure development environment
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

A.14.2.7 Outsourced development
The organization shall supervise and monitor the activity of outsourced system development.

A.14.2.8 System security testing
Tests of the security functionality shall be carried out during development.

A.14.2.9 System acceptance testing
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data
Test data shall be selected carefully, protected and controlled.

A.15 Supplier relationships

A.15.1 Security in supplier relationships
Objective: To ensure protection of the organization's information that is accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships
Information security requirements for mitigating the risks associated with supplier access to the organization's assets shall be agreed with the supplier and documented.

A.15.1.2 Addressing security within supplier agreements
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information.

A.15.1.3 Information and communication technology supply chain
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and the product supply chain.

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services
Organizations shall regularly monitor, review and audit supplier service delivery.

A.15.2.2 Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.

A.16 Information security incident management
ISO 27001:2013 Chinese-English comparison (illustrated), part 9
2020-04-17 01:04