isoiec270012013信息安全管理体系要求.docVIP

INTERNATIONAL STANDAR D ISO/IEC 27001 Second edition 2013-10-01 Information technology — Security techniques — Information security management systems — Requirements Technologies de l’information — Techniques de sécurité — Systèmes de management de la sécurité de l’information — Exigences Reference number ISO/IEC 27001:2013(E) ? ISO/IEC 2013 ISO/IEC 27001 信息技术-安全技术-信息安全管理体系-要求 Information technology- Security techniques -Information security management systems-Requirements ISO/IEC 27001:2013(E) Contents Page Foreword1 0 Introduction3 1 Scope5 2 Normative references5 3 Terms and definitions5 4 Context of the organization5 4.1 Understanding the organization and its context5 4.2 Understanding the needs and expectations of interested parties5 4.3 Determining the scope of the information security management system5 4.4 Information security management system7 5 Leadership7 5.1 Leadership and commitment 7 5.2 Policy 7 5.3 Organizational roles, responsibilities and authorities9 6 Planning9 6.1 Actions to address risks and opportunities 9 6.2 Information security objectives and planning to achieve them 13 7 Support13 7.1 Resources13 7.2 Competence13 7.3 Awareness13 7.4 Communication15 7.5 Documented information15 8 Operation 17 8.1 Operational planning and control 17 8.2 Information security risk assessment17 8.3 Information security risk treatment 17 9 Performance evaluation 17 9.1 Monitoring, measurement, analysis and evaluation17 9.2 Internal audit19 9.3 Management review19 10 Improvement21 10.1 Nonconformity and corrective action 21 10.2 Continual improvement 21 Annex A (normative) Reference control objectives and controls23 Bibliography49 目 次 前 言 2 引 言 4 1 范围 6 2 规范性引用文件 6 3 术语和定义 6 4 组织环境 6 5 领导 8 6 规划 10 7 支持 14 8 运行 18 9 绩效评价 18 10 改进 22 附 录 A （规范性附录） 参考控制目标和控制措施 24 参考文献 50 ISO/IEC 27001:2013(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the sp