A.16.1 Management of information security incidents and improvements 信息安全事件和改进的管理 Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. 目标:确保对信息安全事件进行持续、有效地管理,包括信息安全事态和弱点的沟通。 Responsibilities and A.16.1.1 procedures 职责和规程 Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. 应建立管理职责和规程,以确保快速、有效和有序地响应信息安全事件。 Reporting information security A.16.1.2 events 报告信息安全事态 Information security events shall be reported through appropriate management channels as quickly as possible. 应通过适当的管理途径尽快地报告信息安全事态。 Reporting information security A.16.1.3 weaknesses 报告信息安全弱点 Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. 应要求使用组织信息系统和服务的所有雇员和合同方记录并报告他们 观察到的或怀疑的任何系统或服务的信息安全弱点。 Assessment and decision of information security A.16.1.4 events 信息安全事态评估与 决策 Information security events shall be assessed and decided if they shall be classified as information security incidents. Information security events shall be assessed and decided if they shall be classified as information security incidents. 应对信息安全事态进行评估,以决定他们是否被归类为信息安全事件。 Response to information security A.16.1.5 incidents 信息安全事件响应 Information security incidents shall be responded to in accordance with the documented procedures. 应按照文件化规程来响应信息安全事件。 Learning from information security A.16.1.6 incidents 对信息安全事件的总 结 Collection of A.16.1.7 evidence 证据的收集 Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. 分析和解决信息安全事件积累的知识应用来减少未来事件的可能性或 影响。 The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. 组织应建立和应用规程以识别、收集、采集和保存可以作为证据的信息。 A.17 Information security aspects of business continuity management 业务连续性管理的信息安全方面 A.17.1 Information security continuity 信息安全连续性 Objective: Information security continuity shall be embedded in organization’s business continuity management systems。 目标:信息安全的连续性应嵌入组织的业务连续性管理体系。 Planning information A.17.1.1 security continuity 策划信息安全连续性 The organization shall determine its requirements for information security and continuity of information security management in adverse situations, e.g. during a crisis or disaster. 组织应明确在不利情况下(如危机或灾难时)信息安全和信息安全管理 连续性的要求。 The organization shall establish, document, implement and maintain Implementing processes, procedures and controls to guarantee the required level of information security A.17.1.2 continuity for information security during an adverse situation. continuity 实施信息安全连续性 组织应建立,记录,实施,维护流程、程序和控制,以确保满足不利的 情况下信息安全连续性所要求的级别。 Verify, review and evaluate information A.17.1.3 security continuity 验证、评审和评价信 息安全连续性 A.17.2 Redundancies 冗余 The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. 组织应定期验证已建立并实施的信息安全连续性控制,以确保它们在不 利条件下是适当并有效的。 Objective: To ensure availability of information processing facilities. 目标:确保信息处理设施的可用性。 Availability of information A.17.2.1 processing facilities 信息处理设施的可用 性 Information processing facilities shall be implemented redundancy sufficient to meet availability requirements. 信息处理设施应具备足够的冗余,以满足可用性要求。 with
A.18 Compliance 符合性 A.18.1 Compliance with legal and contractual requirements 符合法律与合同要求 Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. 目标:避免违反任何信息安全相关的法律、法令、法规或合同义务以及任何安全要求。 Identification of applicable legislation and contractual A.18.1.1 requirements 可用法律与合同要求 的识别 All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. 对每一个信息系统和组织而言,所有相关的法律、法规和合同要求,以 及为满足这些要求组织所采用的方法,应加以明确地定义、形成文件并 保持更新。 Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. 应实施适当的规程、以确保在涉及知识产权和使用具有所有权的软件产 品时,符合法律、法规和合同的要求。 Intellectual property A.18.1.2 rights 知识产权 Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with Protection of records A.18.1.3 statutory, regulatory, contractual and business requirements. 保护记录 应防止记录的遗失、毁坏、伪造、未授权的访问与发布,以满足法令、 法规、合同和业务的要求。 Privacy and protection of personally A.18.1.4 identifiable information 隐私和个人身份信息 保护 Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. 应依照相关的法律、法规的要求,确保隐私和个人身份信息的保护。 Regulation of cryptographic A.18.1.5 controls 密码控制措施的规则 Cryptographic controls shall be used in compliance with all relevant agreements legislation and regulations. 使用密码控制措施应遵从相关的协议、法律和法规。 A.18.2 Information security reviews
信息安全评审 Objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures 目标:确保信息安全依照组织策略和规程进行实施并运行。 Independent review of information A.18.2.1 security 信息安全的独立评审 组织管理信息安全的方法及其实施(例如信息安全的控制目标、控制措 施、策略、过程和规程)应按计划的时间间隔进行独立评审,当安全实 施发生重大变化时,也要进行独立评审。 The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes to the security implementation occur. Compliance with security policies and A.18.2.2 standards 符合安全策略和标准 管理层应定期评审信息处理和程序符合他们的责任范围内适当的安全 策略、标准和任何其他安全要求。 Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. Technical Information systems shall be regularly reviewed for compliance with A.18.2.3 compliance review 技 the organisation’s information security policies and standards. 术符合性评审 信息系统应被定期核查是否符合信息安全策略和标准。