6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, the organization shall
consider the issues referred to in 4.1 and the requirements referred to in 4.2 and
determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended
outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system
processes;
2) evaluate the effectiveness of these actions.
6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process
that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid
and comparable results;
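To make requirements a) and b) concrete, the following is an added illustration (not text or code from the standard) of a risk assessment process with explicitly defined criteria: fixed likelihood and impact scales as the criteria for performing assessments, a numeric acceptance threshold as the risk acceptance criterion, and a deterministic scoring step so that repeating the assessment over the same inputs yields identical, comparable results. The scales, the threshold, the level bands and the sample risks are all constructed assumptions, chosen for the example rather than prescribed by clause 6.1.2.

```python
"""Worked example of a risk assessment process with explicit criteria.

Added illustration for ISO/IEC 27001 clause 6.1.2 a) and b); the scales,
thresholds, level bands and sample risks below are constructed assumptions.
"""
from dataclasses import dataclass

# Criteria for performing assessments (6.1.2 a) 2)): fixed ordinal scales,
# so every assessor rates the same way (assumed 5-point scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion (6.1.2 a) 1)): a score at or below this value
# may be accepted without further treatment (assumed threshold).
ACCEPTANCE_THRESHOLD = 6

# Level bands used to label scores (assumed; upper bound inclusive).
LEVEL_BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]


@dataclass(frozen=True)
class Risk:
    """One identified risk, rated on the defined scales."""
    risk_id: str
    description: str
    likelihood: str
    impact: str


@dataclass(frozen=True)
class Result:
    """Outcome of assessing one risk against the criteria."""
    risk_id: str
    score: int
    level: str
    accepted: bool


def score_risk(risk: Risk) -> Result:
    """Score a single risk; rejects ratings outside the defined scales so
    results stay valid and comparable across assessments."""
    if risk.likelihood not in LIKELIHOOD:
        raise ValueError(f"{risk.risk_id}: unknown likelihood {risk.likelihood!r}")
    if risk.impact not in IMPACT:
        raise ValueError(f"{risk.risk_id}: unknown impact {risk.impact!r}")
    score = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    level = next(name for upper, name in LEVEL_BANDS if score <= upper)
    return Result(risk.risk_id, score, level, score <= ACCEPTANCE_THRESHOLD)


def assess(risks: list[Risk]) -> list[Result]:
    """Assess all risks and return them in a stable order (highest score
    first, ties broken by id) so two runs can be compared line by line."""
    results = [score_risk(r) for r in risks]
    return sorted(results, key=lambda res: (-res.score, res.risk_id))


def is_consistent(risks: list[Risk], runs: int = 3) -> bool:
    """Check requirement 6.1.2 b): repeating the assessment over the same
    inputs must produce identical results."""
    first = assess(risks)
    return all(assess(risks) == first for _ in range(runs - 1))


# Constructed sample register for the example.
SAMPLE_RISKS = [
    Risk("R1", "unpatched internet-facing web server", "likely", "major"),
    Risk("R2", "lost unencrypted USB drive with internal documents", "possible", "minor"),
    Risk("R3", "printer outage in a branch office", "rare", "negligible"),
]

if __name__ == "__main__":
    for res in assess(SAMPLE_RISKS):
        print(f"{res.risk_id}: score={res.score:2d} level={res.level:8s} accepted={res.accepted}")
    print("repeatable:", is_consistent(SAMPLE_RISKS))
```

Keeping the scales, threshold and level bands as named, versioned data rather than in assessors' heads is what makes the process auditable: a change to any of them is a change to the risk criteria that clause 6.1.2 a) requires the organization to maintain, and the ordered output lets two assessments of the same register be diffed directly.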