c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated
with the loss of confidentiality, integrity and availability for information within the scope
of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1)
were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk
assessment process.
The organization shall define and apply a risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.
6.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk
assessment results;
b) determine all controls that are necessary to implement the information security risk
treatment option(s) chosen;
The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;