b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE Organizations can design controls as required, or identify them from any source.
NOTE Organizations can design controls as required, or identify them from other sources.
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that
no necessary controls have been omitted;
c) compare the controls determined in 6.1.3 b) with those in Annex A to verify that no necessary
controls have been omitted;
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users
of this International Standard are directed to Annex A to ensure that no necessary controls
are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control
objectives and controls listed in Annex A are not exhaustive and additional control
objectives and controls may be needed.
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this
standard can use Annex A to ensure that no necessary controls are overlooked.
NOTE 2 Control objectives are included in the controls chosen. The control objectives and
controls listed in Annex A are not all of the possible control objectives and controls; the
organization may also need additional control objectives and controls.
d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b)
and c)) and justification for inclusions, whether they are implemented or not, and the
justification for exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and
acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk
treatment process.
d) produce a Statement of Applicability. The Statement of Applicability shall contain the
necessary controls (see 6.1.3 b) and c)), the justification for their inclusion (whether or not
they are implemented) and the justification for the exclusion of Annex A controls;
e) formulate an information security risk treatment plan;
f) obtain risk owners' approval of the information security risk treatment plan and acceptance
of the residual information security risks.
The organization shall retain documented information about the information security risk
treatment process.
NOTE The information security risk assessment and treatment process in this
International Standard aligns with the principles and generic guidelines provided in ISO
31000[5].
NOTE The information security risk assessment and treatment process in this standard can be
combined with the principles and generic guidelines specified in ISO 31000[5].
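As an added illustration of steps c) and d) above (example code, not part of the standard or of any Annex A), the check below takes the controls determined in 6.1.3 b), compares them against an Annex A list, and reports where a Statement of Applicability is missing a necessary control or a justification. The control identifiers and names are constructed placeholders, not the real Annex A numbering.

```python
from dataclasses import dataclass

# Constructed stand-in for Annex A (placeholder ids and names, not the real numbering).
ANNEX_A = {
    "A.X.1": "Access control policy",
    "A.X.2": "Cryptographic controls",
    "A.X.3": "Clear desk and clear screen",
    "A.X.4": "Supplier service monitoring",
}


@dataclass(frozen=True)
class SoaEntry:
    control_id: str
    applicable: bool      # included as a necessary control, or excluded
    implemented: bool     # recorded whether or not the control is implemented (6.1.3 d)
    justification: str    # reason for inclusion, or for exclusion of an Annex A control


def build_soa(necessary, justifications, implemented, annex_a=ANNEX_A):
    """Build the Statement of Applicability from the controls determined in 6.1.3 b).

    necessary: control ids chosen to treat risks (may include controls the organization
    designed itself, which need not be in Annex A; see the NOTE to 6.1.3 b)).
    justifications: control id -> reason for inclusion or exclusion.
    implemented: ids of controls already in place.
    """
    entries = []
    for cid in sorted(set(necessary) | set(annex_a)):
        entries.append(SoaEntry(cid, cid in necessary, cid in implemented,
                                justifications.get(cid, "")))
    return entries


def verify_soa(entries, necessary, annex_a=ANNEX_A):
    """Return findings; an empty list means the SoA satisfies 6.1.3 c) and d)."""
    findings = []
    listed = {e.control_id for e in entries}
    for cid in sorted(necessary):            # c): no necessary control omitted
        if cid not in listed:
            findings.append(f"{cid}: necessary control missing from SoA")
    for e in entries:                        # d): every Annex A decision is justified
        if e.control_id in annex_a and not e.justification:
            kind = "inclusion" if e.applicable else "exclusion"
            findings.append(f"{e.control_id}: {kind} lacks justification")
    return findings
```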
6.2 Information security objectives and planning to achieve them
6.2 Information security objectives and planning to achieve them