ISO27001:2013 Chinese-English Parallel Text (18)

Date: 2025-04-25   Source: unknown

8 Operation

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.

The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are determined and controlled.

8.2 Information security risk assessment

The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

The organization shall retain documented information of the results of the information security risk assessments.

8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information security risk treatment.

9 Performance evaluation
