
ISO27001:2013 Chinese-English Parallel Text (7)

Date: 2025-04-25   Source: unknown

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

a) interested parties that are relevant to the information security management system; and

b) the requirements of these interested parties relevant to information security.

NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:

a) the external and internal issues referred to in 4.1;

b) the requirements referred to in 4.2; and

c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.
