Information technology — Security techniques — Information security management systems — Requirements — Planning
Information Security Management System Requirements - Planning (2)
5.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE 1 Organizations can design controls as required, or identify them from any source.
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 2 Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.
NOTE 3 The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.
d) produce a Statement of Applicability that contains:
— the necessary controls (see 6.1.3 b) and c));
— justification for their inclusion;
— whether the necessary controls are implemented or not; and
— the justification for excluding any of the Annex A controls.
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE 1 Organizations can design controls as required, or identify them from other sources.
c) compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary controls have been omitted;
NOTE 2 Annex A contains a comprehensive list of control objectives and controls. Users of this standard can use Annex A to ensure that no necessary controls are overlooked.
NOTE 3 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive, and the organization may also need additional control objectives and controls.
d) produce a Statement of Applicability.
— The Statement of Applicability shall contain the necessary controls (see 6.1.3 b) and c));
— justification for their inclusion (whether they are implemented or not); and
— justification for the exclusion of any Annex A controls;
e) formulate an information security risk treatment plan;
f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk treatment process.
NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].
注:本標(biāo)準(zhǔn)中的信息安全風(fēng)險(xiǎn)評估和處置過程可與 ISO 31000[5]中規(guī)定的原則和通用指南相結(jié)合。
溫馨提示:獲取完整版ISO27001最新2022版中英文對照資料,可咨詢中培課程顧問或撥打客服電話了解18513851518