201 The order of this sentence has been rearranged in translation; the original text is: "The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established )." This is consistent with ISO/IEC 27005 and is the same as the requirement in ISO/IEC 27001:2005.
202 Clauses 8.2 and 8.3 are both described quite briefly; they genuinely focus on "operation". The requirements for the process and the method are placed in 6.1.2 and 6.1.3; the basic logical relationship is shown in the figure below:
203 The information security risk treatment plan is the one drawn up earlier.
204 Note these two different expressions: "the information security performance" and "the effectiveness of the information security management system".
205 This clause is fairly easy to understand and follows the same pattern as the information security risk plan and the other elements above. The original text is: "a) what needs to be monitored and measured, including information security processes and controls; b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; c) when the monitoring and measuring shall be performed; d) who shall monitor and measure; e) when the results from monitoring and measurement shall be analysed and evaluated; and f) who shall analyse and evaluate these results."
206 "Comparable and reproducible results". In ISO/IEC 27005:2005 this was said of information security risk assessment; ISO/IEC 27005:2013 does not state this requirement for information security risk assessment, and instead it has been moved to the clause on monitoring and review.