19 The original text reads: organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. The wording here differs slightly from ISO/IEC 27001:2005: "the processes employed" was changed to "the organizational processes used". The difference is minor; the reference is simply a little clearer.
20 This sentence is newly added. It is rather a statement of principle; in philosophical terms, the world is always changing. ISO/IEC 27001:2005 originally contained a very practical sentence that has instead been deleted, namely: for example, a simple situation requires a simple ISMS solution (e.g. a simple situation requires a simple ISMS solution).
21 Confidentiality, integrity and availability; the corresponding terms are confidentiality, integrity and availability. Note that these are not the 7 properties from the definition of information security: ISO/IEC 27001:2013, like ISO/IEC 27001:2005, repeatedly emphasizes 3 properties. The other 4 properties are: authenticity, accountability, non-repudiation and reliability.
22 There is a logic to ISO/IEC 27001:2013 emphasizing only confidentiality, integrity and availability for information security, because ISO/IEC 27000:2009 defines it as: preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information. NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and reliability (2.33) can also be involved. Note the italicized part: the other 4 properties are given in the form of a "NOTE". In ISO/IEC 27001:2005, however, emphasizing only these 3 properties is less logical, because its terms and definitions cite ISO/IEC 27002:2005, which defines information security as: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved. In the italicized part, these 4 properties are treated as coordinate with the first 3.
23 Interested parties (interested parties). This is a term that appears quite frequently in the standard.
24 The degree adverb used here is "adequately".