13 This is likewise a documentation requirement. The original wording here is: "The organization shall retain documented information about the information security risk assessment process." Compare the wording used earlier: "The scope shall be available as documented information."
135 The sentence structure and original wording are essentially the same as in 6.1.2.
136 The original sentence is: "select appropriate information security risk treatment options, taking account of the risk assessment results". Taking account of the risk assessment results is not given separate emphasis; it is expressed directly as an accompanying adverbial phrase.
137 Information security risk treatment option(s): this term also appears in the previous clause. In ISO/IEC 27001:2005 the options were: 1) risk treatment (applying appropriate controls); 2) risk acceptance (knowingly and objectively accepting risks, providing they clearly satisfy the organization's policies and the criteria for accepting risks); 3) risk avoidance (avoiding risks); 4) risk transfer (transferring the associated business risks to other parties, e.g. insurers, suppliers). There is actually no need to discuss these options in ISO/IEC 27001 itself, since ISO/IEC 27005 covers them in detail.
138 The original sentence is: "determine all controls that are necessary to implement the information security risk treatment option(s) chosen".
139 The translation of this sentence is not very clear. The original is: "Organizations can design controls as required, or identify them from any source". The sentence uses "can" rather than "may", which is somewhat stronger in tone. The point this NOTE emphasizes is that an organization may design controls itself or identify them from any source. Of course, there are many possible sources: Annex A of this standard is the most basic one, and others include COBIT (Control Objectives for Information and related Technology, http://www.isaca.org/) and the relevant technical documents published by NIST (National Institute of Standards and Technology).