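260 "Termination and change" becomes "change or termination" in the objective, and then "termination or change" in A.7.3.1. Whether "change" or "termination" comes first keeps shifting.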
261 The original text of this sentence is: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. The word "enforce" used in this sentence carries the sense of compulsory enforcement.
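262 There is a particularly interesting change here. ISO/IEC 27001:2005 describes it as: achieve and maintain appropriate protection of organizational assets (To ensure that information receives an appropriate level of protection), whereas ISO/IEC 27001:2013 describes it as: To limit access to information and information processing facilities. ISO/IEC 27001:2005 emphasizes the protection of assets, while ISO/IEC 27001:2013 emphasizes responsibility for protection.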
263 Information processing facilities; the English original is "information processing facilities".
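264 Here is another major change. ISO/IEC 27001:2005 required an inventory of "important assets" (an inventory of all important assets), but ISO/IEC 27001:2013 widens the scope and requires that "all assets associated with information or information processing facilities" (Assets associated with information and information processing facilities) be included in the asset inventory.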
265 The English wording of this sentence is extremely concise, as follows: Assets maintained in the inventory shall be owned.