372 Here "satisfy" is rendered not with "meet" but with "in accordance with". The two expressions differ: "conform to" (符合) places more emphasis on the consistency between two things.
374 The "Other information" of ISO/IEC 27002:2013 states: ISO/IEC 27007 [12], "Guidelines for information security management systems auditing", and ISO/IEC TR 27008 [13], "Guidelines for auditors on information security controls", also provide guidance for carrying out the independent review. Several distinct concepts must be kept apart here. The independent review referred to in A.18.2.1 is in fact similar to an audit (in the sense of a management system audit), whereas the audit discussed in A.12.7.1, judging from ISO/IEC 27002:2013, is more focused on details. Within ISO/IEC 27001:2013 these concepts are easy to confuse, because the main text already contains 9.3 Internal audit, whose requirements have much in common with A.18.3.1 Independent review of information security (in particular, both may refer to ISO/IEC 27007 and ISO/IEC TR 27008), while A.12.7.1 Information systems audit controls, which uses the same word, describes something different.
375 ISO/IEC 27001:2005 used "check" (核查); ISO/IEC 27001:2005 changed this to "review" (评审).
Interpretation of the ISO/IEC 27001:2013 Standard and Analysis of the Revision
References
[1] ISO/IEC 27002:2013, Information technology - Security techniques - Code of practice for information security controls.
[2] ISO/IEC 27003, Information technology - Security techniques - Information security management system implementation guidance.
[3] ISO/IEC 27004, Information technology - Security techniques - Information security management - Measurement.
[4] ISO/IEC 27005, Information technology - Security techniques - Information security risk management.
[5] ISO 31000:2009, Risk management - Principles and guidelines.
[6] ISO/IEC Directives, Part 1, Consolidated ISO Supplement - Procedures specific to ISO, 2012.