
ISO/IEC 27001: Information Security Management System Requirements - Planning (2)

2022-11-09 19:23:48 | Source: Enterprise IT Training
Information technology — Security techniques — Information security management systems — Requirements (Planning, part 2)

6.1.3  Information security risk treatment
The organization shall define and apply an information security risk treatment process to:
a)   select appropriate information security risk treatment options, taking account of the risk assessment results;
b)   determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE 1    Organizations can design controls as required, or identify them from any source.
c)   compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 2    Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.
NOTE 3    The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.
d)   produce a Statement of Applicability that contains:
—  the necessary controls (see 6.1.3 b) and c));
—  justification for their inclusion;
—  whether the necessary controls are implemented or not; and
—  the justification for excluding any of the Annex A controls.
e)   formulate an information security risk treatment plan; and
f)    obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk treatment process.
NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].
