7 Operation
7 运行
7.1 Operational planning and control 
7.1 运行的规划和控制
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.
组织应规划、实施和控制满足信息安全要求所需的过程，并实施第6条中确定的措施。
— 制定相关流程的标准；
— 按照标准实施对过程的控制。
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.
组织应保持文件记录信息达到必要的程度：有信心证明过程是按计划执行的。
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
组织应控制计划了的变更，评审非预期变更的后果，必要时采取措施减缓负面影响。
The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.
组织应确保对外部提供的与信息安全管理系统相关的流程、产品或服务进行控制。
7.2 Information security risk assessment 
7.2 信息安全风险评估
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
考虑到6.1.2  a）中建立的风险评估执行准则，组织应按计划的时间间隔执行信息安全风险
评估，当重大变更被提出或发生时也应执行信息安全风险评估。
The organization shall retain documented information of the results of the information security risk assessments.
组织应保留信息安全风险评估结果的文件记录信息。
7.3 Information security risk treatment 
7.3信息安全风险处置
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.
组织应实施信息安全风险处置计划。
组织应保留信息安全风险处置结果的文件记录信息。

温馨提示：获取完整版ISO27001最新2022版中英文对照资料，可咨询中培课程顾问或拨打客服电话了解18513851518