Information technology — Security techniques — Information security management systems — Requirements-Leadership
4 Requirements-Leadership
4.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.
4.2 Policy
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security;
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization;
g) be available to interested parties, as appropriate.
4.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this document;
b) reporting on the performance of the information security management system to top management.
NOTE Top management can also assign responsibilities and authorities for reporting performance of the information security management system within the organization.