Information technology — Security techniques — Information security management systems — Requirements- Planning
信息安全管理體系要求-規劃(2)

5.1.3  Information security risk treatment 
5.1.3  信息安全風險處置
The organization shall define and apply an information security risk treatment process to:
組織應定義并應用信息安全風險處置過程，以：
a)   select appropriate information security risk treatment options, taking account of the risk assessment results;
b)   determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE 1    Organizations can design controls as required, or identify them from any source.
c)   compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 2    Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.
NOTE 3    The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.
d)   produce a Statement of Applicability that contains:
—  the necessary controls (see 6.1.3 b) and c));
—  justification for their inclusion;
—  whether the necessary controls are implemented or not; and
—  the justification for excluding any of the Annex A controls.
e)   formulate an information security risk treatment plan; and
f)    obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
—  whether the necessary controls are implemented or not; and
—  the justification for excluding any of the Annex A controls.
e)   formulate an information security risk treatment plan; and
f)    obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
a)   在考慮風險評估結果的前提下，選擇適當的信息安全風險處置選項：
b)   為實施所選擇的信息安全風險處置選項，確定所有必需的控制措施；
注1：組織可按要求設計控制措施，或從其他來源識別控制措施。
c)   將 6.1.3   b）所確定的控制措施與附錄A 的控制措施進行比較，以核實沒有遺漏必要的控制措施；
注2：附錄A包含了一份全面的控制目標和控制措施的列表。本標準用戶可利用附錄A以確保不會遺漏必要的控制措施。
注3：控制目標包含于所選擇的控制措施內。附錄A所列的控制目標和控制措施并不是所有 的控制目標和控制措施，組織也可能需要另外的控制目標和控制措施。
d)   產生適用性聲明。
—  適用性聲明要包含必要的控制措施(見 6.1.3 b）和c))；
—  對包含的合理性說明（無論是否已實施），以及；
—  對附錄A 控制措施刪減的合理性說明；
e)   制定信息安全風險處置計劃；
f)    獲得風險負責人對信息安全風險處置計劃以及接受信息安全殘余風險的批準。 組織應保留信息安全風險處置過程的文件記錄信息。
NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].
注：本標準中的信息安全風險評估和處置過程可與 ISO 31000[5]中規定的原則和通用指南相結合。

溫馨提示：獲取完整版ISO27001最新2022版中英文對照資料，可咨詢中培課程顧問或撥打客服電話了解18513851518