Information technology — Security techniques — Information security management systems — Requirements — Operation
Information security management system requirements — Operation
7 Operation
7.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.
The organization shall plan, implement and control the processes needed to meet information security requirements, and implement the measures determined in Clause 6, by:
— establishing criteria for the relevant processes;
— implementing control of the processes in accordance with the criteria.
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate adverse effects as necessary.
The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.
The organization shall ensure that externally provided processes, products or services relevant to the information security management system are controlled.
7.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
Taking into account the risk assessment criteria established in 6.1.2 a), the organization shall perform information security risk assessments at planned intervals, and shall also perform an information security risk assessment when significant changes are proposed or occur.
The organization shall retain documented information of the results of the information security risk assessments.
The organization shall retain documented information of the results of the information security risk assessments.
7.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.