Information technology — Security techniques — Information security management systems — Requirements- Performance evaluation
信息安全管理體系要求-績效評價
 
8.2.2Internal audit programme
8.2.2內部審計方案
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
組織應規劃、建立、實施和保持審核方案，包括頻次、方法、職責、計劃要求和報告
When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.
審核方案應考慮所關注過程的重要性以及以往審核的結果；
The organization shall:
組織應：
a)define the audit criteria and scope for each audit;
b)select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c)ensure that the results of the audits are reported to relevant management;
a)定義審核的標準和范圍；
b)為每次審核定義審核準則和審核范圍；
c)審核員的選擇和審核的實施應確保審核過程的客觀性和公正性；
Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.
保留文件記錄信息作為審核方案和審核結果的證據。
8.3Management review 
8.3管理評審
8.3.1General
8.3.1 總則
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
管理者應按計劃的時間間隔評審組織的信息安全管理體系，以確保其持續的適宜性、充分性和有效性。
8.3.2Management review inputs
8.3.2管理評審輸入
The management review shall include consideration of:
a)the status of actions from previous management reviews;
b)changes in external and internal issues that are relevant to the information security management system;
c)changes in needs and expectations of interested parties that are relevant to the information security management system;
d)feedback on the information security performance, including trends in:
1)nonconformities and corrective actions;
2)monitoring and measurement results;
3)audit results;
4)fulfilment of information security objectives;
e)feedback from interested parties;
f)results of risk assessment and status of risk treatment plan;
g)opportunities for continual improvement.
管理評審應包括以下考慮因素：
a)以往管理評審的措施的狀態；
b)與信息安全管理體系相關的外部和內部問題的變更；
c)與信息安全管理體系相關的利益相關方的需求和期望的變化；
d)信息安全績效的反饋，包括下列方面的趨勢：
1)不符合和糾正措施；
2)監視和測量結果；
3)審核結果；
4)信息安全目標的實現；
e)相關方的反饋；
f)風險評估的結果和風險處置計劃的狀態；
g)持續改進的機會。
8.3.3Management review results
8.3.3管理評審結果
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.
管理評審的輸出應包括與持續改進機會有關的決定，以及變更信息安全管理體系的所有需求。
組織應保留文件記錄信息作為管理評審結果的證據。

溫馨提示：獲取完整版ISO27001最新2022版中英文對照資料，可咨詢中培課程顧問或撥打客服電話了解18513851518