Information technology — Security techniques — Information security management systems — Requirements- Performance evaluation
信息安全管理體系要求-績(jī)效評(píng)價(jià)
 
8.2.2Internal audit programme
8.2.2內(nèi)部審計(jì)方案
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
組織應(yīng)規(guī)劃、建立、實(shí)施和保持審核方案，包括頻次、方法、職責(zé)、計(jì)劃要求和報(bào)告
When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.
審核方案應(yīng)考慮所關(guān)注過(guò)程的重要性以及以往審核的結(jié)果；
The organization shall:
組織應(yīng)：
a)define the audit criteria and scope for each audit;
b)select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c)ensure that the results of the audits are reported to relevant management;
a)定義審核的標(biāo)準(zhǔn)和范圍；
b)為每次審核定義審核準(zhǔn)則和審核范圍；
c)審核員的選擇和審核的實(shí)施應(yīng)確保審核過(guò)程的客觀性和公正性；
Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.
保留文件記錄信息作為審核方案和審核結(jié)果的證據(jù)。
8.3Management review 
8.3管理評(píng)審
8.3.1General
8.3.1 總則
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
管理者應(yīng)按計(jì)劃的時(shí)間間隔評(píng)審組織的信息安全管理體系，以確保其持續(xù)的適宜性、充分性和有效性。
8.3.2Management review inputs
8.3.2管理評(píng)審輸入
The management review shall include consideration of:
a)the status of actions from previous management reviews;
b)changes in external and internal issues that are relevant to the information security management system;
c)changes in needs and expectations of interested parties that are relevant to the information security management system;
d)feedback on the information security performance, including trends in:
1)nonconformities and corrective actions;
2)monitoring and measurement results;
3)audit results;
4)fulfilment of information security objectives;
e)feedback from interested parties;
f)results of risk assessment and status of risk treatment plan;
g)opportunities for continual improvement.
管理評(píng)審應(yīng)包括以下考慮因素：
a)以往管理評(píng)審的措施的狀態(tài)；
b)與信息安全管理體系相關(guān)的外部和內(nèi)部問(wèn)題的變更；
c)與信息安全管理體系相關(guān)的利益相關(guān)方的需求和期望的變化；
d)信息安全績(jī)效的反饋，包括下列方面的趨勢(shì)：
1)不符合和糾正措施；
2)監(jiān)視和測(cè)量結(jié)果；
3)審核結(jié)果；
4)信息安全目標(biāo)的實(shí)現(xiàn)；
e)相關(guān)方的反饋；
f)風(fēng)險(xiǎn)評(píng)估的結(jié)果和風(fēng)險(xiǎn)處置計(jì)劃的狀態(tài)；
g)持續(xù)改進(jìn)的機(jī)會(huì)。
8.3.3Management review results
8.3.3管理評(píng)審結(jié)果
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.
管理評(píng)審的輸出應(yīng)包括與持續(xù)改進(jìn)機(jī)會(huì)有關(guān)的決定，以及變更信息安全管理體系的所有需求。
組織應(yīng)保留文件記錄信息作為管理評(píng)審結(jié)果的證據(jù)。

溫馨提示：獲取完整版ISO27001最新2022版中英文對(duì)照資料，可咨詢中培課程顧問(wèn)或撥打客服電話了解18513851518