201這一句調(diào)整了順序，實(shí)際原文為：The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established ）.這與ISO/IEC 27005保持了一致，與ISO/IEC 27001：2005的要求也是一樣的。

202條款8.2與8.3描述都比較簡(jiǎn)單，是真正關(guān)注“運(yùn)行”，對(duì)流程和方法的要求在6.1.2和6.1.3中，基本的邏輯關(guān)系如下圖所示：

203信息安全風(fēng)險(xiǎn)處置計(jì)劃是在前面制定的。

204注意這兩種說(shuō)法，“信息安全績(jī)效（the information security performance）”和“信息安全管理體系有效性(the effec -tiveness of the information security management system)".

205這節(jié)內(nèi)容比較容易理解，跟前面的信息安全風(fēng)險(xiǎn)計(jì)劃等要素都是一樣的，原文為：a）what needs to be monitored and measured, including information security processes and controls;b) the methods for monitoring, measurement, analysis and e -valuation, as applicable, to ensure valid results;c) when the monitoring and measuring shall be performed;d) who shall monitor and measure;e) when the results from monitoring and measurement shall be analysed and evaluated; and f) who shall analyse and evaluate these resultS。

206可比較和可再現(xiàn)的結(jié)果，comparable and reproducible resultSo在ISO/IEC 27005: 2005中是說(shuō)信息安全風(fēng)險(xiǎn)評(píng)估的，在ISO/IEC 27005: 2013中對(duì)信息安全風(fēng)險(xiǎn)評(píng)估中沒(méi)提這個(gè)要求，倒轉(zhuǎn)移到監(jiān)視和評(píng)審章節(jié)上了。

想了解更多IT資訊，請(qǐng)?jiān)L問(wèn)中培偉業(yè)官網(wǎng)：中培偉業(yè)