ISO 27001 Checklist (Chinese-English bilingual edition; the Chinese column duplicated the English audit questions and is rendered here in English only)
ISO 27001 Compliance Checklist (Vinod Kumar, 2019/5/11)

Columns: Reference (checklist number, followed by the standard section in parentheses) | Audit area, objective and question. The standard section numbers follow Annex A of ISO/IEC 27001:2005.

Security Policy

1.1 (A.5.1) Information security policy
  1.1.1 Information security policy document
    - Whether there exists an information security policy, which is approved by management, published and communicated as appropriate to all employees.
    - Whether the policy states management commitment and sets out the organizational approach to managing information security.
  1.1.2 Review of the information security policy
    - Whether the information security policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
    - Whether the information security policy has an owner who has approved management responsibility for the development, review and evaluation of the policy.
    - Whether defined information security policy review procedures exist, and whether they include requirements for management review.
    - Whether the results of the management review are taken into account.
    - Whether management approval is obtained for the revised policy.

Organization of Information Security

2.1 (A.6.1) Internal organization
  2.1.1 Management commitment to information security
    - Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, and explicit assignment and acknowledgement of information security responsibilities.
  2.1.2 Information security coordination
    - Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities.
  2.1.3 Allocation of information security responsibilities
    - Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, are clearly identified and defined.
  2.1.4 Authorization process for information processing facilities
    - Whether a management authorization process is defined and implemented for any new information processing facility within the organization.
  2.1.5 Confidentiality agreements
    - Whether the organization's need for confidentiality or non-disclosure agreements (NDAs) for the protection of information is clearly defined and regularly reviewed.
    - Whether this addresses the requirement to protect confidential information using legally enforceable terms.
  2.1.6 Contact with authorities
    - Whether there exists a procedure that describes when, and by whom, relevant authorities (such as law enforcement, the fire department, etc.) should be contacted, and how the incident should be reported.
  2.1.7 Contact with special interest groups
    - Whether appropriate contacts with special interest groups, other specialist security forums, and professional associations are maintained.
  2.1.8 Independent review of information security
    - Whether the organization's approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to the security implementation occur.

2.2 (A.6.2) External parties
  2.2.1 Identification of risks related to external parties
    - Whether risks to the organization's information and information processing facilities from processes involving external party access are identified, and appropriate control measures implemented, before access is granted.
  2.2.2 Addressing security when dealing with customers
    - Whether all identified security requirements are fulfilled before granting customers access to the organization's information or assets.
  2.2.3 Addressing security in third party agreements
    - Whether agreements with third parties that involve accessing, processing, communicating or managing the organization's information or information processing facilities, or introducing products or services to information processing facilities, comply with all appropriate security requirements.

Asset Management

3.1 (A.7.1) Responsibility for assets
  3.1.1 Inventory of assets
    - Whether all assets are identified and an inventory or register of all important assets is maintained.
  3.1.2 Ownership of assets
    - Whether each identified asset has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.
  3.1.3 Acceptable use of assets
    - Whether rules for the acceptable use of information and assets associated with information processing facilities are identified, documented and implemented.

3.2 (A.7.2) Information classification
  3.2.1 Classification guidelines
    - Whether information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization.
  3.2.2 Information labelling and handling
    - Whether an appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.

Human Resources Security

4.1 (A.8.1) Prior to employment
  4.1.1 Roles and responsibilities
    - Whether the security roles and responsibilities of employees, contractors and third party users are defined and documented in accordance with the organization's information security policy.
    - Whether the roles and responsibilities were defined and clearly communicated to job candidates during the pre-employment process.
  4.1.2 Screening
    - Whether background verification checks on all candidates for employment, contractors and third party users are carried out in accordance with the relevant regulations.
    - Whether the check includes character references, confirmation of claimed academic and professional qualifications, and independent identity checks.
  4.1.3 Terms and conditions of employment
    - Whether employees, contractors and third party users are asked to sign a confidentiality or non-disclosure agreement as part of the initial terms and conditions of their employment contract.
    - Whether this agreement covers the information security responsibilities of the organization and of the employees, third party users and contractors.

4.2 (A.8.2) During employment
  4.2.1 Management responsibilities
    - Whether management requires employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.
  4.2.2 Information security awareness, education and training
    - Whether all employees in the organization, and where relevant contractors and third party users, receive appropriate security awareness training and regular updates on organizational policies and procedures as they pertain to their job function.
  4.2.3 Disciplinary process
    - Whether there is a formal disciplinary process for employees who have committed a security breach.

4.3 (A.8.3) Termination or change of employment
  4.3.1 Termination responsibilities
    - Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned.
  4.3.2 Return of assets
    - Whether there is a process in place that ensures all employees, contractors and third party users surrender all of the organization's assets in their possession upon termination of their employment, contract or agreement.
  4.3.3 Removal of access rights
    - Whether the access rights of all employees, contractors and third party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change.

Physical and Environmental Security

5.1 (A.9.1) Secure areas
  5.1.1 Physical security perimeter
    - Whether a physical security perimeter has been implemented to protect the information processing service. Some examples of such security facilities are card-controlled entry gates, walls, manned reception, etc.
  5.1.2 Physical entry controls
    - Whether entry controls are in place to allow only authorized personnel into the various areas within the organization.
  5.1.3 Securing offices, rooms and facilities
    - Whether the rooms that house the information processing service are locked, or have lockable cabinets or safes.
  5.1.4 Protecting against external and environmental threats
    - Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster is designed and applied.
    - Whether there is any potential threat from neighbouring premises.
  5.1.5 Working in secure areas
    - Whether physical protection and guidelines for working in secure areas are designed and implemented.
  5.1.6 Public access, delivery and loading areas
    - Whether delivery, loading and other public access areas through which unauthorized persons may enter are controlled, and whether the information processing facilities there are isolated to prevent unauthorized access.

5.2 (A.9.2) Equipment security
  5.2.1 Equipment siting and protection
    - Whether equipment is protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
  5.2.2 Supporting utilities
    - Whether equipment is protected from power failures and other disruptions caused by failures in supporting utilities.
    - Whether continuity of power supply, such as multiple feeds, an uninterruptible power supply (UPS), a backup generator, etc., is being utilized.
  5.2.3 Cabling security
    - Whether power and telecommunications cabling carrying data or supporting information services is protected from interception or damage.
    - Whether any additional security controls are in place for sensitive or critical systems.
  5.2.4 Equipment maintenance
    - Whether equipment is correctly maintained to ensure its continued availability and integrity.
    - Whether equipment is maintained as per the supplier's recommended service intervals and specifications.
    - Whether maintenance is carried out only by authorized personnel.
    - Whether logs are maintained of all suspected or actual faults and of all preventive and corrective measures.
    - Whether appropriate controls are implemented when sending equipment off premises. Whether the equipment is covered by insurance and the insurance requirements are satisfied.
  5.2.5 Security of equipment off-premises
    - Whether risks were assessed with regard to any use of equipment outside the organization's premises, and mitigating controls implemented.
    - Whether the use of information processing facilities outside the organization has been authorized by management.
  5.2.6 Secure disposal or re-use of equipment
    - Whether all equipment containing storage media is checked to ensure that any sensitive information or licensed software is physically destroyed, or securely overwritten, prior to disposal or re-use.
  5.2.7 Removal of property
    - Whether controls are in place so that equipment, information and software are not taken off-site without prior authorization.

Communications and Operations Management

6.1 (A.10.1) Operational procedures and responsibilities
  6.1.1 Documented operating procedures
    - Whether operating procedures are documented, maintained and available to all users who need them.
    - Whether such procedures are treated as formal documents, so that any changes made require management authorization.
  6.1.2 Change management
    - Whether all changes to information processing facilities and systems are controlled.
  6.1.3 Segregation of duties
    - Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorized modification or misuse of information or services.
  6.1.4 Separation of development, test and operational facilities
    - Whether the development and testing facilities are isolated from operational facilities. For example, development and production software should be run on different comp