7 Operation
7 運行
7.1 Operational planning and control 
7.1 運行的規(guī)劃和控制
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.
組織應(yīng)規(guī)劃、實施和控制滿足信息安全要求所需的過程，并實施第6條中確定的措施。
— 制定相關(guān)流程的標準；
— 按照標準實施對過程的控制。
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.
組織應(yīng)保持文件記錄信息達到必要的程度：有信心證明過程是按計劃執(zhí)行的。
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
組織應(yīng)控制計劃了的變更，評審非預(yù)期變更的后果，必要時采取措施減緩負面影響。
The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.
組織應(yīng)確保對外部提供的與信息安全管理系統(tǒng)相關(guān)的流程、產(chǎn)品或服務(wù)進行控制。
7.2 Information security risk assessment 
7.2 信息安全風(fēng)險評估
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
考慮到6.1.2  a）中建立的風(fēng)險評估執(zhí)行準則，組織應(yīng)按計劃的時間間隔執(zhí)行信息安全風(fēng)險
評估，當重大變更被提出或發(fā)生時也應(yīng)執(zhí)行信息安全風(fēng)險評估。
The organization shall retain documented information of the results of the information security risk assessments.
組織應(yīng)保留信息安全風(fēng)險評估結(jié)果的文件記錄信息。
7.3 Information security risk treatment 
7.3信息安全風(fēng)險處置
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.
組織應(yīng)實施信息安全風(fēng)險處置計劃。
組織應(yīng)保留信息安全風(fēng)險處置結(jié)果的文件記錄信息。

溫馨提示：獲取完整版ISO27001最新2022版中英文對照資料，可咨詢中培課程顧問或撥打客服電話了解18513851518