Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.
10 Improvement
10.1 Nonconformity and corrective action