Security Policy: Difference between revisions

Line 247:
=== Operational planning and control ===


Previous revision: The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.

Current revision: The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 3.1. The organization shall also implement plans to achieve information security objectives determined in 3.2.


The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are determined and controlled.


=== Information security risk assessment ===


Previous revision: The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

Current revision: The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 3.1.2.1.


The organization shall retain documented information of the results of the information security risk assessments.