6 PIMS-specific guidance related to ISO/IEC 27002 / 6.9 Operations security / 6.9.3 Backup / 6.9.3.1 Information backup
6.9.3.1 Information backup

The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 12.3.1 and the following additional guidance applies:

Additional implementation guidance for 12.3.1, Information backup, of ISO/IEC 27002:2013 is:

The organization should have a policy which addresses the requirements for backup, recovery and restoration of PII (which can be part of an overall information backup policy) and any further requirements (e.g. contractual and/or legal requirements) for the erasure of PII contained in information held for backup requirements.

PII-specific responsibilities in this respect can depend on the customer. The organization should ensure that the customer has been informed of the limits of the service regarding backup.

Where the organization explicitly provides backup and restore services to customers, the organization should provide them with clear information about their capabilities with respect to backup and restoration of PII.

Some jurisdictions impose specific requirements regarding the frequency of backups of PII, the frequency of reviews and tests of backup, or regarding the recovery procedures for PII. Organizations operating in these jurisdictions should demonstrate compliance with these requirements.

There can be occasions where PII needs to be restored, perhaps due to a system malfunction, attack or disaster. When PII is restored (typically from backup media), processes need to be in place to ensure that the PII is restored into a state where the integrity of PII can be assured, and/or where PII inaccuracy and/or incompleteness is identified and processes put in place to resolve them (which can involve the PII principal).

The organization should have a procedure for, and a log of, PII restoration efforts. At a minimum, the log of the PII restoration efforts should contain:

— the name of the person responsible for the restoration;
— a description of the restored PII.

Some jurisdictions prescribe the content of the logs of PII restoration efforts. Organizations should be able to document compliance with any applicable jurisdiction-specific requirements for restoration log content. The conclusions of such deliberations should be included in documented information.

The use of subcontractors to store replicated or backup copies of PII processed is covered by the controls in this document applying to subcontracted PII processing (see 6.5.3.3, 6.12.1.2). Where physical media transfers take place related to backups and restoration, this is also covered by controls in this document (6.10.2.1).
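As an added example (not part of the standard or of this article), the following Python shows one way to implement the restore-with-integrity-assurance process and the minimum restoration log content described above: per-record digests captured at backup time, a check of the restored copy that flags incompleteness (missing records) and inaccuracy (altered records), and a log entry that refuses to be written without the responsible person's name and a description of the restored PII. The record schema, the `id` field, the function names and the sample records are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

def record_digest(record):
    """SHA-256 over canonical JSON, so a restored record can be compared with its backup."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()

def build_manifest(records):
    """Per-record digests captured at backup time, keyed by record id (an assumed field)."""
    return {r["id"]: record_digest(r) for r in records}

def verify_restore(manifest, restored):
    """Compare a restored PII set with the backup manifest: 'missing' flags incompleteness,
    'mismatched' flags inaccuracy, 'unexpected' flags records the backup never held."""
    seen = {r["id"]: record_digest(r) for r in restored}
    missing = sorted(i for i in manifest if i not in seen)
    mismatched = sorted(i for i in manifest if i in seen and seen[i] != manifest[i])
    unexpected = sorted(i for i in seen if i not in manifest)
    return {"missing": missing, "mismatched": mismatched, "unexpected": unexpected,
            "integrity_assured": not (missing or mismatched or unexpected)}

def restoration_log_entry(responsible_person, description, result):
    """Minimum log content (responsible person, description of the restored PII) plus the
    verification outcome, so follow-up with the PII principal can be tracked."""
    if not responsible_person.strip() or not description.strip():
        raise ValueError("responsible person and description of restored PII are mandatory")
    return {"timestamp": datetime.now(timezone.utc).isoformat(),
            "responsible_person": responsible_person,
            "restored_pii_description": description,
            "integrity_assured": result["integrity_assured"],
            "follow_up_required": sorted(result["missing"] + result["mismatched"])}

# Constructed sample data (not from the standard): a backup snapshot and a flawed restore
BACKUP_RECORDS = [
    {"id": "p-001", "name": "A. Example", "email": "a@example.test"},
    {"id": "p-002", "name": "B. Example", "email": "b@example.test"},
    {"id": "p-003", "name": "C. Example", "email": "c@example.test"},
]
RESTORED_RECORDS = [
    {"id": "p-001", "name": "A. Example", "email": "a@example.test"},
    {"id": "p-002", "name": "B. Example", "email": "x@example.test"},  # altered record
]  # p-003 did not come back from the backup medium

if __name__ == "__main__":
    outcome = verify_restore(build_manifest(BACKUP_RECORDS), RESTORED_RECORDS)
    print(json.dumps(restoration_log_entry("J. Doe", "customer contact records", outcome), indent=2))
```

A jurisdiction that prescribes additional log fields would be handled by extending `restoration_log_entry`, keeping the two mandatory fields as the floor.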
ISO/IEC 27002:2013, 12.3.1 Information backup

12.3.1 Information backup
Control: Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.
Implementation guidance: <omitted>
Other information: <omitted>
【Understanding the standard】
(1) This clause (6.9.3.1) takes "12.3.1 Information backup" of ISO/IEC 27002:2013 as its core, adds additional implementation guidance, and adds no additional other information.
To read more, you need to purchase the [paid WeChat official-account article collection (200 articles, over 300,000 characters)].
The most comprehensive, detailed and precise study material for understanding and implementing ISO/IEC 27701:2019 (20 hours of video lectures + 300,000 characters of commentary articles). Buy the paid WeChat official-account article collection now (3,800 WeChat Beans, 200 articles, 300,000 characters) and receive 20 hours of lecture video (https://video.27001.cn/course-10.html) as a gift. The articles contain more, but the videos also cover things the articles do not; the videos and articles complement each other.
ISO/IEC 27701 training offered by typical consulting firms usually lasts only 1-2 hours; even if you spend thousands or tens of thousands to attend an institution's training, it is usually only 1-2 days, with internal audit, risk assessment and other topics mixed in. So for anyone who genuinely wants to learn ISO/IEC 27701, the material I provide is an opportunity not to be missed. None of the material already designated as paid will be made public later.
Although ISO/IEC 27701:2025 has been published, only the structure of the standard has changed; its core content and underlying logic are the same. Purchasing this material entitles you to a partial credit towards the later ISO/IEC 27701:2025 study materials.
【Action points】
This section requires payment.
【Output documents】
This section requires payment.
【Audit points】
This section requires payment.