6 PIMS-specific guidance related to ISO/IEC 27002 / 6.13 Information security incident management / 6.13.1 Management of information security incidents and improvements / 6.13.1.5 Response to information security incidents

6.13.1.5 Response to information security incidents

The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.5 and the following additional guidance applies:

Additional implementation guidance for 16.1.5, Response to information security incidents, of ISO/IEC 27002:2013 is:

Implementation guidance for PII controllers

An incident that involves PII should trigger a review by the organization, as part of its information security incident management process, to determine if a breach involving PII that requires a response has taken place.

An event does not necessarily trigger such a review.

NOTE 1 An information security event does not necessarily result in actual, or the significant probability of, unauthorized access to PII or to any of the organization's equipment or facilities storing PII. These can include, but are not limited to, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks and packet sniffing.

When a breach of PII has occurred, response procedures should include relevant notifications and records.

Some jurisdictions define cases when the breach should be notified to the supervisory authority, and when it should be notified to PII principals.

Notifications should be clear and can be required.

NOTE 2 Notification can contain details such as:
— a contact point where more information can be obtained;
— a description of and the likely consequences of the breach;
— a description of the breach including the number of individuals concerned as well as the number of records concerned;
— measures taken or planned to be taken.

NOTE 3 Information on the management of security incidents can be found in the ISO/IEC 27035 series.

Where a breach involving PII has occurred, a record should be maintained with sufficient information to provide a report for regulatory and/or forensic purposes, such as:
— a description of the incident;
— the time period;
— the consequences of the incident;
— the name of the reporter;
— to whom the incident was reported;
— the steps taken to resolve the incident (including the person in charge and the data recovered);
— the fact that the incident resulted in unavailability, loss, disclosure or alteration of PII.

In the event that a breach involving PII has occurred, the record should also include a description of the PII compromised, if known; and if notifications were performed, the steps taken to notify PII principals, regulatory agencies or customers.

Implementation guidance for PII processors

Provisions covering the notification of a breach involving PII should form part of the contract between the organization and the customer. The contract should specify how the organization will provide the information necessary for the customer to fulfil their obligation to notify relevant authorities. This notification obligation does not extend to a breach caused by the customer or PII principal or within system components for which they are responsible. The contract should also define expected and externally mandated limits for notification response times.

In some jurisdictions, the PII processor should notify the PII controller of the existence of a breach without undue delay (i.e. as soon as possible), preferably as soon as it is discovered, so that the PII controller can take the appropriate actions.

Where a breach involving PII has occurred, a record should be maintained with sufficient information to provide a report for regulatory and/or forensic purposes, such as:
— a description of the incident;
— the time period;
— the consequences of the incident;
— the name of the reporter;
— to whom the incident was reported;
— the steps taken to resolve the incident (including the person in charge and the data recovered);
— the fact that the incident resulted in unavailability, loss, disclosure or alteration of PII.

In the event that a breach involving PII has occurred, the record should also include a description of the PII compromised, if known; and if notifications were performed, the steps taken to notify PII principals, regulatory agencies or customers.

In some jurisdictions, applicable legislation and/or regulation can require the organization to directly notify appropriate regulatory authorities (e.g. a PII protection authority) of a breach involving PII.
ISO/IEC 27002:2013, 16.1.5 Response to information security incidents

16.1.5 Response to information security incidents
Control: Information security incidents should be responded to in accordance with documented procedures.
Implementation guidance: <omitted>
Other information: <omitted>
[Understanding the standard]
(1) This clause (6.13.1.5) takes "16.1.5 Response to information security incidents" of ISO/IEC 27002:2013 as its core, with additional implementation guidance and no additional other information.