本产品提供4小时免费咨询，由对基本标准有第一手知识的专家提供，以回答标准和清单上的问题，有效期为购买产品后60天。控制信息安全的任务是艰巨的。一个组织在其安全管理操作中最不希望看到的事情是召集一个通知机构进行认证，并发现该组织缺少供审计员检查的正确记录或文件。如果您没有正确阅读标准，可能会导致安全问题，或者可能会增加认证成本。 这就是为什么我们认为清单很重要。作者仔细审查了标准ISO/IEC 27018:2014，并根据该分类方案定义了所需的物证。SEPT的工程部门已经对完整的清单进行了第二次审查，以确保文件的制作人没有遗漏“通情达理的人”期望找到的实物证据。可以肯定地说，如果文件没有提出，那么就没有必要这样做；然而，如果一个组织使用该标准来改进其流程，那么识别缺失的文档是有意义的。 因此，本检查表中规定的一些文件是本标准暗示的，尽管本标准没有明确指出，但它们在本检查表中用星号（*）表示。如果一份文件被多次调用，则只规定第一次引用。有时，一个程序或文件不一定是单独的，可以包含在另一个文件中。例如，“安全监控日志信息记录”可以是“安全监控和运行诊断日志信息记录”的一部分。 “作者分别列出了这些单独的项目，以确保组织不会忽视物证的任何方面。如果组织不需要单独的文件，并且一个项目可以是另一个文件或记录的子集，那么这个事实应该在该项目清单的详细部分中注明。这应该以声明的形式进行。”表明本文件的信息可在文件XYZ的第XX节中找到。如果组织要求不要求为项目提供此类实物证据，则还应使用一份声明表示，说明不需要此类实物证据以及原因。 本声明中应明确说明不需要证据的原因。介绍的详细步骤部分提供了有关此步骤的更多详细信息。根据项目或业务需求的大小和复杂性，这些文件的大小可能因段落和卷而异。

This product comes with 4 hours of free consultation, from experts that have firsthand knowledge of the underlying standard, to answer questions on the standards and checklists and is valid for 60 days after purchase of the product.The task of getting information security under control is daunting. The last thing an organization wants in its security management operation is to call in a Notified Body for certification and to find out that the organization is lacking the correct records or documents for the auditor to examine. If you do not read the standard correctly it could cause a security problem or could increase the cost to become certified. That is why we believe a checklist is important.The authors have carefully reviewed the Standard ISO/IEC 27018:2014 and defined the physical evidence required based upon this classification scheme. SEPT's engineering department has conducted a second review of the complete list to ensure that the documents' producers did not leave out a physical piece of evidence that a "reasonable person" would expect to find. It could certainly be argued that if the document did not call it out then it is not required; however, if the standard was used by an organization to improve its process, then it would make sense to recognize missing documents. Therefore, there are documents specified in this checklist that are implied by the standard, though not specifically called out by it, and they are designated by an asterisk (*) throughout this checklist. If a document is called out more than one time, only the first reference is stipulated.There are occasional situations in which a procedure or document is not necessarily separate and could be contained within another document. For example, the "Security Monitoring Log Information Record" could be a part of the "Security Monitoring and Operational Diagnostics Log Information Record." The authors have called out these individual items separately to ensure that the organization does not overlook any facet of physical evidence. If the organization does not require a separate document, and an item can be a subset of another document or record, then this fact should be denoted in the detail section of the checklist for that item. This should be done in the form of a statement reflecting that the information for this document may be found in section XX of Document XYZ. If the organizational requirements do not call for this physical evidence for a project, this should also be denoted with a statement reflecting that this physical evidence is not required and why. The reasons for the evidence not being required should be clearly presented in this statement. Further details on this step are provided in the Detail Steps section of the introduction. The size of these documents could vary from paragraphs to volumes depending upon the size and complexity of the project or business requirements.