Close Panel




Introduction to ISO/IEC 27002

By IPSECS Admin. Posted in Management | Comments Off

ISO/IEC 27002 part of a growing family of ISO/IEC ISMS standards, the ‘ISO/IEC 27000 series’ is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology – Security techniques – Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

ISO 27002 introduction

ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:

The preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).

the standard contains the following twelve main sections:

  1. Risk assessment
  2. Security policy – management direction
  3. Organization of information security – governance of information security
  4. Asset management – inventory and classification of information assets
  5. Human resources security – security aspects for employees joining, moving and leaving an organization
  6. Physical and environmental security – protection of the computer facilities
  7. Communications and operations management – management of technical security controls in systems and networks
  8. Access control – restriction of access rights to networks, systems, applications, functions and data
  9. Information systems acquisition, development and maintenance – building security into applications
  10. Information security incident management – anticipating and responding appropriately to information security breaches
  11. Business continuity management – protecting, maintaining and recovering business-critical processes and systems
  12. Compliance – ensuring conformance with information security policies, standards, laws and regulations

Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided.

Reference :

Email this author | All posts by | Subscribe to Entries (RSS)


» Comments are closed.