ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management:

ISO / IEC 27002


The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001...
The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

Introduction to ISO27002


2) Which ISO27002 controls are most important?
That largely depends upon the individual organization. However, ISO27002 does give some guidance, in the form of 'legislative essentials' and 'common best practice' under the IS "starting point" section. These are:
- intellectual property rights (12.1.2)
- safeguarding of organizational records (12.1.3)
- data protection and privacy of personal information (12.1.4)
- information security policy document (3.1.1)
- allocation of information security responsibilities (4.1.3)

ISO 27002 FAQ


Sound information security is the cornerstone of sensible corporate governance. The emergence of an international standard to support this, was perhaps, inevitable. However, it took until the second half of the 1990's for this process to really take shape.

ISO 17799 is often used as a generic term to describe what are actually two different documents: ISO17799 (aka ISO 27002), which is a set of security controls (a code of practice), and ISO 27001 (formerly BS7799-2), which is a standard 'specification' for an Information Security Management System (an ISMS) More

ISO 17799 ISO/IEC 27002

Definition:  The ISO/IEC 27000 series (including the 27002) is an information security standard for the management of Information Security and is part of the ISO/IEC Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).


ISO IEC 27702 | ISO 17799


The ISO IEC 27000 comprises broad recommendations for the best practices in managing information security. It includes ISO 27002 (standards for the control and improvement of the Security Management System), ISO 27005 (to assist implementing of IT security based on risk management approach) and ISO 27006 (a guide to the certification and registration process)

They are also called the IEC27002, IEC27005 and the IEC27006.

ISO / IEC 27002

The ISO27002 Standard contains 12 main sections:

1. Risk assessment
2. Security policy - management direction
3. Organization /governance of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

This site provides a useful guide to achieving the certification.


It was originally called the ISO/IEC 17799:2005 (previously called just ISO 17799) and subsequently renumbered ISO/IEC 27002:2005. Originally the standard was a reflection of the British Standard (BS) 7799-1:1999.

ISO 17799

The standard was a risk based approach to managing information security. Information is a valuable asset and being certified to ISO 17799 showed an organisation's commitment to the security of its information even through disasters and unexpected business downtime.

ISO 17799 was technology independent and concentrated on the management aspect of information security. ISO 17799 was actually a comprehensive set of controls comprising best practices in information security.

Information security is characterized as the preservation of confidentiality (ensuring that information is accessible only to those authorised to do so), integrity (safeguarding the accuracy and completeness of information), and availability (ensuring that authorised users have access to information when required).

The ISO 17799 standard comprised ten prime sections: 
Security Policy 
System Access Control 
Computer & Operations Management 
System Development and Maintenance 
Physical and Environmental Security 
Personnel Security 
Security Organization 
Asset Classification and Control 
Business Continuity Management (BCM)

A certificate normally lasted for 3 years after which it needed to be renewed. During the life of the certificate annual audits needed to be maintained.