ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management:
The ISO 27002 standard is the renamed ISO 17799 standard and is a code of practice for information security. It outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001...
The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
2) Which ISO27002 controls are most important?
That largely depends upon the individual organization. However, ISO27002 does give some guidance, in the form of 'legislative essentials' and 'common best practice' under the IS "starting point" section. These are:
- intellectual property rights (12.1.2)
- safeguarding of organizational records (12.1.3)
- data protection and privacy of personal information (12.1.4)
- information security policy document (3.1.1)
- allocation of information security responsibilities (4.1.3)
Sound information security is the cornerstone of sensible corporate governance. The emergence of an international standard to support this was perhaps inevitable. However, it took until the second half of the 1990s for this process to really take shape.
ISO 17799 is often used as a generic term to describe what are actually two different documents: ISO 17799 (aka ISO 27002), which is a set of security controls (a code of practice), and ISO 27001 (formerly BS 7799-2), which is a standard 'specification' for an Information Security Management System (an ISMS).
ISO 17799 / ISO/IEC 27002
Definition: The ISO/IEC 27000 series (including 27002) is an information security standard for the management of information security and is part of the ISO/IEC standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The ISO/IEC 27000 series comprises broad recommendations for best practice in managing information security. It includes ISO 27002 (standards for the control and improvement of the security management system), ISO 27005 (to assist in implementing IT security based on a risk management approach) and ISO 27006 (a guide to the certification and registration process).
They are also referred to as IEC 27002, IEC 27005 and IEC 27006.
ISO / IEC 27002
The ISO27002 Standard contains 12 main sections:
1. Risk assessment
It was originally called ISO/IEC 17799:2005 (previously called just ISO 17799) and was subsequently renumbered ISO/IEC 27002:2005. Originally the standard was a reflection of the British Standard (BS) 7799-1:1999.
The standard took a risk-based approach to managing information security. Information is a valuable asset, and being certified to ISO 17799 showed an organisation's commitment to the security of its information, even through disasters and unexpected business downtime.
ISO 17799 was technology independent and concentrated on the management aspect of information security. ISO 17799 was in fact a comprehensive set of controls comprising best practices in information security.
Information security is characterized as the preservation of confidentiality (ensuring that information is accessible only to those authorised to do so), integrity (safeguarding the accuracy and completeness of information), and availability (ensuring that authorised users have access to information when required).
The ISO 17799 standard comprised ten prime sections:
A certificate normally lasted for 3 years, after which it needed to be renewed. During the life of the certificate, annual audits needed to be maintained.