ISO/IEC 27002

ISO/IEC 27002, part of a growing family of ISO/IEC ISMS standards (the 'ISO/IEC 27000 series'), is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was first published as ISO/IEC 17799:2005 and renumbered ISO/IEC 27002:2005 in July 2007 to bring it into line with the other ISO/IEC 27000-series standards. It is entitled "Information technology - Security techniques - Code of practice for information security management". The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard BS 7799-1:1999.

ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in terms of the C-I-A triad: "the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required)".

Outline of the Standard

After the introductory sections, the standard contains the following twelve main sections:

# Risk assessment
# Security policy - management direction
# Organization of information security - governance of information security
# Asset management - inventory and classification of information assets
# Human resources security - security aspects for employees joining, moving and leaving an organization
# Physical and environmental security - protection of the computer facilities
# Communications and operations management - management of technical security controls in systems and networks
# Access control - restriction of access rights to networks, systems, applications, functions and data
# Information systems acquisition, development and maintenance - building security into applications
# Information security incident management - anticipating and responding appropriately to information security breaches
# Business continuity management - protecting, maintaining and recovering business-critical processes and systems
# Compliance - ensuring conformance with information security policies, standards, laws and regulations

Within each section, control objectives are stated and the information security controls that support them are specified and outlined (the 2005 edition defines 39 control objectives and 133 controls). The controls are generally regarded as best practice means of achieving those objectives, and implementation guidance is provided for each. No specific control is mandated, for two reasons:
# Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introductory section outlines a risk assessment process, although more specific standards cover this area, such as ISO/IEC 27005.
# It is practically impossible to list all conceivable controls in a general purpose standard. Industry-specific implementation guidelines for ISO/IEC 27001 and 27002 are anticipated to give advice tailored to organizations in the telecoms, financial services, healthcare and other industries.

National Equivalent Standards

ISO/IEC 27002 has directly equivalent national standards in several countries. Translation and local publication often results in several months' delay after the main ISO/IEC standard is revised and released, but the national standard bodies go to great lengths to ensure that the translated content accurately and completely reflects ISO/IEC 27002.

Relationship to ISO/IEC 27001

ISO/IEC 27002 is a code of practice, not a specification against which an organization can be certified. Certification is instead sought against ISO/IEC 27001 ("Information technology - Security techniques - Information security management systems - Requirements"), which specifies a number of requirements for establishing, implementing, maintaining and improving an information security management system consistent with the best practices outlined in ISO/IEC 27002.

See also

* ISO/IEC 27000-series
* BS 7799, the original British Standard from which ISO/IEC 17799 and then ISO/IEC 27002 was derived
* List of ISO standards
* Standard of Good Practice published by the Information Security Forum
* IT baseline protection

External links

* ISO 27002 Source from BSI
* ISO 27002 Wiki
* The ISO 17799 Newsletter

Wikimedia Foundation. 2010.
