ISO/IEC 27002
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), entitled Information technology - Security techniques - Code of practice for information security management.
ISO/IEC 27002:2005 has developed from BS7799, published in the mid-1990s. The British Standard was adopted by ISO/IEC as ISO/IEC 17799:2000, revised in 2005, and renumbered (but otherwise unchanged) in 2007 to align with the other ISO/IEC 27000-series standards.
ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:
- the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).
Outline
After the introductory sections, the standard contains the following twelve main sections:
- Risk assessment
- Security policy - management direction
- Organization of information security - governance of information security
- Asset management - inventory and classification of information assets
- Human resources security - security aspects for employees joining, moving and leaving an organization
- Physical and environmental security - protection of the computer facilities
- Communications and operations management - management of technical security controls in systems and networks
- Access control - restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance - building security into applications
- Information security incident management - anticipating and responding appropriately to information security breaches
- Business continuity management - protecting, maintaining and recovering business-critical processes and systems
- Compliance - ensuring conformance with information security policies, standards, laws and regulations
Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:
- Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introduction section outlines a risk assessment process although there are more specific standards covering this area such as ISO/IEC 27005. The use of information security risk analysis to drive the selection and implementation of information security controls is an important feature of the ISO/IEC 27000-series standards: it means that the generic good practice advice in this standard gets tailored to the specific context of each user organization, rather than being applied by rote. Not all of the 39 control objectives are necessarily relevant to every organization for instance, hence entire categories of control may not be deemed necessary. The standards are also open ended in the sense that the information security controls are 'suggested', leaving the door open for users to adopt alternative controls if they wish, just so long as the key control objectives relating to the mitigation of information security risks, are satisfied. This helps keep the standard relevant despite the evolving nature of information security threats, vulnerabilities and impacts, and trends in the use of certain information security controls.
- It is practically impossible to list all conceivable controls in a general purpose standard. Industry-specific implementation guidelines for ISO/IEC 27001 and ISO/IEC 27002 offer advice tailored to organizations in the telecomms industry (see ISO/IEC 27011) and healthcare (see ISO 27799), with additional guidelines for the financial services and other industries in preparation.
National Equivalent Standards
ISO/IEC 27002 has directly equivalent national standards in several countries. Translation and local publication often results in several months' delay after the main ISO/IEC standard is revised and released, but the national standard bodies go to great lengths to ensure that the translated content accurately and completely reflects ISO/IEC 27002.
| Countries | Equivalent Standard |
|---|---|
| Australia and New Zealand | AS/NZS ISO/IEC 27002:2006 |
| Brazil | ISO/IEC NBR 17799/2007 - 27002 |
| Chile | NCH2777 ISO/IEC 17799/2000 |
| China | GB/T 22081-2008 |
| Czech Republic | ČSN ISO/IEC 27002:2006 |
| Denmark | DS484:2005 |
| Estonia | EVS-ISO/IEC 17799:2003, 2005 version in translation |
| Japan | JIS Q 27002 |
| Lithuania | LST ISO/IEC 27002:2009 (adopted ISO/IEC 27002:2005, ISO/IEC 17799:2005) |
| Netherlands | NEN-ISO/IEC 27002:2005 |
| Peru | NTP-ISO/IEC 17799:2007 |
| Poland | PN-ISO/IEC 17799:2007, based on ISO/IEC 17799:2005 |
| Russia | ГОСТ/Р ИСО МЭК 17799-2005 |
| Slovakia | STN ISO/IEC 27002:2006 |
| South Africa | SANS 17799:2005 |
| Spain | UNE 71501 |
| Sweden | SS 627799 |
| Turkey | TS ISO/IEC 27002 |
| Ukraine | СОУ Н НБУ 65.1 СУІБ 2.0:2010 |
| United Kingdom | BS ISO/IEC 27002:2005 |
| Uruguay | UNIT/ISO 17799:2005 |
Certification
ISO/IEC 27002 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organization according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes.
ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) is a certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS, and lays out in Annex A a suite of 133 information security controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls in Annex A are derived from and aligned with ISO/IEC 27002.
Ongoing development
Both ISO/IEC 27001 and ISO/IEC 27002 are currently being revised by ISO/IEC JTC1/SC27. This is a routine activity every few years for ISO/IEC standards, in order to keep them current and relevant. It involves, for instance, incorporating references to other issued security standards (such as ISO/IEC 27000, ISO/IEC 27004 and ISO/IEC 27005) and various good security practices that have emerged in the field since they were last published. Due to the significant 'installed base' of organizations already using ISO/IEC 27002, particularly in relation to the information security controls supporting an ISMS that complies with ISO/IEC 27001, any changes have to be justified and, wherever possible, evolutionary rather than revolutionary in nature. The revised standards are expected to be published in 2011 or 2012 if everything goes to plan.
See also
- BS 7799, the original British Standard from which ISO/IEC 17799 and then ISO/IEC 27002 was derived
- Information security professionalism
- ISO/IEC 27000-series
- IT baseline protection
- IT risk management
- List of ISO standards
- Sarbanes–Oxley Act
- Standard of Good Practice published by the Information Security Forum