ISO IEC 27002 2005

TRANSLATED INTO PLAIN ENGLISH

ISO IEC 27002 2005 is now OBSOLETE. Please see ISO IEC 27002 2013.

5. Security Policy Management

5.1  Establish an information security policy

5.1.1  Develop an information security policy document.

5.1.2  Review your information security policy document.


6. Corporate Security Management

6.1  Establish an internal security organization

6.1.1  Make an active commitment to information security.

6.1.2  Coordinate information security implementation.

6.1.3  Allocate information security responsibilities and authorities.

6.1.4  Establish an authorization process for new facilities.

6.1.5  Use confidentiality agreements to protect your information.

6.1.6  Maintain relationships with other organizations.

6.1.7  Maintain relationships with your special interest groups.

6.1.8  Perform independent information system reviews.

6.2  Control external party use of your information

6.2.1  Identify risks related to the use of external parties.

6.2.2  Address security before customers are given access.

6.2.3  Address security using third party agreements.


7. Organizational Asset Management

7.1  Establish responsibility for your assets

7.1.1  Compile an inventory of organizational assets.

7.1.2  Select owners for your information and assets.

7.1.3  Establish acceptable-use rules for information and assets.

7.2  Use an information classification system

7.2.1  Develop information classification guidelines.

7.2.2  Use information handling and labeling procedures.


8. Human Resource Security Management

8.1  Emphasize security prior to employment

8.1.1  Define all security roles and responsibilities.

8.1.2  Verify the backgrounds of all new personnel.

8.1.3  Use contracts to protect your information assets.

8.2  Emphasize security during employment

8.2.1  Expect your managers to emphasize security.

8.2.2  Deliver relevant information security training programs.

8.2.3  Set up an official disciplinary process for security breaches.

8.3  Emphasize security at the termination of employment

8.3.1  Assign responsibility for termination or reassignment.

8.3.2  Make sure that assets are returned at termination.

8.3.3  Remove information access rights at termination.


9. Physical and Environmental Security Management

9.1  Use security areas to protect your facilities

9.1.1  Use physical security perimeters to protect areas.

9.1.2  Use physical entry controls to protect secure areas.

9.1.3  Secure your organization's offices, rooms, and facilities.

9.1.4  Protect your facilities from natural and human threats.

9.1.5  Use work guidelines to protect secure areas.

9.1.6  Isolate and control public access points.

9.2  Protect equipment

9.2.1  Use equipment siting and protection strategies.

9.2.2  Make sure that supporting utilities are reliable.

9.2.3  Secure all power and telecommunications cables.

9.2.4  Maintain your equipment.

9.2.5  Protect off-site equipment.

9.2.6  Control disposal and re-use.

9.2.7  Control use of assets off-site.


10. Communications and Operations Management

10.1  Establish procedures and responsibilities

10.1.1  Document all of your operating procedures.

10.1.2  Control changes to facilities and systems.

10.1.3  Segregate all duties and responsibilities.

10.1.4  Separate development and operations activities.

10.2  Control third party service delivery

10.2.1  Manage third party service agreements.

10.2.2  Monitor third party service delivery.

10.2.3  Control changes to third party services.

10.3  Carry out system planning activities

10.3.1  Monitor usage and carry out capacity planning.

10.3.2  Use acceptance criteria to test your systems.

10.4  Protect against malicious and mobile code

10.4.1  Establish controls to handle malicious code.

10.4.2  Control the use of mobile code.

10.5  Establish your backup procedures

10.5.1  Back up your information and software assets.

10.6  Protect your computer networks

10.6.1  Establish network security controls.

10.6.2  Control network service providers.

10.7  Control how media are handled

10.7.1  Manage removable media.

10.7.2  Manage the disposal of your organization's media.

10.7.3  Control information handling and storage.

10.7.4  Protect your system documentation.

10.8  Protect exchange of information

10.8.1  Establish information exchange policies and procedures.

10.8.2  Establish information and software exchange agreements.

10.8.3  Safeguard the transportation of your physical media.

10.8.4  Protect your electronic messaging and messages.

10.8.5  Protect interconnected information systems.

10.9  Protect electronic commerce services

10.9.1  Protect information that is involved in ecommerce.

10.9.2  Protect your on-line transaction information.

10.9.3  Protect all information available on public systems.

10.10  Monitor information processing facilities

10.10.1  Establish audit logs.

10.10.2  Monitor information processing facilities.

10.10.3  Protect logging facilities and log information.

10.10.4  Log system administrator and operator activities.

10.10.5  Log information processing and communication faults.

10.10.6  Synchronize your system clocks.


11. Information Access Control Management

11.1  Control access to information

11.1.1  Develop a policy to control access to information.

11.2  Manage user access rights

11.2.1  Establish a user access control procedure.

11.2.2  Control the management of system privileges.

11.2.3  Establish a process to manage passwords.

11.2.4  Review user access rights and privileges.

11.3  Encourage good access practices

11.3.1  Expect users to protect their passwords.

11.3.2  Expect users to protect their equipment.

11.3.3  Establish a clear-desk and clear-screen policy.

11.4  Control access to your networked services

11.4.1  Formulate a policy on the use of networks.

11.4.2  Authenticate remote user connections.

11.4.3  Use automatic equipment identification methods.

11.4.4  Control access to diagnostic and configuration ports.

11.4.5  Use segregation methods to protect your networks.

11.4.6  Restrict connection to shared networks.

11.4.7  Establish network routing controls.

11.5  Control access to your operating systems

11.5.1  Establish secure log-on procedures.

11.5.2  Identify and authenticate all network users.

11.5.3  Establish a password management system.

11.5.4  Control the use of all system utilities.

11.5.5  Use session time-outs to protect information.

11.5.6  Restrict connection times in high-risk areas.

11.6  Control access to applications and information

11.6.1  Restrict access by users and support personnel.

11.6.2  Isolate all sensitive application systems.

11.7  Protect mobile and teleworking facilities

11.7.1  Protect mobile computing and communications.

11.7.2  Protect and control all teleworking activities.


12. Information Systems Security Management

12.1  Identify requirements

12.1.1  Identify security controls and requirements.

12.2  Make sure that applications process your information correctly

12.2.1  Validate data input into your applications.

12.2.2  Protect message integrity and authenticity.

12.2.3  Validate output data.

12.3  Use cryptographic controls to protect your information

12.3.1  Implement a policy on use of cryptographic controls.

12.3.2  Establish a secure key management system.

12.4  Protect and control system files

12.4.1  Control the installation of operational software.

12.4.2  Control the use of system data for testing purposes.

12.4.3  Control access to program source code.

12.5  Control development and support processes

12.5.1  Establish formal change control procedures.

12.5.2  Review applications after operating system changes.

12.5.3  Restrict changes to software packages.

12.5.4  Prevent information leakage opportunities.

12.5.5  Control outsourced software development.

12.6  Control vulnerability

12.6.1  Control your technical system vulnerabilities.


13. Information Security Incident Management

13.1  Report security events and weaknesses

13.1.1  Report information security events as quickly as possible.

13.1.2  Report security weaknesses in systems and services.

13.2  Manage security incidents and improvements

13.2.1  Establish incident response responsibilities and procedures.

13.2.2  Learn from information security incidents.

13.2.3  Collect evidence to support your actions.


14. Business Continuity Management

14.1  Use continuity management to protect information

14.1.1  Establish a business continuity process for your information.

14.1.2  Identify the events that could interrupt your business.

14.1.3  Develop and implement your business continuity plans.

14.1.4  Establish a business continuity planning framework.

14.1.5  Test and update your business continuity plans.


15. Compliance Management

15.1  Comply with legal requirements

15.1.1  Identify all relevant legal requirements.

15.1.2  Protect your records.

15.1.3  Protect the privacy of personal information.

15.1.4  Prevent misuse of data processing facilities.

15.1.5  Control the use of cryptographic controls.

15.2  Perform compliance reviews

15.2.1  Review compliance with policies and standards.

15.2.2  Review technical security compliance.

15.3  Carry out information system audits

15.3.1  Control the audit of information systems.

15.3.2  Protect information system audit tools.


ISO IEC 17799 2005 is now obsolete. It was replaced by ISO IEC 27002 2013.


Praxiom Research Group Limited     help@praxiom.com      780-461-4514

Updated on May 3, 2014. First published on December 22, 2005.

Copyright © 2006 - 2014 by Praxiom Research Group Limited. All Rights Reserved.