ISO IEC 27002 2005

TRANSLATED INTO PLAIN ENGLISH

ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005.
However, nothing else has changed. The content is exactly the same.

5. Security Policy Management

5.1.1  Develop an information
security policy document.

5.1.2  Review your information
security policy document.

6. Corporate Security Management

6.1.1  Make an active commitment
to information security.

6.1.2  Coordinate information
security implementation.

6.1.3  Allocate information security
responsibilities and authorities.

6.1.4  Establish an authorization
process for new facilities.

6.1.5  Use confidentiality agreements
to protect your information.

6.1.6  Maintain relationships
with other organizations.

6.1.7  Maintain relationships with
your special interest groups.

6.1.8  Perform independent
information system reviews.

6.2.1  Identify risks related to
the use of external parties.

6.2.2  Address security before
customers are given access.

6.2.3  Address security using
third party agreements.

7. Organizational Asset Management

7.1.1  Compile an inventory
of organizational assets.

7.1.2  Select owners for your
information and assets.

7.1.3  Establish acceptable-use rules
for information and assets.

7.2.1  Develop information
classification guidelines.

7.2.2  Use information handling
and labeling procedures.

8. Human Resource Security Management

8.1.1  Define all security roles
and responsibilities.

8.1.2  Verify the backgrounds
of all new personnel.

8.1.3  Use contracts to protect
your information assets.

8.2.1  Expect your managers
to emphasize security.

8.2.2  Deliver relevant information
security training programs.

8.2.3  Set up an official disciplinary
process for security breaches.

8.3.1  Assign responsibility for
termination or reassignment.

8.3.2  Make sure that assets are
returned at termination.

8.3.3  Remove information access
rights at termination.

9. Physical and Environmental Security Management

9.1.1  Use physical security
perimeters to protect areas.

9.1.2  Use physical entry controls
to protect secure areas.

9.1.3  Secure your organization’s
offices, rooms, and facilities.

9.1.4  Protect your facilities from
natural and human threats.

9.1.5  Use work guidelines to
protect secure areas.

9.1.6  Isolate and control
public access points.

9.2.1  Use equipment siting
and protection strategies.

9.2.2  Make sure that supporting
utilities are reliable.

9.2.3  Secure all power and
telecommunications cables.

9.2.4  Maintain your equipment.

9.2.5  Protect off‑site equipment.

9.2.6  Control disposal and re‑use.

9.2.7  Control use of assets off‑site.

10. Communications and Operations Management

10.1.1  Document all of your
operating procedures.

10.1.2  Control changes to
facilities and systems.

10.1.3  Segregate all duties
and responsibilities.

10.1.4  Separate development
and operations activities.

10.2.1  Manage third party
service agreements.

10.2.2  Monitor third party
service delivery.

10.2.3  Control changes to
third party services.

10.3.1  Monitor usage and carry
out capacity planning.

10.3.2  Use acceptance criteria
to test your systems.

10.4.1  Establish controls to
handle malicious code.

10.4.2  Control the use of
mobile code.

10.5.1  Backup your information
and software assets.

10.6.1  Establish network
security controls.

10.6.2  Control network
service providers.

10.7.1  Manage removable media.

10.7.2  Manage the disposal of
your organization’s media.

10.7.3  Control information
handling and storage.

10.7.4  Protect your system
documentation.

10.8.1  Establish information exchange
policies and procedures.

10.8.2  Establish information and
software exchange agreements.

10.8.3  Safeguard the transportation
of your physical media.

10.8.4  Protect your electronic
messaging and messages.

10.8.5  Protect interconnected
information systems.

10.9.1  Protect information that
is involved in ecommerce.

10.9.2  Protect your on‑line
transaction information.

10.9.3  Protect all information
available on public systems.

10.10.1  Establish audit logs.

10.10.2  Monitor information
processing facilities.

10.10.3  Protect logging facilities
and log information.

10.10.4  Log system administrator
and operator activities.

10.10.5  Log information processing
and communication faults.

10.10.6  Synchronize your
system clocks.

11. Information Access Control Management

11.1.1  Develop a policy to control
access to information.

11.2.1  Establish a user access
control procedure.

11.2.2  Control the management
of system privileges.

11.2.3  Establish a process to
manage passwords.

11.2.4  Review user access
rights and privileges.

11.3.1  Expect users to protect
their passwords.

11.3.2  Expect users to protect
their equipment.

11.3.3  Establish a clear‑desk
and clear‑screen policy.

11.4.1  Formulate a policy on
the use of networks.

11.4.2  Authenticate remote
user connections.

11.4.3  Use automatic equipment
identification methods.

11.4.4  Control access to diagnostic
and configuration ports.

11.4.5  Use segregation methods
to protect your networks.

11.4.6  Restrict connection
to shared networks.

11.4.7  Establish network
routing controls.

11.5.1  Establish secure
log‑on procedures.

11.5.2  Identify and authenticate
all network users.

11.5.3  Establish a password
management system.

11.5.4  Control the use of
all system utilities.

11.5.5  Use session time‑outs
to protect information.

11.5.6  Restrict connection times
in high‑risk areas.

11.6.1  Restrict access by users
and support personnel.

11.6.2  Isolate all sensitive
application systems.

11.7.1  Protect mobile computing
and communications.

11.7.2  Protect and control all
teleworking activities.

12. Information Systems Security Management

12.1.1  Identify security controls
and requirements.

12.2.1  Validate data input
into your applications.

12.2.2  Use validation checks
to control processing.

12.2.3  Protect message integrity
and authenticity.

12.2.4  Validate output data.

12.3.1  Implement a policy on use
of cryptographic controls.

12.3.2  Establish a secure key
management system.

12.4.1  Control the installation
of operational software.

12.4.2  Control the use of system
data for testing purposes.

12.4.3  Control access to
program source code.

12.5.1  Establish formal change
control procedures.

12.5.2  Review applications after
operating system changes.

12.5.3  Restrict changes to
software packages.

12.5.4  Prevent information
leakage opportunities.

12.5.5  Control outsourced
software development.

12.6.1  Control your technical
system vulnerabilities.

13. Information Security Incident Management <SAMPLE PDF

13.1.1  Report information security
events as quickly as possible.

13.1.2  Report security weaknesses
in systems and services.

13.2.1  Establish incident response
responsibilities and procedures.

13.2.2  Learn from information
security incidents.

13.2.3  Collect evidence to
support your actions.

14. Business Continuity Management

14.1.1  Establish a business continuity
process for your information.

14.1.2  Identify the events that
could interrupt your business.

14.1.3  Develop and implement
your business continuity plans.

14.1.4  Establish business continuity
planning framework.

14.1.5 Test and update your
business continuity plans.

15. Compliance Management

15.1.1  Identify all relevant
legal requirements.

15.1.2  Respect intellectual
property rights (IPR).

15.1.3  Protect your records.

15.1.4  Protect the privacy of
personal information.

15.1.5  Prevent misuse of data
processing facilities.

15.1.6  Control the use of
cryptographic controls.

15.2.1  Review compliance with
policies and standards.

15.2.2  Review technical
security compliance.

15.3.1  Control the audit of
information systems.

15.3.2  Protect information
system audit tools.