ISO IEC 27002 2005*

INFORMATION SECURITY STANDARD

TRANSLATED INTO PLAIN ENGLISH

*ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005.
However, nothing else has changed. The content is the same.

ISO 17799 (27002) Information Security Standard in Plain English

The ISO 27002 2005 standard is all-encompassing. It takes a very broad approach to information security. In the context of this standard, the term information includes all forms of data, documents, communications, conversations, messages, recordings, and photographs. It includes everything from digital data and email to faxes and telephone conversations. It includes all forms of information.


The ISO/IEC 27002 2005 standard, and our interpretation of it, consists of recommended information security practices. These recommended practices are found in sections 5 to 15. Since these recommendations start in section 5, the following material also starts in section 5. Sections 1 and 4 cover a variety of introductory and explanatory topics, which are also covered in our Title 37.

This page presents a preview of ISO/IEC 27002 2005. It does not present the entire standard. If you need the entire detailed standard, please consider purchasing our Title 37: ISO IEC 27002 (17799) Translated into Plain English (see SAMPLE pdf). Our Title 37 includes all security control objectives, controls, implementation guidelines, and additional notes.

ISO IEC 27002 (17799)

5. Security Policy Management

5.1 Establish a comprehensive information security policy

5.1.1 Develop an information security policy document

5.1.2 Review your information security policy

6. Corporate Security Management

6.1 Establish an internal security organization

6.1.1 Make an active commitment to information security

6.1.2 Coordinate information security implementation

6.1.3 Allocate information security responsibilities

6.1.4 Establish an authorization process for new facilities

6.1.5 Use confidentiality agreements to protect information

6.1.6 Maintain relationships with other organizations

6.1.7 Maintain relationships with special interest groups

6.1.8 Perform independent information system reviews

6.2 Control external party use of your information

6.2.1 Identify risks related to the use of external parties

6.2.2 Address security before customers are given access

6.2.3 Address security using third party agreements

7. Organizational Asset Management

7.1 Establish responsibility for your organization’s assets

7.1.1 Compile an inventory of organizational assets

7.1.2 Select owners for your information and assets

7.1.3 Establish acceptable use rules for information and assets

7.2 Use an information classification system

7.2.1 Develop information classification guidelines

7.2.2 Use information handling and labeling procedures

8. Human Resource Security Management

8.1 Emphasize security prior to employment

8.1.1 Define your security roles and responsibilities

8.1.2 Verify the backgrounds of all new personnel

8.1.3 Use contracts to protect your organization’s information

8.2 Emphasize security during employment

8.2.1 Expect your managers to emphasize security

8.2.2 Deliver information security training programs

8.2.3 Set up a disciplinary process for security breaches

8.3 Emphasize security at termination of employment

8.3.1 Assign responsibility for termination or reassignment

8.3.2 Make sure that assets are returned at termination

8.3.3 Remove information access rights at termination

9. Physical and Environmental Security Management

9.1 Use security areas to protect facilities

9.1.1 Use physical security perimeters to protect areas

9.1.2 Use physical entry controls to protect secure areas

9.1.3 Secure your organization’s offices, rooms, and facilities

9.1.4 Protect your facilities from natural and human threats

9.1.5 Use work guidelines to protect secure areas

9.1.6 Isolate and control public access points

9.2 Protect your equipment

9.2.1 Use equipment siting and protection strategies

9.2.2 Make sure that supporting utilities are reliable

9.2.3 Secure power and telecommunications cables

9.2.4 Maintain your organization’s equipment

9.2.5 Protect your organization’s off‑site equipment

9.2.6 Control equipment disposal and re‑use

9.2.7 Control the use of assets off‑site

10. Communications and Operations Management

10.1 Establish procedures and responsibilities

10.1.1 Document your operating procedures

10.1.2 Control changes to facilities and systems

10.1.3 Segregate duties and responsibilities

10.1.4 Separate development and operations

10.2 Control third party service delivery

10.2.1 Manage third party service agreements

10.2.2 Monitor third party service delivery

10.2.3 Control changes to third party services

10.3 Carry out future system planning activities

10.3.1 Monitor usage and carry out capacity planning

10.3.2 Use acceptance criteria to test your systems

10.4 Protect against malicious & mobile code

10.4.1 Establish controls to handle malicious code

10.4.2 Control the use of mobile code

10.5 Establish backup procedures

10.5.1 Backup your information and software

10.6 Protect computer networks

10.6.1 Establish network security controls

10.6.2 Control network service providers

10.7 Control how media are handled

10.7.1 Manage your organization’s removable media

10.7.2 Manage the disposal of your organization’s media

10.7.3 Control information handling and storage

10.7.4 Protect your system documentation

10.8 Protect exchange of information

10.8.1 Establish information exchange policies and procedures

10.8.2 Establish information and software exchange agreements

10.8.3 Safeguard the transportation of physical media

10.8.4 Protect electronic messaging and messages

10.8.5 Protect interconnected business information systems

10.9 Protect electronic commerce services

10.9.1 Protect information involved in ecommerce

10.9.2 Protect on‑line transaction information

10.9.3 Protect information available on public systems

10.10 Monitor information processing facilities

10.10.1 Establish and maintain audit logs

10.10.2 Monitor information processing facilities

10.10.3 Protect logging facilities and log information

10.10.4 Log system administrator and operator activities

10.10.5 Log information processing and communication faults

10.10.6 Synchronize your system clocks

11. Information Access Control Management

11.1 Control access to information

11.1.1 Develop a policy to control access to information

11.2 Manage user access rights

11.2.1 Establish a user access control procedure

11.2.2 Control the management of system privileges

11.2.3 Establish a process to manage passwords

11.2.4 Review user access rights and privileges

11.3 Encourage good access practices

11.3.1 Expect users to protect their passwords

11.3.2 Expect users to protect their equipment

11.3.3 Establish a clear‑desk and clear‑screen policy

11.4 Control access to networked services

11.4.1 Formulate a policy on the use of networks

11.4.2 Authenticate remote user connections

11.4.3 Use automatic equipment identification methods

11.4.4 Control access to diagnostic and configuration ports

11.4.5 Use segregation methods to protect your networks

11.4.6 Restrict connection to shared networks

11.4.7 Establish network routing controls

11.5 Control access to operating systems

11.5.1 Establish secure log‑on procedures

11.5.2 Identify and authenticate all users

11.5.3 Establish a password management system

11.5.4 Control the use of all system utilities

11.5.5 Use session time‑outs to protect information

11.5.6 Restrict connection times in high‑risk areas

11.6 Control access to applications and information

11.6.1 Restrict access by users and support personnel

11.6.2 Isolate sensitive application systems

11.7 Protect mobile and teleworking facilities

11.7.1 Protect mobile computing and communications

11.7.2 Protect and control teleworking activities

12. Information Systems Security Management

12.1 Identify information system security requirements

12.1.1 Identify security controls and requirements

12.2 Make sure applications process information correctly

12.2.1 Validate data input into your applications

12.2.2 Use validation checks to control processing

12.2.3 Protect message integrity and authenticity

12.2.4 Validate your applications’ output data

12.3 Use cryptographic controls to protect your information

12.3.1 Implement a policy on the use of cryptographic controls

12.3.2 Establish a secure key management system

12.4 Protect and control your organization’s system files

12.4.1 Control the installation of operational software

12.4.2 Control the use of system data for testing

12.4.3 Control access to program source code

12.5 Control development and support processes

12.5.1 Establish formal change control procedures

12.5.2 Review applications after operating system changes

12.5.3 Restrict changes to software packages

12.5.4 Prevent information leakage opportunities

12.5.5 Control outsourced software development

12.6 Establish technical vulnerability management

12.6.1 Control your technical system vulnerabilities

13. Information Security Incident Management

13.1 Report information security events and weaknesses

13.1.1 Report information security events as quickly as possible

13.1.2 Report security weaknesses in systems and services

13.2 Manage information security incidents and improvements

13.2.1 Establish incident response responsibilities and procedures

13.2.2 Learn from your information security incidents

13.2.3 Collect evidence to support your actions

14. Business Continuity Management

14.1 Use continuity management to protect your information

14.1.1 Establish a business continuity process for information

14.1.2 Identify the events that could interrupt your business

14.1.3 Develop and implement your business continuity plans

14.1.4 Establish a business continuity planning framework

14.1.5 Test and update your business continuity plans

15. Compliance Management

15.1 Comply with legal requirements

15.1.1 Identify all relevant legal requirements

15.1.2 Respect intellectual property rights (IPR)

15.1.3 Protect your organization’s records

15.1.4 Protect the privacy of personal information

15.1.5 Prevent misuse of data processing facilities

15.1.6 Control the use of cryptographic controls

15.2 Perform security compliance reviews

15.2.1 Review compliance with security policies and standards

15.2.2 Review technical security compliance

15.3 Carry out controlled information system audits

15.3.1 Control the audit of information systems

15.3.2 Protect information system audit tools

ATTENTION

This page summarizes the ISO IEC 27002 (17799) standard.
It highlights the main points. It does not present detail.

If you need a detailed and complete interpretation of ISO IEC 27002 (17799), please consider purchasing our Title 37: ISO 27002 (17799) Translated into Plain English. Our plain English ISO 27002 standard is 263 pages long. It includes all information security objectives, controls, implementation guidelines, and supporting notes.


Our Title 37 provides a detailed, accurate, and complete interpretation of ISO IEC 27002 (17799). It uses language that is clear, precise, and easy to understand. We guarantee it.

CONTACT INFORMATION

Praxiom Research Group Limited
9619 - 100A Street, Edmonton,
Alberta, Canada, T5K 0V7
Phone: (780)461-4514
Fax: (780)463-6034

info@praxiom.com

Legal Restrictions on the Use of this Page

Thank you for visiting this page. You are, of course, welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use. But, you are not legally authorized to print or produce additional copies, or to copy and paste any of our material onto another web site. If you would like to purchase our material, please contact our Sales Desk. Our staff would be very pleased to take your order or to answer any questions you might have.

Copyright © 2005 - 2008 by Praxiom Research Group Limited. All Rights Reserved.

Disclaimer and Limitation of Liability

The publisher and authors have used their best efforts in designing and developing this electronic publication. We make no representation or warranties with respect to accuracy or completeness of the contents of this publication and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose and shall in no event be liable for any loss of profit or any other commercial damage, including but not limited to special, incidental, consequential, or other damages.

On the Web since May 25, 1997.  Updated on April 5, 2008.
