ISO 27002 2005*

INTRODUCTION

*ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005.
However, nothing else has changed. The content is the same.

ISO IEC 27002 (17799) is a comprehensive
Information Security Management Standard

ISO and IEC

ISO is the International Organization for Standardization. It was set up in 1947 and is located in Geneva, Switzerland. Its purpose is to develop standards that support and facilitate international trade. IEC is the International Electrotechnical Commission. It was set up in 1906 and is also located in Geneva, Switzerland. Its purpose is to develop standards for all types of electrotechnologies. Both ISO and IEC are supported by national member bodies. These member bodies participate in the standards development process through technical committees.

Name Change

When the standard was officially published on June 15, 2005, it was known as ISO/IEC 17799 2005. On July 1, 2007, the name was formally changed to ISO/IEC 27002 2005. However, nothing else has changed. The content is still exactly the same. The name was changed in order to make it clear that ISO/IEC 17799 belongs with the ISO/IEC 27000 series of information security standards.
ISO/IEC 17799

The ISO/IEC 17799 2005 standard (now known as ISO/IEC 27002 2005) was developed by the IT Security Subcommittee (SC 27) of the Joint Technical Committee on Information Technology (ISO/IEC JTC 1). It cancels and replaces the old ISO/IEC 17799 2000 standard which is now obsolete. While much of the content is the same, the new ISO/IEC 17799 2005 (27002) standard has been entirely rewritten, reorganized, and updated in order to address new and emerging information security issues. In addition, one new section has been added on information security incident management (section 13).

Security Practices

ISO/IEC 27002 2005 can be used by any organization that needs to establish a comprehensive information security management program or improve its current information security practices. According to the official title page, ISO/IEC27002 is a “code of practice for information security management”. ISO/IEC recommends that you consider each of these practices as you establish or improve your organization’s information security management program.

However, you don’t have to implement every recommended security practice. It all depends on your unique information security risks and requirements. If a particular practice helps you to address a serious information security risk or to meet an important information security requirement, then use it.  If it doesn’t, ignore it.

Types of Information

The ISO27002 standard is all about information. Since information can exist in many forms, the ISO27002 standard takes a very broad approach. In the context of this standard, the term information includes at least the following:

  • Electronic files
    • Software files
    • Data files
  • Paper documents
    • Printed materials
    • Hand written notes
    • Photographs
  • Recordings
    • Video recordings
    • Audio recordings
  • Communications
    • Conversations
      • Telephone conversations
      • Cell phone conversations
      • Face to face conversations
    • Messages
      • Email messages
      • Fax messages
      • Video messages
      • Instant messages
      • Physical messages

Information Security

From the standpoint of an organization, information has value and is therefore an asset. It therefore needs to be protected just like any other corporate asset. And because information must be protected, the infrastructure that supports information must also be protected. This infrastructure includes all the networks, systems, and functions that allow an organization to manage and control its information assets. The big question is how do you protect your information assets? That’s where the ISO IEC27002 standard comes in. It explains what you can do to protect your organization’s information assets.

But why should information assets need to be protected? Information needs to be protected because modern organizations are faced with a wide range of security threats. These threats include everything from human error and equipment failure to theft, fraud, vandalism, sabotage, fire, flood, and even terrorism.

And because most modern organizations operate in a complex, interconnected, technological world, information is also vulnerable to an entirely new set of high-tech threats and attacks. Because of their interconnectedness, modern organizations are also threatened by computer hackers, malicious code, and denial of service attacks.

According to ISO27002, information can be protected using a wide variety of controls. In addition to hardware and software functions, controls include things like policies, procedures, processes, and organizational structures. In order to protect their information, organizations must develop, implement, monitor, evaluate, and improve these types of security controls.

Your Security Requirements

But how and where do you start? ISO IEC suggests that you begin by identifying your organization’s information security needs and requirements. They suggest that you identify your security needs and requirements in the following way:

  1. Perform a risk assessment. Identify major security threats and vulnerabilities. Then determine how likely it is that each threat and vulnerability will cause a security incident. Then evaluate the potential impact each incident could have on your organization given your overall business objectives and strategies. This will help you to pinpoint your organization’s unique information security needs and requirements.

  2. Study your legal requirements. Study all the legal, statutory, regulatory, and contractual requirements that your organization, its trading partners, contractors, and service providers must meet. Look for all the information security requirements that must be met. This will help you to identify your organization’s unique legal information security needs and requirements.

  3. Examine your own requirements. Examine your organization’s own information processing principles, objectives, and requirements. Study the information processing methods and practices that your organization has developed in order to support its operations. This will help you to identify and refine your organization’s unique information security needs and requirements.

Your Security Program

Once you’ve identified your information security needs and requirements, you can begin to establish or improve your own information security program. Choose from the security practices recommended by the ISO IEC 27002 2005 standard. Select the practices that meet your organization's unique security needs and requirements, and ignore the ones that don't.

ISO IEC suggests that the following security practices are a good place to start, and therefore ought to be at the center of your information security program:

  • Common best practices:

    • Allocate responsibility for information security.

    • Develop an information security policy document.

    • Make sure applications process information correctly.

    • Manage information security incidents and improvements.

    • Establish a technical vulnerability management process.

    • Provide security training, education, and awareness.

    • Develop a continuity management process.

  • Common legislated practices:

    • Respect intellectual property rights.

    • Safeguard your organization’s records.

    • Protect the privacy of personal information.

Your Success Factors

According to ISO IEC, your organization’s information security program will be more successful if you accept the following suggestions:

  • Make sure that your senior management visibly supports and is committed to your information security program.

  • Make sure that your management has agreed to fund your organization's information security management activities.

  • Make sure that your approach to information security is consistent with your organization’s corporate culture.

  • Make sure that your information security policy, objectives, and activities reflect your organization’s business objectives.

  • Make sure that your organization understands its own unique information security needs and requirements.

  • Make sure that your organization understands why risk management is central to your program and why a risk assessment should be performed.

  • Make sure that your information security program is explained to all managers and employees and that they understand why it’s important.

  • Make sure that you distribute information that explains your information security policy and standards to all employees and other interested parties.

  • Make sure that you provide appropriate security training, education, and awareness programs.

  • Make sure that your organization establishes an effective information security incident management process.

  • Make sure that you encourage people to provide feedback and to suggest ways of improving the performance of your information security program.

  • Make sure that you develop a balanced and comprehensive way of measuring the performance of your information security program.
STRUCTURE OF ISO/IEC 27002

Each section of the ISO/IEC 27002 2005 standard has been structured in the same basic way. Each section uses the same four categories: Objective, Control, Implementation guidance, and Other information. Each section begins with one or more objectives. This is followed by a discussion of the controls that should be used to achieve these objectives. This control oriented discussion is immediately followed by detailed implementation guidance that explains how the controls can be implemented. In most cases each section also ends with other information that further explains what the section is about.

While our publications have preserved this general four part structure, we have shortened the headings to save space. Our headings are as follows:

GOAL. Goals are security objectives that should be achieved.
CTRL. Controls explain how goals (objectives) can be achieved.
GUIDE. Guidelines explain how controls can be implemented.
NOTE. Notes add helpful hints and explanations.
 

ISO 17799 2005

ISO 17799 NAVIGATION GUIDE

       
Home Page Table of Contents Alphabetical Index Site Map
       
How to Order Our Products Our Prices Our Guarantee
       
OTHER INFORMATION SECURITY WEB PAGES

Overview of the ISO IEC 27002 (17799) Information Security Standard

ISO 27002 (17799) Security Standard Translated into Plain English

ISO 27002 (17799) Plain English Information Security Definitions

Complete list of ISO IEC 27002 (17799) Security Control Objectives

ISO IEC 27002 (17799) Information Security Management Audit Tool

ISO17799 2000 Information Security Translated into Plain English

Also see our ISO 27001 Information Security Management Library
 

ISO 17799 2005

 
CONTACT INFORMATION
 
Praxiom Research Group Limited
9619 - 100A Street, Edmonton,
Alberta, T5K 0V7, Canada
Phone: (780)461-4514
Fax: (780)463-6034
info@praxiom.com
 

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
 material as often as you wish, free of charge. And as long as you keep intact
 all copyright notices, you are also welcome to print or make one copy of this
 page for your own personal, noncommercial, home use.   But, you are not
 legally authorized to print or produce additional copies, or to copy and paste
 any of our material onto another web site.  If you would like to purchase our
 material, please contact our Sales Desk. Our staff would be very pleased to
 take your order or to answer any questions you might have.

Copyright © 2005 - 2008 by Praxiom Research Group Limited. All Rights Reserved.

ISO 17799 BS7799

This web page was updated on April 5, 2008.  On the Web since May 25, 1997.