EXECUTIVE SUMMARY
ISO IEC 27002 2005 is a generic information security management standard. It can be used by any organization that needs to establish a comprehensive information security management program or improve its current information security practices. According to the official title page, ISO IEC 27002 2005 is a “code of practice for information security management”.
ISO/IEC recommends that you consider each of the practices it describes as you establish or improve your organization’s information security management program. However, you don’t have to implement every recommended security practice. Which ones you adopt depends on your organization’s own information security risks and requirements. If a particular practice helps you to address a serious information security risk or to meet an important information security requirement, use it. If it doesn’t, leave it out, but be able to explain why, since the decision to omit a control is itself a risk decision.
ISO AND IEC
ISO is the International Organization for Standardization. It was set up in 1947 and is located in Geneva, Switzerland. Its purpose is to develop standards that support and facilitate international trade.
IEC is the International Electrotechnical Commission. It was set up in 1906 and is also located in Geneva, Switzerland. Its purpose is to develop standards for all types of electrotechnologies.
Both ISO and IEC are supported by national member bodies. These member bodies participate in the standards development process through technical committees.
ISO IEC 17799
When the standard was officially published on June 15, 2005, it was known as ISO IEC 17799 2005. On July 1, 2007, the name was formally changed to ISO IEC 27002 2005. Nothing else changed: the content is the same. The name was changed in order to make it clear that ISO IEC 17799 belongs with the ISO IEC 27000 series of information security standards.
The ISO IEC 17799 2005 standard (now known as ISO IEC 27002 2005) was developed by the IT Security Techniques subcommittee (SC 27) of the Joint Technical Committee on Information Technology (ISO/IEC JTC 1). It cancels and replaces the old ISO IEC 17799 2000 standard, which is now obsolete.
While much of the content is the same, the ISO IEC 17799 2005 (27002) standard was entirely rewritten, reorganized, and updated in order to address new and emerging information security issues. In addition, one new section was added on information security incident management (section 13).
TYPES OF INFORMATION
The ISO 27002 standard is all about information. Since information can exist in many forms, the ISO 27002 standard takes a very broad approach. In the context of this standard, the term information includes at least the following:
- Electronic files
  - Software files
  - Data files
- Paper documents
  - Printed materials
  - Handwritten notes
- Photographs
- Recordings
  - Video recordings
  - Audio recordings
- Communications
  - Conversations
    - Telephone conversations
    - Cell phone conversations
    - Face-to-face conversations
  - Messages
    - Email messages
    - Fax messages
    - Video messages
    - Instant messages
    - Physical messages
INFORMATION SECURITY
From the standpoint of an organization, information has value and is therefore an asset. It needs to be protected just like any other corporate asset. And because information must be protected, the infrastructure that supports information must also be protected. This infrastructure includes all the networks, systems, and functions that allow an organization to manage and control its information assets.
The big question is how you protect your information assets. That’s where the ISO IEC 27002 standard comes in. It explains what you can do to protect your organization’s information assets.
But why do information assets need to be protected? Information needs to be protected because modern organizations face a wide range of security threats. These threats include everything from human error and equipment failure to theft, fraud, vandalism, sabotage, fire, flood, and even terrorism. And because most modern organizations operate in a complex, interconnected, technological world, information is also exposed to a newer set of high-tech threats and attacks. Because of their interconnectedness, modern organizations are also threatened by computer hackers, malicious code, and denial of service attacks.
According to ISO 27002, information can be protected using a wide variety of controls. In addition to hardware and software functions, controls include things like policies, procedures, processes, and organizational structures. In order to protect their information, organizations must develop, implement, monitor, evaluate, and improve these types of security controls.
YOUR SECURITY REQUIREMENTS
But how and where do you start? ISO IEC suggests that you begin by identifying your organization’s information security needs and requirements. They suggest that you identify your security needs and requirements in the following way:
- Perform a risk assessment. Identify major security threats and vulnerabilities. Then estimate how likely it is that each threat will exploit a vulnerability and cause a security incident. Then evaluate the potential impact each incident could have on your organization, given your overall business objectives and strategies. This will help you to pinpoint your organization’s unique information security needs and requirements.
- Study your legal requirements. Study all the legal, statutory, regulatory, and contractual requirements that your organization, its trading partners, contractors, and service providers must meet. Look for all the information security requirements that must be met. This will help you to identify your organization’s unique legal information security needs and requirements.
- Examine your own requirements. Examine your organization’s own information processing principles, objectives, and requirements. Study the information processing methods and practices that your organization has developed in order to support its operations. This will help you to identify and refine your organization’s unique information security needs and requirements.
YOUR SECURITY PROGRAM
Once you’ve identified your information security needs and requirements, you can begin to establish or improve your own information security program. Choose from the security practices recommended by the ISO IEC 27002 2005 standard. Select the practices that meet your organization's unique security needs and requirements, and ignore the ones that don't.
ISO IEC suggests that the following security practices are a good place to start, and therefore ought to be at the center of your information security program:
YOUR SUCCESS FACTORS
According to ISO IEC, your organization’s information security program will be more successful if you accept the following suggestions:
• Make sure that your senior management visibly supports and is committed to your information security program.
• Make sure that your management has agreed to fund your organization's information security management activities.
• Make sure that your approach to information security is consistent with your organization’s corporate culture.
• Make sure that your information security policy, objectives, and activities reflect your organization’s business objectives.
• Make sure that your organization understands its own unique information security needs and requirements.
• Make sure that your organization understands why risk management is central to your program and why a risk assessment should be performed.
• Make sure that your information security program is explained to all managers and employees and that they understand why it’s important.
• Make sure that you distribute information that explains your information security policy and standards to all employees and other interested parties.
• Make sure that you provide appropriate security training, education, and awareness programs.
• Make sure that your organization establishes an effective information security incident management process.
• Make sure that you encourage people to provide feedback and to suggest ways of improving the performance of your information security program.
• Make sure that you develop a balanced and comprehensive way of measuring the performance of your information security program.
STRUCTURE OF ISO IEC 27002
Each section of the ISO IEC 27002 2005 standard is structured in the same basic way, using the same four categories: Objective, Control, Implementation guidance, and Other information.
Each section begins with one or more objectives. This is followed by the controls that should be used to achieve these objectives. Each control is immediately followed by detailed implementation guidance that explains how the control can be implemented. In most cases a control also ends with other information that further explains what the control is about.
While our publications have preserved this general four part structure, we have shortened the headings to save space. Our headings are as follows:
• GOAL. Goals are security objectives that should be achieved.
• CTRL. Controls explain how goals (objectives) can be achieved.
• GUIDE. Guidelines explain how controls can be implemented.
• NOTE. Notes add helpful hints and explanations.