ISO IEC 27002 2005 is a generic information security
standard. It can be used by any organization that
a comprehensive information security management program
its current information security practices. According to the
ISO IEC 27002 2005 is a “code of practice for information
ISO/IEC recommends that you consider each
practices as you
establish or improve your organization’s
However, you don’t have to implement every recommended
practice. It all depends on your unique information security risks and
requirements. If a particular practice helps you to address a serious
information security risk or to meet an important information security
requirement, then use it. If it doesn’t, ignore it.
ISO AND IEC
ISO is the International
Organization for Standardization. It was set up
in 1947 and is
located in Geneva, Switzerland. Its purpose
is to develop
that support and facilitate international trade.
the International Electrotechnical Commission. It was set up in
is also located in Geneva, Switzerland. Its purpose is to develop
for all types of electrotechnologies. Both ISO and IEC are
by national member bodies. These member bodies participate
standards development process through technical committees.
ISO IEC 17799
When the standard was officially published on
June 15, 2005, it was
known as ISO IEC 17799 2005. On July 1, 2007,
the name was formally
changed to ISO IEC 27002 2005. However, nothing
else has changed.
The content is still exactly the same. The name was
changed in order
to make it clear that ISO IEC 17799 belongs with the
ISO IEC 27000
series of information security standards.
The ISO IEC 17799 2005 standard (now known as
ISO IEC 27002 2005)
was developed by the IT
Security Subcommittee (SC 27)
of the Joint
Technical Committee on
Information Technology (ISO/IEC JTC 1).
and replaces the old ISO IEC
17799 2000 standard which
is now obsolete.
While much of the content is
the same, the new
ISO IEC 17799 2005 (27002)
standard has been entirely rewritten,
reorganized, and updated in
order to address new and emerging
information security issues. In
addition, one new section has been
added on information security
incident management (section 13).
TYPES OF INFORMATION
The ISO 27002 standard is all about
information. Since information
can exist in many forms, the ISO 27002 standard takes a very broad
approach. In the context of this standard, the term information
includes at least
- Electronic files
- Software files
- Data files
- Paper documents
- Printed materials
- Hand written notes
- Video recordings
- Audio recordings
- Telephone conversations
- Cell phone conversations
- Face to face conversations
- Email messages
- Fax messages
- Video messages
- Instant messages
- Physical messages
From the standpoint of an organization, information has
is therefore an
asset. It therefore needs to be protected just like
other corporate asset. And because information must be protected, the
information must also be protected.
infrastructure includes all the
networks, systems, and functions
that allow an
organization to manage and control its information
The big question is
how do you protect your information assets? That’s
ISO IEC 27002
standard comes in. It explains what you
can do to protect your
organization’s information assets.
But why should information assets need to be protected?
needs to be protected
because modern organizations are faced with
a wide range of security threats. These
threats include everything
error and equipment failure to theft, fraud, vandalism,
sabotage, fire, flood,
and even terrorism.
And because most modern organizations operate in a
interconnected, technological world, information is also vulnerable to
an entirely new set of high-tech threats and attacks. Because of their
interconnectedness, modern organizations are also threatened by
hackers, malicious code, and denial of service attacks.
According to ISO 27002, information can be protected
using a wide
controls. In addition to hardware and software
controls include things like policies, procedures, processes,
organizational structures. In order to
protect their information,
organizations must develop, implement,
monitor, evaluate, and
improve these types of security controls.
YOUR SECURITY REQUIREMENTS
But how and where do you start? ISO IEC suggests that you begin
by identifying your
organization’s information security needs and
requirements. They suggest
that you identify your security needs
and requirements in the following way:
- Perform a
Identify major security threats and
vulnerabilities. Then determine how likely
it is that each threat
and vulnerability will cause a
security incident. Then evaluate the
potential impact each incident could have on your
given your overall business objectives and strategies. This will
help you to pinpoint your organization’s unique
security needs and requirements.
your legal requirements. Study all the legal, statutory,
regulatory, and contractual requirements that your organization,
partners, contractors, and service providers must
meet. Look for all the
information security requirements
that must be met. This will help you to
identify your organization’s
unique legal information security needs and
Examine your own requirements. Examine your organization’s own
information processing principles, objectives, and requirements.
methods and practices that
your organization has
developed in order to support its operations.
This will help you to identify
and refine your organization’s unique
information security needs and
YOUR SECURITY PROGRAM
Once you’ve identified your information security needs
you can begin to establish or improve your own
program. Choose from the security
practices recommended by the
ISO IEC 27002 2005 standard. Select the
practices that meet your
organization's unique security needs and requirements,
ignore the ones that don't.
ISO IEC suggests that the following security practices
are a good
place to start, and therefore ought to be at the center of your
information security program:
YOUR SUCCESS FACTORS
According to ISO IEC, your organization’s information security program
more successful if you accept the following suggestions:
Make sure that your senior management
and is committed to your
information security program.
• Make sure that your
management has agreed to fund your
organization's information security
• Make sure that your approach to information
consistent with your organization’s corporate culture.
• Make sure that your information security policy, objectives,
reflect your organization’s business objectives.
• Make sure that your organization understands its own
security needs and requirements.
• Make sure that your organization understands why
management is central to
your program and why a risk
assessment should be performed.
• Make sure that your information security program
explained to all managers and employees and
they understand why it’s important.
• Make sure that you distribute information that
your information security policy and
standards to all
employees and other interested parties.
• Make sure that you provide appropriate
training, education, and awareness programs.
• Make sure that your organization establishes an effective
incident management process.
• Make sure that you encourage people to provide feedback
and to suggest ways of
improving the performance of your
information security program.
• Make sure that you
develop a balanced and comprehensive
way of measuring the performance of your
STRUCTURE OF ISO IEC 27002
Each section of the ISO IEC 27002 2005 standard has been
in the same basic way. Each section uses the
same four categories:
Control, Implementation guidance,
and Other information.
Each section begins
with one or more objectives. This is
by a discussion of the controls that should be used to achieve these
objectives. This control oriented discussion is immediately followed
implementation guidance that explains how the controls
implemented. In most cases each section
also ends with
other information that further explains what the section is
While our publications have preserved this general four
we have shortened the headings to save space. Our headings are
Goals are security objectives that should be achieved.
Controls explain how goals (objectives) can be achieved.
• GUIDE. Guidelines explain how
controls can be implemented.
Notes add helpful hints and explanations.