ISO IEC 27002 can be used in at least three ways: you can use it to select controls in order to implement an ISO IEC 27001 information security management system (ISMS), you can use it to select generally accepted controls without implementing an ISO IEC 27001 ISMS, and you can use it to develop information security guidelines or standards for your own organization or for an entire industrial sector. So, you can use ISO IEC 27002 without ISO IEC 27001 if you wish to do so.

But if you have chosen to use ISO IEC 27001, you need to pay close attention to section 6.1.3. It expects you to use ISO IEC 27002, and any other sources, to prepare a detailed Statement of Applicability. (A Statement of Applicability is a document that lists security controls.)

If you've chosen to use the ISO IEC 27001 standard, your task is to use ISO IEC 27002 to select all the information security controls that you need in order to implement the risk treatment options that you have chosen and the risk treatment plan that you have developed using ISO IEC 27001. If you've chosen this option, you also need to justify all of your control decisions, both inclusions and exclusions.

However, before you can select security controls, you need to assess your organization's security risks and identify its security requirements.

In order to do so, you need to identify your information security threats and vulnerabilities, estimate how likely it is that each threat or vulnerability will cause a security incident, and evaluate the impact each incident could have.

In addition, you need to study your legal requirements. You need to identify and study all relevant statutory, regulatory, and contractual requirements that your organization, its trading partners, and service providers must comply with.

And finally, you need to consider your own information security needs. You need to examine your organization's unique information management principles, objectives, and requirements, and you need to study the information processing methods that your organization uses.

Once you've done all of this, you're ready to select information security controls that address your organization's unique information security risks and meet its particular information security requirements. According to ISO IEC 27002, you can select your controls from the ISO IEC 27002 standard or any other suitable source, or you can develop your own controls.

A comprehensive list of information security controls can be found in ISO IEC 27002 sections 5 to 18. For each control, you'll also find a wide range of implementation guidelines and supporting explanations.