Assembling a security policy can be a difficult task without guidance.
The International Organization for Standardization (ISO) published a
security standard called ISO/IEC 27002. This document refers to
information technology related security issues and outlines a code of
practice for IT security management. ISO/IEC 27002 provides a guideline
for developing organizational security standards and security
- Risk assessment
- Security policy - management direction
- Organization of information security - governance of information security
- Asset management - inventory and classification of information assets
- Human resources security - security aspects for employees joining, moving and leaving an organization
- Physical and environmental security - protection of the computer facilities
- Communications and operations management - management of technical security controls in systems and networks
- Access control - restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance - building security into applications
- Information security incident management - anticipating and responding appropriately to information security breaches
- Business continuity management - protecting, maintaining and recovering business-critical processes and systems
- Compliance - ensuring conformance with information security policies, standards, laws and regulations
Within each section, information security controls and their objectives are specified and outlined. The information security controls are regarded as a best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:
- Each organization is expected to undertake a structured information security risk assessment to determine its requirements before selecting controls that are appropriate to its specific circumstances. The introduction section outlines a risk assessment process although there are more specific standards covering this area such as ISO/IEC 27005.
- Industry-specific implementation guidelines for ISO/IEC 27002 are designed to advise organizations in the telecomms, financial services, healthcare and legal industries.