IT Security Standards ISO/IEC 27002

By donmc, 26 May, 2009

Assembling a security policy can be a difficult task without guidance. The International Organization for Standardization (ISO) published a security standard called ISO/IEC 27002. This document addresses information technology security issues and outlines a code of practice for IT security management. ISO/IEC 27002 provides a guideline for developing organizational security standards and security management practices.

The ISO 27002 document consists of 12 sections:
  1. Risk assessment
  2. Security policy - management direction
  3. Organization of information security - governance of information security
  4. Asset management - inventory and classification of information assets
  5. Human resources security - security aspects for employees joining, moving and leaving an organization
  6. Physical and environmental security - protection of the computer facilities
  7. Communications and operations management - management of technical security controls in systems and networks
  8. Access control - restriction of access rights to networks, systems, applications, functions and data
  9. Information systems acquisition, development and maintenance - building security into applications
  10. Information security incident management - anticipating and responding appropriately to information security breaches
  11. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  12. Compliance - ensuring conformance with information security policies, standards, laws and regulations

Within each section, information security controls and their objectives are specified and outlined. The information security controls are regarded as a best-practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated because:

  1. Each organization is expected to undertake a structured information security risk assessment to determine its requirements before selecting controls that are appropriate to its specific circumstances. The introduction section outlines a risk assessment process, although more specific standards, such as ISO/IEC 27005, cover this area.
  2. Industry-specific implementation guidelines for ISO/IEC 27002 are designed to advise organizations in the telecoms, financial services, healthcare and legal industries.