ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security controls.
The ISO/IEC 27000-series standards are descended from a corporate security standard donated by Shell to a UK government initiative in the early 1990s . The Shell standard was developed into British Standard BS 7799 in the mid-1990s, and was adopted as ISO/IEC 17799 in 2000. The ISO/IEC standard was revised in 2005, and renumbered ISO/IEC 27002 in 2007 to align with the other ISO/IEC 27000-series standards. It was revised again in 2013.
ISO/IEC 27002 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:
The standard starts with 5 introductory chapters:
These are followed by 14 main chapters:
Within each chapter, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided.
Specific controls are not mandated since:
Most organizations implement a wide range of information security-related controls, many of which are recommended in general terms by ISO/IEC 27002. Structuring the information security controls infrastructure in accordance with ISO/IEC 27002 may be advantageous since it:
Here are a few examples of typical information security policies and other controls relating to three parts of ISO/IEC 27002. (Note: this is merely an illustration. The list of example controls is incomplete and not universally applicable.)
ISO/IEC 27002 has directly equivalent national standards in several countries. Translation and local publication often results in several months' delay after the main ISO/IEC standard is revised and released, but the national standard bodies go to great lengths to ensure that the translated content accurately and completely reflects ISO/IEC 27002.
|Australia||AS/NZS ISO/IEC 27002:2006|
|Brazil||ISO/IEC NBR 17799/2007 – 27002|
|Indonesia||SNI ISO/IEC 27002:2014|
|Chile||NCH2777 ISO/IEC 17799/2000|
|Czech Republic||ČSN ISO/IEC 27002:2006|
|Croatia||HRN ISO/IEC 27002:2013|
|Estonia||EVS-ISO/IEC 17799:2003, 2005 version in translation|
|Germany||DIN ISO/IEC 27002:2008|
|Japan||JIS Q 27002|
|Lithuania||LST ISO/IEC 27002:2009 (adopted ISO/IEC 27002:2005, ISO/IEC 17799:2005)|
|Poland||PN-ISO/IEC 17799:2007, based on ISO/IEC 17799:2005|
|Russia||ГОСТ Р ИСО/МЭК 27002-2012, based on ISO/IEC 27002:2005|
|Slovakia||STN ISO/IEC 27002:2006|
|South Africa||SANS 27002:2014/ISO/IEC 27002:2013|
|Turkey||TS ISO/IEC 27002|
|Ukraine||СОУ Н НБУ 65.1 СУІБ 2.0:2010|
|United Kingdom||BS ISO/IEC 27002:2005|
ISO/IEC 27002 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organization according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes.
ISO/IEC 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements) is a widely recognized certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS, and in Annex A there is a suite of information security controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls in Annex A are derived from and aligned with ISO/IEC 27002.
Both ISO/IEC 27001:2013 and ISO/IEC 27002 are revised by ISO/IEC JTC1/SC27 every few years in order to keep them current and relevant. Revision involves, for instance, incorporating references to other issued security standards (such as ISO/IEC 27000, ISO/IEC 27004 and ISO/IEC 27005) and various good security practices that have emerged in the field since they were last published. Due to the significant 'installed base' of organizations already using ISO/IEC 27002, particularly in relation to the information security controls supporting an ISMS that complies with ISO/IEC 27001, any changes have to be justified and, wherever possible, evolutionary rather than revolutionary in nature.
BS 7799 was a standard originally published by BSI Group (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and consisted of several parts.
The first part, containing the best practices for Information Security Management, was revised in 1998; after a lengthy discussion in the worldwide standards bodies, was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for information security management." in 2000. ISO/IEC 17799 was then revised in June 2005 and finally incorporated in the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.
The second part to BS 7799 was first published by BSI in 1999, known as BS 7799 Part 2, titled "Information Security Management Systems - Specification with guidance for use." BS 7799-2 focused on how to implement an information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2, which later became ISO/IEC 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance model), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.Cyber security standards
Cybersecurity standards (also styled cyber security standards) are techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes,
information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. The principal objective is to reduce the risks, including prevention or mitigation of cyber-attacks. These published materials consist of collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies.Data security
Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.Disaster recovery
Disaster recovery involves a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the IT or technology systems supporting critical business functions, as opposed to business continuity, which involves keeping all essential aspects of a business functioning despite significant disruptive events. Disaster recovery can therefore be considered as a subset of business continuity.First Investment Bank (PJSC)
Public Join-Stock Company First Investment Bank, commonly known as PJSC First Investment Bank (Ukrainian: Pershyi Investytsiynyi Bankroman) is the Ukrainian bank that offers a full range of banking services to private and corporate customers. The bank was registered on 20 June 1997 with its headquarters at 6 Moskovskiy Avenue, Kiev. There are over 30 branches in 11 regions of Ukraine.Holistic Information Security Practitioner
The Holistic Information Security Practitioner certification course is an integration course that provides practical education on the integration of best practices for Information Security Management, Information Systems Auditing, and multiple Regulatory Compliance requirements as well as how to map multiple regulatory requirements to the internationally accepted framework of ISO/IEC 27002. The class introduces ISO/IEC 27002:2013, CobiT, COSO and ITIL, and then explains a methodology to map regulations such as Data Protection Act 1998 (UK), EU Directive on Privacy, Basel II, HIPAA, U.S. Federal Financial Institutions Examination Council, GLB Act, FIPS 200, Sarbanes-Oxley, FACT Act, PCI Data Security, California SB 1386, OSFI, PIPEDA, PIPA, Canadian Bill C-168 to the ISO 27002 framework.
The Holistic Information Security Practitioner (HISP) Certification Course was originally authored by eFortresses, Inc.: an Atlanta, Georgia-based Cyber Security & Governance, Risk management and Compliance solutions company, specializing in Information Security and Regulatory Compliance. The training aspect of the HISP Certification Course was delivered by eFortresses and a number of authorized training partners including BSI Management Systems, currently the training and certification aspect is managed exclusively by the Holistic Information Security Practitioner Institute, an independently run organization.
The Holistic Information Security Practitioner Institute is also the oversight body of the Cloud Assurance Assessor Program (CAAP).
The CAAP provides assurance of the qualifications for those purporting to have the necessary skills as independent Cloud Assessors.ISO/IEC 27000
ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security Management Systems (ISMS) standards, the 'ISO/IEC 27000 series'. ISO/IEC 27000 is an international standard entitled: Information technology — Security techniques — Information security management systems — Overview and vocabulary.
The standard was developed by subcommittee 27 (SC27) of the first Joint Technical Committee (JTC1) of the International Organization for Standardization and the International Electrotechnical Commission.ISO/IEC 27000 provides:
An overview of and introduction to the entire ISO/IEC 27000 family of Information Security Management Systems (ISMS) standards.
A glossary or vocabulary of fundamental terms and definitions used throughout the ISO/IEC 27000 family.ISO/IEC 27000 is available via the ITTF website. (free download)ISO/IEC 27000-series
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27K' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).The series provides best practice recommendations on information security management - the management of information risks through information security controls - within the context of an overall Information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series), environmental protection (the ISO 14000 series) and other management systems.The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT/technical/cybersecurity issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information risks, then treat them (typically using information security controls) according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information risk and security, the ISMS concept incorporates continuous feedback and improvement activities to respond to changes in the threats, vulnerabilities or impacts of incidents.
The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Subcommittee 27), an international body that meets in person twice a year.
The ISO/IEC standards are sold directly by ISO, mostly in English, French and Chinese. Sales outlets associated with various national standards bodies also sell directly translated versions in other languages.ISO/IEC 27552
ISO/IEC 27552 is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The draft standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.While the standard is currently still in draft, ISO/IEC 27552 is intended to be a certifiable extension to ISO/IEC 27001 certifications. In other words, organizations planning to seek an ISO/IEC 27552 certification will also need to an ISO/IEC 27001 certification.ISO/IEC JTC 1/SC 27
ISO/IEC JTC 1/SC 27 IT Security techniques is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 27 develops International Standards, Technical Reports, and Technical Specifications within the field of information and IT security. Standardization activity by this subcommittee includes general methods, management system requirements, techniques and guidelines to address both information security and privacy. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions. Publication as an ISO/IEC International Standard requires approval by a minimum of 75% of the national bodies casting a vote. The international secretariat of ISO/IEC JTC 1/SC 27 is the Deutsches Institut für Normung (DIN) located in Germany.ISO/TC 215
The ISO/TC 215 is the International Organization for Standardization's (ISO) Technical Committee (TC) on health informatics. TC 215 works on the standardization of Health Information and Communications Technology (ICT), to allow for compatibility and interoperability between independent systems.Information Security Forum
The Information Security Forum (ISF) is an independent information security body.Information assurance
Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical, and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital, but also analog or physical form. These protections apply to data in transit, both physical and electronic forms, as well as data at rest in various types of physical and electronic storage facilities.
Information assurance as a field has grown from the practice of information security.Information security management
Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. By extension, ISM includes information risk management, a process which involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This of course requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.Information security standards
The term "standard" is sometimes used within the context of information security policies to distinguish between written policies, standards and procedures. Organizations should maintain all three levels of documentation to help secure their environment. Information security policies are high-level statements or rules about protecting people or systems. (For example, a policy would state that "Company X will maintain secure passwords") A "standard" is a low-level prescription for the various ways the company will enforce the given policy. (For example, "Passwords will be at least 8 characters, and require at least one number.") A "procedure" can describe a step-by-step method to implementing various standards. (For example, "Company X will enable password length controls on all production Windows systems.")
This use of the term "standard" differs from use of the term as it relates to information security and privacy frameworks, such as ISO/IEC 27002 or COBIT.List of International Organization for Standardization standards, 26000-27999
This is a list of published International Organization for Standardization (ISO) standards and other deliverables. For a complete and up-to-date list of all the ISO standards, see the ISO catalogue.The standards are protected by copyright and most of them must be purchased. However, about 300 of the standards produced by ISO and IEC's Joint Technical Committee 1 (JTC1) have been made freely and publicly available.MEHARI
MEHARI (MEthod for Harmonized Analysis of RIsk) is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.
MEHARI enables business managers, information security/risk management professionals and other stakeholders to evaluate and manage the organization's risks relating to information, information systems and information processes (not just IT). It is designed to align with and support information security risk management according to ISO/IEC 27005, particularly in the context of an ISO/IEC 27001-compliant Information Security Management System (ISMS) or a similar overarching security management or governance framework.Master of Science in Information Assurance
A Master of Science in Information Assurance (abbreviated MSIA) is a type of postgraduate academic master's degree awarded by universities in many countries. This degree is typically studied for in information assurance.Standard of Good Practice for Information Security
The Standard of Good Practice for Information Security, published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.
The most recent edition is 2018, an update of the 2016 edition.
Upon release, the 2011 Standard was the most significant update of the standard for four years. It covers information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing.
The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27000-series standards, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance.
In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, to enable compliance with these standards too.
The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, IT service providers in organizations of all sizes.
The 2018 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF.
ISO standards by standard number