ISO/IEC 27002, in its 2005 edition (ISO/IEC
27002:2005), establishes guidelines and general principles for initiating,
implementing, maintaining, and improving information security management in an
organization. The objectives it outlines provide general guidance on the commonly
accepted goals of information security management. ISO/IEC 27002:2005 contains
best-practice control objectives and controls in the following eleven areas of
information security management:
· security policy;
· organization of information security;
· asset management;
· human resources security;
· physical and environmental security;
· communications and operations management;
· access control;
· information systems acquisition, development and maintenance;
· information security incident management;
· business continuity management;
· compliance.
The control objectives and controls in ISO/IEC
27002:2005 are intended to be implemented to meet the requirements identified
by a risk assessment. ISO/IEC 27002:2005 is intended as a common basis and
practical guideline for developing organizational security standards and
effective security management practices, and to help build confidence in
inter-organizational activities.
In 2013 the standard was revised and reissued as ISO/IEC
27002:2013, which gives guidelines for organizational information security standards
and information security management practices, including the selection,
implementation and management of controls, taking into consideration the
organization's information security risk environment(s).
It is designed to be used by organizations that
intend to:
1. select controls within the process of implementing
an Information Security Management System based on ISO/IEC 27001;
2. implement commonly accepted information security
controls;
3. develop their own information security management
guidelines.