ISO/IEC 27002 explained

ISO/IEC 27002
Domain:Information security management
Status:Published
Organization:International Organization for Standardization
Series:ISO/IEC 27000 family
Version:3
Version Date:Mar 2022
Committee:ISO/IEC JTC 1/SC 27

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

The ISO/IEC 27000 family of standards are descended from a corporate security standard donated by Shell to a UK government initiative in the early 1990s.[1] The Shell standard was developed into British Standard BS 7799 in the mid-1990s, and was adopted as ISO/IEC 17799 in 2000. The ISO/IEC standard was revised in 2005, and renumbered ISO/IEC 27002 in 2007 to align with the other ISO/IEC 27000-series standards. It was revised again in 2013 and in 2022.[2] Later in 2015 the ISO/IEC 27017 was created from that standard in order to suggest additional security controls for the cloud which were not completely defined in ISO/IEC 27002.

ISO/IEC 27002 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the CIA triad:

the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).[3]

Outline

Outline for ISO/IEC 27002:2022

The standard starts with 4 introductory chapters:

  1. Scope
  2. Normative Reference
  3. Terms, definitions, and abbreviated terms
  4. Structure of this document

These are followed by 4 main chapters:

  1. Organizational controls
  2. People controls
  3. Physical controls
  4. Technological controls

Outline for ISO/IEC 27002:2013

The standard starts with 5 introductory chapters:

  1. Introduction
  2. Scope
  3. Normative references
  4. Terms and definitions
  5. Structure of this standard

These are followed by 14 main chapters:

  1. Information Security Policies
  2. Organization of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and environmental security
  8. Operation Security- procedures and responsibilities, Protection from malware, Backup, Logging and monitoring, Control of operational software, Technical vulnerability management and Information systems audit coordination
  9. Communication security - Network security management and Information transfer
  10. System acquisition, development and maintenance - Security requirements of information systems, Security in development and support processes and Test data
  11. Supplier relationships - Information security in supplier relationships and Supplier service delivery management
  12. Information security incident management - Management of information security incidents and improvements
  13. Information security aspects of business continuity management - Information security continuity and Redundancies
  14. Compliance - Compliance with legal and contractual requirements and Information security reviews

Controls

Within each chapter, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided.

Specific controls are not mandated since:

  1. Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introduction section outlines a risk assessment process although there are more specific standards covering this area such as ISO/IEC 27005. The use of information security risk analysis to drive the selection and implementation of information security controls is an important feature of the ISO/IEC 27000-series standards: it means that the generic good practice advice in this standard gets tailored to the specific context of each user organization, rather than being applied by rote. Not all of the 39 control objectives are necessarily relevant to every organization for instance, hence entire categories of control may not be deemed necessary. The standards are also open ended in the sense that the information security controls are 'suggested', leaving the door open for users to adopt alternative controls if they wish, just so long as the key control objectives relating to the mitigation of information security risks, are satisfied. This helps keep the standard relevant despite the evolving nature of information security threats, vulnerabilities and impacts, and trends in the use of certain information security controls.
  2. It is practically impossible to list all conceivable controls in a general purpose standard. Industry-specific implementation guidelines for and ISO/IEC 27002 offer advice tailored to organizations in the telecomms industry (see ISO/IEC 27011) and healthcare (see ISO 27799).

Most organizations implement a wide range of information security-related controls, many of which are recommended in general terms by ISO/IEC 27002. Structuring the information security controls infrastructure in accordance with ISO/IEC 27002 may be advantageous since it:

Implementation example of ISO/IEC 27002

Here are a few examples of typical information security policies and other controls relating to three parts of ISO/IEC 27002. (Note: this is merely an illustration. The list of example controls is incomplete and not universally applicable.)

Physical and Environmental security

Human Resource security

Access control

History

YearDescription
2005 ISO/IEC 27002 (1st Edition)
2013 ISO/IEC 27002 (2nd Edition)
2022 ISO/IEC 27002 (3rd Edition)

National equivalent standards

ISO/IEC 27002 has directly equivalent national standards in several countries. Translation and local publication often results in several months' delay after the main ISO/IEC standard is revised and released, but the national standard bodies go to great lengths to ensure that the translated content accurately and completely reflects ISO/IEC 27002.

CountriesEquivalent Standard
ArgentinaIRAM-ISO-IEC 27002:2008
Australia New ZealandAS/NZS ISO/IEC 27002:2006
BrazilISO/IEC NBR 17799/2007 – 27002
IndonesiaSNI ISO/IEC 27002:2014
ChileNCH2777 ISO/IEC 17799/2000
ChinaGB/T 22081-2008
Czech RepublicČSN ISO/IEC 27002:2006
CroatiaHRN ISO/IEC 27002:2013
DenmarkDS/ISO27002:2022 (DK)
EstoniaEVS-ISO/IEC 17799:2003, 2005 version in translation
FranceNF ISO/CEI 27002:2014
GermanyDIN ISO/IEC 27002:2008
JapanJIS Q 27002
LithuaniaLST ISO/IEC 27002:2009 (adopted ISO/IEC 27002:2005, ISO/IEC 17799:2005)
MexicoNMX-I-27002-NYCE-2015
NetherlandsNEN-ISO/IEC 27002:2013
PeruNTP-ISO/IEC 17799:2007
PolandPN-ISO/IEC 17799:2007, based on ISO/IEC 17799:2005
ГОСТ Р ИСО/МЭК 27002-2012, based on ISO/IEC 27002:2005
SlovakiaSTN ISO/IEC 27002:2006
South AfricaSANS 27002:2014/ISO/IEC 27002:2013[4]
SpainUNE 71501
SwedenSS-ISO/IEC 27002:2014
TurkeyTS ISO/IEC 27002
ThailandUNIT/ISO
UkraineДСТУ ISO/IEC 27002:2015
United KingdomBS ISO/IEC 27002:2005
UruguayUNIT/ISO 17799:2005

Certification

ISO/IEC 27002 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organization according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes.

(Information technology – Security techniques – Information security management systems – Requirements) is a widely recognized certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS, and in Annex A there is a suite of information security controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls in Annex A are derived from and aligned with ISO/IEC 27002.

Ongoing development

Both ISO/IEC 27001 and ISO/IEC 27002 are revised by ISO/IEC JTC1/SC27 every few years in order to keep them current and relevant. Revision involves, for instance, incorporating references to other issued security standards (such as ISO/IEC 27000, ISO/IEC 27004 and ISO/IEC 27005) and various good security practices that have emerged in the field since they were last published. Due to the significant 'installed base' of organizations already using ISO/IEC 27002, particularly in relation to the information security controls supporting an ISMS that complies with ISO/IEC 27001, any changes have to be justified and, wherever possible, evolutionary rather than revolutionary in nature.

See also

External links

Notes and References

  1. Web site: ISO27k timeline. ISO27001security.com. IsecT Ltd.. 9 March 2016. timeline.
  2. Web site: An important information security standard has been revised . www.bsigroup.com . BSI Group . 13 December 2022.
  3. Book: ISC CISSP Official Study Guide. 15 September 2015. 978-1119042716. SYBEX.. 1 November 2016. timeline.
  4. Web site: SANS 27002:2014 (Ed. 2.00). SABS Web Store. 25 May 2015.