The organization should be in a position to understand what information assets it holds, and to
manage their security appropriately.
All [information] assets should be accounted for and have a nominated owner. An inventory of
information assets (IT hardware, software, data, system documentation, storage media,
supporting assets such as computer room air conditioners and UPSs, and ICT services) should be
maintained. The inventory should record ownership and location of the assets, and owners
should identify acceptable uses.
Information should be classified according to its need for security protection and labeled
accordingly. [While this is clearly most relevant to military and government organizations
handling ‘protectively marked information’ (Top Secret etc.), the concept of identifying
important assets, classifying/grouping them, and applying controls that are judged suitable for
assets of that nature, is broadly applicable.]
Introduction
ISO/IEC 27002 has evolved through several changes. Working backwards from
The ’27002 editors are busy consolidating a large number (256 pages!) of
text, and hence do not propose to issue another working draft until
WD is anticipated to have a simpler and more accurate scope, reflecting the actu
ISO/IEC 27001 which specifies the management system. It may
management” or even simpler “Information security controls” but this will be di
Get involved
Please contact your national standards body (e.g. BSI, NIST) or ISO/IEC directl
your assistance with the standards development process and ISO/IEC JTC 1/SC
chance to get involved and influence the future direction of this well-respected i
released.
In June 2005, the 2000 version was significantly updated with new sections con
management and many other revisions sprinkled liberally throughout.
‘implementation guidance’ under each control.
Following a BSI review process, the standard was revised and reissued in 1999.
The previous British Standard 7799 was joined by a new part 2 (that later becam
certification standard, so the original standard was renamed “Part 1” in 1998.
The British Standards Institute BSI (now known as BSI British Standards, part o
Standard 7799.
Pending its release as an official British Standard, the guts of BS 7799 were, in
Department of Trade and Industry as a free informational item called BSI-DISC
Delivering Information Solutions to Customers - Public Document 003).
National Computing Centre (NCC) and a nascent community of information sec
evolved into the ISMS International User Group, a loose association of ISMS us
developing PD003 and hence BS 7799. BSI-DISC released some nifty free acco
(PD005) had a neat one-page flowchart summarising the implementation proces
the current-day ISO27k materials. The DTI later became BERR, the Departmen
Regulatory Reform, and still supports the ISO27k standards today.
Using Shell’s donor document, the UK Department of Trade and Industry’s Com
developed this information security guide for their members. The CCSC also w
assistance from the UK Government's Communications Electronics Security Gr
ITSEC (IT Security Evaluation and Certification) scheme for certification of se
BS 7799 and hence ISO27k owes its existence to this internal document generou
Shell. The original emphasis on mainframe security concepts and lack of explic
origin in the previous decade or so.
The standard is explicitly concerned with information security, meaning the sec
IT/systems security per se. The IT Department is merely the custodian of a goo
information assets and is commonly charged with securing them by the informa
managers who are accountable for the assets. However a large proportion of wr
the knowledge and experience of non-IT workers) is nothing to do with IT.
39 control objectives
After the introduction, scope, terminology and structure sections, the remaind
control objectives to protect information assets against threats to their confiden
control objectives in effect comprise a generic functional requirement
information security management controls architecture.
There is one control objective for each second level heading in sections 6 thro
the first level headings in the main sections with no second levels(
Few people would quarrel with most of the control objectives, or, to put that an
that the organization should not conform with the stated objectives in general
every case and the generic wording of the standard is unlikely to reflect each org
In our experience, the control objectives make an excellent starting point to def
high level principles for information security policies with only slight re-wordin
Whereas ISO/IEC 27001 Annex A refers to 139 “controls”, they are in fact ju
which propose multiple security controls. ISO/IEC 27002 suggests literally
security control measures that organizations should consider to satisfy the sta
often quoted is highly misleading.
Like ISO/IEC 27001, ’27002 does not mandate specific controls but leaves
controls that suit them, using a risk-assessment process to identify the most
requirements. They are also free to select controls not listed in the standard, ju
satisfied. We treat the ISO/IEC standard as a generic controls checklist -
select their own set or a la carte meals.
Not mandating specific controls is a master stroke that makes the standard bro
and security risks change, and gives users tremendous flexibility in the implem
difficult for the certification bodies to assess whether an organization is fully c
are no formal compliance certificates against ISO/IEC 27002 itself.
security governance/management processes, meaning the Information Secu
certified against ISO/IEC 27001 which describes the process for assessing
managing specific security controls from ISO/IEC 27002 or indeed other source
Section 0: Introduction
Section 1: Scope
This page simply explains that the guts of the standard contain contro
implementation guidance.
ISO/IEC 27002 covers the topic of risk management in just a page and a half, w
complex and central element of information security. [When ISO/IEC 2700
ISO/IEC 27005 here although it has been suggested that the risk management
’27002 and moved to ’27001. In keeping with the style of ’27002, ’27005 g
using appropriate methods to analyze information security risk - it does
‘appropriate’ depends on context.]
Management should define a policy to clarify their direction of, and support for
high-level information security policy statement laying down the key informat
the entire organization. This is normally supported by a comprehensive suite
security policies, typically in the form of an information security policy manual
by a set of information security standards, procedures and guidelines.
Although the standards are somewhat ambiguous on this point, the information
is generally understood to be separate and different from the ISMS policy re
policy is seen by some as a strategy or governance paper laying out managemen
fact it may be as short as a statement by the CEO.
The organization should manage system access rights etc. for ‘joiners, mov
suitable security awareness, training and educational activities.
Security aspects of a person’s exit from the organization (e.g. the return of
rights) or change of responsibilities should be managed.
This section describes the need for concentric layers of physical controls
unauthorized access.
This lengthy, detailed section of the standard describes security controls for syst
Security requirements should be taken into account in third party service del
outsourcing), from contractual terms to ongoing monitoring and change mana
clauses in the contract with your ISP?
10.5 Back-up
10.10 Monitoring
Operating system access control facilities and utilities (such as user authentica
passwords, recording use of privileges and system security alarms) should be u
should be controlled and inactivity timeouts should be applied.
There should be formal policies covering the secure use of portable PCs, PDAs
(“working from home”, “road warriors” and other forms of mobile or remote wo
Data entry, processing and output validation controls and message authentica
associated integrity risks.
Access to system files (both executable programs and source code) and test data
The organization must comply with applicable legislation such as copyright, dat
and other vital records, cryptography restrictions, rules of evidence
15.2 Compliance with security policies and standards, and technical compl
Managers and system owners must ensure compliance with security policies and
platform security reviews, penetration tests etc. undertaken by competent testers