
ISO/IEC 27002, part of a growing family of ISO/IEC ISMS standards (the 'ISO/IEC 27000 series'), is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was published as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:

the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).

Outline of the Standard

After the introductory sections, the standard contains the following twelve main sections:

Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:

  1. Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introduction section outlines a risk assessment process, although there are more specific standards covering this area, such as ISO Technical Report TR 13335 GMITS Part 3 - Guidelines for the management of IT security - Security Techniques, and BS 7799 Part 3.
  2. It is practically impossible to list all conceivable controls in a general purpose standard. Industry-specific implementation guidance for ISO/IEC 27001 and 27002 is anticipated to give advice tailored to organizations in the telecoms, financial services, healthcare, lotteries and other industries.

National Equivalent Standards

ISO/IEC 27002 has directly equivalent national standards in countries such as Australia and New Zealand (AS/NZS ISO/IEC 17799:2006), the Netherlands (NEN-ISO/IEC 17799:2002 nl, 2005 version in translation), Denmark (DS484:2005), Sweden (SS 627799), Japan (JIS Q 27002), Spain (UNE 71501), the United Kingdom (BS ISO/IEC 27002:2005), Uruguay (UNIT/ISO 17799:2005), Estonia (EVS-ISO/IEC 17799:2003, 2005 version in translation) and Brazil (ISO/IEC NBR 17799/2007 - 27002). Translation and local publication often result in several months' delay after the main ISO/IEC standard is revised and released, but the national standards bodies go to great lengths to ensure that the translated content accurately and completely reflects ISO/IEC 27002.

Certification

ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) specifies a number of requirements for establishing, implementing, maintaining and improving an information security management system consistent with the best practices outlined in ISO/IEC 27002.

See also

ISO/IEC 27000-series
BS 7799
List of ISO standards
Standard of Good Practice (Information Security Forum)
© 2009 citizendia.org; parts available under the terms of GNU Free Documentation License, from http://en.wikipedia.org