ISO 27002 (ISO 17799)
ISO 27002 is the new name for the standard that used to be named ISO 17799.
Code of practice for information security management
ISO 27002, previously called ISO17799, also BS7799 is a widely accepted standard for information security
management. It is a great tool for the fundamentals of security management
and also helps in promoting information security to top management.
When ISO adopted the British standard BS7799 it became ISO17799. The
latest version of ISO17799 was released 2005. In 2008 the name was changed to ISO27002 to be part of the ISO27000 series. Nothing else was changed at this point.
The standard has 16 sections (0 - 15) as outlined below
Section 0 - Introduction
Section 1 - Scope
Section 2 - Terms and Definitions
Section 3 - Structure of the Standard
Section 4 - Risk Assessment and Treatment
Section 4.2 shows on the possible options for risk treatment, including:
The objective of a policy is identified as a management guidance with clarity.
Section 5.1 Information security policy covers the policy document, and policy review.
Section 6 - Organizing Information Security
Section 6.1 covers internal organization while section 6.2 dicusses external parties.
Section 7 - Asset Management
Seciton 7.1 discusses responsibility for assets. Section 7.2 is about information classification.
Section 8 -Human Resources Security
Section 8.1 is about th3e time before employment while section 8.2 is about the employment period and section 8.3 is about termination or change of employment.
Section 9 - Physical and Environmental Security
Section 9.1 is about secure areas and section 9.2 is about equipment security.
Section 10 - Communications and Operations Management
Section 10.1 is about operational procedures and responsibilities while section 10.2 is about external parties delivering services (outsourcing) and section 10.3 is about system planning and acceptance. Section 10.4 is about malicious and mobile code and section 10.5 is about backups and section 10.6 is about network security management. Section 10.7 covers media handling and section 10.8 covers exchanges of information. Section 10.9 is about e-commerce while section 10.10 is about monitoring things.
Section 11 - Access Control
Section 11.1 is about business requirements while section 11.2 is about user controls and section 11.3 is about user responsibilities. Section 11.4 drills down into network access control, section 11.5 examines operating system access controls, section 11.6 is about applicaiton level controls, and section 11.7 is focussed on mobile computing.
Section 12 - Information Systems Acquisition, Development and Maintenance
Section 12.1 focuses on security requirements while Section 12.2 focuses on correct processing. Section 12.3 is about cryptographic controls while section 12.4 is about control of system files. Section 12.5 focuses on the development and support processes, section 12.6 centers around vulnerability management.
Section 13 - Information Security Incident Management
Section 13.1 is about reporting security events and weaknesses. Section 13.2 is about managing incidents and improvements.
Section 14 - Business Continuity Management
Section 14.1 covers information security aspects of business continuity management.
Section 15 - Compliance
Section 15.1 is about compliance with legal requirements while section 15.2 is about compliance with policies, standards, and technical specifications. Section 15.3 is about audit considerations.
ISO 27002 is published by ISO. The
standard is not free, it has to be purchased. The ISO 27002 standard can
be downloaded as part of the ISO-17799
Toolkit stand alone from the ISO17799
Shop, or from ISO.
SANS have published an Audit Check List for ISO 17799:2005. It is available as an MS Word file here.
The ISO-17799 forum page contains much useful information about the standard.