| Menu | |
|
: Home |
|
| Search | |
|
|
ISO 27002 (ISO 17799)
ISO 27002 is the new name for the standard that used to be named ISO 17799.
Code of practice for information security management
Auditing for ISO 27002 compliance
ISO 27002 Overview
ISO 27002, previously called ISO17799, also BS7799 is a widely accepted standard for information security
management. It is a great tool for the fundamentals of security management
and also helps in promoting information security to top management.
When ISO adopted the British standard BS7799 it became ISO17799. The
latest version of ISO17799 was released 2005. In 2008 the name was changed to ISO27002 to be part of the ISO27000 series. Nothing else was changed at this point.
The standard has 16 sections (0 - 15) as outlined below
Section 0 - Introduction
The introduction discuses what information security is, why it is important,
and outlines how to work with information security, and how ISO27002 is
a good starting point.
Section 1 - Scope
Says that the standard establishes general guidelines for implementing
and working with information security, and that risk assessments are required
to make good use of the standard.
Section 2 - Terms and Definitions
Defines terminology used in the standard. The following terms are defined:
asset, control, guideline, information processing facilities, information
security, information security event, information security incident, policy,
risk, risk analysis, risk assessment, risk evaluation, risk management,
risk treatment, third party, threat, and vulnerability.
Section 3 - Structure of the Standard
Describes the structure of the standard. Identifies the eleven security
control clauses:
Section 5 to 15 below.
Section 4 - Risk Assessment and Treatment
Section 4.1 describes how risk assessment needs to be performed periodically,
and is the basis for implementing security controls.
Section 4.2 shows on the possible options for risk treatment, including:
- applying appropriate controls to reduce the risks;
- knowingly and objectively accepting risks, providing they clearly satisfy
the organization's policy and criteria for risk acceptance;
- avoiding risks by not allowing actions that would cause the risks to
occur;
- transferring the associated risks to other parties, e.g. insurers or
suppliers.
Further, it is pointed out that there is no single solution that will
fit all. Organisations have to find controls that are appropriate for
them.
The objective of a policy is identified as a management guidance with clarity.
Section 5.1 Information security policy covers the policy document, and policy review.
Section 6 - Organizing Information Security
Section 6.1 covers internal organization while section 6.2 dicusses external parties.
Section 7 - Asset Management
Seciton 7.1 discusses responsibility for assets. Section 7.2 is about information classification.
Section 8 -Human Resources Security
Section 8.1 is about th3e time before employment while section 8.2 is about the employment period and section 8.3 is about termination or change of employment.
Section 9 - Physical and Environmental Security
Section 9.1 is about secure areas and section 9.2 is about equipment security.
Section 10 - Communications and Operations Management
Section 10.1 is about operational procedures and responsibilities while section 10.2 is about external parties delivering services (outsourcing) and section 10.3 is about system planning and acceptance. Section 10.4 is about malicious and mobile code and section 10.5 is about backups and section 10.6 is about network security management. Section 10.7 covers media handling and section 10.8 covers exchanges of information. Section 10.9 is about e-commerce while section 10.10 is about monitoring things.
Section 11 - Access Control
Section 11.1 is about business requirements while section 11.2 is about user controls and section 11.3 is about user responsibilities. Section 11.4 drills down into network access control, section 11.5 examines operating system access controls, section 11.6 is about applicaiton level controls, and section 11.7 is focussed on mobile computing.
Section 12 - Information Systems Acquisition, Development and Maintenance
Section 12.1 focuses on security requirements while Section 12.2 focuses on correct processing. Section 12.3 is about cryptographic controls while section 12.4 is about control of system files. Section 12.5 focuses on the development and support processes, section 12.6 centers around vulnerability management.
Section 13 - Information Security Incident Management
Section 13.1 is about reporting security events and weaknesses. Section 13.2 is about managing incidents and improvements.
Section 14 - Business Continuity Management
Section 14.1 covers information security aspects of business continuity management.
Section 15 - Compliance
Section 15.1 is about compliance with legal requirements while section 15.2 is about compliance with policies, standards, and technical specifications. Section 15.3 is about audit considerations.
Obtaining ISO 27002
ISO 27002 is published by ISO. The
standard is not free, it has to be purchased. The ISO 27002 standard can
be downloaded as part of the ISO-17799
Toolkit stand alone from the ISO17799
Shop, or from ISO.
Auditing for ISO 27002 compliance
SANS have published an Audit Check List for ISO 17799:2005. It is available as an MS Word file here.
Certification
Certification for organisations is currently available against ISO 27001 and is granted through an Accredited Certification Body. As a worldwide standard, the number of certified entities is increasing, with representation across the world.ISO 17799 Links
The ISO-17799 forum page contains much useful information about the standard.
| Copyright 2006-2008. All Rights Reserved. | Something missing on this page? Let us know |