ISO 27002 is an international standard and provides guidance for information security management. The standard is part of the ISO 27000 series of standards and provides general guidelines and recommendations for improved information security management in organizations. The current version of the standard is ISO/IEC 27002:2013 and consists of 14 different domains.
What is ISO 27002?
The full name and English title of ISO 27002 is ISO/IEC 27002 “Information technology – Security techniques – Code of practice for information security management.” It is an ISO/IEC standard created by ISO (International Organization for Standardization) and JTC (Joint Technical Committee), based on the British Standard BS7799, and serves as a guide for information security management.
The standard is part of the ISO 27000 series of standards that address different levels of information security management systems (ISMS). The content of the standard is divided into 14 areas. Within each area are general guidelines and recommendations for improved information security management in companies or organizations.
ISO 27002 can be seen as a kind of practice guideline for the development of organization-specific security standards. The standard refers to ISO 27001, Annex A, and takes up the security measures described there in terms of practical implementation. Certification to ISO 27002 is not possible, as it is a supplementary standard that only contains recommendations.
ISO 27002 is aimed at IT security officers and presents information security as an overall task. The guidelines and recommendations it contains are general in nature and applicable to organizations of any size. The current edition of the standard dates from 2013 and is designated ISO/IEC 27002:2013. It has since been amended by the corrigenda Cor 1:2014 and Cor 2:2015, and a German version is available as EN ISO/IEC 27002:2017.
Contents of the ISO/IEC 27002:2013 standard
The ISO/IEC 27002:2013 standard comprises a total of 80 pages and can be obtained from the ISO homepage for a fee. Its content is divided into 14 different areas. The following is a brief overview of the 14 control areas:
- Security policy
- Organization of information security
- Human resources security
- Asset management
- Access control
- Cryptography (encryption)
- Physical and environmental security
- Operations security
- Communications security
- Information systems acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity
- Compliance (adherence to requirements)
ISO 27002 and other security standards
ISO 27002 is a component of numerous other security standards. For example, BSI Standard 200-1 (general requirements for an information security management system – ISMS) takes into account the recommendations from ISO 27002 and is compatible with ISO 27001.
The development of COBIT 5 was also based on existing security management standards such as ISO 27002. The practice-oriented guide from the Information Security Forum (ISF) also covers the requirements from ISO 27002.