Services & Solutions

ISO 27002 Certification

ISO/IEC 27002 

About ISO/IEC 27002

The ISO/IEC 27002 standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Some refer to it by the old title, ISO/IEC 17799:2005; in 2007 this was renumbered to ISO/IEC 27002:2005 for alignment with the 27000-series standards. ISO/IEC 27002 includes 11 areas outlined below. Each of these specifies controls and objectives for "initiating, implementing, maintaining, and improving information security management in an organization." ISO/IEC considers 27002 to be a general purpose security standard, so 27002 presents best practices instead of specifying granular controls. Other ISO/IEC standards provide specific control implementation guidelines.

Why ISO/IEC 27002 Matters to Your Organization

ISO/IEC 27002 is important because it provides organizations with an international framework that auditors rely on for verification of compliance with security mandates. Typically, public mandates focus on setting policy and leave implementation details to standards set by accredited organizations. For example, a huge driver for IT security in public corporations is the U.S. Sarbanes-Oxley Act of 2002. The Act requires improving and safeguarding the reliability and transparency of accounting statements and regulatory filings, but its key Section 404 contains less than 75 words about internal controls and procedures. Section 404 does not even mention information technology or IT security! ISO/IEC 27002 helps fill in the blanks by specifying a comprehensive framework of best practices for compliance.

Considerations for Using ISO/IEC 27002

Implementation of ISO/IEC 27002 entails understanding and using its key concepts, principles and controls. These begin with the 11 sections of best practices outlined below, which address an organization's requirements exposed by a formal Risk Assessment. Each section presents information in four categories: Objective (or objectives), Control (or controls) that help meet the objective, Implementation Guidance, and Other Information. According to ISO/IEC, the standard "is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities."

Toward this end, many countries have their own equivalent national standard comparable to ISO/IEC 27002. These are summarized in the table below, from Wikipedia.

ISO/IEC 27002 Requirements
5. Security Policy

5.1 Information Security Policy (5.1.1-2)


6. Organization of Information Security

6.1 Internal Organization (6.1.1-2, 6.1.4-5, 6.1.8)

6.2 External Parties (6.2.1-3)


7. Asset Management

7.1 Responsibility for Assets (7.1.1-2)

7.2 Information Classification (7.2.1-2)


8. Human Resources Security

8.1 Prior to Employment (8.1.1)

8.3 Termination or Change of Employment (8.3.3)


9. Physical and Environmental Security

9.2 Equipment Security (9.2.4)


10. Communications and Operations Management

10.1 Operational Procedures and Responsibilities (10.1.2-4)

10.3 System Planning and Acceptance (10.3.1)

10.4 Protection Against Malicious and Mobile Code (10.4.1-2)

10.5 Backup-Up (10.5.1)

10.6 Network Security Management (10.6.1-2)

10.7 Media Handling (10.7.1-4)

10.8 Exchange of Information (10.8.1-4)

10.9 Electronic Commerce Services (10.9.1)

10.10 Monitoring (10.10.1-6)

11. Access Control

11.1 Business Requirements for Access Control (11.1.1)

11.2 User Access Management (11.2.1-4)

11.3 User Responsibilities (11.3.1)

11.4 Network Access Control (11.4.1-7)

11.5 Operating System Access Control (11.5.1-6)

11.6 Application and Information Access Control (11.6.1-2)


12. Information Systems Acquisition, Development and Maintenance

12.1 Security Requirements of Information Systems (12.1.1)

12.2 Correct Processing In Applications (12.2.1, 12.2.3-4)

12.3 Cryptographic Controls (12.3.1-2)

12.4 Security of System Files (12.4.1-3)

12.5 Security in Development and Support Processes (12.5.1-3)

12.6 Technical Vulnerability Management (12.6.1)


13. Information Security Incident Management

13.1 Reporting Information Security Events and Weaknesses (13.1.1-2)

13.2 Management of Information Security Incidents and Improvements (13.2.3)


14. Business Continuity Management

14.1 Information Security Aspects of Business Continuity Management (14.1.1-2)


15. Compliance

15.1 Compliance with Legal Requirements (15.1.2-3, 15.1.5-6)

15.2 Compliance with Security Policies and Standards, and Technical Compliance (15.2.1-2)

15.3 Information Systems Audit Considerations (15.3.1-2)