ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.
The ISO/IEC 27000-series standards are descended from a corporate security standard donated by Shell to a UK government initiative in the early 1990s.[1] The Shell standard was developed into British Standard BS 7799 in the mid-1990s and was adopted as ISO/IEC 17799 in 2000. The ISO/IEC standard was revised in 2005 and renumbered ISO/IEC 27002 in 2007 to align with the other ISO/IEC 27000-series standards. It was revised again in 2013 and in 2022.[2] In 2015, ISO/IEC 27017 was derived from this standard to recommend additional security controls for cloud services that ISO/IEC 27002 did not fully address.
ISO/IEC 27002 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the CIA triad:
The 2022 edition of the standard starts with 4 introductory chapters:
These are followed by 4 main chapters:
The 2013 edition of the standard starts with 5 introductory chapters:
These are followed by 14 main chapters:
Within each chapter, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided.
Specific controls are not mandated since:
Most organizations implement a wide range of information security-related controls, many of which are recommended in general terms by ISO/IEC 27002. Structuring the information security controls infrastructure in accordance with ISO/IEC 27002 may be advantageous since it:
Here are a few examples of typical information security policies and other controls relating to three parts of ISO/IEC 27002. (Note: this is merely an illustration. The list of example controls is incomplete and not universally applicable.)
Year | Description
---|---
2005 | ISO/IEC 27002 (1st Edition)
2013 | ISO/IEC 27002 (2nd Edition)
2022 | ISO/IEC 27002 (3rd Edition)
ISO/IEC 27002 has directly equivalent national standards in several countries. Translation and local publication often result in a delay of several months after the main ISO/IEC standard is revised and released, but the national standards bodies go to great lengths to ensure that the translated content accurately and completely reflects ISO/IEC 27002.
Country | Equivalent standard |
---|---|
Argentina | IRAM-ISO-IEC 27002:2008 |
Australia | AS/NZS ISO/IEC 27002:2006 |
Brazil | ISO/IEC NBR 17799/2007 – 27002 |
Indonesia | SNI ISO/IEC 27002:2014 |
Chile | NCH2777 ISO/IEC 17799/2000 |
China | GB/T 22081-2008 |
Czech Republic | ČSN ISO/IEC 27002:2006 |
Croatia | HRN ISO/IEC 27002:2013 |
Denmark | DS/ISO27002:2022 (DK) |
Estonia | EVS-ISO/IEC 17799:2003, 2005 version in translation |
France | NF ISO/CEI 27002:2014 |
Germany | DIN ISO/IEC 27002:2008 |
Japan | JIS Q 27002 |
Lithuania | LST ISO/IEC 27002:2009 (adopted ISO/IEC 27002:2005, ISO/IEC 17799:2005) |
Mexico | NMX-I-27002-NYCE-2015 |
Netherlands | NEN-ISO/IEC 27002:2013 |
Peru | NTP-ISO/IEC 17799:2007 |
Poland | PN-ISO/IEC 17799:2007, based on ISO/IEC 17799:2005 |
Russia | ГОСТ Р ИСО/МЭК 27002-2012, based on ISO/IEC 27002:2005 |
Slovakia | STN ISO/IEC 27002:2006 |
South Africa | SANS 27002:2014/ISO/IEC 27002:2013 [4] |
Spain | UNE 71501 |
Sweden | SS-ISO/IEC 27002:2014 |
Turkey | TS ISO/IEC 27002 |
Thailand | UNIT/ISO |
Ukraine | ДСТУ ISO/IEC 27002:2015 |
United Kingdom | BS ISO/IEC 27002:2005 |
Uruguay | UNIT/ISO 17799:2005 |
ISO/IEC 27002 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organization according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes.
ISO/IEC 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements) is a widely recognized certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS, and in Annex A there is a suite of information security controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls in Annex A are derived from and aligned with ISO/IEC 27002.
Both ISO/IEC 27001 and ISO/IEC 27002 are revised by ISO/IEC JTC1/SC27 every few years in order to keep them current and relevant. Revision involves, for instance, incorporating references to other issued security standards (such as ISO/IEC 27000, ISO/IEC 27004 and ISO/IEC 27005) and various good security practices that have emerged in the field since they were last published. Due to the significant 'installed base' of organizations already using ISO/IEC 27002, particularly in relation to the information security controls supporting an ISMS that complies with ISO/IEC 27001, any changes have to be justified and, wherever possible, evolutionary rather than revolutionary in nature.