The ISO/IEC 27002 standard is part of a family of international standards (ISO 27000) for the management of information security. It includes the best industry practices to protect the availability, integrity and confidentiality of information. A risk assessment is initially necessary to identify priority controls to be implemented within a company in order to improve the information’s security level.
This standard is the indisputable benchmark in information security management. It consists of 11 sections, 39 control objectives and 133 recommended security controls. Here is a brief description of sections 5 to 15.
5. Security Policy: Implementation and review of an information security policy covering security objectives for the entire organization.
6. Organization of information security: Defining a framework for managing and approving the security policy as well as the roles and responsibilities of management.
7. Asset management: Inventory and classification of information assets in order to identify the needs and the desired level of protection of such assets. It also includes the assignment of assets to their owners.
8. Human resources security: Knowledge of the roles and responsibilities of the various stakeholders (staff, subcontractors and third parties) prior to hiring. Training and educating them on the various threats that may impact information security as well as the rules and behaviors to adopt in order to adequately protect information.
9. Physical and environmental security: Physical protection of facilities and premises containing sensitive information in order to restrict access to authorized personnel only and to minimize damage caused by disasters (e.g. flood, fire, etc.). Equipment security to minimize the risks of theft, damage as well as leaks or loss of information.
10. Communications and operations management: Assignment of responsibilities and appropriate procedures to securely manage information and any changes made to informational assets, including the provision of services by third parties, protection from malware, backups, network security, handling of media, monitoring, etc.
11. Access control: Restrict access to information (networks, operating systems, information systems, files, etc.) to authorized persons only, and only to those who require it for their work duties. Grant no more than the minimum privileges required and withdraw them when no longer needed. Management and secure use of passwords and authentication mechanisms.
12. Information systems acquisition, development and maintenance: Specifications required to ensure the security of systems throughout their life cycle. Ensuring the proper operation of systems and validating the integrity of information. Cryptographic measures to protect the confidentiality of sensitive information. Management of technical vulnerabilities that have been published.
13. Information security incident management: Formal procedures for reporting incidents and flaws related to information security. Continuous improvement process to ensure the implementation of corrective measures and monitoring.
14. Business continuity management: Protection of critical business processes against the impact of a system failure or disaster, so as to ensure prompt recovery through the implementation of business continuity plans.
15. Compliance: Compliance with legal, regulatory (e.g. PCI-DSS), security or other obligations and requirements; especially as they relate to the protection of information confidentiality, intellectual property, sensitive corporate information and privacy. Compliance with security policies and standards.
An update of the ISO/IEC 27002 standard will take place by the end of 2013. Although these are not major changes, here are the main adjustments expected. First, the ISO 27002 standard will expand from 11 to 14 sections: the controls on cryptography, communications security and supplier relations were moved out of their original sections and now form three distinct sections. The number of controls will decrease from 133 to 113; some controls will be added while others, now obsolete, will be dropped.
To obtain a copy of the ISO 27002 standard or for more information on this standard, please consult the following websites:
To learn more about the upcoming changes on the ISO 27002 standard, please consult the following website:
By Patrick Paradis, Information Security Advisor