ISO/IEC 27000-family

IsecT consultants have grown up with ISO/IEC 27002. The original Code of Practice for Information Security Management started as a structured collection of good practice advice and “key controls”, based largely on an internal security policy manual used by the Royal Dutch/Shell Group. We have tracked and (in small measure) contributed to the development of the standard through the British and New Zealand standards bodies, starting from before it was first published as British Standard BS 7799 in 1995.

The twelve main sections of ISO/IEC 27002 [numbered 4-15] are as follows:

Section 4: Risk assessment and treatment

ISO/IEC 27002’s coverage in this area is a short 1½-page section just before the main body of the standard. Although better than previous versions, the coverage remains woefully inadequate for such a complex and important subject, since decisions on information security risks drive the selection of appropriate controls. We are hoping for great things from ISO/IEC 27003, the ISO27k risk management standard currently under development.

Section 5: Security policy

Management should define a policy to clarify their direction of, and support for, information security.

Section 6: Organization of information security

A suitable information security governance structure should be designed and implemented.

Section 7: Asset management

The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.

Section 8: Human resources security

The organization should manage system access rights etc. for ‘joiners, movers and leavers’, and should undertake suitable security awareness, training and educational activities.

Section 9: Physical and environmental security

Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.

Section 10: Communications and operations management

This lengthy section describes security controls relating to systems and network management operations.

Section 11: Access control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use.

Section 12: Information systems acquisition, development and maintenance

Information security must be taken into account in the processes for specifying, building/acquiring, testing and implementing IT systems.

Section 13: Information security incident management

Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

Section 14: Business continuity management

This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 15: Compliance

The organization must comply with its legal and regulatory obligations as well as with its own internal security policies.


For more information on implementing the standards, visit ISO27001security.com or, if you are already using them, join the ISO27k implementers’ discussion group (ISO 27001 security on Google Groups) to share your experience with peers.


Contact IsecT for assistance with the planning and delivery of an ISO/IEC 27002-compliant Information Security Management System that is certifiable against ISO/IEC 27001. Applying our accumulated experience, our consultants will show you the most direct route to best practice, helping you to:

  • Undertake an independent audit of your current situation (“gap analysis”) to identify the key things your organization must do to be certified against ISO/IEC 27001;
  • Prepare a pragmatic project plan and help persuade management to fund and support it;
  • Write and implement formal information security policies, standards and procedures (a comprehensive information security policy manual based on ISO/IEC 27002 is available to purchase today);
  • Initiate an information security awareness program to accompany the formal documentation, create a security culture and leverage the investment in technical, procedural, physical and legal controls;
  • Prepare for and facilitate third-party assessment by an accredited ISO/IEC 27001 certification body (the certification body and implementation consultants must not be related: we do not do certification);
  • Optimise the business value obtained from the ISO27k standards.

There are clear parallels with ISO 9000 in the way ISO27k is developing: the quality assurance standard was created by an enthusiastic team of early adopters, became BS 5750, was taken up by governments, became an ISO standard, was specified as a requirement for government suppliers, and then spread almost universally over the next few years to the point that it is now a fundamental business requirement in many industries. Having started life as BS 7799, ISO27k is essentially heading the same way. Click here for more thoughts on the relationship between quality assurance, governance and ISO27k, and visit our information site on the ISO27k information security management standards.

Finally, if you are still not convinced about the value of implementing ISO27k, think of it as a tool to aid compliance with IT/information security-related laws, regulations and standards such as various privacy acts, PCI DSS, HIPAA, PIPEDA, computer misuse, copyright, freedom of information and many more. ISO27k compliance will also help meet the recommendations of the OECD Information Security Guidelines of 2002 and the Basel Committee paper “Sound Practices for the Management and Supervision of Operational Risk.”

Copyright © 2008 IsecT Ltd.