ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), entitled Information technology - Security techniques - Code of practice for information security management.
ISO/IEC 27002:2005 developed from BS7799, published in the mid-1990s. The British Standard was adopted by ISO/IEC as ISO/IEC 17799:2000, revised in 2005, and renumbered (but otherwise unchanged) in 2007 to align with the other ISO/IEC 27000-series standards. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad: confidentiality, integrity and availability.
ISO/IEC 27002 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organization according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes.
ISO/IEC 27001 (Information technology - Security techniques - Information
security management systems - Requirements) is a certifiable standard. ISO/IEC 27001
specifies a number of firm requirements for establishing, implementing, maintaining
and improving an ISMS, and lays out in Annex A a suite of 133 information security
controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls in Annex A are derived from and aligned with ISO/IEC 27002.
Ongoing development
Both ISO/IEC 27001 and ISO/IEC 27002
are currently being revised by ISO/IEC JTC1/SC27. This is a routine activity every
few years for ISO/IEC standards, in order to keep them current and relevant. It
involves, for instance, incorporating references to other issued security standards
(such as ISO/IEC 27000, ISO/IEC 27004 and ISO/IEC 27005) and various good security
practices that have emerged in the field since they were last published. Due to
the significant 'installed base' of organizations already using ISO/IEC 27002, particularly
in relation to the information security controls supporting an ISMS that complies
with ISO/IEC 27001, any changes have to be justified and, wherever possible, evolutionary
rather than revolutionary in nature. The revised standards are expected to be published
in 2011 or 2012 if everything goes to plan.