What is ISO/IEC 27002?:
ISO/IEC 27002, the International Standard "Code of practice for Information Security Management" (the recently renumbered ISO/IEC 17799:2005), is the revised version of ISO/IEC 17799:2000, which has been used successfully around the world. It includes 134 controls grouped in 11 areas to achieve information security. These controls are based on industry experience and best practice, and most of them should be suitable and helpful to almost all organizations, irrespective of their size or the business they are in. ISO/IEC 17799 has been renumbered to highlight its inclusion in the 27000 series. Please note that the text of the standard has not been changed in this renumbering. The application of ISO/IEC 27002 to improve information security, especially in connection with the ISMS standard ISO/IEC 27001 to establish an ISMS, has proved a business benefit to many different organizations of all sizes and types of business, regardless of which part of the world they are situated in.
ISO/IEC JTC1 SC27 has now started the revision of ISO/IEC 27001. This is a normal process for standards, and the version published in 2005 will remain valid until the new version is published. This Web site will keep you updated about the results of the revision process.
More information about ISO/IEC 27002, the ISMS standard ISO/IEC 27001 and the other standards in the 27000 series can also be obtained by participating in courses and tutorials (see the Training page).
27000 Series of Standards:
In addition to the development of ISO/IEC 27002, ISO/IEC JTC1 SC 27 is working on several other standards that will all be included in the 27000 series of standards, by analogy with the other management system standards such as ISO 9000. The standards in the 27000 series are:
- ISO/IEC 27000: Information security management system fundamentals and vocabulary (under development)
- ISO/IEC 27001: Information security management system - Requirements (published)
- ISO/IEC 27002: Code of practice for Information Security Management (published)
- ISO/IEC 27003: Information security management system implementation guidance (under development)
- ISO/IEC 27004: Information security management measurement (under development)
- ISO/IEC 27005: Information security risk management (under development)
- ISO/IEC 27006: Requirements for bodies providing audit and certification of information security management systems (published)
- ISO/IEC 27007: Guidelines for information security management systems auditing (under development)
- ISO/IEC 27008: Guidance for auditors on information security management systems controls
In addition, there are several sector-specific ISMS standards which are currently under development:
- ISO/IEC 27010: Information Security Management for Inter-Sector Communications (under development)
- ISO/IEC 27011 (X.1051): Information security management guidelines for telecommunications (published)
- ISO/IEC 27013: Guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
- ISO/IEC 27014: Information security governance framework
- ISO/IEC 27015: Information security management system for financial and insurance services sector
The next SC 27 meeting is in autumn; this site will keep you updated about the developments.
Useful Documents:
Useful documents for the application of ISO/IEC 27001, ISO/IEC 27002 and other ISMS standards are the following BIPs (more about these BIPs at the BSI Web site, for BIP 0070 or the individual BIPs):
- BIP 0070: A CD containing the standards ISO/IEC 27001 and ISO/IEC 27002, the BIPs quoted below, and much more
- BIP 0071: Guidelines on requirements and preparation for ISMS certification based on ISO/IEC 27001
- BIP 0072: Are you ready for an ISMS Audit based on ISO/IEC 27001?
- BIP 0073: Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001
- BIP 0074: Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001
ISO/IEC 27002 Content:
ISO/IEC 27002 contains controls in the following best practice control areas.
- Security policy
  - Information security policy
- Organization of information security
  - Internal organization
  - External parties
- Asset management
  - Responsibility for assets
  - Information classification
- Human resources security
  - Prior to employment
  - During employment
  - Termination or change of employment
- Physical and environmental security
  - Secure areas
  - Equipment security
- Communications and operations management
  - Operational procedures and responsibilities
  - Third party service delivery management
  - System planning and acceptance
  - Protection against malicious and mobile code
  - Back-up
  - Network security management
  - Media handling
  - Exchange of information
  - Electronic commerce services
  - Monitoring
- Access control
  - Business requirement for access control
  - User access management
  - User responsibilities
  - Network access control
  - Operating system access control
  - Application and information access control
  - Mobile computing and teleworking
- Information systems acquisition, development and maintenance
  - Security requirements of information systems
  - Correct processing in applications
  - Cryptographic controls
  - Security of system files
  - Security in development and support processes
  - Technical vulnerability management
- Information security incident management
  - Reporting information security events and weaknesses
  - Management of information security incidents and improvements
- Business continuity management
  - Information security aspects of business continuity management
- Compliance
  - Compliance with legal requirements
  - Compliance with security policies and standards, and technical compliance
  - Information systems audit considerations
History of ISO/IEC 27002:
BS 7799, the "Code of practice for Information Security Management", was first published as a UK standard in 1995, containing best practice security controls to support industry and government in the implementation and enhancement of information security. Once BS 7799 was published, organisations all over the world became aware that BS 7799 provides a common language to address information security management.
As more and more organisations around the world applied and implemented BS 7799, other countries started to publish it as a national standard, including the Netherlands (SPE20003), Australia/New Zealand (AS/NZS 4444), Denmark and Sweden (SS627799). BS 7799 was also translated into many different languages, and it can now be obtained in French, German, Finnish, Dutch, Chinese (Mandarin), Norwegian, Danish, Swedish, Portuguese, Korean and Japanese.
Shortly after the development of BS 7799 Part 1, the process of establishing an ISMS was developed, which then became the theme of BS 7799 Part 2: "Specifications for Information Security Management Systems".
In 1998, BS 7799 was up for review. Reviewing and enhancing standards is a process that is common to all standards, and occurs every 3-5 years. The aims of the BS 7799 review were to make improvements and updates where necessary, to add new controls to take account of new developments such as e-commerce, mobile computing and third party arrangements, and to make it more international (i.e. remove any UK specific references). The revision process included major contributions from businesses and organizations from different parts of the world. Ted Humphreys from XiSEC was the editor of this revised version and Angelika Plate from ÆXIS was one of the senior development consultants on the project. A new version was finally published in March 1999.
The international interest in BS 7799 led to its submission to ISO, where it was finally made an international standard in December 2000. As BS 7799 was submitted to ISO using a "Fast Track" procedure, it remained unchanged apart from a very few editorial changes. Within ISO, ISO/IEC 17799 is looked after in Working Group 1 of the information security committee ISO/IEC JTC1 SC27 "IT Security Techniques", and in 2001 Angelika Plate from ÆXIS was appointed as editor (together with O. Weissmann from HelpAG) for ISO/IEC 17799. ISO/IEC 17799:2000 was revised in ISO to update the control areas and controls, to adapt the standard to the latest developments, and to take account of international viewpoints and experiences.
The revision of ISO/IEC 17799:2000 was finalised in 2005, and the new version ISO/IEC 17799:2005 is now published. It has recently been decided to change the number of this standard to ISO/IEC 27002 to make its inclusion in the 27000 series of standards more visible. Please note that this is a mere number change and that no changes were made to the text of ISO/IEC 17799:2005.
For more information about the revision, choose your favourite way of getting updated on the ÆXIS main page.