ISO/IEC 27002 - Outline

Outline

After the 3 introductory sections, the standard contains the following twelve main sections:

4. Risk assessment
5. Security policy - management direction
6. Organization of information security - governance of information security
7. Asset management - inventory and classification of information assets
8. Human resources security - security aspects for employees joining, moving and leaving an organization
9. Physical and environmental security - protection of the computer facilities
10. Communications and operations management - management of technical security controls in systems and networks
11. Access control - restriction of access rights to networks, systems, applications, functions and data
12. Information systems acquisition, development and maintenance - building security into applications
13. Information security incident management - anticipating and responding appropriately to information security breaches
14. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
15. Compliance - ensuring conformance with information security policies, standards, laws and regulations

Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:

  1. Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introduction section outlines a risk assessment process, although there are more specific standards covering this area, such as ISO/IEC 27005. The use of information security risk analysis to drive the selection and implementation of information security controls is an important feature of the ISO/IEC 27000-series standards: it means that the generic good practice advice in this standard gets tailored to the specific context of each user organization, rather than being applied by rote. Not all of the 39 control objectives are necessarily relevant to every organization, for instance, so entire categories of control may not be deemed necessary. The standards are also open-ended in the sense that the information security controls are 'suggested', leaving the door open for users to adopt alternative controls if they wish, just so long as the key control objectives relating to the mitigation of information security risks are satisfied. This helps keep the standard relevant despite the evolving nature of information security threats, vulnerabilities and impacts, and trends in the use of certain information security controls.
  2. It is practically impossible to list all conceivable controls in a general-purpose standard. Industry-specific implementation guidelines for ISO/IEC 27001 and ISO/IEC 27002 offer advice tailored to organizations in the telecoms industry (see ISO/IEC 27011) and healthcare (see ISO 27799), with additional guidelines for the financial services and other industries in preparation.
