ISO/IEC 27002 Best Practice for Information Management System

In Brief

The ISO/IEC 27001 standard describes a process approach for the implementation of an ISMS (Information Security Management System). Although it sets the objective to be obtained, it does not specify exactly how to go about it. The ISO 27002 standard presents a series of concrete specifications that cover both technical and organisational aspects.

The standard sets out a code of best practice intended for use by the managers responsible for implementing or maintaining an information security management system. Information security is defined as being ‘the preservation of confidentiality, integrity and availability of information’.

The standard suggests 11 primary domains for security, including 133 security objectives (controls):

• Information security policy
• Organisation of information security
• Asset management
• Security related to human resources
• Physical and environmental security
• Use and management of communications
• Access control
• Acquisition, development and maintenance of the information systems
• Incident management
• Business continuity management
• Compliance