Information security is defined within the standard in the context of the CIA triad: ISO/IEC 27002 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Later in 2015 the ISO/IEC 27017 was created from that standard in order to suggest additional security controls for the cloud which were not completely defined in ISO/IEC 27002. The ISO/IEC standard was revised in 2005, and renumbered ISO/IEC 27002 in 2007 to align with the other ISO/IEC 27000-series standards. The Shell standard was developed into British Standard BS 7799 in the mid-1990s, and was adopted as ISO/IEC 17799 in 2000.
The ISO/IEC 27000-series standards are descended from a corporate security standard donated by Shell to a UK government initiative in the early 1990s.
Iso 27002 code#
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security controls.
Iso 27002 how to#
To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.This article needs additional citations for verification. To conclude, one could say that without the details provided in ISO 27002, controls defined in Annex A of ISO 27001 could not be implemented however, without the management framework from ISO 27001, ISO 27002 would remain just an isolated effort of a few information security enthusiasts, with no acceptance from the top management and therefore with no real impact on the organization.
Iso 27002 series#
Which standard to use from the ISO 27000 series and whenĮvery standard from the ISO 27000 series is designed with a certain focus – if you want to build the foundations of information security in your organization, and devise its framework, you should use ISO 27001 if you want to implement controls, you should use ISO 27002, if you want to carry out risk assessment and risk treatment, you should use ISO 27005 etc. The question is: why is it that those two standards exist separately, why haven’t they been merged, bringing together the positive sides of both standards? The answer is usability – if it was a single standard, it would be too complex and too large for practical use.
On the other hand, ISO 27001 prescribes a risk assessment to be performed in order to identify for each control whether it is required to decrease the risks, and if it is, to which extent it should be applied. The controls in ISO 27002 are named the same as in Annex A of ISO 27001 – for instance, in ISO 27002, control 6.1.2 is named “Segregation of duties,” while in ISO 27001 it is “A.6.1.2 Segregation of duties.” But, the difference is in the level of detail – on average, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control.įinally, the difference is that ISO 27002 does not make a distinction between controls applicable to a particular organization, and those which are not. The differences between the controls in ISO 27002 and ISO 27001
0 kommentar(er)
