
Overview of ISO Standard 27002 for IT Security

Updated on July 8, 2020

Tamara Wilhite is a technical writer, an industrial engineer, a mother of two, and a published sci-fi and horror author.

An Introduction to ISO 27002

ISO standard 27002 describes the recommended controls in areas such as access control, asset management, business continuity and how to handle security breaches. Each section of the ISO 27002 standard begins with the objective of that section. It then describes the recommended control, guidance in implementing the control and then any other pertinent information. ISO 27002 controls include policies, procedures, IT organizational structures and internal processes. ISO 27002 consists of twelve sections.

ISO 27002 sets the standards for maintaining the IT security of your network.

The Main Sections of the ISO 27002 Standard

The first section of ISO 27002 contains information on how to perform a risk assessment. What information needs to be kept secure, and how secure is it today? Where is your network vulnerable? What are your current IT controls?

The second section gives an overview of security policies for managers. Security policies can describe who should be allowed access to information and who has the authority to approve access. Security policies may also outline what group or individual is responsible for reporting and tracking down security incidents.

The third section describes the recommendations for governing information security and how an information security organization can be set up. The fourth section involves asset management such as keeping an inventory of computers, servers and laptops. The fifth section addresses human resources security.

The sixth section covers physical and environmental security. Physical and environmental security management includes the use of secure facilities to enforce control of corporate assets. Locating servers in secured areas accessible only to those with the correct badge, periodically verifying the location of all computers, and limiting building access to approved personnel are all forms of physical and environmental security management. The seventh section outlines recommended communications and operations management.

The eighth section describes information access controls. Information access control is the IT equivalent to physical and environmental security management. Information access control management gives guidance on how user accounts are to be verified, set up, maintained and monitored. ISO 27002 also details recommended procedures on securing information and information technologies such as networks, operating systems, software applications and wireless access points.

The ninth section is called information systems acquisition, development and maintenance. This section outlines how information security can be built into software applications. Is the user required to enter a password to access the application as well as their computer? Are software applications systematically upgraded as soon as security vulnerabilities are discovered? This section also includes security testing of software as it is developed.

The tenth section addresses information security incident management. This covers how security breaches are to be reported and handled. Recording all security breaches is the first step to ensuring the corrective action process of ISO 27002 is followed to improve IT security later.

The eleventh section of ISO 27002 provides procedures for business continuity. Business continuity is the plan to be followed if the primary IT systems or data are unavailable. Business continuity can include regular backups, backup servers, alternate sites and replacements for key personnel. Other solutions include mobile work environments, so that the loss of one building or network does not prevent staff from moving to another building and accessing files stored on the network or restored from backup to another computer.

The twelfth section is compliance management. Compliance management is the process of verifying and enforcing IT policies and procedures. Security audits and account audits are part and parcel of ISO 27002. Audits are performed by qualified individuals who did not maintain the system or application being audited.

The History of ISO Standard 27002

ISO 27002 provides the detailed recommendations on how to meet the IT security standards called out in ISO standard 27001. ISO standard 27002 is barely changed from the original IT security standard, ISO 17799, though it is now one of the leading industry standards for information technology.

ISO 27002 was submitted to ISO by the International Electrotechnical Commission (IEC) and is commonly referred to as ISO/IEC 27002.
