Overview of ISO Standard 27002 for IT Security
An Introduction to ISO 27002
ISO standard 27002 describes the recommended controls in areas such as access control, asset management, business continuity and how to handle security breaches. Each section of the ISO 27002 standard begins with the objective of that section. It then describes the recommended control, gives guidance on implementing the control, and adds any other pertinent information. ISO 27002 controls include policies, procedures, IT organizational structures and internal processes. ISO 27002 consists of twelve sections.
The Main Sections of the ISO 27002 Standard
The first section of ISO 27002 contains information on how to perform a risk assessment. What information needs to be kept secure, and how secure is it today? Where is your network vulnerable? What are your current IT controls?
The second section gives an overview of security policies for managers. Security policies can describe who should be allowed access to information and who has the authority to approve access. Security policies may also outline what group or individual is responsible for reporting and tracking down security incidents.
The third section describes the recommendations for governing information security and how an information security organization can be set up. The fourth section involves asset management such as keeping an inventory of computers, servers and laptops. The fifth section addresses human resources security.
The sixth section covers physical and environmental security. Physical and environmental security management includes the use of secure facilities to enforce control of corporate assets. Locating servers in secured areas accessible only to those with the correct badge, periodically verifying the location of all computers, and limiting access to the building to approved personnel are all forms of physical and environmental security management. The seventh section outlines recommended communications and operations management.
The eighth section describes information access controls. Information access control is the IT equivalent of physical and environmental security management. Information access control management gives guidance on how user accounts are to be verified, set up, maintained and monitored. ISO 27002 also details recommended procedures for securing information and information technologies such as networks, operating systems, software applications and wireless access points.
The ninth section is called information systems acquisition, development and maintenance. This section outlines how information security can be built into software applications. Is the user required to enter a password to access the application as well as their computer? Are software applications systematically upgraded as soon as security vulnerabilities are discovered? This section also includes security testing of software as it is developed.
The tenth section addresses information security incident management. This covers how security breaches are to be reported and handled. Recording all security breaches is the first step in ensuring that the corrective action process of ISO 27002 is followed so that IT security improves afterwards.
The eleventh section of ISO 27002 provides procedures for business continuity. Business continuity is the plan to be followed if the primary IT systems or data are unavailable. Business continuity can include regular backups, backup servers, alternate sites and replacements for key personnel. Other solutions include mobile work environments, so that the loss of one building or network does not prevent staff from moving to another building and accessing files stored on the network, or restored from backup to another computer.
The twelfth section is compliance management. Compliance management is the process of verifying and enforcing IT policies and procedures. Security audits and account audits are part and parcel of ISO 27002. Audits are performed by qualified individuals who do not maintain the system or application being audited.
The History of ISO Standard 27002
ISO 27002 provides the detailed recommendations on how to meet the IT security standards called out in ISO standard 27001. ISO standard 27002 is barely changed from the original IT security standard, ISO 17799, though it is now one of the leading industry standards for information technology.
ISO 27002 was submitted to ISO by the International Electrotechnical Commission (IEC) and is commonly referred to as ISO/IEC 27002.