CHAPTER 7: OVERVIEW OF ISO/IEC 27002:2013

This Standard’s title is ‘Information technology – Security techniques – Code of practice for information security controls’. Published in October 2013, it replaced the previous edition, ISO/IEC 27002:2005, whose title ended in ‘information security management’.

It is a code of practice, not a specification. It uses words such as ‘should’ and ‘may’ rather than ‘shall’, and describes itself as something that ‘may be regarded as a starting point for developing organisation-specific guidelines’.1

ISO27002 is more than twice as long as ISO27001, with 90 pages, 8 of which are introductory material. Some 78 pages deal, in detail, with information security controls. This standard has 18 clauses, as shown below:

•  Foreword

0. Introduction

1. Scope

2. Normative references

3. Terms and definitions

4. Structure of this standard

5. Information security policies

6. Organisation of information security

7. Human resource security

8. Asset management

9. Access control

10. Cryptography

11. Physical and environmental security

12. Operations security

13. Communications security

14. System acquisition, development and maintenance

15. Supplier relationships

16. Information security incident management

17. Information security aspects of business continuity management

18. Compliance

• Bibliography

The 14 clauses numbered from five to eighteen contain the controls that are specified in Annex A of ISO27001. These clauses collectively contain 35 security categories. The numbering of the controls is exactly the same in both Standards. There is no significance to the order of the clauses; ‘depending on the circumstances, security controls from any or all clauses could be important’.2

The security categories

Each security category contains:

•  a control objective, stating what has to be achieved

•  one or more controls that can be deployed to achieve that stated objective.

Each control within each security category is laid out in exactly the same way. There is:

•  a control statement, which describes (in the context of the control objective) what the control is for;

•  implementation guidance: detailed guidance which may (or may not) be appropriate to an individual organisation’s implementation of the control;

•  other information that needs to be considered, including reference to other standards.

1 ISO/IEC 27002:2013, 0.4: Introduction, Developing your own guidelines; added emphasis.

2 ISO/IEC 27002:2013, Clause 4.1.
