ISO/IEC 27002

from Wikipedia, the free encyclopedia
DIN ISO/IEC 27002
Area: Information technology
Title: IT security techniques - Guideline for information security management
Latest edition: 2013-10
ISO: ISO/IEC 27002:2013

ISO/IEC 27002 (until 1 July 2007: ISO/IEC 17799) is an international standard that contains recommendations for a range of controls for information security. It deals with protection against attacks (English: security); the counterpart for functional safety (English: safety) is ISO/IEC 90003, see ISO 9001. The standard is part of the ISO/IEC 27000 series.

Certification against ISO/IEC 27002 is not possible, because the standard is a collection of recommendations ("should") rather than requirements ("shall"). If an information security management system (ISMS) is to be certified, this can only be done by meeting the requirements of ISO/IEC 27001.

Historical development

Originated at the British Standards Institution

The basis for the standard was a collection of practical experience, procedures and methods, similar in spirit to ITIL, intended to produce a "best practice" approach. This collection appeared in September 1993 as the DTI Code of Practice, the result of an industry working group that had begun work in January 1993. This code of practice was the basis for the creation of BS 7799.

In February 1995 the BSI (British Standards Institution) published BS 7799-1:1995, the first standard in the field of information security to address the security aspects of the emerging e-commerce. However, because of other pressing issues at the time, such as the approaching Y2K problem, uptake was rather low. This did not change with the second standard, BS 7799-2:1998, published in February 1998, which specifies the requirements for a security management system. It changed only when the BSI presented completely revised versions of both standards in April 1999 (BS 7799-1:1999 and BS 7799-2:1999), which renewed ISO's interest.

Transfer to an ISO standard

ISO adopted BS 7799-1:1999 with unchanged content and published it in 2000 as ISO/IEC 17799:2000. In 2007 the standard was renamed ISO/IEC 27002 and thereby also incorporated by name into the ISO/IEC 27000 series. Since the September 2008 edition the standard has also been available as the German standard DIN ISO/IEC 27002. The family of standards addresses the various levels of information security management systems (ISMS).

Support in Germany

The German contribution to the international standardization work of ISO/IEC JTC 1/SC 27 "Information technology - Security techniques" is handled by the DIN committee NIA-01-27 "IT security techniques".

Versions and contents

Edition ISO/IEC 17799:2000

In the revision of ISO/IEC 17799:2000, new main categories and controls were added. The standard was also slightly restructured in the process; among other things, a new control area was created (information security incident management - handling of security incidents), built from content that had previously been located in a different chapter.

Edition ISO/IEC 27002:2005

ISO/IEC 27002:2005 covers the following 11 control areas:

  1. Security policy - directives and guidelines for information security
  2. Organization of information security - organizational security measures and management process
  3. Asset management - responsibility for and classification of information assets
  4. Human resources security
  5. Physical and environmental security - physical security and supporting utilities
  6. Communications and operations management - network and operational security (data and telephony)
  7. Access control
  8. Information systems acquisition, development and maintenance
  9. Information security incident management - handling of security incidents
  10. Business continuity management - contingency planning
  11. Compliance - compliance with legal requirements and security policies, and verification through audits

These 11 control areas are subdivided into 39 main categories, the so-called control objectives. These are supported by a total of 133 controls, whose application helps to achieve the control objectives.

Edition ISO/IEC 27002:2013

ISO/IEC 27002:2013 covers the following 14 control areas:

  1. Information security policies
  2. Organization of information security
  3. Human resource security
  4. Asset management
  5. Access control
  6. Cryptography
  7. Physical and environmental security
  8. Operations security
  9. Communications security
  10. System acquisition, development and maintenance
  11. Supplier relationships
  12. Information security incident management
  13. Information security aspects of business continuity management
  14. Compliance

These 14 control areas are subdivided into 35 main categories, the so-called control objectives. These are supported by a total of 114 controls, whose application helps to achieve the control objectives.
