3. What is ISO 27002 and do you have information security and operational specific policy and procedure documents relating to this well-known standard?
Another common question we receive is "what is ISO 27002" and how does it differ from ISO 27001. First and foremost, ISO 27002 is an international standard, and specifically a code of practice that "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." The official standard is known as ISO 27002:2013 | Information technology - Security techniques - Code of practice for information security controls. The ISO 27002:2013 publication contains the following areas that pertain to information systems:
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this standard
5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance
ISO 27002 Sections and Security Control Clauses
While the first four (4) areas merely explain and provide reference material for the publication itself, it is the remaining areas, sections 5 through 18, that contain the fourteen (14) "security control clauses", with each "clause" containing a number of "security categories". For example, "Access Control" is one of the fourteen (14) "security control" clauses and contains the following four (4) "security categories":
1. Business Requirements of Access Control
2. User Access Management
3. User Responsibilities
4. System and Application Access Control
Likewise, each of the other "security control clauses" contains its own set of "security categories".
Your ISO 27002 Consulting Experts | Contact Us Today
ISO 27002 is an incredibly detailed document, and one which is vital for helping organizations implement an Information Security Management System (ISMS) in accordance with ISO 27001. But remember that certification is only available for ISO 27001, not ISO 27002; even so, the two standards work in unison with each other. Learn more about our ISO 27001 and 27002 services and the ISO 27001 and ISO 27002 framework today. Flat Iron Technologies, LLC offers comprehensive, industry-leading information security policies and procedures and consulting services relating to the ISO 27000 standards, such as ISO 27001 and others.
Learn more about our signature product, the Global Information Security Compliance Packet (GISCP), the world's most complete security policy packet, containing over 2,850 pages of in-depth information security policies, procedures, forms, checklists, templates, provisioning and hardening documents, and much more.
Learn more today about the GISCP by viewing sample policies, forms, hardening documents, and more.