ISO/IEC 27002:2013 is technically known as "Information technology - Security techniques - Code of practice for information security controls", and came about after being revised and ultimately adopted by ISO as a standard, which allowed it to be included within the ISO 2700 series of standards as that of ISO | EIC 27002. Unlike ISO 27001, for which organizations can certify against, ISO 27002 does not allow for certification, thus it's seen as a standard that "establishes guidelines and general principles for initiating, implementing, maintaining, and improving security management within an organization." This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised.
Learn more about our signature product, the Global Information Security Compliance Packet (GISCP), the world's most complete security policy packet containing over 2,850 + pages of in-depth information security policies, procedures, forms, checklists, templates, provisioning and hardening documents, and much more.
Learn more today about the GISCP by viewing sample policies, forms, hardening documents, and more.
Additionally, the ISO 27002 standard contains control objectives for helping organizations meet requirements identified by a risk assessment, while also providing guidance for developing security standards, along with effective security management practices for organizations. The ISO 27002 standard is an excellent publication in many regards, because it not only provides technical information relating to information security, but also discusses the following issues:
- What is information security
- Why information security is needed
- How to establish security requirements
- Assessing security risks
- Selecting controls
- Information security starting point
- Critical success factors
- Developing one's own guidelines
Specifically, the ISO 27002:2013 standard publication contains the following areas:
- Normative references
- Terms and definitions
- Structure of this standard
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
The first four (4) areas (1. Scope. 2. Normative References. 3. Terms and Definitions. 4. Structure of the Standard.) merely define basic information regarding the standard and the publication, such as terms, definitions, structure of the standard, along with general provisions about risk assessment. The remaining fourteen (14) areas (sections 5 through 18) are actually the 14 "security control clauses" that contain a number of security categories (35, to be exact), each with a control objective stating what is to be achieved, the controls that can be applied to achieve the control objective itself, along with other supporting information, such as "implementation guidance" and "other information".
The Relationship between ISO 27001 and ISO 27002 | Learn More
And there's a clear relationship between ISO 27001 and ISO 27002, as they both are dependent on one-another. Specifically, because ISO 27001 allows for organizations to be certified against the standard, where are many of the security management practices, control objectives, and implementation guidance initiatives going to come from for ensuring that an ISO 27001 Information Security Management System (ISMS) is in place? From the comprehensive list of "security control clauses" and supporting security categories from ISO 27002, that's where! ISO 27001 gives organizations the requirements and framework needed for an ISMS - but it's ISO 27002 that provides much of the details in helping ensure many of the controls are in place. They work in unison.
Information Security Policies and Procedures | Critical for ISO 27001 and 27002
The set of policies, procedures, forms, checklists, templates, and provisioning and hardening documents available for purchase and immediate download from Flat Iron Technologies, LLC are essential when looking to define, build, deploy, maintain, and document an ISMS. But even more, when you look at all the "security control clauses" and supporting security categories within the ISO 27002 standard, organizations will have to find a trusted, competent, and well-regarded source for providing documentation in meeting many of these explicit requirements. That very source is Flat Iron Technologies, LLC. Purchase the Global Information Security Compliance Packet (GISCP) today and immediately download all the material. Additionally, learn more about our ISO 27001 and 27002 services.