ISO/IEC 27002 - People(dot)tuke(dot)sk

advertisement
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
ISO/IEC 27002
From Wikipedia, the free encyclopedia
(Redirected from ISO 17799)
Jump to: navigation, search
ISO/IEC 27002 part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC 27000
series' is an information security standard published by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC) as
ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007,
bringing it into line with the other ISO/IEC 27000-series standards. It is entitled
Information technology - Security techniques - Code of practice for information security
management. The current standard is a revision of the version first published by ISO/IEC
in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.
ISO/IEC 27002 provides best practice recommendations on information security
management for use by those who are responsible for initiating, implementing or
maintaining Information Security Management Systems (ISMS). Information security is
defined within the standard in the context of the C-I-A triad:
the preservation of confidentiality (ensuring that information is accessible only to those
authorised to have access), integrity (safeguarding the accuracy and completeness of
information and processing methods) and availability (ensuring that authorised users have
access to information and associated assets when required).
Contents
[hide]





1 Outline of the Standard
2 National Equivalent Standards
3 Certification
4 External links
5 See also
[edit] Outline of the Standard
After the introductory sections, the standard contains the following twelve main sections:



1: Risk Assessment
2: Security policy - management direction
3: Organization of information security - governance of information security
1 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series









4: Asset management - inventory and classification of information assets
5: Human resources security - security aspects for employees joining, moving and leaving
an organization
6: Physical and environmental security - protection of the computer facilities
7: Communications and operations management - management of technical security
controls in systems and networks
8: Access control - restriction of access rights to networks, systems, applications, functions
and data
9: Information systems acquisition, development and maintenance - building security into
applications
10: Information security incident management - anticipating and responding appropriately
to information security breaches
11: Business continuity management - protecting, maintaining and recovering businesscritical processes and systems
12: Compliance - ensuring conformance with information security policies, standards, laws
and regulations
Within each section, information security controls and their objectives are specified and
outlined. The information security controls are generally regarded as best practice means
of achieving those objectives. For each of the controls, implementation guidance is
provided. Specific controls are not mandated since:
1. Each organization is expected to undertake a structured information security risk
assessment process to determine its specific requirements before selecting controls that are
appropriate to its particular circumstances. The introduction section outlines a risk
assessment process although there are more specific standards covering this area such as
ISO Technical Report TR 13335 GMITS Part 3 - Guidelines for the management of IT
security - Security Techniques, and BS 7799 Part 3.
2. It is practically impossible to list all conceivable controls in a general purpose standard.
Industry-specific implementation guidance for ISO/IEC 27001 and 27002 are anticipated to
give advice tailored to organizations in the telecomms, financial services, healthcare,
lotteries and other industries.
[edit] National Equivalent Standards
ISO/IEC 27002 has directly equivalent national standards in countries such as Australia
and New Zealand (AS/NZS ISO/IEC 17799:2006), the Netherlands (NEN-ISO/IEC
17799:2002 nl, 2005 version in translation), Denmark (DS484:2005), Sweden (SS
627799), Japan (JIS Q 27002), UNE 71501 (Spain), the United Kingdom (BS ISO/IEC
27002:2005), Uruguay (UNIT/ISO 17799:2005) and Estonia (EVS-ISO/IEC 17799:2003,
2005 version in translation). Translation and local publication often results in several
months' delay after the main ISO/IEC standard is revised and released but the national
standard bodies go to great lengths to ensure that the translated content accurately and
completely reflects ISO/IEC 27002.
2 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
[edit] Certification
ISO/IEC 27001 (Information technology - Security techniques - Information security
management systems - Requirements) specifies a number of requirements for
establishing, implementing, maintaining and improving an information security
management system consistent with the best practices outlined in ISO/IEC 27002.
[edit] External links



ISO 27002 Source from BSI
ISO 27002 Wiki
The ISO 17799 Newsletter
[edit] See also



ISO/IEC_27000-series
BS 7799, the original British Standard from which ISO/IEC 17799 and then ISO/IEC
27002 was derived
Standard of Good Practice published by the Information Security Forum
Retrieved from "http://en.wikipedia.org/wiki/ISO/IEC_27002"
Categories: ISO standards | IEC standards


This page was last modified on 5 March 2008, at 09:49.
All text is available under the terms of the GNU Free
3 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
ISO/IEC 27000-series
From Wikipedia, the free encyclopedia
Jump to: navigation, search
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for
short) comprises information security standards published jointly by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC).
The series contains best practice recommendations on information security management
for use by IT management for initiating, implementing or maintaining Information Security
Management Systems (ISMS) and a growing family of related ISO/IEC ISMS standards.
Contents
[hide]




1 Published standards
2 In preparation
3 External links
4 See also
[edit] Published standards



ISO/IEC 27001 - the certification standard against which organizations' ISMS may be
certified (published in 2005)
ISO/IEC 27002 - the code of practice with good practice advice on ISMS (previously
known as ISO 17799 and before that BS 7799 Part 1 (last revised in 2005, and renumbered
ISO/IEC 27002:2005 in July 2007)
ISO/IEC 27006 - a guide to the certification/registration process (published in 2007)
[edit] In preparation







ISO/IEC 27000 - an introduction and overview for the ISMS Family of Standards, plus a
glossary of common terms
ISO/IEC 27003 - an ISMS implementation guide
ISO/IEC 27004 - a standard for information security management measurements
ISO/IEC 27005 - a standard for information security risk management
ISO/IEC 27007 - a guideline for auditing ISMSs
ISO/IEC 27011 - a guideline for ISMSs in the telecommunications industry
ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry
4 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
[edit] External links



ISO 17799 Source from BSI
ISO 17799 Wiki
The ISO 17799 Newsletter
[edit] See also


BS 7799, the original British Standard from which ISO/IEC 17799 and then ISO/IEC
27002 was derived
Standard of Good Practice published by the Information Security Forum
This standards- or measurement-related article is a stub. You can help Wikipedia by expanding it.
Retrieved from "http://en.wikipedia.org/wiki/ISO/IEC_27000-series"
Categories: ISO standards | IEC standards | Information technology management | Standards and
measurement stubs
5 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
BS 7799
From Wikipedia, the free encyclopedia
Jump to: navigation, search
BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards
Institute (BSI) in 1995. It was written by the United Kingdom Government's Department of
Trade and Industry (DTI), and after several revisions, was eventually adopted by ISO as
ISO/IEC 17799, "Information Technology - Code of practice for information security
management." in 2000. ISO/IEC 17799 was most recently revised in June 2005 and was
renamed to ISO/IEC 27002 in July 2007.
A second part to BS7799 was first published by BSI in 1999, known as BS 7799 Part 2,
titled "Information Security Management Systems - Specification with guidance for use."
BS 7799-2 focused on how to implement an Information security management system
(ISMS), referring to the information security management structure and controls identified
in BS 7799-2, which later became ISO/IEC 27001. The 2002 version of BS 7799-2
introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance model), aligning it
with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as
ISO/IEC 27001 in November 2005.
BS7799 Part 3 was published in 2005, covering risk analysis and management. It aligns
with ISO/IEC 27001.
[edit] References



ISO/IEC 27001:2005
ISO/IEC 27002:2005
ISO/IEC 27000 (not yet published)
[edit] See also


Cyber security standards
ISO/IEC 27002, the internationalized version of BS 7799
[edit] External links


Source of BS 7799 from BSI Outlet
BS7799 & ISO 17799 Wiki
6 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series



British Standards Institute
Certificate register
BS 7799 Part 2 PDCA Methodology
Retrieved from "http://en.wikipedia.org/wiki/BS_7799"
Categories: British Standards
7 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
Welcome to the International ISO 27001
and ISO 27002 (ISO 17799) Community
Forum
Welcome to the ISO 27001 and ISO 27002 community
portal. Here we will publish news, articles and other
information related to the ISO 27000 information security
standards. However, primarily the Community Forum is
intended to serve as an interactive resource, and is
designed to enable the free exchange of related
information.
You are therefore invited to join our growing community, free of charge, and share in
this rapidly developing security project.
Forums Now Open
The Discussion Forums for ISO27001, ISO27002 and ISO 17799
are now open, and include international language threads.
Please feel free to contribute and participate.
Posted by sarahol on Tuesday, January 13 @ 03:20:44 EST
(5468 reads)
(Read More... | Score: 0)
Latest ISO 27001 and ISO 27002 FAQ
The latest edition of this FAQ has been published, and
8 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
contains the following additional frequently asked questions:
1) Why has ISO 17799 been renamed to ISO 27002?
The rename was initiated by ISO, who wanted to align the information security standards
under a common naming structure (the 'ISO 27000 series').
2) Which ISO27002 controls are most important?
That largely depends upon the individual organization. However, ISO27002 does give
some guidance, in the form of 'legislative essentials' and 'common best practice' under
the IS "starting point" section. These are:
- intellectual property rights (12.1.2)
- safeguarding of organizational records (12.1.3)
- data protection and privacy of personal information (12.1.4)
- information security policy document (3.1.1)
- allocation of information security responsibilities (4.1.3)
- information security education and training (6.2.1)
- reporting security incidents (6.3.1)
- business continuity management (11.1)
3) What is a Certification body?
An accredited certification body is a third party organization that assesses/certifies the IS
management system against the standard (BS7799-2 / ISO 27001).
4) Who are the Accredited Certification bodies for the standard?
There are a growing number of organizations accredited to grant certification against
ISO27001. The following are amongst them: BSI, Certification Europe, DNV, JACO IS,
KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH
5) How do I become a certified auditor?
The International Register for Certified Auditors operates a certification scheme for ISMS
auditors.
6) How does this standard fit with ISO 9000?
ISO27001 is actually being "harmonized" with other management standards, including
ISO 9000 and ISO 14000. Watch this space!
7) Who originally wrote the security standard?
9 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
Originally a BSI/DISC committee, which included representatives from a wide section of
industry/commerce. It was reviewed subsequently by an ISO (International Standards
Organization)committee and ultimately emerged through the ISO publication process.
8) What is the ISO 27000 Toolkit?
This is the main support resource for the standard, including the standard itself, ISO
27002 policy, etc. See top right panel for a more complete description.
9) What is ISO/IEC Guide 62?
This is largely for those bodies operating certification schemes and contains general
requirements applicable to them.
10) What is ISO 27001?
BS7799-2, the original specification for an information security management system, was
'fast tracked' by ISO to become ISO 27001 in 2005.
10 / 11
http://en.wikipedia.org/wiki/ISO/IEC_27000-series
11 / 11
Download