The ISO 27002 standard is a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management.
ISO 27002 provides hundreds of potential controls and control mechanisms that are designed to be implemented with guidance provided within ISO 27001. The suggested controls listed in the standard are intended to address specific issues identified during a formal risk assessment. The standard is also intended to provide a guide for the development of security standards and effective security management practices.
ISO 27002 is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27002 was originally named ISO/IEC 1779, and published in 2000. It was updated in 2005, when it was accompanied by the newly published ISO 27001. The two standards are intended to be used together, with one complimenting the other. The standards are updated regularly to incorporate references to other ISO/IEC issued security standards such as ISO/IEC 27000 and ISO/IEC 27005, in addition to add information security best practices that emerged since previous publications. These include the selection, implementation and management of controls based on an organization's unique information security risk environment.
The 2013 publication of ISO 27002 contains 114 controls, including those for:
- Security policies
- Organization of information security
- Human resources security
- IT asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- Information systems acquisition, development, maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity