Description
ISO/IEC 27002:2013 Information Technology - Security Techniques - Code of Practice for Information Security Controls
ISO 27002:2013 is the international Standard which supports the implementation of an Information Security Management System (ISMS) based on the requirements of ISO/IEC 27001:2013. It establishes the guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organisation.
Buy this Standard with its accompanying Standard, ISO/IEC 27001:2013, together in one package here.
What are the differences between 2005 and 2013 editions of ISO/IEC 27002?
ISO/IEC 27002:2013 has been updated to reflect the many changes which have taken effect in ISO/IEC 27001, and is fully aligned to the new 2013 version of ISO 27001.
For example:
- The number of controls in ISO/IEC 27002 has been changed to match the number in ISO/IEC 27001: ISO 27002 now specifies 35 control objectives, each supported by at least one control, giving a total of 114 controls.
- As the structure of Annex A in ISO 27001 has been updated, so ISO 27002 has been updated to reflect the new structure.
- The terminology used in the standard has been revised to be aligned with that in ISO 27001.
Updated outline for ISO 27002
Introduction
- Scope
- Normative references
- Terms and definitions
- Structure of this standard - Clauses and Control categories
- Information security policies - Management direction for information security
- Organisation of information security - Internal organisation and Mobile devices and teleworking
- Human resource security - Prior to employment, During employment, Termination and change of employment
- Asset management - Responsibility for assets, Information classification and Media handling
- Access control - Business requirements of access control, User access management, User responsibilities and System and application access control
- Cryptography - Cryptographic controls
- Physical and environmental security - Secure areas and Equipment
- Operations security - Operational procedures and responsibilities, Protection from malware, Backup, Logging and monitoring, Control of operational software, Technical vulnerability management and Information systems audit coordination
- Communication security - Network security management and Information transfer
- System acquisition, development and maintenance - Security requirements of information systems, Security in development and support processes and Test data
- Supplier relationships - Information security in supplier relationships and Supplier service delivery management
- Information security incident management - Management of information security incidents and improvements
- Information security aspects of business continuity management - Information security continuity and Redundancies
- Compliance - Compliance with legal and contractual requirements and Information security reviews
Corrigenda
Please note that two Technical Corrigenda have been issued since ISO/IEC 27002:2013 was published. These can be downloaded free of charge direct from ISO via the following links:
Technical Corrigendum 1 (ISO/IEC 27002:2013/Cor.1:2014)
Technical Corrigendum 2 (ISO/IEC 27002:2013/Cor.2:2015)