ISO IEC 27002 2005*

INFORMATION SECURITY STANDARD

TRANSLATED INTO PLAIN ENGLISH

*ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005.
However, nothing else has changed. The content is the same.

The ISO 27002 2005 standard is all-encompassing. It takes a very broad
approach to information security. In the context of this standard, the term
information includes all forms of data, documents, communications,
conversations, messages, recordings, and photographs. It includes
everything from digital data and email to faxes and telephone
conversations.


This page presents a preview of ISO IEC 27002 2005. It does not present
the entire standard. If you need the entire detailed standard, please consider
purchasing our Title 37: ISO IEC 27002 (17799) Translated into Plain English.
Title 37 includes all security control objectives, controls, implementation
guidelines, and additional notes, all presented in plain English.

The ISO IEC 27002 2005 standard, and our interpretation of it, consists of
recommended information security practices. These recommended practices
are found in sections 5 to 15. Since these recommendations start in section 5,
the following material also starts in section 5. Sections 1 to 4 cover a variety
of introductory and explanatory topics, which are also covered in our Title 37.

ISO IEC 27002 (17799) IN PLAIN ENGLISH

5. Security Policy Management

5.1 Establish an information security policy

5.1.1 Develop an information security policy document

5.1.2 Review your information security policy

6. Corporate Security Management

6.1 Establish an internal security organization

6.1.1 Make an active commitment to information security

6.1.2 Coordinate information security implementation

6.1.3 Allocate information security responsibilities

6.1.4 Establish an authorization process for new facilities

6.1.5 Use confidentiality agreements to protect information

6.1.6 Maintain relationships with other organizations

6.1.7 Maintain relationships with special interest groups

6.1.8 Perform independent information system reviews

6.2 Control external party use of your information

6.2.1 Identify risks related to the use of external parties

6.2.2 Address security before customers are given access

6.2.3 Address security using third party agreements

7. Organizational Asset Management

7.1 Establish responsibility for your assets

7.1.1 Compile an inventory of organizational assets

7.1.2 Select owners for your information and assets

7.1.3 Establish acceptable use rules for information and assets

7.2 Use an information classification system

7.2.1 Develop information classification guidelines

7.2.2 Use information handling and labeling procedures

8. Human Resource Security Management

8.1 Emphasize security prior to employment

8.1.1 Define your security roles and responsibilities

8.1.2 Verify the backgrounds of all new personnel

8.1.3 Use contracts to protect your organization’s information

8.2 Emphasize security during employment

8.2.1 Expect your managers to emphasize security

8.2.2 Deliver information security training programs

8.2.3 Set up a disciplinary process for security breaches

8.3 Emphasize security at termination of employment

8.3.1 Assign responsibility for termination or reassignment

8.3.2 Make sure that assets are returned at termination

8.3.3 Remove information access rights at termination

9. Physical and Environmental Security Management

9.1 Use security areas to protect facilities

9.1.1 Use physical security perimeters to protect areas

9.1.2 Use physical entry controls to protect secure areas

9.1.3 Secure your organization’s offices, rooms, and facilities

9.1.4 Protect your facilities from natural and human threats

9.1.5 Use work guidelines to protect secure areas

9.1.6 Isolate and control public access points

9.2 Protect your equipment

9.2.1 Use equipment siting and protection strategies

9.2.2 Make sure that supporting utilities are reliable

9.2.3 Secure power and telecommunications cables

9.2.4 Maintain your organization’s equipment

9.2.5 Protect your organization’s off‑site equipment

9.2.6 Control equipment disposal and re‑use

9.2.7 Control the use of assets off‑site

10. Communications and Operations Management

10.1 Establish procedures and responsibilities

10.1.1 Document your operating procedures

10.1.2 Control changes to facilities and systems

10.1.3 Segregate duties and responsibilities

10.1.4 Separate development and operations

10.2 Control third party service delivery

10.2.1 Manage third party service agreements

10.2.2 Monitor third party service delivery

10.2.3 Control changes to third party services

10.3 Carry out system planning activities

10.3.1 Monitor usage and carry out capacity planning

10.3.2 Use acceptance criteria to test your systems

10.4 Protect against malicious and mobile code

10.4.1 Establish controls to handle malicious code

10.4.2 Control the use of mobile code

10.5 Establish backup procedures

10.5.1 Back up your information and software

10.6 Protect computer networks

10.6.1 Establish network security controls

10.6.2 Control network service providers

10.7 Control how media are handled

10.7.1 Manage your organization’s removable media

10.7.2 Manage the disposal of your organization’s media

10.7.3 Control information handling and storage

10.7.4 Protect your system documentation

10.8 Protect exchange of information

10.8.1 Establish information exchange policies and procedures

10.8.2 Establish information and software exchange agreements

10.8.3 Safeguard the transportation of physical media

10.8.4 Protect electronic messaging and messages

10.8.5 Protect interconnected business information systems

10.9 Protect electronic commerce services

10.9.1 Protect information involved in ecommerce

10.9.2 Protect on‑line transaction information

10.9.3 Protect information available on public systems

10.10 Monitor information processing facilities

10.10.1 Establish and maintain audit logs

10.10.2 Monitor information processing facilities

10.10.3 Protect logging facilities and log information

10.10.4 Log system administrator and operator activities

10.10.5 Log information processing and communication faults

10.10.6 Synchronize your system clocks

11. Information Access Control Management

11.1 Control access to information

11.1.1 Develop a policy to control access to information

11.2 Manage user access rights

11.2.1 Establish a user access control procedure

11.2.2 Control the management of system privileges

11.2.3 Establish a process to manage passwords

11.2.4 Review user access rights and privileges

11.3 Encourage good access practices

11.3.1 Expect users to protect their passwords

11.3.2 Expect users to protect their equipment

11.3.3 Establish a clear‑desk and clear‑screen policy

11.4 Control access to your networked services

11.4.1 Formulate a policy on the use of networks

11.4.2 Authenticate remote user connections

11.4.3 Use automatic equipment identification methods

11.4.4 Control access to diagnostic and configuration ports

11.4.5 Use segregation methods to protect your networks

11.4.6 Restrict connection to shared networks

11.4.7 Establish network routing controls

11.5 Control access to your operating systems

11.5.1 Establish secure log‑on procedures

11.5.2 Identify and authenticate all users

11.5.3 Establish a password management system

11.5.4 Control the use of all system utilities

11.5.5 Use session time‑outs to protect information

11.5.6 Restrict connection times in high‑risk areas

11.6 Control access to applications and information

11.6.1 Restrict access by users and support personnel

11.6.2 Isolate sensitive application systems

11.7 Protect mobile and teleworking facilities

11.7.1 Protect mobile computing and communications

11.7.2 Protect and control teleworking activities

12. Information Systems Security Management

12.1 Identify requirements

12.1.1 Identify security controls and requirements

12.2 Make sure that applications process your information correctly

12.2.1 Validate data input into your applications

12.2.2 Use validation checks to control processing

12.2.3 Protect message integrity and authenticity

12.2.4 Validate your applications’ output data

12.3 Use cryptographic controls to protect your information

12.3.1 Implement a policy on the use of cryptographic controls

12.3.2 Establish a secure key management system

12.4 Protect and control system files

12.4.1 Control the installation of operational software

12.4.2 Control the use of system data for testing

12.4.3 Control access to program source code

12.5 Control development and support processes

12.5.1 Establish formal change control procedures

12.5.2 Review applications after operating system changes

12.5.3 Restrict changes to software packages

12.5.4 Prevent information leakage opportunities

12.5.5 Control outsourced software development

12.6 Control technical vulnerabilities

12.6.1 Control your technical system vulnerabilities

13. Information Security Incident Management

13.1 Report security events and weaknesses

13.1.1 Report information security events as quickly as possible

13.1.2 Report security weaknesses in systems and services

13.2 Manage security incidents and improvements

13.2.1 Establish incident response responsibilities and procedures

13.2.2 Learn from your information security incidents

13.2.3 Collect evidence to support your actions

14. Business Continuity Management

14.1 Use continuity management to protect information

14.1.1 Establish a business continuity process for information

14.1.2 Identify the events that could interrupt your business

14.1.3 Develop and implement your business continuity plans

14.1.4 Establish a business continuity planning framework

14.1.5 Test and update your business continuity plans

15. Compliance Management

15.1 Comply with legal requirements

15.1.1 Identify all relevant legal requirements

15.1.2 Respect intellectual property rights (IPR)

15.1.3 Protect your organization’s records

15.1.4 Protect the privacy of personal information

15.1.5 Prevent misuse of data processing facilities

15.1.6 Control the use of cryptographic controls

15.2 Perform compliance reviews

15.2.1 Review compliance with security policies and standards

15.2.2 Review technical security compliance

15.3 Carry out information system audits

15.3.1 Control the audit of information systems

15.3.2 Protect information system audit tools

Title 37: ISO 27002 Translated into Plain English by Praxiom Research Group Limited

This page summarizes the ISO IEC 27002 standard.
It highlights the main points. It does not present detail.

If you need a detailed and complete interpretation of
ISO IEC 27002 (17799), please consider purchasing our
Title 37: ISO IEC 27002 (17799) Translated into Plain English.

Our plain English ISO IEC 27002 standard is 263 pages long.
It includes all information security objectives, controls,
implementation guidelines, and supporting notes.

Check out our Title 37 Table of Contents.
Check out a Sample of our Title 37 (pdf).
Check our Prices.
Place an Order.
Check our License Agreement.

Our Title 37 provides a detailed, accurate, and complete
interpretation of ISO IEC 27002 (17799). It uses language that
is clear, precise, and easy to understand. We guarantee it.

OTHER ISO 27002 INFORMATION SECURITY PAGES

Introduction to ISO 27002 (17799) Information Security Standard

Overview of the ISO 27002 (17799) Information Security Standard

ISO 27002 (17799) Plain English Information Security Definitions

Complete list of ISO 27002 (17799) Information Security Control Objectives

ISO 27002 (17799) Information Security Management Audit Tool

ISO 27001 INFORMATION SECURITY PAGES

Introduction to ISO 27001 Information Security

Comparison of ISO 27001 2005 and ISO 17799 2005

Overview of ISO 27001 2005 Information Security Standard

ISO 27001 2005 Information Security Standard in Plain English

ISO 27001 2005 Information Security Management Gap Analysis Tool

OTHER PLAIN ENGLISH STANDARDS

ISO 27001 Information Security Management Standard

ISO 28000 Supply Chain Security Management Standard

OHSAS 18001 Occupational Health and Safety Standard

ISO 90003 Software Quality Management Standard

NFPA 1600 Business Continuity Management Standard

AS9100:2009 Aerospace Quality Management Standard

ISO 9001 2008 Quality Management System Standard

ISO 22000 2005 Food Safety Management Standard

ISO 13485 2003 Medical Device Management Standard

ISO 14001 2004 Environmental Management Standard

PRAXIOM RESEARCH GROUP LIMITED
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Telephone: (780)461-4514
info@praxiom.com

Updated on January 6, 2010. On the Web since May 25, 1997.

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and
developing this electronic publication. We make no representation or warranties
with respect to accuracy or completeness of the contents of this publication and
specifically disclaim any implied warranties of merchantability or fitness for any
particular purpose and shall in no event be liable for any loss of profit or any
other commercial damage, including but not limited to special, incidental,
consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
material as often as you wish, free of charge. And as long as you keep intact
all copyright notices, you are also welcome to print or make one copy of this
page for your own personal, noncommercial, home use. But you are not
legally authorized to print or produce additional copies, or to copy and paste
any of our material onto another web site. If you would like to purchase our
material, please contact our Sales Desk. Our staff would be very pleased to
take your order or to answer any questions you might have.

Copyright © 2006-2010 by Praxiom Research Group Limited. All Rights Reserved.