PLAIN ENGLISH ISO IEC 27002 2005

INFORMATION SECURITY CONTROL OBJECTIVES

ISO IEC 27002 2005 is now OBSOLETE. See ISO IEC 27002 2013 Objectives.

5. Security Policy Management Objectives

5.1 To establish an information security policy.

  1. To make sure that your information security policy provides
    clear direction for your information security program.

  2. To make sure that your information security policy shows
    that your management is committed to information security.

  3. To make sure that your management supports
    your organization's information security policy.

  4. To make sure that your information security policy
    shows that your management is prepared to support
    an ongoing commitment to information security.

  5. To make sure that your information security policy
    is consistent with your business objectives.

  6. To make sure that your information security policy
    meets your organization's business requirements.

  7. To make sure that your information security policy
    complies with all relevant laws and regulations.

6. Corporate Security Management Objectives

6.1 To establish an internal security organization.

  1. To establish a management framework to control how
    your organization implements information security.

  2. To make sure that your management approves
    your organization's information security policy.

  3. To make sure that management assigns security roles.

  4. To make sure that your management coordinates the
    implementation of security across your organization.

  5. To make sure that your management reviews the
    implementation of security across your organization.

  6. To make sure that you have access to information security
    experts and advisors within your own organization.

  7. To make sure that your internal experts are able
    to provide specialized information security advice.

  8. To make sure that you have access to external
    security experts, advisors, and authorities.

  9. To use your external advisors to help you
    monitor changes in security standards.

  10. To use your external advisors to help you monitor
    changes in security assessment methods.

  11. To use your external advisors to help you
    keep up with industrial security trends.

  12. To make sure that your external information security experts
    and advisors can help you to deal with security incidents.

  13. To make sure that your organization encourages the use
    of a multi-disciplinary approach to information security.

6.2 To control external party use of your information.

  1. To maintain the security of your organization's information
    whenever it is being accessed by external parties.

  2. To maintain the security of your organization's information
    whenever it is being processed by external parties.

  3. To maintain the security of your organization's information
    whenever it is being managed by external parties.

  4. To maintain the security of your organization's
    information processing facilities whenever
    they are being managed by external parties.

  5. To maintain the security of your organization's
    information processing facilities whenever
    they are being accessed by external parties.

  6. To maintain the security of your organization's
    information processing facilities whenever
    information is processed by external parties.

  7. To maintain the security of your information
    processing facilities whenever external parties
    are allowed to communicate with these facilities.

  8. To make sure that the security of your organization's
    information processing facilities is not compromised
    by the influence of external party products or services.

  9. To make sure that the security of your information is
    not compromised by external party products or services.

  10. To control external party access to your information.

  11. To control external party access to
    your information processing facilities.

  12. To control how external parties process your information.

  13. To control how external parties use your organization's
    information for communication purposes.

  14. To carry out a risk assessment whenever there is
    a business need to allow external parties to access
    your organization's information processing facilities.

  15. To make sure that your risk assessments examine security
    implications whenever there is a need to allow external
    parties to access your information processing facilities.

  16. To make sure that your risk assessments identify your control
    requirements whenever there is a need to allow external
    parties to access your information processing facilities.

  17. To establish agreements that identify the controls that
    must be applied whenever there is a need to allow external
    parties to access your information processing facilities.

  18. To carry out a risk assessment whenever there is a business
    need to allow external parties to access your information.

  19. To make sure that your risk assessments examine security
    implications whenever there is a need to allow external
    parties to access your information.

  20. To make sure that your risk assessments identify your
    control requirements whenever there is a need to allow
    external parties to access your information.

  21. To establish agreements that identify the controls that
    must be applied whenever there is a need to allow
    external parties to access your information.

7. Organizational Asset Management Objectives

7.1 To establish responsibility for your organization's assets.

  1. To protect your organization's assets.

  2. To use controls to protect your assets.

  3. To account for your organization's assets.

  4. To nominate owners for all organizational assets.

  5. To make nominated owners responsible for
    protecting your organization's assets.

  6. To assign responsibility for the maintenance of asset controls.

  7. To make your asset owners responsible for protecting
    your organization's assets even though owners may have
    delegated the responsibility for implementing controls.

7.2 To use an information classification system.

  1. To provide an appropriate level of protection
    for your organization's information.

  2. To establish an information classification system.

  3. To use your classification system to define security levels.

  4. To specify how much protection is expected at each level.

  5. To assign a security priority to each information security level.

  6. To use your organization's information classification system
    to specify how information should be protected at each level.

  7. To use your organization's information classification system
    to specify how information should be handled at each level.

8. Human Resource Security Management Objectives

8.1 To emphasize security prior to employment.

  1. To reduce the risk of theft, fraud, or misuse of facilities by
    making sure that all prospective employees understand
    their responsibilities before you hire them.

  2. To reduce the risk of theft, fraud, or misuse of facilities by
    making sure that all prospective contractors understand
    their responsibilities before you hire them.

  3. To reduce the risk of theft, fraud, or misuse of facilities by
    making sure that all third-party users understand their
    responsibilities before you allow them to use your facilities.

  4. To reduce the risk of theft, fraud, or misuse of facilities by
    making sure that all prospective employees are suitable
    given the roles that they will be asked to carry out.

  5. To reduce the risk of theft, fraud, or misuse of facilities by
    making sure that all prospective contractors are suitable
    given the tasks that they will be asked to carry out.

  6. To reduce the risk of theft, fraud, or misuse of facilities by
    making sure that all third party users are suitable before
    you allow them to use your facilities.

  7. To use job descriptions to specify the security responsibilities
    that new personnel will be asked to carry out.

  8. To use employment terms and conditions to specify the security
    responsibilities that new personnel will be asked to carry out.

  9. To screen all employees before you hire them, especially
    when they will be asked to perform sensitive jobs.

  10. To screen all contractors before you hire them, especially
    when they will be asked to provide sensitive services.

  11. To screen all third-party users, especially when they
    will be allowed to access sensitive information.

  12. To ask prospective employees to sign agreements that
    specify what their security roles and responsibilities are.

  13. To ask prospective contractors to sign agreements that
    specify what their security roles and responsibilities are.

  14. To ask prospective third-party users to sign agreements that
    specify what their security roles and responsibilities are.

8.2 To emphasize security during employment.

  1. To emphasize the need to protect your information.

  2. To emphasize the need to reduce risk of human error.

  3. To make employees aware of information
    security threats and concerns.

  4. To make contractors aware of information
    security threats and concerns.

  5. To make third party users aware of information
    security threats and concerns.

  6. To make employees aware of their
    information security responsibilities.

  7. To make contractors aware of their
    information security responsibilities.

  8. To make third party users aware of their
    information security responsibilities.

  9. To make employees aware of their
    information security liabilities.

  10. To make contractors aware of their
    information security liabilities.

  11. To make third party users aware of
    their information security liabilities.

  12. To make sure that employees know how to support and
    apply your security policy during the course of their work.

  13. To make sure that contractors know how to support and
    apply your security policy during the course of their work.

  14. To make sure that third party users know how to support and
    apply your security policy during the course of their work.

  15. To make managers responsible for ensuring that employees
    carry out their security responsibilities throughout the
    course of their employment with your organization.

  16. To provide an adequate level of security education
    and training to your organization's employees.

  17. To provide an adequate level of security education
    and training to your organization's contractors.

  18. To provide an adequate level of security education
    and training to all third party users.

  19. To minimize your security risk by ensuring that employees
    know how to use your organization's security procedures.

  20. To minimize your security risk by ensuring that contractors
    know how to use your organization's security procedures.

  21. To minimize your security risk by ensuring that third party
    users know how to use your security procedures.

  22. To minimize your security risk by ensuring that employees
    know how to use your information processing facilities.

  23. To minimize your security risk by ensuring that contractors
    know how to use your information processing facilities.

  24. To minimize your security risk by ensuring that third party
    users know how to use your information processing facilities.

  25. To establish a formal disciplinary process that
    must be used to handle security breaches.

8.3 To emphasize security at termination of employment.

  1. To control how employees are terminated.

  2. To control how contractors are terminated.

  3. To control how third party users are terminated.

  4. To control how employees are reassigned.

  5. To control how contractors are reassigned.

  6. To control how third party users are reassigned.

  7. To make sure that employees, contractors, and third
    party users exit your organization in an orderly manner.

  8. To make sure that employees, contractors, and third party
    users change their work assignments in an orderly manner.

  9. To make managers responsible for controlling how employees,
    contractors, and third party users are terminated or reassigned.

  10. To make sure that all equipment is returned when
    employees, contractors, or third party users
    are terminated or reassigned.

  11. To make sure that all access rights and privileges
    are removed when employees, contractors, or
    third party users are terminated or reassigned.

9. Physical and Environmental Security Management Objectives

9.1 To use secure areas to protect facilities.

  1. To use physical methods to prevent unauthorized
    access to your organization's information and premises.

  2. To use physical methods to prevent people from
    damaging your information and premises.

  3. To use physical methods to prevent people from
    interfering with your information and premises.

  4. To keep your organizationís critical or sensitive
    information processing facilities in secure areas.

  5. To use defined security perimeters to protect your
    critical or sensitive information processing facilities.

  6. To use appropriate security barriers to protect your
    critical or sensitive information processing facilities.

  7. To use entry controls to protect your critical or
    sensitive information processing facilities.

  8. To make sure that your physical protection methods
    are commensurate with identified security risks.

9.2 To protect your organization's equipment.

  1. To prevent damage to your organization's equipment.

  2. To prevent the loss of your organization's equipment.

  3. To prevent the theft of your organization's equipment.

  4. To protect your equipment from physical threats.

  5. To protect your equipment from environmental threats.

  6. To protect equipment in order to avoid work interruptions.

  7. To protect equipment in order to avoid unauthorized
    access to your organization's information.

  8. To protect your equipment through proper disposal.

  9. To use secure siting strategies to protect your equipment.

  10. To use special controls to safeguard supporting facilities.

10. Communications and Operations Management Objectives

10.1 To establish procedures and responsibilities.

  1. To define responsibilities that explain how information
    processing facilities should be managed and operated.

  2. To assign responsibility for the management and operation
    of your organization's information processing facilities.

  3. To establish procedures to operate and control your
    organization's information processing facilities.

  4. To use procedures to ensure that information processing
    facilities are always secure and operated correctly.

  5. To segregate information processing duties in order to
    prevent damage or misuse caused by negligence or sabotage.

10.2 To control third party service delivery.

  1. To control how third parties deliver
    services to your organization.

  2. To make sure that third parties comply with
    your information security requirements.

  3. To make sure that third parties comply with
    third party service delivery agreements.

  4. To make sure that third parties maintain an appropriate level
    of information security for the duration of their contracts.

  5. To monitor third parties in order to ensure that service
    delivery continues to comply with third party agreements.

  6. To control changes to third party service delivery agreements
    in order to ensure that they comply with all requirements.

10.3 To carry out future system planning activities.

  1. To avoid future system failures by developing plans to
    ensure that adequate information processing capacity
    and resources will be available in the future.

  2. To avoid future system failures by projecting what your
    system performance requirements will be in the future.

  3. To avoid future system overloads by projecting what
    your information processing capacity and resource
    requirements will be in the future.

  4. To establish the operational requirements of
    new systems prior to their acceptance and use.

  5. To document the operational requirements of
    new systems prior to their acceptance and use.

  6. To test the operational requirements of new
    systems prior to their acceptance and use.

10.4 To protect against malicious and mobile code.

  1. To protect the integrity of your software.

  2. To protect the integrity of your information.

  3. To prevent the introduction of malicious
    code and unauthorized mobile code.

  4. To detect the introduction of malicious
    code and unauthorized mobile code.

  5. To protect your organization's software and information
    processing facilities against computer viruses.

  6. To protect your software and information
    processing facilities against network worms.

  7. To protect your software and information
    processing facilities against Trojan horses.

  8. To protect your software and information
    processing facilities against logic bombs.

  9. To make users aware of the dangers and the
    damage that malicious code can cause.

  10. To make sure that your managers have established
    controls that staff can use to prevent malicious code.

  11. To make sure that your managers have established controls
    that staff can use to detect the existence of malicious code.

  12. To make sure that your managers have established
    controls that staff can use to remove malicious code.

  13. To make sure that your managers have
    taken steps to control mobile code.

10.5 To establish backup procedures.

  1. To maintain the availability and integrity of your information
    and information processing facilities by backing up your data.

  2. To develop procedures to implement
    your data backup policy and strategy.

  3. To develop data restoration procedures and make
    sure that restoration activities are rehearsed.

10.6 To protect computer networks.

  1. To protect the information on your networks.

  2. To protect the infrastructure that supports your networks.

  3. To protect networks that span organizational boundaries.

  4. To protect sensitive information passing over public networks.

10.7 To control how media are handled.

  1. To control your organization's media.

  2. To protect your organization's media.

  3. To prevent unauthorized disclosure by protecting your media.

  4. To prevent unauthorized modifications by protecting your media.

  5. To prevent the removal of assets by protecting your media.

  6. To prevent the destruction of assets by protecting your media.

  7. To prevent business interruptions by protecting your media.

  8. To establish operating procedures to protect your documents.

  9. To establish operating procedures to protect computer media.

  10. To establish operating procedures to protect input/output data.

  11. To establish procedures to protect system documentation.

  12. To make sure that your operating procedures
    prevent unauthorized disclosures.

  13. To make sure that your operating procedures
    prevent the unauthorized modification of your media.

  14. To make sure that your operating procedures
    prevent the unauthorized destruction of your media.

  15. To make sure that your operating procedures
    prevent the unauthorized removal of your media.

10.8 To protect the exchange of information.

  1. To protect and control the exchange of
    information within your own organization.

  2. To protect and control the exchange of
    software within your own organization.

  3. To protect and control the exchange of information between
    your organization and other external organizations.

  4. To protect and control the exchange of software between
    your organization and other external organizations.

  5. To establish a formal policy to control how information
    and software is exchanged between organizations.

  6. To use formal agreements to control how information
    and software is exchanged between organizations.

  7. To comply with all relevant legislation that governs
    and controls the exchange of information and software
    between organizations (also see clause 15 below).

  8. To establish procedures to protect information and physical
    media exchanged within or between organizations.

  9. To establish standards to protect information and physical
    media exchanged within or between organizations.

10.9 To protect electronic commerce services.

  1. To make sure that your organization's electronic
    commerce (ecommerce) services are secure.

  2. To make sure that ecommerce service usage is secure.

  3. To consider security if you use ecommerce services.

  4. To consider security if you process online transactions.

  5. To protect the integrity of information that is
    published using publicly accessible systems.

  6. To protect the availability of information that is
    published using publicly accessible systems.

  7. To establish controls to protect ecommerce activities.

10.10 To monitor information processing facilities.

  1. To monitor information processing systems
    in order to detect unauthorized activities.

  2. To record your information security events.

  3. To use operator logs to detect information system problems.

  4. To use fault logging to detect information system problems.

  5. To make sure that your information monitoring and logging
    activities comply with all relevant legal requirements.

  6. To use system monitoring to check how effective controls are.

  7. To use system monitoring to verify that information processing
    activities comply with your organization's access policy.

11. Information Access Control Management Objectives

11.1 To control access to information.

  1. To control access to your organization's information.

  2. To make sure that your information access controls
    meet your organization's business requirements.

  3. To make sure that your information access controls
    meet your organization's security requirements.

  4. To control access to information processing facilities.

  5. To make sure that your facility access controls
    meet your organization's business requirements.

  6. To make sure that your facility access controls
    meet your organization's security requirements.

  7. To control access to your business processes.

  8. To make sure that your process access controls
    meet your organization's business requirements.

  9. To make sure that your process access controls
    meet your organization's security requirements.

  10. To make sure that your access control rules comply
    with your information dissemination policies.

  11. To make sure that your access control rules comply
    with your information authorization policies.

11.2 To manage user access rights.

  1. To control authorized access to information systems.

  2. To prevent unauthorized access to information systems.

  3. To establish formal procedures to control how the right
    to access information systems and services is allocated.

  4. To ensure that your access allocation procedure controls
    all stages of the users' access life cycle from initial user
    registration to final de-registration.

  5. To ensure that your access allocation procedure pays special
    attention to the allocation of privileged access rights which
    allow users to override normal system controls.

11.3 To encourage good access practices.

  1. To prevent unauthorized user access to your
    information and information processing facilities.

  2. To prevent information and information processing
    facilities from being exposed to possible loss or damage.

  3. To prevent the theft of information and information facilities.

  4. To ask authorized users to help you control access to your
    information systems and information processing facilities.

  5. To make authorized users responsible for helping you to control
    access to information and information processing facilities.

  6. To make users aware of what they must do to control access.

  7. To make users aware of what they must do to protect passwords.

  8. To make users aware of what they must do to protect equipment.

  9. To reduce the risk of unauthorized access or damage to papers,
    media, and facilities by implementing a clear desk policy.

  10. To reduce the risk of unauthorized access or damage to papers,
    media, and facilities by implementing a clear screen policy.

11.4 To control access to network services.

  1. To prevent unauthorized access to internal networked services.

  2. To prevent unauthorized access to external networked services.

  3. To control access to internal networked services.

  4. To control access to external networked services.

  5. To control access by using the appropriate interfaces between
    your network and networks owned by other organizations.

  6. To control access by using the appropriate interfaces
    between your network and public networks.

  7. To control access to networks by using the appropriate
    authentication mechanisms for users and equipment.

  8. To control user access to information services.

11.5 To control access to operating systems.

  1. To prevent unauthorized access to your operating systems.

  2. To restrict operating system access to authorized users.

  3. To establish ways of controlling access to operating systems.

  4. To make sure that your operating system access control
    methods comply with your access control policy.

  5. To make sure that your access control methods
    are capable of authenticating authorized users.

  6. To make sure that your access control methods are capable
    of recording successful and failed authentication attempts.

  7. To make sure that your access control methods are capable
    of recording the use and abuse of special system privileges.

  8. To make sure that your access control methods are capable
    of issuing alarms when system security policies are violated.

  9. To make sure that your access control methods are capable
    of restricting user connection time when appropriate.

11.6 To control access to applications and systems.

  1. To prevent unauthorized access to information
    held in your organization's application systems.

  2. To use security facilities to restrict logical access
    to your organization's application systems.

  3. To use security facilities to restrict logical access
    within your organization's application systems.

  4. To make sure that access to your application systems
    and information is regulated by a formal business
    access control policy.

  5. To make sure that your application systems control
    user access to application system functions.

  6. To make sure that your application systems control user
    access to information held within application systems.

  7. To make sure that application systems can prevent utilities,
    that are capable of overriding or bypassing system or
    application controls, from having unauthorized access.

  8. To make sure that your application systems can prevent
    operating system software, that is capable of overriding
    or bypassing controls, from having unauthorized access.

  9. To make sure that your application systems can prevent
    malicious software, that is capable of overriding or bypassing
    controls, from having unauthorized access.

  10. To make sure that your application systems do not compromise
    the security of other interrelated application systems.

11.7 To protect mobile and teleworking facilities.

  1. To make sure that information is protected when
    mobile computing facilities are being used.

  2. To make sure that your security initiatives address
    the risks that your mobile computing activities create.

  3. To make sure that your mobile security initiatives
    address the risks associated with having to work
    in an unprotected environment.

  4. To make sure that information is protected
    when teleworking facilities are being used.

  5. To make sure that your security initiatives address
    the risks that your teleworking activities create.

  6. To take steps to protect your teleworking sites.

  7. To establish arrangements that support and
    protect your organization's teleworking activities.

12. Systems Development and Maintenance Objectives

12.1 To identify information system security requirements.

  1. To make sure that security is part of your information systems.

  2. To identify the security requirements that your organization's
    information systems must meet before you start the system
    development process.

  3. To identify the security requirements that your information
    systems must meet before you implement these systems.

  4. To identify the security requirements that operating systems
    must meet before you develop or implement such systems.

  5. To identify the security requirements that business applications
    must meet before you develop or implement them.

  6. To identify the security requirements that user developed
    applications must meet before you implement them.

  7. To identify the security requirements that off-the-shelf
    products must meet before you implement or install them.

  8. To identify the security requirements that infrastructure must
    meet before you develop or implement your infrastructure.

  9. To identify the security requirements that services must
    meet before you develop or implement these services.

  10. To document the security requirements
    that your information systems must meet.

  11. To make sure that your documentation justifies and
    explains why security requirements must be met.

  12. To make sure that security is part of the business justification
    for developing or implementing your information systems.

12.2 To make sure applications process information correctly.

  1. To make sure that applications process information correctly.

  2. To prevent errors from occurring in applications.

  3. To prevent the loss of information in applications.

  4. To prevent the misuse of information in applications.

  5. To prevent the unauthorized modification of information.

  6. To make sure security controls are designed into applications.

  7. To design security controls into user developed applications.

  8. To use security controls to validate your input data.

  9. To use security controls to validate internal processing.

  10. To use security controls to validate your output data.

  11. To design additional security controls into systems that
    process valuable, sensitive, or critical information.

  12. To design additional security controls into systems that
    have an impact on valuable, sensitive, or critical assets.

  13. To use security risk assessments to identify security
    requirements and to select controls for systems.

12.3 To use cryptographic controls to protect your information.

  1. To use cryptographic controls to protect the confidentiality,
    authenticity, and integrity of your organization's information.

  2. To establish a policy on the use of cryptographic controls.

12.4 To protect and control your organization's system files.

  1. To ensure the security of your organization's system files.

  2. To control access to your organization's system files.

  3. To control access to your program source code.

  4. To make sure that IT projects and support activities
    do not compromise the security of your system files.

  5. To make sure that sensitive or critical data
    is not exposed in test environments.

12.5 To control development and support processes.

  1. To control your organization's information system
    development projects and support environments.

  2. To maintain the security of application system
    software throughout the development process.

  3. To maintain the security of information
    throughout the development process.

  4. To make sure that application system managers
    are also responsible for the security of development
    projects and support environments.

  5. To make sure that application system managers
    are responsible for ensuring that all system changes
    are checked in order to ensure that they do not
    compromise the security of the system.

  6. To make sure that application system managers
    are responsible for ensuring that all system changes
    are checked to ensure that they do not compromise
    the security of the operating environment.

13. Information Security Incident Management Objectives

13.1 To report information security events and weaknesses.

  1. To make sure that information system
    security incidents are promptly reported.

  2. To make sure that information system security
    events and weaknesses are promptly communicated.

  3. To make sure that information security incident reports and
    communications allow timely corrective actions to be taken.

  4. To establish formal security event reporting procedures.

  5. To establish formal security escalation procedures.

  6. To make sure that all employees know how to
    report information security events and weaknesses.

  7. To make sure that all contractors know how to
    report information security events and weaknesses.

  8. To make sure that all third party users know how to
    report information security events and weaknesses.

  9. To make sure that employees are officially required
    to report information security events and weaknesses
    to a designated point of contact.

  10. To make sure that contractors are officially required
    to report information security events and weaknesses
    to a designated point of contact.

  11. To make sure that third party users are officially required
    to report information security events and weaknesses
    to a designated point of contact.

13.2 To manage information security incidents and improvements.

  1. To make sure that your organization's information security incident
    management approach is both effective and consistently applied.

  2. To make people responsible for handling information security
    events and weaknesses once they have been reported.

  3. To establish procedures for handling information security
    events and weaknesses once they have been reported.

  4. To continually improve how you manage your
    organization's information security incidents.

  5. To continually improve how you respond to your
    organization's information security incidents.

  6. To continually improve how you monitor your
    organization's information security incidents.

  7. To continually improve how you evaluate your
    organization's information security incidents.

  8. To collect evidence about information security incidents
    whenever it is required in order to support legal action.

14. Business Continuity Management Objectives

14.1 To use continuity management to protect your information.

  1. To establish a business continuity management process.

  2. To use your business continuity management process
    to counteract interruptions in your business activities.

  3. To use your business continuity management process
    to protect your critical business processes during
    major information system failures.

  4. To use your business continuity management process
    to minimize the impact on your organization during
    major information system failures.

  5. To use your business continuity management process
    to ensure that essential operations are resumed
    as quickly as possible.

  6. To use your business continuity management process
    to ensure that lost information assets are recovered
    as quickly as possible.

  7. To use your business continuity management process
    to recover information assets that have been lost or
    damaged by natural disasters.

  8. To use your business continuity management process
    to recover information assets that have been lost or
    damaged by equipment failures.

  9. To use your business continuity management process
    to recover information assets that have been lost or
    damaged by deliberate action.

  10. To use your business continuity management process
    to recover information assets that have been lost or
    damaged by accidents.

  11. To use your business continuity management process
    to integrate the need to restore critical business
    processes with the need to also restore information
    assets after a business interruption.

  12. To use your business continuity management process
    to integrate the need to restore critical operations
    with the need to also restore information assets
    after a business interruption.

  13. To use your business continuity management process
    to integrate the need to restore critical facilities with
    the need to also restore information assets after
    a business interruption.

  14. To use your business continuity management process
    to integrate the need to restore critical materials with
    the need to also restore information assets after
    a business interruption.

  15. To use your business continuity management process
    to integrate the need to restore critical staffing levels
    with the need to also restore information assets after
    a business interruption.

  16. To use your business continuity management process
    to integrate the need to restore critical transportation
    systems with the need to also restore information
    assets after a business interruption.

  17. To carry out a business impact analysis in order to identify
    and evaluate the impact that major destructive events
    could have on your critical business processes.

  18. To analyze the impact that disasters could
    have on your critical business processes.

  19. To analyze the impact that security failures
    could have on critical business processes.

  20. To analyze the impact that a loss of service
    could have on critical business processes.

  21. To analyze the impact that unavailable services
    could have on critical business processes.

  22. To develop and implement business continuity plans
    in order to ensure that essential operations can be
    restored within a reasonable period of time.

  23. To make sure that information security is integrated into
    your organization's overall business continuity process.

  24. To make sure that information security is integrated into
    your organization's many management processes.

  25. To establish preventive controls that you can use
    to help prevent the loss of information assets.

  26. To establish recovery controls that you can use to help
    restore information assets after a business interruption.

  27. To establish controls that can help you to identify risks.

  28. To establish controls that can help you to reduce risks.

  29. To establish controls that can help you to limit the
    damage that serious incidents could cause.

  30. To establish controls that can help you to ensure that
    business process information is readily available.

15. Compliance Management Objectives

15.1 To comply with legal requirements.

  1. To make sure that your information systems comply
    with all relevant statutory security requirements.

  2. To make sure that your information systems comply
    with all relevant regulatory security requirements.

  3. To make sure that your information systems comply
    with all relevant contractual security requirements.

  4. To design your information systems in compliance
    with all relevant statutory, regulatory, and
    contractual security requirements.

  5. To operate your information systems in compliance
    with all relevant statutory, regulatory, and
    contractual security requirements.

  6. To manage your information systems in compliance
    with all relevant statutory, regulatory, and
    contractual security requirements.

  7. To make sure that the users of your information systems
    comply with all relevant statutory, regulatory, and
    contractual security requirements.

  8. To consult with legal experts in order to ensure that your
    information systems comply with all relevant national
    and international legal security requirements.

15.2 To perform security compliance reviews.

  1. To make sure that your systems comply
    with your organization's security policies.

  2. To make sure that your systems comply with
    your organization's security standards.

  3. To review the security of your information systems.

  4. To make sure that your information security
    reviews are carried out on a regular basis.

  5. To review the security of your information systems by
    examining how well they comply with security policies.

  6. To audit your technical platforms and information systems
    by examining how well they comply with relevant security
    implementation standards.

  7. To audit your technical platforms and information systems
    by examining how well they comply with documented
    security control requirements.

15.3 To carry out controlled information system audits.

  1. To perform audits of your information systems.

  2. To establish controls to safeguard operational systems
    while information system audits are being performed.

  3. To establish controls to safeguard audit software and data
    files while information system audits are being performed.

  4. To establish controls to safeguard the integrity of audit tools.

  5. To establish controls to prevent the misuse of audit tools.


Updated on March 27, 2014. First published on January 10, 2006.

Praxiom Research Group Limited       780-461-4514       help@praxiom.com

Copyright © 2006 - 2014 by Praxiom Research Group Limited. All Rights Reserved.