ISO 27002 (17799)*

PLAIN ENGLISH INFORMATION

SECURITY CONTROL OBJECTIVES

5. Security Policy Management Objectives

5.1 Establish a comprehensive information security policy.

1. Establish a comprehensive information security policy.

2. Make sure that your information security policy provides
   clear direction for your information security program.

3. Make sure that your information security policy shows that
   your management is committed to information security.

4. Make sure that your management supports
   your organization’s information security policy.

5. Make sure that your information security policy
   shows that your management is prepared to support
   an ongoing commitment to information security.

6. Make sure that your information security policy
   is consistent with your business objectives.

7. Make sure that your information security policy
   meets your organization’s business requirements.

8. Make sure that your information security policy
   complies with all relevant laws and regulations.

6. Corporate Security Management Objectives

6.1 Establish an internal security organization.

1. Establish a management framework to control how
   your organization implements information security.

2. Make sure that your management approves
   your organization’s information security policy.

3. Make sure that management assigns security roles.

4. Make sure that your management coordinates the
   implementation of security across your organization.

5. Make sure that your management reviews the
   implementation of security across your organization.

6. Make sure that you have access to information security
   experts and advisors within your own organization.

7. Make sure that your internal experts are able to
   provide specialized information security advice.

8. Make sure that you have access to external
   security experts, advisors, and authorities.

9. Use your external advisors to help you
   monitor changes in security standards.

10. Use your external advisors to help you monitor
    changes in security assessment methods.

11. Use your external advisors to help you
    keep up with industrial security trends.

12. Make sure that your external information security experts
    and advisors can help you to deal with security incidents.

13. Make sure that your organization encourages the use
    of a multi disciplinary approach to information security.

6.2 Control external party use of your information.

1. Maintain the security of your organization’s information
   whenever it is being accessed by external parties.

2. Maintain the security of your organization’s information
   whenever it is being processed by external parties.

3. Maintain the security of your organization’s information
   whenever it is being managed by external parties.

4. Maintain the security of your organization’s
   information processing facilities whenever
   they are being managed by external parties.

5. Maintain the security of your organization’s
   information processing facilities whenever
   they are being accessed by external parties.

6. Maintain the security of your organization’s
   information processing facilities whenever
   information is processed by external parties.

7. Maintain the security of your information processing
   facilities whenever external parties are allowed to
   communicate with these facilities.

8. Make sure that the security of your organization’s
   information processing facilities is not compromised
   by the influence of external party products or services.

9. Make sure that the security of your information is not
   compromised by external party products or services.

10. Control external party access to your information.

11. Control external party access to your
    information processing facilities.

12. Control how external parties process your information.

13. Control how external parties use your organization’s
    information for communication purposes.

14. Carry out a risk assessment whenever there is
    a business need to allow external parties to access
    your organization’s information processing facilities.

15. Make sure that your risk assessments examine security
    implications whenever there is a need to allow external
    parties to access your information processing facilities.

16. Make sure that your risk assessments identify your control
    requirements whenever there is a need to allow external
    parties to access your information processing facilities.

17. Establish agreements that identify the controls that must
    be applied whenever there is a need to allow external
    parties to access your information processing facilities.

18. Carry out a risk assessment whenever there is a business
    need to allow external parties to access your information.

19. Make sure that your risk assessments examine security
    implications whenever there is a need to allow external
    parties to access your information.

20. Make sure that your risk assessments identify your control
    requirements whenever there is a need to allow external
    parties to access your information.

21. Establish agreements that identify the controls that must
    be applied whenever there is a need to allow external
    parties to access your information.

7. Organizational Asset Management Objectives

7.1 Establish responsibility for your organization's assets.

1. Protect your organization’s assets.

2. Use controls to protect your assets.

3. Account for your organization’s assets.

4. Nominate owners for all organizational assets.

5. Make nominated owners responsible for
   protecting your organization’s assets.

6. Assign responsibility for the maintenance of asset controls.

7. Make your asset owners responsible for protecting your
   organization’s assets even though owners may have
   delegated the responsibility for implementing controls.

7.2 Use an information classification system.

1. Provide an appropriate level of protection
   for your organization’s information.

2. Establish an information classification system.

3. Use your classification system to define security levels.

4. Specify how much protection is expected at each level.

5. Assign a security priority to each information security level.

6. Use your organization’s information classification system
   to specify how information should be protected at each level.

7. Use your organization’s information classification system
   to specify how information should be handled at each level.

8. Human Resource Security Management Objectives

8.1 Emphasize security prior to employment.

1. Reduce the risk of theft, fraud, or misuse of facilities by
   making sure that all prospective employees understand
   their responsibilities before you hire them.

2. Reduce the risk of theft, fraud, or misuse of facilities by
   making sure that all prospective contractors understand
   their responsibilities before you hire them.

3. Reduce the risk of theft, fraud, or misuse of facilities by
   making sure that all third-party users understand their
   responsibilities before you allow them to use your facilities.

4. Reduce the risk of theft, fraud, or misuse of facilities by
   making sure that all prospective employees are suitable
   given the roles that they will be asked to carry out.

5. Reduce the risk of theft, fraud, or misuse of facilities by
   making sure that all prospective contractors are suitable
   given the tasks that they will be asked to carry out.

6. Reduce the risk of theft, fraud, or misuse of facilities by
   making sure that all third party users are suitable before
   you allow them to use your facilities.

7. Use job descriptions to specify the security responsibilities
   that new personnel will be asked to carry out.

8. Use employment terms and conditions to specify the security
   responsibilities that new personnel will be asked to carry out.

9. Screen all employees before you hire them, especially
   when they will be asked to perform sensitive jobs.

10. Screen all contractors before you hire them, especially
    when they will be asked to provide sensitive services.

11. Screen all third-party users, especially when they
    will be allowed to access sensitive information.

12. Ask prospective employees to sign agreements that
    specify what their security roles and responsibilities are.

13. Ask prospective contractors to sign agreements that
    specify what their security roles and responsibilities are.

14. Ask prospective third-party users to sign agreements that
    specify what their security roles and responsibilities are.

8.2 Emphasize security during employment.

1. Emphasize the need to protect your information.

2. Emphasize the need to reduce risk of human error.

3. Make employees aware of information
   security threats and concerns.

4. Make contractors aware of information
   security threats and concerns.

5. Make third party users aware of information
   security threats and concerns.

6. Make employees aware of their
   information security responsibilities.

7. Make contractors aware of their
   information security responsibilities.

8. Make third party users aware of their
   information security responsibilities.

9. Make employees aware of their
   information security liabilities.

10. Make contractors aware of their
    information security liabilities.

11. Make third party users aware of
    their information security liabilities.

12. Make sure that employees know how to support and
    apply your security policy during the course of their work.

13. Make sure that contractors know how to support and
    apply your security policy during the course of their work.

14. Make sure that third party users know how to support and
    apply your security policy during the course of their work.

15. Make managers responsible for ensuring that employees
    carry out their security responsibilities throughout the
    course of their employment with your organization.

16. Provide an adequate level of security education
    and training to your organization’s employees.

17. Provide an adequate level of security education
    and training to your organization’s contractors.

18. Provide an adequate level of security education
    and training to all third party users.

19. Minimize your security risk by ensuring that employees
    know how to use your organization’s security procedures.

20. Minimize your security risk by ensuring that contractors
    know how to use your organization’s security procedures.

21. Minimize your security risk by ensuring that third party
    users know how to use your security procedures.

22. Minimize your security risk by ensuring that employees
    know how to use your information processing facilities.

23. Minimize your security risk by ensuring that contractors
    know how to use your information processing facilities.

24. Minimize your security risk by ensuring that third party users
    know how to use your information processing facilities.

25. Establish a formal disciplinary process that
    must be used to handle security breaches.

8.3 Emphasize security at termination of employment.

1. Control how employees are terminated.

2. Control how contractors are terminated.

3. Control how third party users are terminated.

4. Control how employees are reassigned.

5. Control how contractors are reassigned.

6. Control how third party users are reassigned.

7. Make sure that employees, contractors, and third party
   users exit your organization in an orderly manner.

8. Make sure that employees, contractors, and third party
   users change their work assignments in an orderly manner.

9. Make managers responsible for controlling how employees,
   contractors, and third party users are terminated or reassigned.

10. Make sure that all equipment is returned when
    employees, contractors, or third party users
    are terminated or reassigned.

11. Make sure that all access rights and privileges
    are removed when employees, contractors, or
    third party users are terminated or reassigned.

9. Physical and Environmental Security Management Objectives

9.1 Use secure areas to protect facilities.

1. Use physical methods to prevent unauthorized access
   to your organization’s information and premises.

2. Use physical methods to prevent people from
   damaging your information and premises.

3. Use physical methods to prevent people from
   interfering with your information and premises.

4. Keep your organization’s critical or sensitive
   information processing facilities in secure areas.

5. Use defined security perimeters to protect your
   critical or sensitive information processing facilities.

6. Use appropriate security barriers to protect your
   critical or sensitive information processing facilities.

7. Use entry controls to protect your critical or
   sensitive information processing facilities.

8. Make sure that your physical protection methods
   are commensurate with identified security risks.

9.2 Protect your organization's equipment.

1. Prevent damage to your organization’s equipment.

2. Prevent the loss of your organization’s equipment.

3. Prevent the theft of your organization’s equipment.

4. Protect your equipment from physical threats.

5. Protect your equipment from environmental threats.

6. Protect equipment in order to avoid work interruptions.

7. Protect equipment in order to avoid unauthorized
   access to your organization’s information.

8. Protect your equipment through proper disposal.

9. Use secure siting strategies to protect your equipment.

10. Use special controls to safeguard supporting facilities.

10. Communications and Operations Management Objectives

10.1 Establish procedures and responsibilities.

1. Define responsibilities that explain how information
   processing facilities should be managed and operated.

2. Assign responsibility for the management and operation
   of your organization’s information processing facilities.

3. Establish procedures to operate and control your
   organization’s information processing facilities.

4. Use procedures to ensure that information processing
   facilities are always secure and operated correctly.

5. Segregate information processing duties in order to prevent
   damage or misuse caused by negligence or sabotage.

10.2 Control third party service delivery.

1. Control how third parties deliver
   services to your organization.

2. Make sure that third parties comply with
   your information security requirements.

3. Make sure that third parties comply with
   third party service delivery agreements.

4. Make sure that third parties maintain an appropriate level
   of information security for the duration of their contracts.

5. Monitor third parties in order to ensure that service
   delivery continues to comply with third party agreements.

6. Control changes to third party service delivery agreements
   in order to ensure that they comply with all requirements.

10.3 Carry out future system planning activities.

1. Avoid future system failures by developing plans to
   ensure that adequate information processing capacity
   and resources will be available in the future.

2. Avoid future system failures by projecting what your
   system performance requirements will be in the future.

3. Avoid future system overloads by projecting what
   your information processing capacity and resource
   requirements will be in the future.

4. Establish the operational requirements of new
   systems prior to their acceptance and use.

5. Document the operational requirements of new
   systems prior to their acceptance and use.

6. Test the operational requirements of new
   systems prior to their acceptance and use.

10.4 Protect against malicious and mobile code.

1. Protect the integrity of your software.

2. Protect the integrity of your information.

3. Prevent the introduction of malicious
   code and unauthorized mobile code.

4. Detect the introduction of malicious
   code and unauthorized mobile code.

5. Protect your organization's software and information
   processing facilities against computer viruses.

6. Protect your software and information
   processing facilities against network worms.

7. Protect your software and information
   processing facilities against Trojan horses.

8. Protect your software and information
   processing facilities against logic bombs.

9. Make users aware of the dangers and the
   damage that malicious code can cause.

10. Make sure that your managers have established
    controls that staff can use to prevent malicious code.

11. Make sure that your managers have established controls
    that staff can use to detect the existence of malicious code.

12. Make sure that your managers have established
    controls that staff can use to remove malicious code.

13. Make sure that your managers have
    taken steps to control mobile code.

10.5 Establish backup procedures.

1. Maintain the availability and integrity of your information and
   information processing facilities by backing up your data.

2. Develop procedures to implement your
   data backup policy and strategy.

3. Develop data restoration procedures and make
   sure that restoration activities are rehearsed.

10.6 Protect computer networks.

1. Protect the information on your networks.

2. Protect the infrastructure that supports your networks.

3. Protect networks that span organizational boundaries.

4. Protect sensitive information passing over public networks.

10.7 Control how media are handled.

1. Control your organization’s media.

2. Protect your organization’s media.

3. Prevent unauthorized disclosure by protecting your media.

4. Prevent unauthorized modifications by protecting your media.

5. Prevent the removal of assets by protecting your media.

6. Prevent the destruction of assets by protecting your media.

7. Prevent business interruptions by protecting your media.

8. Establish operating procedures to protect your documents.

9. Establish operating procedures to protect computer media.

10. Establish operating procedures to protect input/output data.

11. Establish procedures to protect system documentation.

12. Make sure that your operating procedures
    prevent unauthorized disclosures.

13. Make sure that your operating procedures prevent
    the unauthorized modification of your media.

14. Make sure that your operating procedures prevent
    the unauthorized destruction of your media.

15. Make sure that your operating procedures prevent
    the unauthorized removal of your media.

10.8 Protect exchange of information.

1. Protect and control the exchange of
   information within your own organization.

2. Protect and control the exchange of
   software within your own organization.

3. Protect and control the exchange of information between
   your organization and other external organizations.

4. Protect and control the exchange of software between
   your organization and other external organizations.

5. Establish a formal policy to control how information
   and software is exchanged between organizations.

6. Use formal agreements to control how information
   and software is exchanged between organizations.

7. Comply with all relevant legislation that governs and
   controls the exchange of information and software
   between organizations (also see clause 15 below).

8. Establish procedures to protect information and physical
   media exchanged within or between organizations.

9. Establish standards to protect information and physical
   media exchanged within or between organizations.

10.9 Protect electronic commerce services.

1. Make sure that your organization’s electronic
   commerce (ecommerce) services are secure.

2. Make sure that ecommerce service usage is secure.

3. Consider security if you use ecommerce services.

4. Consider security if you process online transactions.

5. Protect the integrity of information that is
   published using publicly accessible systems.

6. Protect the availability of information that is
   published using publicly accessible systems.

7. Establish controls to protect ecommerce activities.

10.10 Monitor information processing facilities.

1. Monitor information processing systems
   in order to detect unauthorized activities.

2. Record your information security events.

3. Use operator logs to detect information system problems.

4. Use fault logging to detect information system problems.

5. Make sure that your information monitoring and logging
   activities comply with all relevant legal requirements.

6. Use system monitoring to check how effective controls are.

7. Use system monitoring to verify that information processing
   activities comply with your organization’s access policy.

11. Information Access Control Management Objectives

11.1 Control access to information.

1. Control access to your organization’s information.

2. Make sure that your information access controls
   meet your organization’s business requirements.

3. Make sure that your information access controls
   meet your organization’s security requirements.

4. Control access to information processing facilities.

5. Make sure that your facility access controls meet
   your organization’s business requirements.

6. Make sure that your facility access controls meet
   your organization’s security requirements.

7. Control access to your business processes.

8. Make sure that your process access controls
   meet your organization’s business requirements.

9. Make sure that your process access controls
   meet your organization’s security requirements.

10. Make sure that your access control rules comply
    with your information dissemination policies.

11. Make sure that your access control rules comply
    with your information authorization policies.

11.2 Manage user access rights.

1. Control authorized access to information systems.

2. Prevent unauthorized access to information systems.

3. Establish formal procedures to control how the right to
   access information systems and services is allocated.

4. Ensure that your access allocation procedure controls
   all stages of the users’ access life cycle from initial user
   registration to final de-registration.

5. Ensure that your access allocation procedure pays special
   attention to the allocation of privileged access rights which
   allow users to override normal system controls.

11.3 Encourage good access practices.

1. Prevent unauthorized user access to your
   information and information processing facilities.

2. Prevent information and information processing facilities
   from being exposed to possible loss or damage.

3. Prevent the theft of information and information facilities.

4. Ask authorized users to help you control access to your
   information systems and information processing facilities.

5. Make authorized users responsible for helping you to control
   access to information and information processing facilities.

6. Make users aware of what they must do to control access.

7. Make users aware of what they must do to protect passwords.

8. Make users aware of what they must do to protect equipment.

9. Reduce the risk of unauthorized access or damage to papers,
   media, and facilities by implementing a clear desk policy.

10. Reduce the risk of unauthorized access or damage to papers,
    media, and facilities by implementing a clear screen policy.

11.4 Control access to network services.

1. Prevent unauthorized access to internal networked services.

2. Prevent unauthorized access to external networked services.

3. Control access to internal networked services.

4. Control access to external networked services.

5. Control access by using the appropriate interfaces between
   your network and networks owned by other organizations.

6. Control access by using the appropriate interfaces
   between your network and public networks.

7. Control access to networks by using the appropriate
   authentication mechanisms for users and equipment.

8. Control user access to information services.

11.5 Control access to operating systems.

1. Prevent unauthorized access to your operating systems.

2. Restrict operating system access to authorized users.

3. Establish ways of controlling access to operating systems.

4. Make sure that your operating system access control
   methods comply with your access control policy.

5. Make sure that your access control methods
   are capable of authenticating authorized users.

6. Make sure that your access control methods are capable
   of recording successful and failed authentication attempts.

7. Make sure that your access control methods are capable
   of recording the use and abuse of special system privileges.

8. Make sure that your access control methods are capable
   of issuing alarms when system security policies are violated.

9. Make sure that your access control methods are capable
   of restricting user connection time when appropriate.

11.6 Control access to applications and systems.

1. Prevent unauthorized access to information
   held in your organization’s application systems.

2. Use security facilities to restrict logical access
   to your organization’s application systems.

3. Use security facilities to restrict logical access
   within your organization’s application systems.

4. Make sure that access to your application systems
   and information is regulated by a formal business
   access control policy.

5. Make sure that your application systems control
   user access to application system functions.

6. Make sure that your application systems control user
   access to information held within application systems.

7. Make sure that application systems can prevent utilities,
   that are capable of overriding or bypassing system or
   application controls, from having unauthorized access.

8. Make sure that your application systems can prevent
   operating system software, that is capable of overriding
   or bypassing controls, from having unauthorized access.

9. Make sure that your application systems can prevent malicious
   software, that is capable of overriding or bypassing controls,
   from having unauthorized access.

10. Make sure that your application systems do not compromise
    the security of other interrelated application systems.

11.7 Protect mobile and teleworking facilities.

1. Make sure that information is protected when
   mobile computing facilities are being used.

2. Make sure that your security initiatives address the
   risks that your mobile computing activities create.

3. Make sure that your mobile security initiatives
   address the risks associated with having to work
   in an unprotected environment.

4. Make sure that information is protected
   when teleworking facilities are being used.

5. Make sure that your security initiatives address
   the risks that your teleworking activities create.

6. Take steps to protect your teleworking sites.

7. Establish arrangements that support and protect
   your organization’s teleworking activities.

12. Systems Development and Maintenance Objectives

12.1 Identify information system security requirements.

1. Make sure that security is part of your information systems.

2. Identify the security requirements that your organization’s
   information systems must meet before you start the system
   development process.

3. Identify the security requirements that your information
   systems must meet before you implement these systems.

4. Identify the security requirements that operating systems
   must meet before you develop or implement such systems.

5. Identify the security requirements that business applications
   must meet before you develop or implement them.

6. Identify the security requirements that user developed
   applications must meet before you implement them.

7. Identify the security requirements that off-the-shelf
   products must meet before you implement or install them.

8. Identify the security requirements that infrastructure must
   meet before you develop or implement your infrastructure.

9. Identify the security requirements that services must
   meet before you develop or implement these services.

10. Document the security requirements that
    your information systems must meet.

11. Make sure that your documentation justifies and
    explains why security requirements must be met.

12. Make sure that security is part of the business justification
    for developing or implementing your information systems.

12.2 Make sure applications process information correctly.

1. Make sure that applications process information correctly.

2. Prevent errors from occurring in applications.

3. Prevent the loss of information in applications.

4. Prevent the misuse of information in applications.

5. Prevent the unauthorized modification of information.

6. Make sure security controls are designed into applications.

7. Design security controls into user developed applications.

8. Use security controls to validate your input data.

9. Use security controls to validate internal processing.

10. Use security controls to validate your output data.

11. Design additional security controls into systems that
    process valuable, sensitive, or critical information.

12. Design additional security controls into systems that
    have an impact on valuable, sensitive, or critical assets.

13. Use security risk assessments to identify security
    requirements and to select controls for systems.

12.3 Use cryptographic controls to protect your information.

1. Use cryptographic controls to protect the confidentiality,
   authenticity, and integrity of your organization’s information.

2. Establish a policy on the use of cryptographic controls.

12.4 Protect and control your organization's system files.

1. Ensure the security of your organization’s system files.

2. Control access to your organization’s system files.

3. Control access to your program source code.

4. Make sure that IT projects and support activities do
   not compromise the security of your system files.

5. Make sure that sensitive or critical data
   is not exposed in test environments.

12.5 Control development and support processes.

1. Control your organization’s information system
   development projects and support environments.

2. Maintain the security of application system
   software throughout the development process.

3. Maintain the security of information
   throughout the development process.

4. Make sure that application system managers are
   also responsible for the security of development
   projects and support environments.

5. Make sure that application system managers are
   responsible for ensuring that all system changes
   are checked in order to ensure that they do not
   compromise the security of the system.

6. Make sure that application system managers are
   responsible for ensuring that all system changes
   are checked to ensure that they do not compromise
   the security of the operating environment.

13. Information Security Incident Management Objectives

13.1 Report information security events and weaknesses.

1. Make sure that information system
   security incidents are promptly reported.

2. Make sure that information system security events
   and weaknesses are promptly communicated.

3. Make sure that information security incident reports and
   communications allow timely corrective actions to be taken.

4. Establish formal security event reporting procedures.

5. Establish formal security escalation procedures.

6. Make sure that all employees know how to report
   information security events and weaknesses.

7. Make sure that all contractors know how to report
   information security events and weaknesses.

8. Make sure that all third party users know how to
   report information security events and weaknesses.

9. Make sure that employees are officially required to
   report information security events and weaknesses
   to a designated point of contact.

10. Make sure that contractors are officially required to
    report information security events and weaknesses
    to a designated point of contact.

11. Make sure that third party users are officially required
    to report information security events and weaknesses
    to a designated point of contact.

13.2 Manage information security incidents and improvements.

1. Make sure that your organization's information security incident
   management approach is both effective and consistently applied.

2. Make people responsible for handling information security
   events and weaknesses once they have been reported.

3. Establish procedures for handling information security
   events and weaknesses once they have been reported.

4. Continually improve how you manage your
   organization’s information security incidents.

5. Continually improve how you respond to your
   organization’s information security incidents.

6. Continually improve how you monitor your
   organization’s information security incidents.

7. Continually improve how you evaluate your
   organization’s information security incidents.

8. Collect evidence about information security incidents
   whenever it is required in order to support legal action.

14. Business Continuity Management Objectives

14.1 Use continuity management to protect your information.

1. Establish a business continuity management process.

2. Use your business continuity management process
   to counteract interruptions in your business activities.

3. Use your business continuity management process
   to protect your critical business processes during
   major information system failures.

4. Use your business continuity management process
   to minimize the impact on your organization during
   major information system failures.

5. Use your business continuity management process
   to ensure that essential operations are resumed
   as quickly as possible.

6. Use your business continuity management process
   to ensure that lost information assets are recovered
   as quickly as possible.

7. Use your business continuity management process
   to recover information assets that have been lost or
   damaged by natural disasters.

8. Use your business continuity management process
   to recover information assets that have been lost or
   damaged by equipment failures.

9. Use your business continuity management process
   to recover information assets that have been lost or
   damaged by deliberate action.

10. Use your business continuity management process
    to recover information assets that have been lost or
    damaged by accidents.

11. Use your business continuity management process
    to integrate the need to restore critical business
    processes with the need to also restore information
    assets after a business interruption.

12. Use your business continuity management process
    to integrate the need to restore critical operations
    with the need to also restore information assets
    after a business interruption.

13. Use your business continuity management process
    to integrate the need to restore critical facilities with
    the need to also restore information assets after
    a business interruption.

14. Use your business continuity management process
    to integrate the need to restore critical materials with
    the need to also restore information assets after
    a business interruption.

15. Use your business continuity management process
    to integrate the need to restore critical staffing levels
    with the need to also restore information assets after
    a business interruption.

16. Use your business continuity management process
    to integrate the need to restore critical transportation
    systems with the need to also restore information
    assets after a business interruption.

17. Carry out a business impact analysis in order to identify
    and evaluate the impact that major destructive events
    could have on your critical business processes.

18. Analyze the impact that disasters could
    have on your critical business processes.

19. Analyze the impact that security failures
    could have on critical business processes.

20. Analyze the impact that a loss of service
    could have on critical business processes.

21. Analyze the impact that unavailable services
    could have on critical business processes.

22. Develop and implement business continuity plans
    in order to ensure that essential operations can be
    restored within a reasonable period of time.

23. Make sure that information security is integrated into
    your organization’s overall business continuity process.

24. Make sure that information security is integrated into
    your organization’s many management processes.

25. Establish preventive controls that you can use
    to help prevent the loss of information assets.

26. Establish recovery controls that you can use to help
    restore information assets after a business interruption.

27. Establish controls that can help you to identify risks.

28. Establish controls that can help you to reduce risks.

29. Establish controls that can help you to limit the
    damage that serious incidents could cause.

30. Establish controls that can help you to ensure that
    business process information is readily available.

15. Compliance Management Objectives

15.1 Comply with legal requirements.

1. Make sure that your information systems comply
   with all relevant statutory security requirements.

2. Make sure that your information systems comply
   with all relevant regulatory security requirements.

3. Make sure that your information systems comply
   with all relevant contractual security requirements.

4. Design your information systems in compliance
   with all relevant statutory, regulatory, and
   contractual security requirements.

5. Operate your information systems in compliance
   with all relevant statutory, regulatory, and
   contractual security requirements.

6. Manage your information systems in compliance
   with all relevant statutory, regulatory, and
   contractual security requirements.

7. Make sure that the users of your information systems
   comply with all relevant statutory, regulatory, and
   contractual security requirements.

8. Consult with legal experts in order to ensure that your
   information systems comply with all relevant national
   and international legal security requirements.

15.2 Perform security compliance reviews.

1. Make sure that your systems comply
   with your organization’s security policies.

2. Make sure that your systems comply with
   your organization’s security standards.

3. Review the security of your information systems.

4. Make sure that your information security
   reviews are carried out on a regular basis.

5. Review the security of your information systems by
   examining how well they comply with security policies.

6. Audit your technical platforms and information systems
   by examining how well they comply with relevant security
   implementation standards.

7. Audit your technical platforms and information systems
   by examining how well they comply with documented
   security control requirements.

15.3 Carry out controlled information system audits.

1. Perform audits of your information systems.

2. Establish controls to safeguard operational systems
   while information system audits are being performed.

3. Establish controls to safeguard audit software and data
   files while information system audits are being performed.

4. Establish controls to safeguard the integrity of audit tools.

5. Establish controls to prevent the misuse of audit tools.

If you need a detailed and complete interpretation
of ISO IEC 27002 2005, please consider purchasing our
Title 37: ISO IEC 27002 (17799) Translated into Plain English.

Our plain English ISO 27002 standard is 263 pages long.
It includes all information security objectives, controls,
implementation guidelines, and supporting notes.

Check out our Title 37 Table of Contents
Preview a detailed SAMPLE of Title 37
Check our Prices. Place an Order
Check our License Agreement.

 Our Title 37 provides a detailed, accurate, and complete
interpretation of  ISO IEC 27002 2005. It uses language that
is clear, precise, and easy to understand. We guarantee it! 

Introduction to ISO 27002 (17799) Information Security Standard

Overview of the ISO 27002 (17799) Information Security Standard

ISO 27002 (17799) Information Security Translated into Plain English

ISO 27002 (17799) Information Security Management Audit Tool

Introduction to ISO 27001 Information Security

Comparison of ISO 27001 2005 and ISO 17799 2005

Overview of ISO 27001 2005 Information Security Standard

ISO 27001 2005 Information Security Standard in Plain English

ISO 27001 2005 Information Security Management Gap Analysis Tool

PRAXIOM RESEARCH GROUP LIMITED
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Telephone: (780)461-4514 info@praxiom.com

Updated on October 21, 2009. On the Web since May 25, 1997.