ISO IEC 27002 2005


ISO IEC 27002 2005 is now OBSOLETE. Please see ISO IEC 27002 2013.

5. Security Policy Management


5.1  Establish security policy

5.1.1  Develop an information security policy document.

5.1.2  Review your information security policy document.


6. Corporate Security Management


6.1  Establish an
internal security

6.1.1  Make an active commitment to information security.

6.1.2  Coordinate information security implementation.

6.1.3  Allocate information security responsibilities and authorities.

6.1.4  Establish an authorization process for new facilities.

6.1.5  Use confidentiality agreements to protect your information.

6.1.6  Maintain relationships with other organizations.

6.1.7  Maintain relationships with your special interest groups.

6.1.8  Perform independent information system reviews.



6.2  Control external
party use of your

6.2.1  Identify risks related to the use of external parties.

6.2.2  Address security before customers are given access.

6.2.3  Address security using third party agreements.


7. Organizational Asset Management


7.1  Establish
for your assets

7.1.1  Compile an inventory of organizational

7.1.2  Select owners for your information and assets.

7.1.3  Establish acceptable-use rules for information and assets.



7.2  Use an

7.2.1  Develop information classification guidelines.

7.2.2  Use information handling and labeling procedures.


8. Human Resource Security Management


8.1  Emphasize
security prior to

8.1.1  Define all security roles and responsibilities.

8.1.2  Verify the backgrounds of all new personnel.

8.1.3  Use contracts to protect your information assets.



8.2  Emphasize
security during

8.2.1  Expect your managers to emphasize security.

8.2.2  Deliver relevant information security training programs.

8.2.3  Set up an official disciplinary process for security breaches.



8.3  Emphasize
security at the
termination  of

8.3.1  Assign responsibility for termination or reassignment.

8.3.2  Make sure that assets are returned at termination.

8.3.3  Remove information access rights at termination.


9. Physical and Environmental Security Management


9.1  Use security areas to protect your facilities

9.1.1  Use physical security perimeters to protect areas.

9.1.2  Use physical entry controls to protect secure areas.

9.1.3  Secure your organization's offices, rooms, and facilities.

9.1.4  Protect your facilities from natural and human threats.

9.1.5  Use work guidelines to protect secure areas.

9.1.6  Isolate and control public access points.



9.2  Protect

9.2.1  Use equipment siting and protection strategies.

9.2.2  Make sure that supporting utilities are reliable.

9.2.3  Secure all power and telecommunications cables.

9.2.4  Maintain your equipment.

9.2.5  Protect off‑site equipment.

9.2.6  Control disposal and re‑use.

9.2.7  Control use of assets off‑site.


10. Communications and Operations Management


10.1  Establish
procedures and

10.1.1  Document all of your operating procedures.

10.1.2  Control changes to facilities and systems.

10.1.3  Segregate all duties and responsibilities.

10.1.4  Separate development and operations activities.



10.2  Control third
party service

10.2.1  Manage third party service agreements.

10.2.2  Monitor third party service delivery.

10.2.3  Control changes to third party services.



10.3  Carry out
system planning

10.3.1  Monitor usage and carry out capacity planning.

10.3.2  Use acceptance criteria to test your systems.



10.4  Protect against malicious and mobile code

10.4.1  Establish controls to handle malicious code.

10.4.2  Control the use of mobile code.



10.5  Establish your backup procedures

10.5.1  Backup your information and software assets.



10.6  Protect your computer networks

10.6.1  Establish network security controls.

10.6.2  Control network service providers.



10.7  Control
how media are

10.7.1  Manage removable media.

10.7.2  Manage the disposal of your organization's media.

10.7.3  Control information handling and storage.

10.7.4  Protect your system



10.8  Protect
exchange of

10.8.1  Establish information exchange policies and procedures.

10.8.2  Establish information and software exchange agreements.

10.8.3  Safeguard the transportation of your physical media.

10.8.4  Protect your electronic messaging and messages.

10.8.5  Protect interconnected information systems.



10.9  Protect

10.9.1  Protect information that is involved in ecommerce.

10.9.2  Protect your on‑line transaction information.

10.9.3  Protect all information available on public systems.



10.10  Monitor

10.10.1  Establish audit logs.

10.10.2  Monitor information processing facilities.

10.10.3  Protect logging facilities and log information.

10.10.4  Log system administrator and operator activities.

10.10.5  Log information processing and communication faults.

10.10.6  Synchronize your system clocks.


11. Information Access Control Management


11.1  Control access to information

11.1.1  Develop a policy to control access to information.



11.2  Manage user access rights

11.2.1  Establish a user access control procedure.

11.2.2  Control the management of system privileges.

11.2.3  Establish a process to manage passwords.

11.2.4  Review user access rights and privileges.



11.3  Encourage
good access

11.3.1  Expect users to protect their passwords.

11.3.2  Expect users to protect their equipment.

11.3.3  Establish a clear‑desk and clear‑screen policy.



11.4  Control access
to your networked

11.4.1  Formulate a policy on the use of networks.

11.4.2  Authenticate remote user connections.

11.4.3  Use automatic equipment identification methods.

11.4.4  Control access to diagnostic and configuration ports.

11.4.5  Use segregation methods to protect your networks.

11.4.6  Restrict connection to shared networks.

11.4.7  Establish network routing controls.



11.5  Control access
to your operating

11.5.1  Establish secure log‑on procedures.

11.5.2  Identify and authenticate all network users.

11.5.3  Establish a password management system.

11.5.4  Control the use of all system utilities.

11.5.5  Use session time‑outs to protect information.

11.5.6  Restrict connection times in high‑risk areas.



11.6  Control access
to applications and

11.6.1  Restrict access by users and support personnel.

11.6.2  Isolate all sensitive application systems.



11.7  Protect mobile
and teleworking

11.7.1  Protect mobile computing and communications.

11.7.2  Protect and control all teleworking activities.


12. Information Systems Security Management


12.1  Identify

12.1.1  Identify security controls and requirements.


12.2  Make sure
that applications
process your

12.2.1  Validate data input into your applications.

12.2.2  Protect message integrity and authenticity.

12.2.3  Validate output data.



12.3  Use
controls to protect
your information

12.3.1  Implement a policy on use of cryptographic controls.

12.3.2  Establish a secure key management system.



12.4  Protect and control system files

12.4.1  Control the installation of operational software.

12.4.2  Control the use of system data for testing purposes.

12.4.3  Control access to program source code.



12.5  Control
and support

12.5.1  Establish formal change control procedures.

12.5.2  Review applications after operating system changes.

12.5.3  Restrict changes to software packages.

12.5.4  Prevent information leakage opportunities.

12.5.5  Control outsourced software development.



12.6  Control

12.6.1  Control your technical system vulnerabilities.


13. Information Security Incident Management


13.1  Report
and weaknesses

13.1.1  Report information security events as quickly as possible.

13.1.2  Report security weaknesses in systems and services.



13.2  Manage
and improvements

13.2.1  Establish incident response responsibilities and procedures.

13.2.2  Learn from information security incidents.

13.2.3  Collect evidence to support your actions.


14. Business Continuity Management


14.1  Use continuity management to protect information

14.1.1  Establish a business continuity process for your information.

14.1.2  Identify the events that could interrupt your business.

14.1.3  Develop and implement your business continuity plans.

14.1.4  Establish a business continuity planning framework.

14.1.5  Test and update your business continuity plans.


15. Compliance Management


15.1  Comply with legal requirements

15.1.1  Identify all relevant legal requirements.

15.1.2  Protect your records.

15.1.3  Protect the privacy of personal information.

15.1.4  Prevent misuse of data processing facilities.

15.1.5  Control the use of cryptographic controls.



15.2  Perform

15.2.1  Review compliance with policies and standards.

15.2.2  Review technical security compliance.



15.3  Carry out information system audits

15.3.1  Control the audit of information systems.

15.3.2  Protect information system audit tools.


ISO IEC 17799 2005 is now obsolete. It was replaced by ISO IEC 27002 2013.


Praxiom Research Group Limited      780-461-4514

Updated on May 3, 2014. First published on December 22, 2005.


Copyright © 2006 - 2014 by Praxiom Research Group Limited. All Rights Reserved.
