ISO 27002 Information Security Standard in Plain English

5. Security Policy Management
	5.1 Establish an information security policy	5.1.1 Develop an information security policy document. 5.1.2 Review your information security policy document.
6. Corporate Security Management
	6.1 Establish an internal security organization	6.1.1 Make an active commitment to information security. 6.1.2 Coordinate information security implementation. 6.1.3 Allocate information security responsibilities and authorities. 6.1.4 Establish an authorization process for new facilities. 6.1.5 Use confidentiality agreements to protect your information. 6.1.6 Maintain relationships with other organizations. 6.1.7 Maintain relationships with your special interest groups. 6.1.8 Perform independent information system reviews.
	6.2 Control external party use of your information	6.2.1 Identify risks related to the use of external parties. 6.2.2 Address security before customers are given access. 6.2.3 Address security using third party agreements.
7. Organizational Asset Management
	7.1 Establish responsibility for your assets	7.1.1 Compile an inventory of organizational assets. 7.1.2 Select owners for your information and assets. 7.1.3 Establish acceptable-use rules for information and assets.
	7.2 Use an information classification system	7.2.1 Develop information classification guidelines. 7.2.2 Use information handling and labeling procedures.
8. Human Resource Security Management
	8.1 Emphasize security prior to employment	8.1.1 Define all security roles and responsibilities. 8.1.2 Verify the backgrounds of all new personnel. 8.1.3 Use contracts to protect your information assets.
	8.2 Emphasize security during employment	8.2.1 Expect your managers to emphasize security. 8.2.2 Deliver relevant information security training programs. 8.2.3 Set up an official disciplinary process for security breaches.
	8.3 Emphasize security at the termination of employment	8.3.1 Assign responsibility for termination or reassignment. 8.3.2 Make sure that assets are returned at termination. 8.3.3 Remove information access rights at termination.
9. Physical and Environmental Security Management
	9.1 Use security areas to protect your facilities	9.1.1 Use physical security perimeters to protect areas. 9.1.2 Use physical entry controls to protect secure areas. 9.1.3 Secure your organization’s offices, rooms, and facilities. 9.1.4 Protect your facilities from natural and human threats. 9.1.5 Use work guidelines to protect secure areas. 9.1.6 Isolate and control public access points.
	9.2 Protect equipment	9.2.1 Use equipment siting and protection strategies. 9.2.2 Make sure that supporting utilities are reliable. 9.2.3 Secure all power and telecommunications cables. 9.2.4 Maintain your equipment. 9.2.5 Protect off‑site equipment. 9.2.6 Control disposal and re‑use. 9.2.7 Control use of assets off‑site.
10. Communications and Operations Management
	10.1 Establish procedures and responsibilities	10.1.1 Document all of your operating procedures. 10.1.2 Control changes to facilities and systems. 10.1.3 Segregate all duties and responsibilities. 10.1.4 Separate development and operations activities.
	10.2 Control third party service delivery	10.2.1 Manage third party service agreements. 10.2.2 Monitor third party service delivery. 10.2.3 Control changes to third party services.
	10.3 Carry out system planning activities	10.3.1 Monitor usage and carry out capacity planning. 10.3.2 Use acceptance criteria to test your systems.
	10.4 Protect against malicious and mobile code	10.4.1 Establish controls to handle malicious code. 10.4.2 Control the use of mobile code.
	10.5 Establish your backup procedures	10.5.1 Backup your information and software assets.
	10.6 Protect your computer networks	10.6.1 Establish network security controls. 10.6.2 Control network service providers.
	10.7 Control how media are handled	10.7.1 Manage removable media. 10.7.2 Manage the disposal of your organization’s media. 10.7.3 Control information handling and storage. 10.7.4 Protect your system documentation.
	10.8 Protect exchange of information	10.8.1 Establish information exchange policies and procedures. 10.8.2 Establish information and software exchange agreements. 10.8.3 Safeguard the transportation of your physical media. 10.8.4 Protect your electronic messaging and messages. 10.8.5 Protect interconnected information systems.
	10.9 Protect electronic commerce services	10.9.1 Protect information that is involved in ecommerce. 10.9.2 Protect your on‑line transaction information. 10.9.3 Protect all information available on public systems.
	10.10 Monitor information processing facilities	10.10.1 Establish audit logs. 10.10.2 Monitor information processing facilities. 10.10.3 Protect logging facilities and log information. 10.10.4 Log system administrator and operator activities. 10.10.5 Log information processing and communication faults. 10.10.6 Synchronize your system clocks.
11. Information Access Control Management
	11.1 Control access to information	11.1.1 Develop a policy to control access to information.
	11.2 Manage user access rights	11.2.1 Establish a user access control procedure. 11.2.2 Control the management of system privileges. 11.2.3 Establish a process to manage passwords. 11.2.4 Review user access rights and privileges.
	11.3 Encourage good access practices	11.3.1 Expect users to protect their passwords. 11.3.2 Expect users to protect their equipment. 11.3.3 Establish a clear‑desk and clear‑screen policy.
	11.4 Control access to your networked services	11.4.1 Formulate a policy on the use of networks. 11.4.2 Authenticate remote user connections. 11.4.3 Use automatic equipment identification methods. 11.4.4 Control access to diagnostic and configuration ports. 11.4.5 Use segregation methods to protect your networks. 11.4.6 Restrict connection to shared networks. 11.4.7 Establish network routing controls.
	11.5 Control access to your operating systems	11.5.1 Establish secure log‑on procedures. 11.5.2 Identify and authenticate all network users. 11.5.3 Establish a password management system. 11.5.4 Control the use of all system utilities. 11.5.5 Use session time‑outs to protect information. 11.5.6 Restrict connection times in high‑risk areas.
	11.6 Control access to applications and information	11.6.1 Restrict access by users and support personnel. 11.6.2 Isolate all sensitive application systems.
	11.7 Protect mobile and teleworking facilities	11.7.1 Protect mobile computing and communications. 11.7.2 Protect and control all teleworking activities.
12. Information Systems Security Management
	12.1 Identify requirements	12.1.1 Identify security controls and requirements.
	12.2 Make sure that applications process your information correctly	12.2.1 Validate data input into your applications. 12.2.2 Protect message integrity and authenticity. 12.2.3 Validate output data.
	12.3 Use cryptographic controls to protect your information	12.3.1 Implement a policy on use of cryptographic controls. 12.3.2 Establish a secure key management system.
	12.4 Protect and control system files	12.4.1 Control the installation of operational software. 12.4.2 Control the use of system data for testing purposes. 12.4.3 Control access to program source code.
	12.5 Control development and support processes	12.5.1 Establish formal change control procedures. 12.5.2 Review applications after operating system changes. 12.5.3 Restrict changes to software packages. 12.5.4 Prevent information leakage opportunities. 12.5.5 Control outsourced software development.
	12.6 Control vulnerability	12.6.1 Control your technical system vulnerabilities.
13. Information Security Incident Management <SAMPLE PDF
	13.1 Report security events and weaknesses	13.1.1 Report information security events as quickly as possible. 13.1.2 Report security weaknesses in systems and services.
	13.2 Manage security incidents and improvements	13.2.1 Establish incident response responsibilities and procedures. 13.2.2 Learn from information security incidents. 13.2.3 Collect evidence to support your actions.
14. Business Continuity Management
	14.1 Use continuity management to protect information	14.1.1 Establish a business continuity process for your information. 14.1.2 Identify the events that could interrupt your business. 14.1.3 Develop and implement your business continuity plans. 14.1.4 Establish business continuity planning framework. 14.1.5 Test and update your business continuity plans.
15. Compliance Management
	15.1 Comply with legal requirements	15.1.1 Identify all relevant legal requirements. 15.1.2 Protect your records. 15.1.3 Protect the privacy of personal information. 15.1.4 Prevent misuse of data processing facilities. 15.1.5 Control the use of cryptographic controls.
	15.2 Perform compliance reviews	15.2.1 Review compliance with policies and standards. 15.2.2 Review technical security compliance.
	15.3 Carry out information system audits	15.3.1 Control the audit of information systems. 15.3.2 Protect information system audit tools.
ISO IEC 17799 2005 is now obsolete. It was replaced by ISO IEC 27002 2013.

Home Page	Our Libraries	A to Z Index	Our Customers
How to Order	Our Products	Our Prices	Our Guarantee
Praxiom Research Group Limited help@praxiom.com 780-461-4514
Updated on May 3, 2014. First published on December 22, 2005.
Legal Restrictions on the Use of this Page Thank you for visiting this page. You are, of course, welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use. But, you are not legally authorized to print or produce additional copies or to copy and paste any of our material onto another web site or to republish it in any way. Copyright © 2006 - 2014 by Praxiom Research Group Limited. All Rights Reserved.

ISO IEC 27002 2005

TRANSLATED INTO PLAIN ENGLISH