ISO IEC 27002 2005


ISO IEC 27002 2005 is now OBSOLETE. See ISO IEC 27002 2013.


ISO IEC 27002 2005 is a generic information security management
standard. It can be used by any organization that needs to establish
a comprehensive information security management program or improve
its current information security practices. According to the official title
page, ISO IEC 27002 2005 is a “code of practice for information security
. ISO/IEC recommends that you consider each of these
practices as you establish or improve your organization’s information
security management program.

However, you don’t have to implement every recommended security
practice. It all depends on your unique information security risks and
requirements. If a particular practice helps you to address a serious
information security risk or to meet an important information security
requirement, then use it.  If it doesn’t, ignore it.


ISO is the International Organization for Standardization. It was set up
in 1947 and is located in Geneva, Switzerland. Its purpose is to develop
standards that support and facilitate international trade. IEC is
 International Electrotechnical Commission. It was set up in 1906 and
is also located in Geneva, Switzerland. Its purpose is to develop standards
for all types of electrotechnologies. Both ISO and IEC are supported
by national member bodies. These member bodies participate in the
standards development process through technical committees.

ISO IEC 17799

When the standard was officially published on June 15, 2005, it was
known as ISO IEC 17799 2005. On July 1, 2007, the name was formally
changed to ISO IEC 27002 2005. However, nothing else has changed.
The content is still exactly the same. The name was changed in order
to make it clear that ISO IEC 17799 belongs with the ISO IEC 27000
series of information security standards.

The ISO IEC 17799 2005 standard (now known as ISO IEC 27002 2005)
was developed by the IT Security Subcommittee (SC 27) of the Joint
Technical Committee on Information Technology (ISO/IEC JTC 1).
It cancels and replaces the old ISO IEC 17799 2000 standard which
is now obsolete. While much of the content is the same, the new
ISO IEC 17799 2005 (27002) standard has been entirely rewritten,
reorganized, and updated in order to address new and emerging
information security issues. In addition, one new section has been
added on information security incident management (section 13).


The ISO 27002 standard is all about information. Since information
can exist in many forms, the ISO 27002 standard takes a very broad
approach. In the context of this standard, the term information
includes at least the following:

  • Electronic files
    • Software files
    • Data files
  • Paper documents
    • Printed materials
    • Hand written notes
    • Photographs
  • Recordings
    • Video recordings
    • Audio recordings
  • Communications
    • Conversations
      • Telephone conversations
      • Cell phone conversations
      • Face to face conversations
    • Messages
      • Email messages
      • Fax messages
      • Video messages
      • Instant messages
      • Physical messages


From the standpoint of an organization, information has value and
is therefore an asset. It therefore needs to be protected just like any
other corporate asset. And because information must be protected, the
infrastructure that supports information must also be protected.
This infrastructure includes all the networks, systems, and functions
that allow an organization to manage and control its information assets.
The big question is how do you protect your information assets? That’s
where the ISO IEC 27002 standard comes in. It explains what you
can do to protect your organization’s information assets.

But why should information assets need to be protected? Information
needs to be protected because modern organizations are faced with
a wide range of security threats. These threats include everything
from human
error and equipment failure to theft, fraud, vandalism,
sabotage, fire, flood, and even terrorism.

And because most modern organizations operate in a complex,
interconnected, technological world, information is also vulnerable to
an entirely new set of high-tech threats and attacks. Because of their
interconnectedness, modern organizations are also threatened by
computer hackers, malicious code, and denial of service attacks.

According to ISO 27002, information can be protected using a wide
variety of controls. In addition to hardware and software functions,
controls include things like policies, procedures, processes, and
organizational structures. In order to protect their information,
organizations must develop, implement, monitor, evaluate, and
improve these types of security controls.


But how and where do you start? ISO IEC suggests that you begin
by identifying your organization’s information security needs and
. They suggest that you identify your security needs
and requirements in the following way:

  1. Perform a risk assessment. Identify major security threats and
    vulnerabilities. Then determine how likely it is that each threat
    and vulnerability will cause a security incident. Then evaluate the
    potential impact each incident could have on your organization
    given your overall business objectives and strategies. This will
    help you to pinpoint your organization’s unique information
    security needs and requirements.
  2. Study your legal requirements. Study all the legal, statutory,
    regulatory, and contractual requirements that your organization,
    its trading partners, contractors, and service providers must
    meet. Look for all the
    information security requirements
    that must be met. This will help you to identify your organization’s
    unique legal information security needs and requirements.

  3. Examine your own requirements. Examine your organization’s own
    information processing principles, objectives, and requirements.
    Study the information processing methods and practices that
    organization has developed in order to support its operations.
    This will help you to identify and refine your organization’s unique
    information security needs and requirements.


Once you’ve identified your information security needs and requirements,
you can begin to establish or improve your own information security
program. Choose from the security practices recommended by the
ISO IEC 27002 2005 standard. Select the practices that meet your
organization's unique security needs and requirements, and
ignore the ones that don't.

ISO IEC suggests that the following security practices are a good
place to start, and therefore ought to be at the center of your
information security program:

  • Common best practices:

  • Common legislated practices:

    • Respect intellectual property rights.

    • Safeguard your organization’s records.

    • Protect the privacy of personal information.


According to ISO IEC, your organization’s information security program
will be more successful if you accept the following suggestions:

•  Make sure that your senior management visibly supports
   and is committed to your information security program.

•  Make sure that your management has agreed to fund your
   organization's information security management activities.

•  Make sure that your approach to information security is
   consistent with your organization’s corporate culture.

•  Make sure that your information security policy, objectives,
   and activities reflect your organization’s business objectives.

•  Make sure that your organization understands its own
   unique information security needs and requirements.

•  Make sure that your organization understands why risk
   management is central to your program and why a risk
   assessment should be performed.

•  Make sure that your information security program is
   explained to all managers and employees and that
   they understand why it’s important.

•  Make sure that you distribute information that explains
   your information security policy and standards to all
   employees and other interested parties.

•  Make sure that you provide appropriate security
   training, education, and awareness programs.

•  Make sure that your organization establishes an effective
   information security incident management process.

•  Make sure that you encourage people to provide feedback
   and to suggest ways of improving the performance of your
   information security program.

•  Make sure that you develop a balanced and comprehensive
   way of measuring the performance of your information
   security program.


Each section of the ISO IEC 27002 2005 standard has been structured
in the same basic way. Each section uses the same four categories:
Objective, Control, Implementation guidance, and Other information.
Each section begins with one or more objectives. This is followed
by a discussion of the controls that should be used to achieve these
objectives. This control oriented discussion is immediately followed
by detailed implementation guidance that explains how the controls
can be implemented. In most cases each section also ends with
other information that further explains what the section is about.

While our publications have preserved this general four part structure,
we have shortened the headings to save space. Our headings are
as follows:

GOAL. Goals are security objectives that should be achieved.
CTRL. Controls explain how goals (objectives) can be achieved.
GUIDE. Guidelines explain how controls can be implemented.
NOTE. Notes add helpful hints and explanations.



ISO 27002 2013 Introduction

Overview of ISO IEC 27002 2013

Information Security Control Objectives

How to Use ISO IEC 27002 2013 Standard

ISO IEC 27002 2013 Translated into Plain English

Plain English ISO IEC 27002 2013 Security Checklist

ISO IEC 27002 2013 Information Security Audit Tool

ISO IEC 27002 2013 versus ISO IEC 27002 2005

ISO IEC 27000 Definitions in Plain English


Updated on May 5, 2014. First published on November 2, 2004.

Home Page

Our Libraries

A to Z Index

Our Customers

How to Order

Our Products

Our Prices

Our Guarantee

Praxiom Research Group Limited   780-461-4514

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are, of course, welcome to view our material as often
as you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2004 - 2014 by Praxiom Research Group Limited. All Rights Reserved.

Praxiom Research Group Limited