|
ISO IEC 27002 can be used in at least three ways: you
can use it to select
information security
controls in order to implement an ISO IEC
27001
information security management system (ISMS), you can use it to select
generally accepted controls without implementing an ISO IEC 27001 ISMS,
or
you can use it to develop information security guidelines or standards
for
your own organization or for an entire industrial sector. So, you can
ignore
ISO IEC 27001 if you wish to do so.
But if you have chosen to use
ISO IEC 27001
you need to pay close
attention to section 6.1.3. It expects you to
use ISO IEC 27002, and any
other helpful
sources, to prepare a detailed Statement of
Applicability.
(A Statement of Applicability is a
document that lists security
controls.)
If you’ve chosen to use the ISO IEC 27001
standard, your task is to use
ISO IEC 27002 to select all the
information security controls that you need
in order to implement the
risk treatment
options that you have chosen and
the risk
treatment plan that you have developed using
ISO IEC 27001.
If you’ve chosen this option, you also need to
justify all of your control decisions, both inclusions and exclusions.
However, before you can select security
controls, you need to assess
your organization’s security risks and
identify its security requirements.
In order to do so, you need to
perform a
risk assessment.
You need to
identify your information security
threats and
vulnerabilities,
determine
how likely it is that each threat or vulnerability will
cause a security
incident, and evaluate the impact each incident could have.
In addition, you need to study your legal
requirements. You need to
identify and study all relevant
statutory, regulatory, and contractual
requirements that your organization, its trading partners, and service
providers must comply with.
And finally, you need to consider your own
information security needs
and requirements.
You need to examine your organization’s unique
information management principles, objectives, and requirements,
and you need to study the information processing
practices and
methods that your
organization uses.
Once you’ve done all of this you’re ready to
select your
controls.
You’re ready to select information security controls that address your
organization’s unique information security risks and meet its particular
information security requirements. According to ISO IEC 27002, you can
select your controls from the ISO IEC 27002 standard or any other
suitable source, or you can develop your own controls.
A comprehensive list of information security
controls can be found in
ISO IEC 27002
sections 5 to 18. For each control, you’ll also find a wide
variety
of implementation guidelines and supporting explanations.
|
