ISO IEC 27002 can be used in at least three ways: you can use it to select information security controls in order to implement an ISO IEC 27001 information security management system (ISMS), you can use it to select generally accepted controls without implementing an ISO IEC 27001 ISMS, or you can use it to develop information security guidelines or standards for your own organization or for an entire industrial sector. So, you can ignore ISO IEC 27001 if you wish to do so.
But if you have chosen to use ISO IEC 27001, you need to pay close attention to section 6.1.3. It expects you to use ISO IEC 27002, and any other helpful sources, to prepare a detailed Statement of Applicability. (A Statement of Applicability is a document that lists security controls.)
If you’ve chosen to use the ISO IEC 27001 standard, your task is to use ISO IEC 27002 to select all the information security controls that you need in order to implement the risk treatment options that you have chosen and the risk treatment plan that you have developed using ISO IEC 27001. If you’ve chosen this option, you also need to justify all of your control decisions, both inclusions and exclusions.
However, before you can select security controls, you need to assess your organization’s security risks and identify its security requirements. In order to do so, you need to perform a risk assessment. You need to identify your information security threats and vulnerabilities, determine how likely it is that each threat or vulnerability will cause a security incident, and evaluate the impact each incident could have.
In addition, you need to study your legal requirements. You need to identify and study all relevant statutory, regulatory, and contractual requirements that your organization, its trading partners, and service providers must comply with.
And finally, you need to consider your own information security needs and requirements. You need to examine your organization’s unique information management principles, objectives, and requirements, and you need to study the information processing practices and methods that your organization uses.
Once you’ve done all of this, you’re ready to select your controls. You’re ready to select information security controls that address your organization’s unique information security risks and meet its particular information security requirements. According to ISO IEC 27002, you can select your controls from the ISO IEC 27002 standard or any other suitable source, or you can develop your own controls.
A comprehensive list of information security controls can be found in ISO IEC 27002 sections 5 to 18. For each control, you’ll also find a wide variety of implementation guidelines and supporting explanations.