How to use ISO IEC 27002 

Praxiom Research Group Limited

ISO IEC 27002 can be used in at least three ways: you can use it to select
information security controls in order to implement an ISO IEC 27001
information security management system (ISMS), you can use it to select
generally accepted controls without implementing an ISO IEC 27001 ISMS,
or you can use it to develop information security guidelines or standards
for your own organization or for an entire industry sector. In other words,
you can ignore ISO IEC 27001 entirely if you wish to do so.

But if you have chosen to use ISO IEC 27001 you need to pay close
attention to section 6.1.3. It expects you to determine the controls needed
to treat your risks, to compare them with the control list in Annex A of
ISO IEC 27001 (the same controls that ISO IEC 27002 explains in detail) in
order to verify that no necessary control has been left out, and then to
prepare a detailed Statement of Applicability. (A Statement of Applicability
is a document that lists the controls you have decided are necessary, states
whether or not each one has been implemented, and justifies both the
controls you have included and the Annex A controls you have excluded.)

If you’ve chosen to use the ISO IEC 27001 standard, your task is to use
ISO IEC 27002 to select all the information security controls that you need
in order to implement the risk treatment options that you have chosen and
the risk treatment plan that you have developed using ISO IEC 27001.
You also need to justify every control decision, both inclusions and
exclusions, and record those justifications in your Statement of
Applicability. A control that is excluded without a written reason, or a
treated risk with no control behind it, is a gap an auditor will find.

However, before you can select security controls, you need to assess
your organization’s security risks and identify its security requirements.
In order to do so, you need to perform a risk assessment. You need to
identify the risks to the confidentiality, integrity, and availability of
your information and assign an owner to each risk; identify the threats
and vulnerabilities behind each risk; determine how likely it is that a
threat will exploit a vulnerability and cause a security incident; evaluate
the impact each incident could have; and compare the resulting level of
risk with the risk acceptance criteria your organization has set. Risks
that fall within those criteria can be accepted by their owners; the rest
need treatment, and it is the treatment of those risks that drives your
control selection.

In addition, you need to study your legal requirements. You need to
identify and study all relevant statutory, regulatory, and contractual
requirements that your organization, its trading partners, and service
providers must comply with.

And finally, you need to consider your own information security needs
and requirements. You need to examine your organization’s unique
information management principles, objectives, and requirements,
and you need to study the information processing practices and
methods that your organization uses.

Once you’ve done all of this you’re ready to select information security
controls that address your organization’s unique information security risks
and meet its particular information security requirements. According to
ISO IEC 27002, you can select your controls from the ISO IEC 27002 standard
or any other suitable source, or you can develop your own controls.
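The steps above (assess and score each risk, let the owner accept what falls within the acceptance criteria, treat the rest, check that nothing necessary was omitted, and write down a justification for every control, included or excluded) are easy to state and easy to get wrong in a spreadsheet. The following script is an added worked example, not material from this page or from ISO; the risk register, the likelihood-times-impact scale, the acceptance threshold, the CTRL-xx control identifiers and the legal driver are all constructed assumptions, and the CTRL-xx identifiers are deliberately not ISO IEC 27002 clause numbers.

```python
"""Risk-driven control selection and a Statement of Applicability (SoA).

Added example. Everything below (register, scale, threshold, CTRL-xx
catalogue) is a constructed assumption used to illustrate the workflow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of a constructed risk register."""
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible ... 5 = severe (assumed scale)
    owner: str

    @property
    def level(self) -> int:
        # Assumed risk scale: likelihood multiplied by impact.
        return self.likelihood * self.impact


# Assumed acceptance criterion: the owner may accept any risk at level 6 or below.
ACCEPTANCE_THRESHOLD = 6

# Hypothetical control catalogue. CTRL-xx ids are invented, not ISO numbering.
CATALOGUE = {
    "CTRL-01": "Multi-factor authentication for all remote access",
    "CTRL-02": "Monthly patching of internet-facing systems",
    "CTRL-03": "Encrypted off-site backups with quarterly restore tests",
    "CTRL-04": "Badge-controlled access to the server room",
    "CTRL-05": "Secure coding training for developers",
}

# Constructed treatment plan: which catalogue controls treat which risk.
# Note that R5 has no entry; the omission check below is meant to catch that.
TREATMENTS = {
    "R1": ["CTRL-01", "CTRL-02"],
    "R2": ["CTRL-03"],
    "R3": ["CTRL-04"],
}

# Constructed contractual driver (the "legal requirements" step).
LEGAL_DRIVERS = {"CTRL-03": "customer contract requires recoverable backups"}

# Constructed register.
REGISTER = [
    Risk("R1", "customer DB", "credential theft", "password-only VPN", 4, 5, "CISO"),
    Risk("R2", "customer DB", "ransomware", "no offline backup", 3, 5, "CISO"),
    Risk("R3", "server room", "intrusion", "door propped open", 2, 2, "Facilities"),
    Risk("R4", "intranet wiki", "defacement", "stale CMS plugin", 2, 2, "IT"),
    Risk("R5", "payment API", "injection", "unvalidated input", 3, 4, "CTO"),
]


def split_by_treatment(register, threshold=ACCEPTANCE_THRESHOLD):
    """Return (risks that must be treated, risks the owner may accept)."""
    treat = [r for r in register if r.level > threshold]
    accept = [r for r in register if r.level <= threshold]
    return treat, accept


def untreated(register, treatments, threshold=ACCEPTANCE_THRESHOLD):
    """Ids of risks above threshold that no control treats: the omissions to fix."""
    treat, _ = split_by_treatment(register, threshold)
    return [r.rid for r in treat if not treatments.get(r.rid)]


def build_soa(register, catalogue, treatments, legal, threshold=ACCEPTANCE_THRESHOLD):
    """One SoA row per catalogue control, each with an explicit justification."""
    treat, _ = split_by_treatment(register, threshold)
    treated_ids = {r.rid for r in treat}
    owners = {r.rid: r.owner for r in register}
    by_control = {}
    for rid, cids in treatments.items():
        for cid in cids:
            by_control.setdefault(cid, []).append(rid)
    soa = {}
    for cid, desc in catalogue.items():
        linked = by_control.get(cid, [])
        treating = [rid for rid in linked if rid in treated_ids]
        accepted = [rid for rid in linked if rid not in treated_ids]
        reasons = []
        if treating:
            reasons.append("treats risk(s) " + ", ".join(treating))
        if cid in legal:
            reasons.append("required: " + legal[cid])
        if reasons:
            justification = "; ".join(reasons)
        elif accepted:
            # Mapped only to accepted risks: excluded, but the reason is recorded.
            justification = ("excluded: linked risk(s) " + ", ".join(accepted)
                             + " accepted by " + ", ".join(owners.get(r, "unknown") for r in accepted))
        else:
            justification = "excluded: no assessed risk or legal requirement calls for it"
        soa[cid] = {"control": desc, "applicable": bool(reasons), "justification": justification}
    return soa


if __name__ == "__main__":
    print("untreated risks:", untreated(REGISTER, TREATMENTS))
    for cid, row in build_soa(REGISTER, CATALOGUE, TREATMENTS, LEGAL_DRIVERS).items():
        print(cid, "applicable" if row["applicable"] else "excluded", "-", row["justification"])
```

Two things the run makes visible that the prose only implies: `untreated` reports R5, a risk above the acceptance threshold with no control behind it (the omission that section 6.1.3 of ISO IEC 27001 wants you to detect before the SoA is signed off), and CTRL-04 comes out excluded with a recorded reason, because its only linked risk was accepted by its owner, rather than silently dropped.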

A comprehensive list of information security controls can be found in
ISO IEC 27002 sections 5 to 18 (2013 edition). For each control, you’ll
also find a wide variety of implementation guidelines and supporting
explanations. Annex A of ISO IEC 27001 2013 lists the same controls under
the same numbering (A.5 to A.18), so a Statement of Applicability built
against Annex A can be cross-referenced directly to the ISO IEC 27002
guidance for each control.


Updated on April 21, 2014. First published on March 24, 2014.

Praxiom Research Group Limited   780-461-4514   help@praxiom.com

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are, of course, welcome to view our material as often
as you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2014 by Praxiom Research Group Limited. All Rights Reserved.