ISO IEC 27002 2013 Introduction to Information Security

ISO IEC 27002 is a comprehensive information security standard. It takes a very
broad approach. In the context of this standard, the term information includes
all forms of data, documents, communications, conversations, messages,
recordings, and photographs. It includes all forms of information.


ISO IEC 27002 2013 is an information security management standard.
It defines a set of recommended information security controls.
The official complete name of this standard is ISO/IEC 27002:2013
Information technology - Security techniques - Code of practice for
information security controls. These recommended controls are found
in sections 5 to 18 of the standard, which cover the following
fourteen topics:

  1. Security Policy Management
  2. Corporate Security Management
  3. Personnel Security Management
  4. Organizational Asset Management
  5. Information Access Management
  6. Cryptography Policy Management
  7. Physical Security Management
  8. Operational Security Management
  9. Network Security Management
  10. System Security Management
  11. Supplier Relationship Management
  12. Security Incident Management
  13. Security Continuity Management
  14. Security Compliance Management


The ISO IEC 27002 standard is all about information. Since information
can exist in many forms, the ISO IEC 27002 standard takes a very broad
approach. It includes at least the following:

  • Electronic files
    • Software files
    • Data and image files
  • Paper documents
    • Printed materials
    • Hand written notes
    • Photographs and drawings
  • Recordings
    • Video recordings
    • Audio recordings
  • Communications
    • Conversations
      • Telephone conversations
      • Cell phone conversations
      • Face to face conversations
    • Messages
      • Email messages
      • Fax messages
      • Video messages
      • Instant messages
      • Physical messages

Moreover, the term information includes not just words, numbers, and
images; it also includes all kinds of ideas, concepts, and knowledge.


From the standpoint of an organization, information has value and
is therefore an asset. It therefore needs to be protected throughout
its life-cycle just like any other asset. And since information must be
protected, the infrastructure that supports information must also be
protected. This infrastructure includes all of the systems, networks,
and functions that allow organizations to manage and control
information and all of the people that make it happen.

All of this must be protected because organizations are faced with
a wide range of security threats. These threats include everything from
human error and equipment failure to theft, fraud, vandalism, sabotage,
fire, flood, and even terrorism. And because most modern organizations
operate in a complex, interconnected, technological world, information is
also vulnerable to a new set of high-tech threats and attacks. Because
of their interconnectedness, most modern organizations are also
threatened by hackers, malware, and denial of service attacks.

So how can they protect themselves? That’s where ISO IEC 27002
can help. According to ISO IEC 27002 2013, you can use controls to
protect information and information systems. In addition to hardware
and software tools and functions, controls include things like policies,
procedures, processes, programs, records, arrangements, contracts,
agreements, job descriptions, and organizational structures. In order
to protect information, organizations must develop, implement,
monitor, review, and improve these types of security controls.


Each section of the ISO IEC 27002 standard has been structured
in the same basic way. Each section uses the same four categories:
Objective, Control, Implementation guidance, and Other information.
Each section begins with one or more objectives. This is followed
by a discussion of the controls that should be used to achieve these
objectives. This control oriented discussion is immediately followed
by detailed implementation guidance that explains how the controls
can be implemented. In most cases each section also ends with
other information that further explains what the section is about.

While we have preserved this general four part structure, we've
added a fifth (MEMO), and we've shortened the headings as follows:

• GOAL: Goals are security objectives that should be achieved.
• MEMO: Memos clarify what goals (objectives) are trying to achieve.
• CTRL: Controls explain how goals (objectives) can be achieved.
• GUIDE: Guidelines explain how controls are implemented.
• NOTE: Notes add helpful hints and explanations.




Updated on December 31, 2016. First published on March 21, 2014.


Praxiom Research Group Limited   780-461-4514


Copyright © 2014 - 2016 by Praxiom Research Group Limited. All Rights Reserved.
