ISO IEC 27002 2013 Information Security Control Objectives

Each subsection of ISO IEC 27002 starts with at least one information
security control objective. This page summarizes those control objectives.

  5. Security Policy Management


5.1 Provide management direction and support


To provide management direction and
support for information security activities.


  6. Corporate Security Management


6.1 Establish an internal information security organization


To establish a framework to manage
information security within your organization.


6.2 Protect your organization's mobile devices and telework


To ensure the security of mobile devices and telework
(work done away from the office at home or elsewhere).


  7. Personnel Security Management


7.1 Emphasize security prior to employment


To ensure that prospective employees and
contractors are suitable for their future roles.


7.2 Emphasize security during employment


To ensure that employees and contractors
meet their information security responsibilities.


7.3 Emphasize security at termination of employment


To protect your organization's interests whenever
personnel terminations occur or responsibilities change.


  8. Organizational Asset Management


8.1 Establish responsibility for corporate assets


To protect assets associated with information
and information processing facilities.


8.2 Develop an information classification scheme


To provide an appropriate level of protection
for your organization's information.


8.3 Control how physical media are handled


To protect information by preventing unauthorized disclosure,
modification, removal, or destruction of storage media.


  9. Information Access Management


9.1 Respect business requirements


To control access to your organization's
information and information processing facilities.


9.2 Manage all user access rights


To ensure that only authorized users gain access
to your organization's systems and services.


9.3 Protect user authentication


To make your users accountable for safeguarding
their own secret authentication information.


9.4 Control access to systems


To prevent unauthorized access to your organization's
information, systems, and applications.


  10. Cryptography Policy Management


10.1 Control the use of cryptographic controls and keys


To use cryptography to protect the confidentiality,
authenticity, and integrity of information.


  11. Physical Security Management


11.1 Establish secure areas to protect assets


To prevent unauthorized physical access to
information and information processing facilities.


11.2 Protect your organization's equipment


To prevent the loss, theft, damage, or compromise of
equipment and the operational interruptions that can occur.


  12. Operational Security Management


12.1 Establish procedures and responsibilities


To ensure that information processing facilities
are operated correctly and securely.


12.2 Protect your organization from malware


To protect information and information
processing facilities against malware.


12.3 Make backup copies on a regular basis


To prevent the loss of data,
information, software, and systems.


12.4 Use logs to record security events


To record information security events
and collect suitable evidence.


12.5 Control your operational software


To protect the integrity of your
organization's operational systems.


12.6 Address your technical vulnerabilities


To prevent the exploitation
of technical vulnerabilities.


12.7 Minimize the impact of audit activities


To minimize the impact that audit activities
could have on systems and processes.


  13. Network Security Management


13.1 Protect networks and facilities


To protect information in networks and to safeguard
the information processing facilities that support them.


13.2 Protect information transfers


To protect information while it's being transferred both
within and between the organization and external entities.


  14. System Security Management


14.1 Make security an inherent part of information systems


To ensure that security is an integral part of information
systems and is maintained throughout the entire lifecycle.


14.2 Protect and control system development activities


To ensure that security is designed into information systems
and implemented throughout the development lifecycle.


14.3 Safeguard data used for system testing purposes


To protect and control the selection and use of data and
information when it is used for system testing purposes.


  15. Supplier Relationship Management


15.1 Establish security agreements with suppliers


To protect corporate information and
assets that are accessible by suppliers.


15.2 Manage supplier security and service delivery


To ensure that suppliers provide the
agreed upon level of service and security.


  16. Security Incident Management


16.1 Identify and respond to information security incidents


To ensure that information security incidents
are managed effectively and consistently.


  17. Security Continuity Management


17.1 Establish information security continuity controls


To make information security continuity an
integral part of business continuity management.


17.2 Build redundancies into information processing facilities


To ensure that information processing facilities
will be available during a disaster or crisis.


  18. Security Compliance Management


18.1 Comply with legal security requirements


To comply with legal, statutory, regulatory, and contractual
information security obligations and requirements.


18.2 Carry out security compliance reviews


To ensure that information security is implemented
and operated in accordance with policies and procedures.



The complete list of control objectives, together with all information
security controls, implementation guidelines, and supporting notes, is
published in Title 37: ISO IEC 27002 2013 Translated into Plain English.




Updated on April 21, 2014. First published on March 23, 2014.


Copyright © 2014 by Praxiom Research Group Limited. All Rights Reserved.
