What is it?
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was originally published as ISO/IEC 17799:2005 and was subsequently renumbered as ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled "Information technology - Security techniques - Code of practice for information security management". The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in terms of the C-I-A triad, as the preservation of:
- confidentiality (ensuring that information is accessible only to those authorized to have access);
- integrity (safeguarding the accuracy and completeness of information and processing methods); and
- availability (ensuring that authorized users have access to information and associated assets when required).
National equivalents
ISO/IEC 27002 has direct national standard equivalents in countries such as Australia and New Zealand (AS/NZS ISO/IEC 17799:2006), the Netherlands (NEN-ISO/IEC 17799:2002 nl, 2005 version in translation), Denmark (DS484:2005), Sweden (SS 627799), Japan (JIS Q 27002), Spain (UNE 71501), the United Kingdom (BS ISO/IEC 27002:2005), Uruguay (UNIT/ISO 17799:2005) and Estonia (EVS-ISO/IEC 17799:2003, 2005 version in translation). Translation and local publication often result in a delay of several months after the main ISO/IEC standard is revised and released, but the national standards bodies go to great lengths to ensure that the translated content accurately and completely reflects ISO/IEC 27002.
Other related ISO/IEC standards
ISO/IEC 27007 is an information security standard currently being developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its current title is "Information technology -- Security techniques -- Guidelines for information security management systems auditing".

The purpose of ISO/IEC 27007 is to provide guidance for audit bodies and accredited certification bodies auditing Information Security Management Systems against ISO/IEC 27001. Publication is not expected until 2009.
ISO/IEC 27799 is an information security standard currently being developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its current title is "Information security management in health using ISO/IEC 27002".

The purpose of ISO/IEC 27799 is to provide guidance to health organizations and other holders of personal health information on how to protect such information through the implementation of ISO17799/ISO27002.