ISO/IEC 27002:2013 pdf free.Information technology — Security techniques — Code of practice for information security controls.
It is essential that an organization identifies its security requirements. There are three main sources of security requirements:
a) the assessment of risks to the organization, taking into account the organizations overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to
nd likelihood of occurrence is evaluated and potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment;
c) the set of principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organization has developed to support its operations.
Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.
ISO/IEC 270051111 provides iiiforirialiuii secuuily risk mariagemeril guidaitue, iiicludiiig advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate.
The selection of controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options and the general riskmanagement approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations. Control selection also depends on the manner in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered as guiding principles for information security management and applicable for most organizations. The controls are explained in more detail below along with implementation guidance. More information about selecting controls and other risk treatment options can be found in ISO/IEC 27005.
0.5 Lifecycle considerations
Information has a natural lifecycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. The value of, and risks to, assets may vary during their lifetime (e.g. unauthorized disclosure or theft of a company’s financial accounts is far less significant after they have been formally published) but information security remains important to some extent at all stages.
Information systems have lifècycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems present opportunities for organizations to update and improve security controls, taking actual incidents and current and projected information security risks into account.
0.6 Related standards
While this standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000 family provide complementary advice or requirements on other aspects of the overall process of managing information security.
RefertolSO/IEC 27000 forageneral introduction to both ISMSs and thefamilyofstandards. ISO/IEC 27000 provides a glossary, formally defining most of the terms used throughout the ISO/IEC 27000 family of standards, and describes the scope and objectives for each member of the family.
This International Standard gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).
ISO/IEC 27002 is designed to be used by organizations that intend to;
a) select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary