3. What is ISO 27002 and do you have information security and operational specific policy and procedure documents relating to this well-known standard?

Another common question we receive is "what is ISO 27002" and how does it differ from ISO 27001. First and foremost, ISO 27002 is an international standard - but specifically - a code of practices that "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." The official standard is known as ISO 27002:2013 | Information technology - security techniques - Code of practice for information security controls. As such, the ISO 27002 publication consists of the following areas that pertain to information systems:

The ISO 27002:2013 standard publication contains the following areas:
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Structure of this standard
  5. Information security policies
  6. Organization of information security
  7. Human resource security
  8. Asset management
  9. Access control
  10. Cryptography
  11. Physical and environmental security
  12. Operations security
  13. Communications security
  14. System acquisition, development and maintenance
  15. Supplier relationships
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

ISO 27002 Sections and Security Control Clauses

While the first four (4) areas merely explain and provide reference material for the publication itself, it's the remaining areas of sections 5 through 18 that essentially contain the fourteen (14) "security control clauses", with each "clause" containing security categories within them. For example, the "Access Control" is one of the fourteen (14) "security control" clauses, containing four (4) "security categories" within the clause itself, which are the following:

1. Business Requirement of Access Control
2. User Access Management
3. User Responsibilities
4. System and Application Access Control

Thus, you'll see that all the other "security control clauses" also have various "security categories" also.

Your ISO 27002 Consulting Experts | Contact Us Today

ISO 27002 is an incredibly detailed document, and one which is vital for helping organizations implement an Information Security Management System (ISMS) in accordance with ISO 27001. But remember that certification can only be had for ISO 27001, not ISO 27002. Even with that said, they both work in unison with each other. Learn more about our ISO 27001 and 27002 services and the ISO 27001 and ISO 27002 framework today.  FLANK offers comprehensive, industry leading information security policies and procedures and consulting services relating to the ISO 27000 standards, such as IS) 27001 and others.