ISO/IEC 27002:2013 is a set of guidelines established by the International Organization for Standardization to help enterprises establish and improve their information security standards and information security management practices. Its official title is Information technology — Security techniques — Code of practice for information security controls.
Usually implemented in conjunction with ISO 27001:20, ISO 27002 is not a standard but a code of practice: it offers suggestions rather than requirements for managing an ISMS effectively.
ISO 27002 guides organizations in selecting, implementing, and managing controls on their cybersecurity risk environment—the controls on risks to the confidentiality, integrity, and availability of information in their information systems.
Organizations adopting this standard must perform their own information security risk assessment. They must also clarify their security policy and control objectives, and apply appropriate controls (or other forms of risk management) using the standard for guidance.
ISO 27002 is designed for organizations to use when:
- Selecting controls to use in their information security management system (ISMS), in accordance with ISO/IEC 27001, the international standard for ISMSs;
- Implementing commonly accepted information security controls, or
- Developing their own information security management guidelines.
The standard contains 19 chapters addressing:
- Information security policies
- Organization of information security
- Human resources security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- Systems acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management