Audit Information systems & IT Security

Information System audit and IT Security

ISO 27002 (ISO 17799)

ISO 27002 is the new name for the standard that used to be named ISO 17799.

Code of practice for information security management

ISO 27002 Overview

Obtaining ISO 27002

Auditing for ISO 27002 compliance


ISO 27002 Links

ISO 27002 Overview

ISO 27002, previously called ISO 17799 (and before that BS 7799), is a widely accepted standard for information security management. It is a great tool for the fundamentals of security management and also helps in promoting information security to top management.

When ISO adopted the British standard BS 7799 it became ISO 17799. The latest version of ISO 17799 was released in 2005. In 2008 the name was changed to ISO 27002 so that it would be part of the ISO 27000 series. Nothing else was changed at this point.

The standard has 16 sections (0 - 15), as outlined below:

Section 0 - Introduction
The introduction discusses what information security is, why it is important, outlines how to work with information security, and explains how ISO 27002 is a good starting point.

Section 1 - Scope
States that the standard establishes general guidelines for implementing and working with information security, and that risk assessments are required to make good use of the standard.

Section 2 - Terms and Definitions
Defines terminology used in the standard. The following terms are defined: asset, control, guideline, information processing facilities, information security, information security event, information security incident, policy, risk, risk analysis, risk assessment, risk evaluation, risk management, risk treatment, third party, threat, and vulnerability.

Section 3 - Structure of the Standard
Describes the structure of the standard and identifies the eleven security control clauses (sections 5 to 15 below).

Section 4 - Risk Assessment and Treatment
Section 4.1 describes how risk assessment needs to be performed periodically, and is the basis for implementing security controls.

Section 4.2 outlines the possible options for risk treatment, including:
- applying appropriate controls to reduce the risks;
- knowingly and objectively accepting risks, providing they clearly satisfy the organization's policy and criteria for risk acceptance;
- avoiding risks by not allowing actions that would cause the risks to occur;
- transferring the associated risks to other parties, e.g. insurers or suppliers.

Further, it is pointed out that there is no single solution that fits all organisations; each has to find the controls that are appropriate for it.

Section 5 - Security Policy
The objective of a policy is identified as giving clear management guidance.
Section 5.1, Information security policy, covers the policy document and policy review.

Section 6 - Organizing Information Security
Section 6.1 covers internal organization, while section 6.2 discusses external parties.

Section 7 - Asset Management
Section 7.1 discusses responsibility for assets. Section 7.2 is about information classification.

Section 8 - Human Resources Security
Section 8.1 is about the time before employment, section 8.2 is about the employment period, and section 8.3 is about termination or change of employment.

Section 9 - Physical and Environmental Security
Section 9.1 is about secure areas and section 9.2 is about equipment security.

Section 10 - Communications and Operations Management
Section 10.1 is about operational procedures and responsibilities, section 10.2 is about external parties delivering services (outsourcing), and section 10.3 is about system planning and acceptance. Section 10.4 is about malicious and mobile code, section 10.5 is about backups, and section 10.6 is about network security management. Section 10.7 covers media handling and section 10.8 covers exchanges of information. Section 10.9 is about e-commerce, while section 10.10 is about monitoring.

Section 11 - Access Control
Section 11.1 is about business requirements, section 11.2 is about user access management, and section 11.3 is about user responsibilities. Section 11.4 drills down into network access control, section 11.5 examines operating system access controls, section 11.6 is about application-level controls, and section 11.7 is focused on mobile computing.

Section 12 - Information Systems Acquisition, Development and Maintenance
Section 12.1 focuses on security requirements, while section 12.2 focuses on correct processing. Section 12.3 is about cryptographic controls, while section 12.4 is about control of system files. Section 12.5 focuses on the development and support processes, and section 12.6 centers on vulnerability management.

Section 13 - Information Security Incident Management
Section 13.1 is about reporting security events and weaknesses. Section 13.2 is about managing incidents and improvements.

Section 14 - Business Continuity Management
Section 14.1 covers information security aspects of business continuity management.

Section 15 - Compliance
Section 15.1 is about compliance with legal requirements while section 15.2 is about compliance with policies, standards, and technical specifications. Section 15.3 is about audit considerations.

Obtaining ISO 27002

ISO 27002 is published by ISO. The standard is not free; it has to be purchased. The ISO 27002 standard can be downloaded as part of the ISO-17799 Toolkit, as a stand-alone document from the ISO17799 Shop, or from ISO.

Auditing for ISO 27002 compliance

SANS has published an Audit Check List for ISO 17799:2005. It is available as an MS Word file here.


Certification for organisations is currently available against ISO 27001 and is granted through an Accredited Certification Body. As a worldwide standard, the number of certified entities is increasing, with representation across the world.

ISO 17799 Links

The ISO-17799 forum page contains much useful information about the standard.


Auditing Security and IT Systems
Copyright 2006-2008. All Rights Reserved.