ISO IEC 27002 2013 - The original page can be found here

(Previous version ISO IEC 27002 2005 - The original page can be found here (obsolete))

5. Security Policy Management

5.1 Provide management direction and support

5.1.1 Develop your information security policies

5.1.2 Review your information security policies


6. Corporate Security Management

6.1 Establish an internal information security organization

6.1.1 Allocate information security roles and responsibilities

6.1.2 Segregate conflicting duties and responsibilities

6.1.3 Maintain contact with all relevant authorities

6.1.4 Establish relationships with external organizations

6.1.5 Make information security part of project management

6.2 Protect your organization's mobile devices and telework

6.2.1 Establish a mobile device security risk management policy

6.2.2 Establish a teleworking security management policy


7. Personnel Security Management

7.1 Emphasize security prior to employment

7.1.1 Verify the backgrounds of all new personnel

7.1.2 Use contracts to protect your information

7.2 Emphasize security during employment

7.2.1 Expect your managers to emphasize security

7.2.2 Deliver information security awareness programs

7.2.3 Set up a disciplinary process for security breaches

7.3 Emphasize security at termination of employment

7.3.1 Emphasize post-employment security requirements


8. Organizational Asset Management

8.1 Establish responsibility for corporate assets

8.1.1 Compile an inventory of assets associated with information

8.1.2 Select owners for all assets associated with your information

8.1.3 Prepare acceptable use rules for assets associated with information

8.1.4 Return all assets associated with information upon termination

8.2 Develop an information classification scheme

8.2.1 Classify your organization’s information

8.2.2 Establish information labeling procedures

8.2.3 Develop asset handling procedures

8.3 Control how physical media are handled

8.3.1 Manage removable media

8.3.2 Manage the disposal of media

8.3.3 Manage the transfer of media


9. Information Access Management

9.1 Respect business requirements

9.1.1 Develop a policy to control access to information

9.1.2 Control access to networks and network services

9.2 Manage all user access rights

9.2.1 Develop a user registration process

9.2.2 Set up a user access provisioning process

9.2.3 Restrict the use of privileged access rights

9.2.4 Control secret authentication information

9.2.5 Review access rights at regular intervals

9.2.6 Remove or adjust user access rights

9.3 Protect user authentication

9.3.1 Protect secret authentication information

9.4 Control access to systems

9.4.1 Restrict access to information and applications

9.4.2 Use secure log-on procedures to control access

9.4.3 Use formal password management systems

9.4.4 Control the use of utility programs

9.4.5 Control access to source code


10. Cryptography Policy Management

10.1 Control the use of cryptographic controls and keys

10.1.1 Implement a cryptographic control policy

10.1.2 Implement a cryptographic key policy

11. Physical Security Management

11.1 Establish secure areas to protect assets

11.1.1 Create physical security perimeters to protect areas

11.1.2 Use physical entry controls to protect secure areas

11.1.3 Secure your organization’s offices, rooms, and facilities

11.1.4 Protect information and facilities from external threats

11.1.5 Develop procedures to control work in secure areas

11.1.6 Prevent unauthorized persons from accessing premises

11.2 Protect your organization’s equipment

11.2.1 Use siting techniques to protect equipment and assets

11.2.2 Safeguard equipment from supporting utility failures

11.2.3 Secure your power and telecommunications cables

11.2.4 Ensure that your equipment is correctly maintained

11.2.5 Restrict the removal of assets to off-site locations

11.2.6 Regulate the off-site use of equipment and assets

11.2.7 Control the disposal and re-use of storage media

11.2.8 Expect users to protect unattended equipment

11.2.9 Establish a clear-desk and clear-screen policy

12. Operational Security Management

12.1 Establish procedures and responsibilities

12.1.1 Document and use your operating procedures

12.1.2 Control changes that affect information security

12.1.3 Monitor usage and carry out capacity planning

12.1.4 Keep your operational environment separate

12.2 Protect your organization from malware

12.2.1 Implement controls to manage malware

12.3 Make backup copies on a regular basis

12.3.1 Control how backups are carried out

12.4 Use logs to record security events

12.4.1 Establish information security event logs

12.4.2 Protect logging facilities and log information

12.4.3 Record administrator and operator activities

12.4.4 Synchronize clocks to a single reference source

12.5 Control your operational software

12.5.1 Control installation of operational software

12.6 Address your technical vulnerabilities

12.6.1 Manage your technical vulnerabilities

12.6.2 Establish software installation rules

12.7 Minimize the impact of audit activities

12.7.1 Control how audit activities are carried out

13. Network Security Management

13.1 Protect networks and facilities

13.1.1 Establish network security controls

13.1.2 Control network service providers

13.1.3 Use segregation to protect networks

13.2 Protect information transfers

13.2.1 Develop information transfer policies and procedures

13.2.2 Establish security information transfer agreements

13.2.3 Protect information sent using electronic messaging

13.2.4 Use confidentiality agreements to protect information


14. System Security Management

14.1 Make security an inherent part of information systems

14.1.1 Consider security when changing or acquiring systems

14.1.2 Protect application services on all public networks

14.1.3 Safeguard your application service transactions

14.2 Protect and control system development activities

14.2.1 Establish rules to control internal software development

14.2.2 Use formal procedures to control changes to systems

14.2.3 Review applications after operating platform changes

14.2.4 Restrict and control changes to software packages

14.2.5 Establish and use secure system engineering principles

14.2.6 Establish and protect secure development environments

14.2.7 Control outsourced system development projects

14.2.8 Test security functionality during development cycle

14.2.9 Use acceptance criteria to test information systems

14.3 Safeguard data used for system testing purposes

14.3.1 Control and protect data used for system testing


15. Supplier Relationship Management

15.1 Establish security agreements with suppliers

15.1.1 Expect suppliers to comply with risk mitigation agreements

15.1.2 Expect suppliers to comply with information security agreements

15.1.3 Expect suppliers to deal with their own supply chain security risks

15.2 Manage supplier security and service delivery

15.2.1 Manage supplier services and supplier security

15.2.2 Manage changes to services provided by suppliers


16. Security Incident Management

16.1 Identify and respond to information security incidents

16.1.1 Establish incident response procedures and responsibilities

16.1.2 Report information security events as quickly as possible

16.1.3 Identify and report all information security weaknesses

16.1.4 Assess your security events and decide if they are incidents

16.1.5 Follow procedures when you respond to security incidents

16.1.6 Learn from security incidents and apply your knowledge

16.1.7 Collect evidence to document incidents and responses


17. Security Continuity Management

17.1 Establish information security continuity controls

17.1.1 Plan how information security will continue during a disaster

17.1.2 Implement your approach to information security continuity

17.1.3 Verify the effectiveness of your security continuity controls

17.2 Build redundancies into information processing facilities

17.2.1 Use redundancies to ensure information processing continuity


18. Security Compliance Management

18.1 Comply with legal security requirements

18.1.1 Identify and comply with legal security requirements

18.1.2 Respect intellectual property rights and requirements

18.1.3 Meet all appropriate record protection requirements

18.1.4 Protect privacy and personally identifiable information

18.1.5 Regulate the use of cryptographic methods and controls

18.2 Carry out security compliance reviews

18.2.1 Perform independent reviews of information security

18.2.2 Review compliance with security policies and standards

18.2.3 Conduct technical information security compliance reviews