Overview
ISO IEC 27002 2013 - The original page can be found here
(Previous version ISO IEC 27002 2005 - The original page can be found here (obsolete))
5. Security Policy Management
5.1 Provide management direction and support
5.1.1 Develop your information security policies
5.1.2 Review your information security policies
6. Corporate Security Management
6.1 Establish an internal information security organization
6.1.1 Allocate information security roles and responsibilities
6.1.2 Segregate conflicting duties and responsibilities
6.1.3 Maintain contact with all relevant authorities
6.1.4 Establish relationships with external organizations
6.1.5 Make information security part of project management
6.2 Protect your organization's mobile devices and telework
6.2.1 Establish a mobile device security risk management policy
6.2.2 Establish a teleworking security management policy
7. Personnel Security Management
7.1 Emphasize security prior to employment
7.1.1 Verify the backgrounds of all new personnel
7.1.2 Use contracts to protect your information
7.2 Emphasize security during employment
7.2.1 Expect your managers to emphasize security
7.2.2 Deliver information security awareness programs
7.2.3 Set up a disciplinary process for security breaches
7.3 Emphasize security at termination of employment
7.3.1 Emphasize post-employment security requirements
8. Organizational Asset Management
8.1 Establish responsibility for corporate assets
8.1.1 Compile an inventory of assets associated with information
8.1.2 Select owners for all assets associated with your information
8.1.3 Prepare acceptable use rules for assets associated with information
8.1.4 Return all assets associated with information upon termination
8.2 Develop an information classification scheme
8.2.1 Classify your organization’s information
8.2.2 Establish information labeling procedures
8.2.3 Develop asset handling procedures
8.3 Control how physical media are handled
8.3.1 Manage removable media
8.3.2 Manage the disposal of media
8.3.3 Manage the transfer of media
9. Information Access Management
9.1 Respect business requirements
9.1.1 Develop a policy to control access to information
9.1.2 Control access to networks and network services
9.2 Manage all user access rights
9.2.1 Develop a user registration process
9.2.2 Set up a user access provisioning process
9.2.3 Restrict the use of privileged access rights
9.2.4 Control secret authentication information
9.2.5 Review access rights at regular intervals
9.2.6 Remove or adjust user access rights
9.3 Protect user authentication
9.3.1 Protect secret authentication information
9.4 Control access to systems
9.4.1 Restrict access to information and applications
9.4.2 Use secure log-on procedures to control access
9.4.3 Use formal password management systems
9.4.4 Control the use of utility programs
9.4.5 Control access to source code
10. Cryptography Policy Management
10.1 Control the use of cryptographic controls and keys
10.1.1 Implement a cryptographic control policy
10.1.2 Implement a cryptographic key policy
11. Physical Security Management
11.1 Establish secure areas to protect assets
11.1.1 Create physical security perimeters to protect areas
11.1.2 Use physical entry controls to protect secure areas
11.1.3 Secure your organization’s offices, rooms, and facilities
11.1.4 Protect information and facilities from external threats
11.1.5 Develop procedures to control work in secure areas
11.1.6 Prevent unauthorized persons from accessing premises
11.2 Protect your organization’s equipment
11.2.1 Use siting techniques to protect equipment and assets
11.2.2 Safeguard equipment from supporting utility failures
11.2.3 Secure your power and telecommunications cables
11.2.4 Ensure that your equipment is correctly maintained
11.2.5 Restrict the removal of assets to off-site locations
11.2.6 Regulate the off-site use of equipment and assets
11.2.7 Control the disposal and re-use of storage media
11.2.8 Expect users to protect unattended equipment
11.2.9 Establish a clear-desk and clear-screen policy
12. Operational Security Management
12.1 Establish procedures and responsibilities
12.1.1 Document and use your operating procedures
12.1.2 Control changes that affect information security
12.1.3 Monitor usage and carry out capacity planning
12.1.4 Keep your operational environment separate
12.2 Protect your organization from malware
12.2.1 Implement controls to manage malware
12.3 Make backup copies on a regular basis
12.3.1 Control how backups are carried out
12.4 Use logs to record security events
12.4.1 Establish information security event logs
12.4.2 Protect logging facilities and log information
12.4.3 Record administrator and operator activities
12.4.4 Synchronize clocks to a single reference source
12.5 Control your operational software
12.5.1 Control installation of operational software
12.6 Address your technical vulnerabilities
12.6.1 Manage your technical vulnerabilities
12.6.2 Establish software installation rules
12.7 Minimize the impact of audit activities
12.7.1 Control how audit activities are carried out
13. Network Security Management
13.1 Protect networks and facilities
13.1.1 Establish network security controls
13.1.2 Control network service providers
13.1.3 Use segregation to protect networks
13.2 Protect information transfers
13.2.1 Develop information transfer policies and procedures
13.2.2 Establish security information transfer agreements
13.2.3 Protect information sent using electronic messaging
13.2.4 Use confidentiality agreements to protect information
14. System Security Management
14.1 Make security an inherent part of information systems
14.1.1 Consider security when changing or acquiring systems
14.1.2 Protect application services on all public networks
14.1.3 Safeguard your application service transactions
14.2 Protect and control system development activities
14.2.1 Establish rules to control internal software development
14.2.2 Use formal procedures to control changes to systems
14.2.3 Review applications after operating platform changes
14.2.4 Restrict and control changes to software packages
14.2.5 Establish and use secure system engineering principles
14.2.6 Establish and protect secure development environments
14.2.7 Control outsourced system development projects
14.2.8 Test security functionality during development cycle
14.2.9 Use acceptance criteria to test information systems
14.3 Safeguard data used for system testing purposes
14.3.1 Control and protect data used for system testing
15. Supplier Relationship Management
15.1 Establish security agreements with suppliers
15.1.1 Expect suppliers to comply with risk mitigation agreements
15.1.2 Expect suppliers to comply with information security agreements
15.1.3 Expect suppliers to deal with their own supply chain security risks
15.2 Manage supplier security and service delivery
15.2.1 Manage supplier services and supplier security
15.2.2 Manage changes to services provided by suppliers
16. Security Incident Management
16.1 Identify and respond to information security incidents
16.1.1 Establish incident response procedures and responsibilities
16.1.2 Report information security events as quickly as possible
16.1.3 Identify and report all information security weaknesses
16.1.4 Assess your security events and decide if they are incidents
16.1.5 Follow procedures when you respond to security incidents
16.1.6 Learn from security incidents and apply your knowledge
16.1.7 Collect evidence to document incidents and responses
17. Security Continuity Management
17.1 Establish information security continuity controls
17.1.1 Plan how information security will continue during a disaster
17.1.2 Implement your approach to information security continuity
17.1.3 Verify the effectiveness of your security continuity controls
17.2 Build redundancies into information processing facilities
17.2.1 Use redundancies to ensure information processing continuity
18. Security Compliance Management
18.1 Comply with legal security requirements
18.1.1 Identify and comply with legal security requirements
18.1.2 Respect intellectual property rights and requirements
18.1.3 Meet all appropriate record protection requirements
18.1.4 Protect privacy and personally identifiable information
18.1.5 Regulate the use of cryptographic methods and controls
18.2 Carry out security compliance reviews
18.2.1 Perform independent reviews of information security
18.2.2 Review compliance with security policies and standards
18.2.3 Conduct technical information security compliance reviews