Key Elements of ISO/IEC 27002

ISO/IEC 27002:2005 addresses topics in terms of policies and general good practices. The document specifically identifies itself as “a starting point for developing organization specific guidance.” It states that not all of the guidance and controls it contains may be applicable and that additional controls not contained may be required. It is not intended to give definitive details or “how-to’s”. Given such caveats, the document briefly addresses the following major topics:

  • Security Policy
  • Organizing Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance