Establishment of IT Controls for ISO/IEC 27002 Compliance

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly develop worldwide standards. National bodies that are members of ISO or IEC participate in the development of international standards through technical committees established by these organizations to deal with particular fields of international activity. Other international organizations, governmental and non-governmental, liaise with ISO and IEC to participate in the development of technical standards.

The ISO 27002 standard is the renamed ISO 17799 standard, and is a code of practice for information security. It outlines hundreds of potential controls and control mechanisms which might be implemented, subject to the guidance provided within ISO 27001.

The standard "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The actual controls listed in the standard are intended to address the specific requirements identified through a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

The basis of the standard was originally a document published by the UK government, which became a standard 'proper' in 1995, when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO, as ISO 17799. A new version of this appeared in 2005, along with a new publication, ISO 27001. These two documents are intended to be used together, with one complementing the other.

ISO/IEC 27002:2005, which replaces ISO/IEC 17799:2000, was released in July 2007.

ISO's future plans for this standard are focused largely around the development and publication of industry-specific versions (for example: health sector, manufacturing, and so on). Note that this is a lengthy process, so the new standards take some time to appear.

ISO/IEC 17799 (now ISO/IEC 27002:2005) is one of the few accepted worldwide standards for information security. It has been adopted as a guideline by companies around the world, and the major consultancies have invested very heavily in developing ISO/IEC 17799/27002 implementation programs, including training and certification of auditors. Due to its worldwide acceptance, other standards, such as Japan’s Information Security Management System (ISMS) and ITIL® Security Management book, have based their security recommendations on ISO/IEC 17799/27002.