ISO 27002 Central. BS7799 and ISO27002 Guide


ISO 27001 and ISO 27002 Central is intended to be a launch pad for those seeking help with this international standard. It offers information, tips, guides and links to a range of resources.

About ISO 27002
Starting Point
The Glossary
The PDCA Cycle
Newsletter Archive

27000 Home

Add ISO27000 Central
to Your Bookmarks

ISO27002 History

ISO 27002 began life as the Information Security 'Code of Practice' from the UK's Department of Trade and Industry. It was published in the early nineties. Even then, however, the British Standards Institute, was involved, leading to the re-badging of the code in 1995. It became BS7799-1.

This document certainly had its supporters, but it was not widely embraced. This, however, was to change in the late nineties.

In 1999 the standard was significantly revised. This strengthened the standard in many respects. Accreditation and certification schemes were launched shortly after. A momentum was born.

Within a couple of years it had been fast-tracked through the International Standards Organization. In December 2000 it became ISO17799. This increased worldwide interest further.

In 2002 BS7799-2 was published. This covered ISMS and helped bridge the gap with ISO9000. The ISO 17799 Toolkit was published in the same month, to support early steps.

The standard was again revised in 2005, and renamed to ISO 27002 in 2007.

Introducing ISO 27001 and ISO 27002

The standard in generic terms effectively comprises of two parts:

a) Part 1: ISO/IEC 27002 (ex BS7799-2 and ISO 17799)

This is essentially the set of security controls: the measures and safeguards for potential implementation. In volume it is the main body of the overal 'standard set' itself.

The contents of this part are as follows:

1. Scope

2. Terms and definitions

3. Security Policy
3.1. Information Security POlicy

4. Security Organization
4.1 Information Security Infrastructure
4.2 Security and Third Party Access
4.3 Outsourcing

5. Asset Classification and Control
5.1 Accountability for assets
5.2 Information Classification

6. Personnel Security
6.1 Security in Job Definition and Resourcing
6.2 User Training
6.3 Responding to Security Incidents and Malfunctions

7. Physical and Environmental Security
7.1 Secure Areas
7.2 Equipment Security
7.3 General Controls

8. Communications and Operations Management
8.1 Operational Procedures and Responsibility
8.2 System Planning and Acceptance
8.3 Protection Against Malicious Software
8.4 Housekeeping
8.5 Network Management
8.6 Media Handling and Security
8.7 Exchanges of Information and Software

9 Access Control
9.1 Business Requirement for Access Control
9.2 User Access Management
9.3 User Responsibilities
9.4 Network Access Control
9.5 Operating System Access Control
9.6 Application Access Management
9.7 Monitoring System Access and Use
9.8 Mobile Computing and Telenetworking

10. System Development and Maintenance
10.1 Security Requirements of Systems
10.2 Security in Application Systems
10.3 Cryptographic Controls
10.4 Security of System Files
10.5 Security in Development and Support Processes

11. Business Continuity Management
11.1 Aspects of Business Continuity Management

12. Compliance
12.1 Compliance with Legal Requirements
12.2 Reviews of Security Policy and Technical Compliance
12.3 System Audit Considerations

b) Part 2: ISO27001 (ex BS7799-2)

This is the 'specification' for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from a top down perspective. It essentially explains how to apply ISO 27002 and it is this part that can currently be certified against.

Part 2 defines a six part 'process', roughly as follows:

- Define a security policy
- Define the scope of the ISMS
- Undertake a risk assessment
- Manage the risk
- Select control objectives and controls to be implemented
- Prepare a statement of applicability.

This possibly illustrates why risk analysis and security policies are so fundamental to progress with this standard.



ISO 27002 (and/or ISO27001) should always be obtained from an official source.
17799, 27002

Standards Direct (BSI) provides the standard as an instant download from the following page: ISO 27002 Download


The standard (both ISO 27001 and ISO27002) can also be obtained as part of the ISO27000 Toolkit. This also comprises a series of support resources, such as aligned security policies, checklists, BIA questionnaires, presentations, etc.

It can be downloaded via the following website: ISO 27000 Toolkit


Please feel free to contact us

Your Guide To ISO 27002 and BS7799
Copyright © 2011. All Rights Reserved.