
ISO 27002 / ISO 17799

What is ISO 27002 or ISO 17799?

ISO/IEC 27002:2005, the latest version of “Information technology - Security techniques - Code of practice for information security management”, to give it its full title, is an internationally-accepted standard of good practice for information security. Tens or hundreds of thousands of organizations worldwide follow ISO/IEC 27002.

ISO 27002 is the renamed ISO 17799 standard and is a code of practice for information security. It outlines hundreds of potential controls and control mechanisms which may be implemented, subject to the guidance provided within ISO 27001.

The standard "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

What is the significance of ISO 27002 or ISO 17799?

Information Security Policies

A stated objective of ISO 27002 is "To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear direction in line with business objectives and demonstrate support for, and commitment to IS with the issue and maintenance of an information security policy across the organization". 

Security Risk Assessment

Security risk assessment is a fundamental requirement not only of the standard, but as a driver for sound information security itself.

ISO 27001 is very clear with respect to the requirements, specifying that it is a requirement to "Define the risk assessment approach of the organization". It continues, stating the requirements to "Identify the risks"; "Analyze and evaluate the risks"; "Identify and evaluate options for the treatment of risks"; "Select control objectives and controls for the treatment of risks"; and "Obtain management approval of the proposed residual risks".

Structure

The standard is organised into the following sections:

  • Risk Assessment and Treatment
  • Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resources Security
  • Physical Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity
  • Compliance

Benefits of ISO 27002 or ISO 17799

There are of course a wide range of benefits and advantages in adopting the standard. These will vary from organization to organization. The following is a starter list of some of the most commonly reported advantages:

Improved Security

Adopting the standards undoubtedly drives the process to improve information security, and reduce risk.

Assurance

Management and others can be more assured of the quality of a system or other entity if a recognized framework is followed.

Diligence

Compliance with (or certification for) an international standard can be used to demonstrate due diligence.

Benchmarking

The standard is often used as a measure of status within a peer community. Compliance with it can provide a benchmark for both the current position and future progress.

Interoperability

Systems from diverse parties are more likely to work together in harmony if they follow a common guideline or structure.

Security Awareness

Implementation of the standard always results in greater security awareness within the organization.

Alignment

Because the implementation of ISO 27001 requires the involvement of both business and technical management, greater Information Technology and Business alignment often results.

Differentiation (Marketing)

Adherence (or certification) with the standard is often used as a positive differentiator in the commercial market.

For Whom

Like governance, information security is a broad topic with ramifications in all parts of the modern organization. Information security, and hence ISO/IEC 27002, is relevant to all types of organization including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies - in fact any organization that handles and depends on information. The specific information security requirements may be different in each case but the point of ISO/IEC 27002 is that there is a lot of common ground.
The standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security per se. The IT department is merely the custodian of a good proportion of the organization’s information assets and is charged with securing them by the information asset owners, the business managers who are accountable for the assets. A large proportion of written and intangible information (e.g. the knowledge and experience of workers) has nothing to do with IT.

ISO 27002 or ISO 17799 Services

Contact us

Please feel free to contact us. We are looking forward to hearing from you!

Rajendra Khare
MD
DQS Certification India Private Limited

Mobile: +91-9810268573
Phone:  +91-11-27025910
e-mail: rkhare@dqsindia.com

Please note: Email is the preferred mode of communication.

YOUR SUCCESS IS OUR GOAL