ISO/IEC 27002

ISO / IEC 27002 (until 1 July 2007: ISO / IEC 17799) is an international standard containing recommendations for control mechanisms in information security. Its subject is security in the sense of protection against attacks (English: security). The counterpart cited for safety in the sense of reliability (English: safety) is ISO / IEC 90003, see ISO 9001. The standard is part of the ISO / IEC 27000 series.

Certification against ISO / IEC 27002 is in principle not possible, because the standard is a collection of recommendations ("should", English: "should") rather than requirements ("must", English: "shall"). If an Information Security Management System (ISMS) is to be certified, this is possible only by fulfilling the requirements of ISO / IEC 27001.


Historical development

Development at BSI

The basis for standardization was a collection of experiences, procedures and methods from practice, i.e. a "best practice" approach similar to ITIL. This collection was published in September 1993 as the DTI Code of Practice, the result of the work of an industry working group active since January 1993. This code of practice became the basis for BS 7799.

In February 1995 the BSI (British Standards Institution) published BS 7799-1:1995, the first standard in the field of information security, to address security aspects in the context of the emerging e-commerce. Its uptake was rather low, however, because of pressing contemporary problems such as the impending Y2K problem. That did not change with the publication of the second standard, BS 7799-2:1998, in February 1998, which describes the requirements for a security management system. It changed only when the BSI presented a completely revised version of both standards in April 1999 (BS 7799-1:1999 and BS 7799-2:1999), which in turn aroused the interest of ISO.

Conversion into an ISO standard

ISO adopted BS 7799-1:1999 as a standard with its content unchanged and published it in 2000 under the name ISO / IEC 17799:2000. On 1 July 2007 the standard was renamed ISO / IEC 27002 and thereby incorporated by name into the ISO / IEC 27000 series. Since September 2008 the standard has also been available as the DIN standard DIN ISO / IEC 27002. The series of standards deals with the various levels of information security management systems (ISMS).

Maintenance in Germany

The German share of the international standardization work of ISO / IEC JTC 1/SC 27 "Information Technology - Security Techniques" is handled by DIN NIA 01-27 "IT security procedures".

Versions and content

Edition ISO / IEC 17799:2000

As part of the revision of ISO / IEC 17799:2000, new main categories and security measures were added to each area. In the course of this revision the standard was also slightly restructured; among other things, a new control area was created (Information security incident management - handling of security incidents). It builds on content that had previously been spread across other chapters.

Edition ISO / IEC 27002:2005

ISO / IEC 27002:2005 addresses 11 control areas.

These 11 control areas are divided into 39 main categories, the so-called control objectives. These are backed by a total of 133 security measures (controls), whose application supports the achievement of the control objectives.
