ISO/IEC 27002

Qualys Solutions for IT Security & Compliance

Qualys' continuous security approach to IT security and compliance enables organizations of all sizes to successfully achieve both vulnerability management and policy compliance initiatives cohesively, while reducing costs and streamlining operations. Using an innovative Software as a Service (SaaS) approach, the Qualys® Security and Compliance Suite combines Qualys' industry leading vulnerability management service with a comprehensive IT compliance solution.

The international standard for information security is officially called ISO/IEC 27002:2013. Its formal title is Information technology — Security techniques — Code of practice for information security management. The standard defines best practices that help organizations preserve the confidentiality, integrity, and availability of information. This page provides background information about ISO/IEC 27002 and describes how solutions from Qualys help organizations use this framework for compliance.

About ISO/IEC 27002

The ISO/IEC 27002 standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Some refer to it by the old title, ISO/IEC 17799:2013; in 2007 this was renumbered to ISO/IEC 27002:2013 for alignment with the 27000-series standards. ISO/IEC 27002 includes the 14 areas outlined below. Each of these specifies controls and objectives for "initiating, implementing, maintaining, and improving information security management in an organization." ISO/IEC considers 27002 to be a general-purpose security standard: ISO/IEC 27002 presents best practices rather than specifying granular controls. Other ISO/IEC standards provide specific control implementation guidelines.

Why ISO/IEC 27002 Matters to Your Organization

ISO/IEC 27002 is important because it provides organizations with an international framework that auditors rely on for verification of compliance with security mandates. Typically, public mandates focus on setting policy and leave implementation details to standards set by accredited organizations. For example, a huge driver for IT security in public corporations is the U.S. Sarbanes-Oxley Act of 2002. The Act requires improving and safeguarding the reliability and transparency of accounting statements and regulatory filings, but its key Section 404 contains fewer than 75 words about internal controls and procedures. Section 404 does not even mention information technology or IT security! ISO/IEC 27002 helps fill in the blanks by specifying a comprehensive framework of best practices for compliance.

Considerations for Using ISO/IEC 27002

Implementation of ISO/IEC 27002 entails understanding and using its key concepts, principles and controls. These begin with the 14 sections of best practices outlined below, which address the requirements an organization identifies through a formal Risk Assessment. Each section presents information in four categories: Objective (or objectives), Control (or controls) that help meet the objective, Implementation Guidance, and Other Information. According to ISO/IEC, the standard "is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities."

Toward this end, many countries have their own equivalent national standard comparable to ISO/IEC 27002. These are summarized in the table below, from Wikipedia.

ISO/IEC 27002 Requirements

5. Security Policy
   5.1 Information Security Policy

6. Organization of Information Security
   6.1 Internal Organization
   6.2 Mobile devices and teleworking

7. Human resource security
   7.1 Prior to employment
   7.2 During employment
   7.3 Termination and change of employment

8. Asset Management
   8.1 Responsibility for assets
   8.2 Information classification
   8.3 Media handling

9. Access Control
   9.1 Business requirements of access control
   9.2 User access management
   9.3 User responsibilities
   9.4 System and application access control

10. Cryptography
   10.1 Cryptographic controls

11. Physical and environmental security
   11.1 Secure areas
   11.2 Equipment

12. Operations Security
   12.1 Operational procedures and responsibilities
   12.2 Protection from malware
   12.3 Backup
   12.4 Logging and monitoring
   12.5 Control of operational software
   12.6 Technical vulnerability management
   12.7 Information systems audit considerations

13. Communications security
   13.1 Network security management
   13.2 Information transfer

14. System acquisition, development and maintenance
   14.1 Security requirements of information systems
   14.2 Security in development and support processes
   14.3 Test data

15. Supplier relationships
   15.1 Information security in supplier relationships
   15.2 Supplier service delivery management

16. Information security incident management
   16.1 Management of information security incidents and improvements

17. Information security aspects of business continuity management
   17.1 Information security continuity
   17.2 Redundancies

18. Compliance
   18.1 Compliance with legal and contractual requirements
   18.2 Information security reviews
