ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls.
ISO/IEC 27002 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 security control clauses collectively containing a total of 35 main security categories and 114 controls.
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard does not imply their importance. Depending on the circumstances, security controls from any or all clauses could be important; therefore each organization applying this standard should identify the applicable controls, how important these are and how they apply to individual business processes. Furthermore, lists in this standard are not in priority order.
4.2 Control categories
Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
Implementation guidance
At the highest level, organizations should define an “information security policy” which is approved by management and which sets out the organization’s approach to managing its information security objectives. Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to information security;
b) assignment of general and specific responsibilities for information security management to defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within an organization or to cover certain topics.
Examples of such policy topics include:
a) access control (see Clause 9).