What’s ISO 27002?

ISO 27002 is a set of standards that enhances information security and controls for businesses. It was previously known as BS7799 and ISO 17799. It covers various aspects of information security, including human resources, access control, and business continuity. ISO 27002 is aimed at the IT department but also covers paper assets. It was initially intended to be a broad standard for all institutions but is now being separated for different industries. ISO 27002 goes into detail about controls and procedures, while ISO 27001 specifies management aspects.

The International Organization for Standardization (ISO) is a non-governmental entity that exists to create standards for mostly technical subjects. ISO 27002 is a set of standards and procedures that strengthen information security and the controls that enable a business to apply appropriate security. Until 2005, ISO 27002 had two other names. This standard is extensively complemented by ISO 27001, which details management activities such as risk assessment and security review, rather than the control aspect of 27002.

Two standards came before ISO 27002, each similar in subject matter and controls. The first incarnation appeared in 1995 in the United Kingdom (UK) as BS7799. After being cleaned up and modernized, it was re-released by ISO, this time as ISO 17799. In 2005, after further changes, it was renamed ISO 27002. While each version differs, and the later versions add more modern controls, all three incarnations deal with information security.

The 27002 standard highlights hundreds of ways to approach information security and has many different chapters for different aspects of information security. Some chapters deal with human resources and their interaction with information, while others tell a company how to control access and maintain business continuity within its own security procedures. Information security usually involves information technology (IT), but ISO 27002 also covers information and paper assets, although most of the standard is aimed at the IT department.

In its first version, the 27002 standard was intended to be a broad standard for all institutions that needed information security. This means that a business, a non-profit organization, and a government agency would all follow the same standard. Future publications of this standard are focused on separating the standard for different industries to be more efficient.

ISO 27002 goes into detail about the controls and procedures involved in keeping information secure. Other standards, such as the complementary ISO 27001, offer only a sentence or two about controls. Instead, 27002 covers controls in great detail but says little about how cases are handled. With ISO 27001, all management aspects are specified.

Many people confuse ISO 27001 and 27002, because they deal with the same topics in different ways. As a result, many people wonder why the standard has been separated into two parts. The reason is that, if both sides existed together, it would be too long for a single publication.
