Information security standards

ISO 27002 (formerly BS 7799 Part 1) is the ‘Code of Practice for Information Security Management’. It is a management standard, designed primarily to guide senior managers through the issues that form the basis of good corporate information security.

This part of the module examines the need for protecting information, how to set the levels of information security required, and the possible controls to implement. It is intended to provide an introduction to Information Security Management using BS 7799 (now ISO 27001) and ISO 27002, the International Standard for Information Security Management, as the framework on which to base international best practice.

This module assumes no prior knowledge of information security and takes the reader from basic concepts. The text of the new ISO 27001 document is based on the well-established British Standard 7799 Part 2 (the ‘Specification for Information Security Management’). The whole set of information security standards is to be renumbered and published as ISO documents, as shown below:

New Standard    Old Standard
ISO 27001       BS 7799 Part 2
ISO 27002       ISO 27002 (latterly BS 7799 Part 1)
ISO 27003       Risk management standard (latterly BS 7799 Part 3)
ISO 27004       ISMS measurement and metrics standard
ISO 27005       ISMS implementation guidance
ISO 27006


This reflects how the original British Standard has been adopted throughout the world, either as the ISO 27000 series or as local variants such as AS/NZS 4444 (now AS/NZS 7799), the Australian and New Zealand variant of the original BS 7799.

The title Information Security Management was deliberately chosen to emphasise the need for this fundamental component of good business practice to be addressed as an aspect of general management rather than as a new and separate topic. It is clear that security is a matter of identifying valuable assets and deciding how best to safeguard them (as outlined in the ideas of protecting your car or home in Section 2 above). It is not the process of ‘IT Security’, which seeks to protect IT systems – what needs to be protected is the information that they process, and that protection must cover the whole life cycle from creation to destruction – and this does not always involve IT systems or processes.

It’s equally clear that the art of making assets secure does involve physical or logical locks and bolts.

However, experience shows us that most breaches are not the result of locks failing to work. By far the greatest number of commercial security breaches are directly attributable to the failure of people to comply with the rules and objectives of their own security policies and procedures. Failures such as doors wedged open with fire extinguishers and passwords left written on desktop pads are still some of the greatest threats to good security practice.

This is a general introduction to the terminology and issues that are required to provide an appropriate level of information security in an organisation, protecting the organisational assets, including information. Understanding this process is essential if senior management are to meet the ever-increasing need to comply with the requirements of corporate governance and good corporate husbandry.

ISO 27002 and ISO 27001 are divided into eleven complementary sections (or ‘clauses’, as they are called in the standard). As with most well laid out standards there is a degree of chronology to the layout, in that the first section deals with policy and the subsequent sections evolve from that. It is also significant that each of the eleven sections (or clauses) is equally important as a component of good security management. In brief, the eleven steps to good security management are:

Clause 1. Security policy, a top-level statement endorsed by the senior management team on which all security processes and procedures are subsequently based.

Clause 2. Organisation of Information Security, a published security organisation that shows clearly who is responsible for security and who is authorised to deal with security issues.

Clause 3. Asset management, a good understanding of what is important to the organisation and where good security is important.

Clause 4. Human resources security, careful recruiting and management of personnel employed in key positions.

Clause 5. Physical and environmental security, ensuring that the physical security precautions match the need expressed in the corporate policy.

Clause 6. Communications and operations management, the provision of adequate tools and services to ensure that corporate information in these systems is properly monitored, managed and protected.

Clause 7. Access control, close monitoring and control over who is authorised to read and to amend the organisation’s information especially within the information processing systems.

Clause 8. Information systems acquisition, development and maintenance, the need to ensure that future development continues to meet and exceed the strength of protection in previous generations of production services.

Clause 9. Information security incident management is the process for managing any incident that may affect the well-being of the organisation.

Clause 10. Business continuity management is the ability to minimise the impact of major disasters on the business processes and requires comprehensive backup strategies to ensure that no corporate data is lost.

Clause 11. Compliance, the need to ensure that once good controls are put in place that they continue to work and to deliver the required level of protection to the organisation’s assets as well as meeting the legal and regulatory requirements for managing information.

ISO 27002 is derived from BS 7799 Part 1, which it superseded (formerly called ISO 17799).

ISO 27002 is the ‘Code of Practice for Information Security Management’ and is a management guide to the implementation of adequate security in an organisation.

It is a checklist of controls within the eleven clauses and explains or gives further guidance on them. It is used to advise the implementer of how and why the controls are implemented and gives some guidance on how they are to be implemented.

ISO 27002 does not set the ‘need’ for security but provides a ‘shopping list’ of components that can be installed.

BS 7799 has just been superseded by ISO 27001 (2005).

ISO 27001 is the ‘Specification for Information Security Management’, and should an organisation wish to become certified to ISO 27001 then this is the standard that certification is carried out against.

Part of the process of achieving accredited certification to ISO 27001 is the creation of an Information Security Management System (ISMS). Then the process given in Section 4 below must be followed.

Whilst the certification process mandates the use of a risk assessment on the assets within the scope for certification, the implementation of ISO 27002 does not.

If we accept that all organisations are different and deliver their respective goods and services in different ways, how can one standard apply across the board?

The answer is that each organisation must understand and define their own need for information security by using risk assessment and risk management to set the level of protection required for the assets.
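To make the idea of using risk assessment to set the level of protection concrete, here is a small worked example. It is added to this page and is not part of the module text or of any ISO document: the assets, the 1–5 likelihood and impact scales, the scoring rule (highest CIA impact multiplied by likelihood) and the treatment thresholds are all constructed assumptions chosen for illustration.

```python
"""
Added example, not part of the original module text.

A minimal qualitative risk assessment: each asset in scope is rated for
the impact of a loss of confidentiality, integrity or availability and
for the likelihood of a compromise, and the resulting score drives the
level of protection (risk treatment) the organisation decides on.
All scales, assets and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    confidentiality: int  # impact of disclosure, 1 (negligible) .. 5 (severe)
    integrity: int        # impact of unauthorised modification, 1 .. 5
    availability: int     # impact of loss of service, 1 .. 5
    likelihood: int       # estimated likelihood of compromise, 1 .. 5


def _check_scale(value: int) -> int:
    # Reject ratings outside the assumed 1..5 scale so that a typo in the
    # register cannot silently produce a meaningless score.
    if not 1 <= value <= 5:
        raise ValueError(f"rating {value} outside the 1..5 scale")
    return value


def impact(asset: Asset) -> int:
    # Assumption: the asset's overall impact is the worst of the three
    # CIA impacts, so a low-confidentiality asset that must stay online
    # is still treated as high impact.
    return max(_check_scale(asset.confidentiality),
               _check_scale(asset.integrity),
               _check_scale(asset.availability))


def risk_score(asset: Asset) -> int:
    # Assumed scoring rule: impact x likelihood, giving a score from 1 to 25.
    return impact(asset) * _check_scale(asset.likelihood)


def treatment(score: int) -> str:
    # Assumed treatment thresholds; a real organisation sets its own
    # risk appetite when it defines its ISMS scope.
    if score >= 15:
        return "reduce"              # controls must be applied before acceptance
    if score >= 8:
        return "reduce or transfer"  # apply controls or insure/outsource the risk
    return "accept"                  # within appetite, record and monitor only


def assess(assets: list) -> list:
    """Return (name, score, treatment) tuples, highest risk first."""
    rows = [(a.name, risk_score(a), treatment(risk_score(a))) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register for a fictional organisation.
SAMPLE_ASSETS = [
    Asset("customer database", confidentiality=5, integrity=4, availability=3, likelihood=3),
    Asset("public website",    confidentiality=1, integrity=3, availability=4, likelihood=4),
    Asset("internal wiki",     confidentiality=2, integrity=2, availability=2, likelihood=2),
]


if __name__ == "__main__":
    for name, score, action in assess(SAMPLE_ASSETS):
        print(f"{name:20s} score={score:2d}  treatment={action}")
```

The ranking is what feeds the choice of controls: the two assets scored "reduce" are the ones for which the organisation would go to the ISO 27002 ‘shopping list’ and select controls, while the low-scoring asset is recorded and monitored without further investment. Changing the thresholds in `treatment` is how a different risk appetite changes the required level of protection without changing the assessment itself.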
