ISO/IEC 27002 Standard – A Complete Overview
The ISO 27002 framework applies to organizations of all types and sizes. This framework specifically serves as a reference for designing and implementing controls that were identified during the risk treatment phase as prescribed in the ISO/IEC 27001 standard (Refer to the blog on an overview of ISO/IEC 27001:2013 vs. 2022 for more details).
The ISO/IEC 27002 standard provides a guideline for implementing a generic set of information security (IS) controls that have to be implemented within the context of an information security management system (ISMS) (refer to ISO/IEC 27001). Further, the controls are based on internationally recognized best practices and are useful in developing organization-specific information security management (ISM) guidelines.
Overall, organizations can also refer to this standard as a guideline for determining and implementing the common IS controls as a proactive step towards cybersecurity preparedness. This standard serves as a reference for developing industry-specific ISM guidelines relevant to the organization’s risk environment. IS controls in addition to those specified in the document can be implemented as deemed necessary by the organization’s risk assessment results.
All public/private/non-profit organizations that create, collect, process, store, transmit and dispose of electronic/physical/verbal information need to safeguard their valuable information in either tangible/intangible form from accidental/natural/deliberate risk sources. Thus, it becomes essential to safeguard both the information asset (information, business processes, or activities) and its supporting assets (hardware, software, network, personnel, site, and organization’s structure).
In order to secure the information residing in various management (or operations) information systems, organizations need to carefully assess the risks and outline a plan for treating them with the necessary controls. More often the requirement of security controls goes beyond technological measures and requires immense support from all the employees of the organization including its interested parties such as shareholders or suppliers and subject matter experts wherever necessary.
This will ensure that the organizations can establish, implement, maintain, monitor, and continuously improve a successful ISMS. This provides a way of bestowing trust in the organization’s ways of managing information assets thus helping the organization to achieve its business objectives.
Stating the Information Security Requirements
Before the organization can proceed to determine the controls necessary for safeguarding the information assets, the organization must specify its information security requirements by
- Performing a risk assessment exercise that is measurable, comparable, and valid
- Understanding the legal, regulatory, statutory, and contractual requirements/obligations and those from the interested parties
- Referring to the set of principles, objectives, and business requirements of the information life cycle developed by the organization.
This is done so that the organization can carefully determine all relevant controls required to be implemented so that residual risks if any will meets its risk acceptance criteria.
The IS Controls
The ISO/IEC 27002 standard, discusses the organizational, people, physical and technological controls derived from international best practices for either modifying or maintaining the risk determined by the organization.
The organization must ensure to follow a structured approach to risk assessment in order to determine the right controls in treating the risks identified. The decisions with regard to the controls will also depend on their interaction for a defence-in-depth approach. It is here, that the organization must study all their requirements carefully prior to assessing the risks for determining the appropriate controls. The organization needs to consider the resources and budgetary requirements for investing in these controls. Thus, the tradeoff between investing in the controls versus the consequences of missing these controls needs to be balanced.
Organizations can prepare and maintain additional documents of guidelines or controls but need to ensure to cross-reference them to the ISO/IEC 27002 clauses for future reference. All the stages in the life cycle of the information or flow of the information throughout the organization must be considered for assessing the IS risks and implementing the necessary controls. Organizations can also refer to the sector-specific standards prescribed in the ISO/IEC 27002 document for additional controls namely, ISO/IEC 27017 (cloud services), 27701 (privacy), 27019 (energy), 27011 (telecommunications) and 27799 (health).
Categorization of controls
The controls in ISO/IEC 27002 standard are categorized under the following themes namely,
- people (A.6) — concerning individual people
- physical (A.7) — concerning physical objects
- technological (A.8) – concerning technology and
- others as organizational (A.5)
Each control is further associated with five attributes. The organization can use these attributes to create different views or representations of the controls to map to the respective themes fitting their audiences (or interested parties). The following table shows the attributes and the values for each attribute.
Control Type | IS Properties | Cybersecurity concepts | Operational Capabilities | Security Domains |
Preventive, Detective, Corrective | Confidentiality, Integrity, Availability | Identify, Protect, Detect, Respond, Recover | Governance, Asset_management, Information_protection, Human_resource_security, Physical_security, System_and_network_ security, Application_security, Secure_configuration, Identity_and_access_management, Threat_and_vulnerability_management, Continuity, Supplier_relationships_security, Legal_and_ compliance, Information_security_event_management and Information_security_assurance | Governance and ecosystem (GE), protection (PR), defence (DF) and resilience (RS) |
The first attribute, which is the control type, determines if the control can act prior to the incident taking place (preventive), while the incident takes place (detective) or after the incident has occurred in order to perform the necessary measures.
The second attribute discusses the principle of security (or the characteristic of information) that the control will preserve namely, preventing (a) unauthorized disclosure of the information asset (confidentiality), (b) unauthorized modification of the information asset (integrity), and (c) inaccessibility of the information asset to legitimate users/application (availability). The third attribute focuses on the cybersecurity concepts described in ISO/IEC 27110 which align with the NIST Cybersecurity Framework (CSF).
These concepts help in describing the overarching function of the control whether it can (a) identify the scope of the information asset and its supporting assets (Identify), (b) safeguard the assets from the misuse (Protect), (c) monitor and detect traces of a cybersecurity incident (Detect), (d) respond to security breaches (Respond) and (e) recover from the cybersecurity incident by undertaking restoration/communication activities (Recover). The fourth attribute helps in viewing the controls from a practitioner’s perspective while the fifth attribute helps in providing a broader view of the IS controls.
Each control essentially includes:
(a) a title,
(b) an attribute table based on the identified attributes,
(c) the control description,
(d) the purpose of implementing the control,
(e) guidance on how it should be implemented, and
(f) Other related explanations or references.
For a comprehensive understanding of the controls, download a copy of the mind map from the link given below:
References
ISO/IEC 27002 standard
https://cloud.google.com/security/compliance/iso-27110