International Organization for Standardization/International Electrotechnical Commission
Overview
ISO/IEC 27001, established in 2005, is an Information Security Management System (ISMS) standard: it formally specifies a management system for bringing information security under explicit management control.
ISO/IEC 27002, established in 2005, is a best-practice standard for information security. It consists of the following 12 main sections:
- Risk assessment
- Security policy – management direction
- Organization of information security – governance of information security
- Asset management – inventory and classification of information assets
- Human resources security – security aspects for employees joining, moving and leaving an organization
- Physical and environmental security – protection of the computer facilities
- Communications and operations management – management of technical security controls in systems and networks
- Access control – restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance – building security into applications
- Information security incident management – anticipating and responding appropriately to information security breaches
- Business continuity management – protecting, maintaining and recovering business-critical processes and systems
- Compliance – ensuring conformance with information security policies, standards, laws and regulations
Industry
Any organization that wishes to demonstrate compliance with the standard