
ISO 27002 Explained: Your Blueprint for Robust Information Security Controls

The International Organization for Standardization (ISO) is a non-governmental entity that exists to make standards for mostly technical subjects. ISO 27002 is a set of standards and procedures covering information security and the controls that allow a business to secure its information properly. Until 2005, ISO 27002 went by two other names. This standard is largely complemented by ISO 27001, which details managerial tasks such as risk assessment and reviewing security, rather than the control aspect covered by 27002.

Two standards came before the ISO 27002, each similar in topic and in control. The first incarnation was in 1995 and appeared in the United Kingdom (UK) as BS7799. After being cleaned up and modernized, it was published again by the ISO, this time as the ISO 17799. In 2005, after further edits, it was called ISO 27002. While each version is different, and successively highlights more modern problems and controls, all three incarnations deal with information security.

The 27002 standard highlights hundreds of ways to deal with information security and has many different chapters for the different aspects of securing information. Some chapters deal with human resources and their interaction with information, while others tell a business how to handle access control and business continuity within its security procedures. Information security usually implies information technology (IT), but ISO 27002 is also concerned with paper information and assets, though most of the standard is aimed at the IT department.

In its first release, the 27002 standard was meant to be a wide-sweeping standard for all institutions that needed information security. This means an enterprise, not-for-profit establishment, government agency and business would all follow the same standard. Future publications of this standard are focused on separating the standard for different sectors to be more efficient.

ISO 27002 goes into great detail about the controls and procedures involved in keeping information safe. Other standards, such as the complementary ISO 27001, offer only one or two sentences about each control. By contrast, 27002 covers the controls in great detail but offers little on management. All of the management aspects are specified in ISO 27001.

Many people confuse ISO 27001 and 27002, because they handle the same subjects in different ways. This leaves many people wondering why the standard was separated into two parts. The reason is that, if both parts existed together, the result would be too long for one publication.
