ISO 27002

Code of Practice

What is ISO 27002?

The international standard ISO/IEC 27002 is part of the ISO 27000 series of standards and is based on the British Standard BS7799. In 2005, it was published as ISO/IEC 17799 by Joint Technical Committee JTC1 established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 17799 was revised in 2005. In 2007 it was renumbered and integrated into the ISO 27000 series of standards. Its official title is "Information technology — Security techniques — Code of practice for information security management".

ISO 27002 covers the security controls defined in ISO 27001, Annex A, and describes them in more detail. ISO 27002 therefore serves as a supplementary guide for the practical implementation of those controls within an Information Security Management System (ISMS) based on ISO 27001. Because ISO 27002 is intended to be used in conjunction with ISO 27001 rather than on its own, an organisation cannot be certified against ISO 27002; certification is against ISO 27001.

ISO 27002: Topics and Content

ISO 27002 covers the same topics that are included in ISO 27001, Annex A:
  • General guidelines on information security
  • Organisational structures
  • Responsibility for and classification of information assets
  • Human resources security
  • Physical and environmental security
  • Network and operational security
  • Access control
  • System development and maintenance
  • Security incident handling
  • Business continuity
  • Compliance with internal and legal requirements

ISO 27002 in Your Organisation

ISO 27002 serves as a code of practice for the implementation of ISO 27001. Please refer to our overview to find out which other standards from the ISO 27000 series are relevant for you. Our project procedure describes how plan42 supports you during implementation. Do you have any further questions? Please feel free to contact us.