ISO 27002 provides organizations with the assurance of knowing that they are protecting their information assets using criteria in harmonization with an internationally recognized standard. Benefits are applicable to organizations of all sizes and all security maturity levels, not only large enterprises.
ISO/IEC 27002 is a Code of Practice for Information Security Management standard. It provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). The Code of Practice establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
ISO 27002 Compliance Lifecycle
Once the organization has performed an initial Baseline Benchmark then the results can be evolved into an on-going lifecycle benchmark process and ISO 27002 compliance measurement program. Performing benchmarks quickly and efficiently reduces the burden and enables timely reporting on progress, depending upon organization’s size that is quarterly, bi-annually or, annually. It can be used to demonstrate progress and trends in what has been achieved and what is left to do. The following is a high-level example ISO 27002 Compliance Lifecycle.
- Baseline Benchmark– Assess the status of security management processes and controls
- Regular Checkpoints – Perform periodic health checks to compare and contrast improvement and compliance progress
- Identify Gap – Use gap analysis to identify the divergence of current state security against the standard goal
- Statement of Applicability (SOA) – Describe the relevance of the standard’s controls to your organization
- Security Improvement Program (SIP) – Develop cyclic process to recommend the measures required to overcome the divergence identified in the gap analysis
Critical Success Factors
Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:
- Information security policy, objectives, and activities that reflect business objectives
- An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture
- Visible support and commitment from all levels of management
- A good understanding of information security requirements, through the use of risk assessments, and risk management
- Effective marketing of information security to all managers, employees, and other parties to achieve awareness and ultimately compliance
- Distribution of guidance on information security policy and standards to all managers, employees and other parties
- Provision to fund information security management activities
- Providing appropriate awareness, training, and education
- Establishing an effective information security incident management process
- Implementation of a measurement system used to evaluate performance in information security management and feed back data for improvement.