What is this standard about?
This is the reference handbook for selecting controls for use within an Information Security Management System (ISMS) based on BS EN ISO/IEC 27001. It can also be used as a guidance document for any organization wishing to implement commonly accepted information security controls.
Who is this standard for?
Anyone planning to build, operate, audit or certify an ISMS based on BS EN ISO/IEC 27001:2017. It provides essential further detail on the controls checklist used in BS EN ISO/IEC 27001.
It will also be useful to anyone with an interest in information security management, or a general interest in information security measures.
Why should you use this standard?
It carefully defines a wide range of potential security controls. Each potential control is followed by implementation guidance and other relevant information.
The standard uses a structured approach, whereby similar or related controls are grouped together into categories with a single control objective. These categories are then assigned to one of fourteen basic clauses, each of which addresses a particular aspect of information security.
NOTE: Although BS EN ISO/IEC 27002:2017 is an essential component of building an ISMS based on BS EN ISO/IEC 27001:2017, it can be used independently as a source of information security controls following other methodologies or even as a stand-alone guide to best practice information security.
What’s changed since the last update?
This second edition is a technical and structural revision which replaces the 2005 edition. It also implements three ISO/IEC corrigenda from:
- September 2014
- November 2015, which modified Subclause 14.2.8
- March 2017, which renumbered the standard from BS ISO/IEC 27001:2013 to BS EN ISO/IEC 27001:2017