ISO 27002 or ISO27002

The ISO 27002 Code of Practice for Information Security Management

The full title of this standard is: Information Technology - Security Techniques - Code of Practice for Information Security Management. If this sounds familiar, it is because this standard is simply ISO 17799 renamed.

The renaming of the long-established 17799 standard was formally ratified by the responsible ISO committee (JTC 1/SC27) in paper N5930 in April 2007.

The standard itself is intended to be used in conjunction with ISO 27001. ISO 27001 is a specification for an information security management system, part of which is the selection of controls as appropriate. Those controls are described in more detail by ISO 27002.

Its relationship with the other ISO 27000 standards is currently less clear. One certain development, however, is the creation of a series of industry-specific variants of ISO 27002. The first of these is ISO 27799, which is specific to the health sector; others will follow.

At the time of writing, online stores are still selling only ISO 17799. Since this is the same standard as 27002, that is not a particular problem.

A number of established sources for the ISO27002 standard are documented by the Standards.Bz business standards portal.

Standards.Bz is a long-established (since 1996) portal dedicated to information technology, particularly that related to governance. It is also an archive for information journals and other technical publications and newsletters. We are also hoping to build an archive of out-of-print standards, but this is subject to permission.

ISO 27002 Future
See the main body of the article. Initial publication and launch of this standard was in the summer of 2007.