NF ISO/IEC 27002

January 2014

Standard Cancelled

Information technology - Security techniques - Code of practice for information security controls

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It is designed to be used by organizations that intend to: select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001; implement commonly accepted information security controls; develop their own information security management guidelines.

View the extract

Main informations

Collections

National standards and national normative documents

Publication date

January 2014

Number of pages

98 p.

Reference

NF ISO/IEC 27002

ICS Codes

03.100.70 Management systems

35.030 IT Security

Classification index

Z74-222

Print number

International kinship

ISO/IEC 27002:2013

Sumary

Information technology - Security techniques - Code of practice for information security controls

It is designed to be used by organizations that intend to:

select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
implement commonly accepted information security controls;
develop their own information security management guidelines.

Standard replaced by (1)

NF EN ISO/IEC 27002

May 2017

Standard Cancelled

Information technology - Security techniques - Code of practice for information security controls

<p>ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).</p> <p>It is designed to be used by organizations that intend to:</p> <ol> <li>select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;</li> <li>implement commonly accepted information security controls;</li> <li>develop their own information security management guidelines.</li> </ol>

Table of contents

View the extract

Avant-propos
v
0 Introduction
vi
1 Domaine d'application
1
2 Références normatives
1
3 Termes et définitions
1
4 Structure de la présente norme
1
4.1 Articles
1
4.2 Catégories de mesures
2
5 Politiques de sécurité de l'information
2
5.1 Orientations de la direction en matière de sécurité de l'information
2
6 Organisation de la sécurité de l'information
4
6.1 Organisation interne
4
6.2 Appareils mobiles et télétravail
7
7 La sécurité des ressources humaines
9
7.1 Avant l'embauche
9
7.2 Pendant la durée du contrat
11
7.3 Rupture, terme ou modification du contrat de travail
14
8 Gestion des actifs
15
8.1 Responsabilités relatives aux actifs
15
8.2 Classification de l'information
16
8.3 Manipulation des supports
19
9 Contrôle d'accès
21
9.1 Exigences métier en matière de contrôle d'accès
21
9.2 Gestion de l'accès utilisateur
23
9.3 Responsabilités des utilisateurs
27
9.4 Contrôle de l'accès au système et aux applications
28
10 Cryptographie
31
10.1 Mesures cryptographiques
31
11 Sécurité physique et environnementale
34
11.1 Zones sécurisées
34
11.2 Matériels
37
12 Sécurité liée à l'exploitation
42
12.1 Procédures et responsabilités liées à l'exploitation
42
12.2 Protection contre les logiciels malveillants
46
12.3 Sauvegarde
47
12.4 Journalisation et surveillance
48
12.5 Maîtrise des logiciels en exploitation
50
12.6 Gestion des vulnérabilités techniques
51
12.7 Considérations sur l'audit du système d'information
53
13 Sécurité des communications
54
13.1 Management de la sécurité des réseaux
54
13.2 Transfert de l'information
56
14 Acquisition, développement et maintenance des systèmes d'information
60
14.1 Exigences de sécurité applicables aux systèmes d'information
60
14.2 Sécurité des processus de développement et d'assistance technique
63
14.3 Données de test
68
15 Relations avec les fournisseurs
69
15.1 Sécurité de l'information dans les relations avec les fournisseurs
69
15.2 Gestion de la prestation du service
72
16 Gestion des incidents liés à la sécurité de l'information
74
16.1 Gestion des incidents liés à la sécurité de l'information et améliorations
74
17 Aspects de la sécurité de l'information dans la gestion de la continuité de l'activité
78
17.1 Continuité de la sécurité de l'information
78
17.2 Redondances
80
18 Conformité
81
18.1 Conformité aux obligations légales et réglementaires
81
18.2 Revue de la sécurité de l'information
84
Bibliographie
87

ZOOM ON ... the Requirements department

To comply with a standard, you need to quickly understand its issues in order to determine its impact on your activity.

The Requirements department helps you quickly locate within the normative text:
- mandatory clauses to satisfy,
- non-essential but useful clauses to know, such as permissions and recommendations.

The identification of these types of clauses is based on the document “ISO / IEC Directives, Part 2 - Principles and rules of structure and drafting of ISO documents ”as well as on a constantly enriched list of verbal forms.

With Requirements, quickly access the main part of the normative text!

With Requirements, quickly access the main part of the normative text!

Need to identify, monitor and decipher standards?

COBAZ is the simple and effective solution to meet the normative needs related to your activity, in France and abroad.

Available by subscription, CObaz is THE modular solution to compose according to your needs today and tomorrow. Quickly discover CObaz!

Request your free, no-obligation live demo

I discover COBAZ