
ISO 27002 – Information Security Controls

February 1, 2012

Introduction

Today, corporate information security controls generally use the international standard ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, as an organizational framework for mapping security controls to and from the corporate policy, standards and procedure documents. Each of the corporate enterprise security services delivered by IT is generally evaluated against the guiding principles provided in ISO 27002.

According to ISO 27002, security requirements should determine the appropriate security controls in each of eleven categories. The eleven categories are outlined below, numbered in accordance with their clause in both the ISO 27002 standard and the Foundation.

1) Security policies – the foundation for security standards, processes & procedures

2) Organization of information security – assignment of resources and responsibilities for security

3) Asset management – accountability for asset protection decisions

4) Human resources security – security considerations in hiring and training; incident reporting and response

5) Physical and environmental security – a secure environment for people, equipment and data

6) Communications and operations management – procedures and controls to reduce security risks in day-to-day operations

7) Access control – accountability for information and resource access

8) Information systems acquisition, development and maintenance – security considerations in development and support environments

9) Information security incident management – management channels to ensure security events are reported and corrective action taken

10) Business continuity management – plans to avoid or recover from a disaster or security failure

11) Compliance – checks to ensure that security policy and controls are working as expected.
