Imagine waking up to discover that your IT systems have been hacked. Your company's financial results have been leaked and are being discussed in the media. The market loses confidence in your organization and your directors are found to be personally responsible for inadequate risk management practices. An extreme example? Perhaps, but do not forget that even a small-scale security breach could leave your business without access to its critical IT systems for hours or days.
Every organization uses information, and most depend on it. Information is an asset that, like other important business assets, needs to be suitably protected. Information security has therefore become a business issue, not merely an IT issue. Obviously, compliance with legal and regulatory requirements is important. It provides a very good reason for reviewing your information security practices, but it should not in itself be the sole or even the main driver. If a business aims to be successful, it must understand the importance of information security and put appropriate measures and processes in place.
ISO 27002 Information Security
ISO/IEC 27002 establishes guidelines and principles for initiating, implementing, maintaining and improving information security management in an organization. The standard is explicitly concerned with information security, including the security of all forms of information (e.g. computer data, documentation, knowledge and intellectual property) and not just IT/systems security or cybersecurity.
ISO/IEC 27002 is a code of practice, not a formal specification such as ISO/IEC 27001. It recommends information security controls that address the control objectives arising from risks to the confidentiality, integrity and availability of information. The two standards are intended to be used together, with one complementing the other: ISO/IEC 27001 specifies the requirements for an information security management system, while ISO/IEC 27002 provides guidance on the controls used to meet them.