An Introduction To
Information, Network and Internet Security


Commentary

This is one of the largest sections in the standard and reflects the importance of security in the electronic environment through good management of information processing facilities and networks supporting them by those responsible for the task.

Most large organisations that are able to support professional IT departments will find their own management procedures address the topics raised in this section and much more. The importance of this section is that it brings together the need for these professional information management procedures with good professional business management procedures. Often the only interface between the IT department and the business users is the overworked help desk, where the staff spend all day resolving queries of one sort or another. It is important to recognise the changes brought about by what is now a well-established client-server environment in the workplace. Business users are often as IT-aware as their professional counterparts, and very capable of creating additional copies of critical files or e-mailing documents home for use at another time.

Many organisations that depend on large client-server networks manage their inventory with little or no on-site professional IT management. The reliability and replacement costs of the current generation of equipment mean that organisations often feel able to dispense with on-site maintenance engineers. The controls identified in this section are no less important to those organisations and must, if necessary, be implemented by non-IT managers.

With the onset of on-line trading it is essential that appropriate security mechanisms are implemented and managed to protect the organisation. Again, this should be subject to a risk assessment, and where third parties are used, the organisation must ensure that the third party meets the requirements set by the organisation.

The text of each section and sub-section of the standard is brief and deliberately open to interpretation for use by large and small organisations alike. It is worth remembering that ISO27002 is primarily a code of practice, drafted so as to provide a checklist for managers, and that it does not purport to be a complete operations manual. Used as a checklist, this section will prompt the right questions of those professionals either inside or outside the organisation.



The Security Practitioner