AS/NZS 7799.2:2003

1 - AS/NZS 7799.2:2003 INFORMATION SECURITY MANAGEMENT - SPECIFICATION FOR INFORMATION SECURITY MANAGEMENT SYSTEMS
5 - Preface
7 - Contents
9 - Introduction
11 - 1 Scope
11 - 1.1 General
11 - 1.2 Application
12 - 2 Normative references
13 - 3 Terms and definitions
13 - 3.1 Definitions for information security management
13 - 3.1.1 availability
13 - 3.1.2 confidentiality
13 - 3.1.3 information security
13 - 3.1.4 information security management system (ISMS)
13 - 3.1.5 integrity
13 - 3.1.6 risk acceptance
13 - 3.1.7 risk analysis
14 - 3.1.8 risk assessment
14 - 3.1.9 risk evaluation
14 - 3.1.10 risk management
14 - 3.1.11 risk treatment
14 - 3.1.12 statement of applicability
15 - 4 Information security management system
15 - 4.1 General requirements
15 - 4.2 Establishing and managing the ISMS
15 - 4.2.1 Establish the ISMS
16 - 4.2.2 Implement and operate the ISMS
17 - 4.2.3 Monitor and review the ISMS
17 - 4.2.4 Maintain and improve the ISMS
18 - 4.3 Documentation requirements
18 - 4.3.1 General
18 - 4.3.2 Control of documents
19 - 4.3.3 Control of records
20 - 5 Management responsibility
20 - 5.1 Management commitment
20 - 5.2 Resource management
20 - 5.2.1 Provision of resources
21 - 5.2.2 Training, awareness and competency
22 - 6 Management review of the ISMS
22 - 6.1 General
22 - 6.2 Review input
22 - 6.3 Review output
23 - 6.4 Internal ISMS audits
24 - 7 ISMS improvement
24 - 7.1 Continual improvement
24 - 7.2 Corrective action
24 - 7.3 Preventive action
25 - ANNEX A - Control objectives and controls
25 - A.1 Introduction
25 - A.2 Code of practice guidance
25 - A.3 Security policy
26 - A.4 Organizational security
27 - A.5 Asset classification and control
28 - A.6 Personnel security
29 - A.7 Physical and environmental security
30 - A.8 Communications and operations management
33 - A.9 Access control
36 - A.10 System development and maintenance
38 - A.11 Business continuity management
39 - A.12 Compliance
41 - ANNEX B - Guidance on use of the standard
41 - B.1 Overview
42 - B.2 Plan phase
44 - B.3 Do phase
45 - B.4 Check phase
47 - B.5 Act phase
50 - ANNEX C - Correspondence between ISO 9001:2000, ISO 14001:1996 and AS/NZS 7799.2:2002
52 - ANNEX D - Changes to internal numbering
54 - Bibliography

This Standard specifies the requirements for establishing, implementing operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organizations overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof (see Annex B which provides informative guidance on the use of this standard). The ISMS is designed to ensure adequate and proportionate security controls that adequately protect information assets and give confidence to customers and other interested parties. This can be translated into maintaining and improving competitive edge, cash flow, profitability, legal compliance and commercial image.

First published as part of AS/NZS 4444:1996.
Jointly revised and redesignated in part as AS/NZS 4444.2:2000.
AS/NZS 4444.2:2000 redesignated as AS/NZS 7799.2:2000.
Second edition 2003.