The ISO/IEC 27002 standard is a renaming of the ISO/IEC 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms which may be implemented, in theory, subject to the guidance provided within ISO/IEC 27001.
The standard "established guidelines and general principles for initiating, implementing, maintaining and improving information security management within an organization". The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
The basis of the standard was originally a document published by the UK government, which became a standard 'proper' in 1995 when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO/IEC, as ISO/IEC 17799. A new version of this appeared in 2005, along with a new publication, ISO/IEC 27001. These two documents are intended to be used together, with one complementing the other.
ISO’s future plans for this standard are focused mainly on the development and publication of industry-specific versions (for example: health sector, manufacturing, and so on). Note that this is a lengthy process, so the new standards will take some time to appear.
