- Adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.
1.1.3 The ISO/IEC 27002
ISO/IEC 27002 is entitled Information technology - Security techniques - Code of practice for information security management. The standard provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad: the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).

ISO/IEC 27002:2005 developed from BS7799, published in the mid-1990s. The British Standard was adopted by ISO/IEC as ISO/IEC 17799:2000, revised in 2005, and renumbered in 2007 to align with the other ISO/IEC 27000-series standards. The document provides the history of the ISO/IEC 27002 development.

ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS). It uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS, but since ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organisations are free to select and implement other controls, or indeed adopt alternative complete suites of information security controls, as they see fit. ISO/IEC 27001 incorporates a summary (little more than the section titles, in fact) of controls from ISO/IEC 27002 under its Annex A. In practice, organisations that adopt ISO/IEC 27001 also substantially adopt ISO/IEC 27002.

ISO/IEC 27002 is a code of practice - a generic, advisory document, not truly a standard or formal specification such as ISO/IEC 27001. It lays out a reasonably well-structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects. Organisations that adopt ISO/IEC 27002 must assess their own information security risks and apply suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory, but if an organisation chooses not to adopt something as common as, say, antivirus controls, it should certainly be prepared to demonstrate that this decision was reached through a rational risk management process, not just an oversight, if it anticipates being certified compliant to ISO/IEC 27001.

Information security, like governance, is a broad topic with ramifications in all parts of the modern organisation. Information security, and hence ISO/IEC 27002, is relevant to all types of organisation, including commercial enterprises of all sizes (from one-man bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies - in fact any organisation that handles and depends on information. The specific information security requirements may be different in each case, but the whole point of ISO27k is that there is a lot of common ground.

The standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security. The IT department usually holds a good proportion of the organisation's information assets and is commonly charged with securing them by the information asset owners - the business managers who are accountable for the assets. However, a large proportion of written and intangible information (e.g. the knowledge and experience of non-IT workers) is irrelevant to IT.
1.1.4 The national peculiarities of the IS management standards
When the international standards were introduced in Ukraine by the National Bank and adopted as branch (industry) standards of Ukraine, certain changes were made to the standard, dictated by legal requirements and the specific needs of the banking industry. Technical divergences and additional information were attached directly to the sections to which they refer. These attachments are entitled "National divergence", "National explanation" or "National remark".
The national insertions primarily explain references to other international standards to which the adopted documents refer, or explain certain terms in more detail than the original standard does. The standard ГСТУ СУІБ 2.0/ISO/IEC 27002:2010 also contains national remarks with recommendations on security implementation procedures that take the peculiarities of banking into account.
1.2 IS management standards according to the system approach to IS
1.2.1 General position of legal documents in the system approach
In 2007, the author conducted research that formed the criteria for classifying the existing normative-legal documents on providing information security. As a result of the analysis of normative-legal documents in the field of information security, their classification was proposed. The most essential section for creating the information security system of the Ukrainian segment of the external communication and data transfer network of the space rocket complex «Cyclone» was identified. A conclusion was drawn about the necessity of harmonising the legislative base.

For the creation of an effective information security system, a legislative base well organised by the stages of construction is needed. At the time the research was conducted, providing information technology security was regulated by more than one hundred and twenty legislative, normative-legal and methodical documents, not coordinated in terminology, estimation criteria, sequence or directions of creation of information security systems.

The task was formulated as follows: conduct an analysis of normative-legal documents in the field of information security technologies, and classify the existing documents with the purpose of harmonising the statements of the Ukrainian legislative base.

The analysis consisted in the following. The components of information security systems (ISS) can be divided into three groups, which are illustrated in fig. 1.1:
- Bases (what the ISS consists of);
- Directions (what it is intended for);
- Stages (how it works).
Fig. 1.1. Groups of ISS components
There are four bases:
1. Legislative, normative-legal and scientific base;
2. Structure and tasks of the subdivisions providing security of information technologies;
3. Organisational-technical and regime means (information security policy);
4. Program-technical methods and tools.

Directions are formed based on the specific features of the object to be defended. Taking into account the typical structure of information systems and the historically established types of work on providing information security, it was suggested to consider the following directions:
1. Providing security of the objects of the information systems;
2. Providing security of processes, procedures and programs for information processing;
3. Providing security of communication channels;
4. Suppression of side electromagnetic radiations;
5. Management of the security system.

The stages of creation and operation of an ISS are the following:
1. Determination of the informational and technical resources, along with the objects of the information systems (IS), to be defended;
2. Definition of the set of possible threats and information loss channels;
3. Estimation of the vulnerability and risks of information in the IS according to the present set of threats and loss channels;
4. Determination of requirements for the information security system;
5. Choice of the means of providing information security and their specifications;
6. Introduction and organisation of the use of the chosen methods and means of security;
7. Control of the integrity and management of the security system.

As each of the directions is related to the bases listed above, in this report every element of the "Legislative … base" is examined against every element of the directions of ISS creation (see fig. 1.2), namely:
1. Legislative … base of providing security of the objects of the information systems;
2. Legislative … base of providing security of processes, procedures and programs…;
3. Legislative … base of providing security of communication channels;
4. Legislative … base of suppression of side electromagnetic radiations;
5. Legislative … base on management and control of the security system.
Fig. 1.2. The observed segment of ISS creation
The open normative documents of the system of technical information protection of Ukraine have been reviewed. As a result, a classification of legislative documents by the following directions of providing information security is offered:
- Legislative and conceptual aspects of information security;
- Organisation of information security;
- Protecting information from loss through technical channels;
- Information security in computer systems;
- Information security in communication and data transfer networks;
- Suppression of incidental electromagnetic radiations;
- Cryptographic protection of information;
- Special documents (methods of measuring and estimating parameters).

«Information security in communication and data transfer networks» was selected as the most essential at creation of the information secu