Shell donated a corporate security standard to a UK government project in the early 1990s, which became the basis for the ISO/IEC 27000 set of standards. 1st In the mid-1990s, the Shell standard became British Standard BS 7799, which was later adopted as ISO/IEC 17799 in 2000. In 2005, the ISO/IEC specification was revised, and in 2007, it was renamed ISO/IEC 27002 to fit the other ISO/IEC 27000-series specifications.

the protection of confidentiality (ensuring that information is only available to those who are allowed to see it), honesty (ensuring that information and processing methods are accurate and complete), and availability (ensuring that authorized users have access to information and associated assets when required).

ISO/IEC 27002 is an advisory standard that can be interpreted and extended to entities of all types and sizes, based on the unique information security threats they face. In practice, this versatility allows users a lot of leeway in implementing information security measures that make sense to them, but it makes it unsuitable for compliance testing, which is relatively simple.

The ISO/IEC 27002:2013 standard (Information technology – Protection procedures – Information security management systems – Requirements) is a generally accepted certification standard. ISO/IEC 27001 lays out a range of specific standards for creating, adopting, sustaining, and enhancing an ISMS, as well as a set of information security controls in Annex A that organizations are encouraged to enforce within their ISMS, as needed. The controls in Annex A are based on ISO/IEC 27002 and are compatible with it.