Differences between ISO 27001 and ISO 27002
If you compare the ISO 27001 and ISO 27002 standards, you will probably find that ISO 27002 is far more detailed. ISO 27001 and ISO 27002 have different purposes and are useful in different situations. So what is the ultimate goal of ISO 27001?
To summarize, ISO 27001 is the standard against which the implementation of an information security management system (ISMS) adopted by a company is measured. It specifies what an organization must do to meet the ISO 27001 requirements.
In general, ISO 27002 and a number of other standards in the ISO 27000 family can be considered supporting documents for ISO 27001: they provide guidance and advice on implementation.
The official titles of the two standards are as follows:
- ISO 27001:2013 Information security management systems
- ISO 27002:2013 Code of practice for information security controls (Information technology – Security techniques)
You cannot certify against ISO 27002, because ISO 27002 is not a management standard. What does "management standard" mean? It means that the standard defines how a system should run; in the case of ISO 27001, that system is the information security management system. Therefore, certification against ISO 27001 is possible.
In other words, a management system means that information security must be planned, implemented, monitored, reviewed and improved. This means that management has its own specific tasks: objectives must be set, measured and reviewed, and internal audits must be performed. All of these are defined in ISO 27001, but not in ISO 27002.
Difference between controls in ISO 27002 and ISO 27001
The question is, why do these two standards exist separately? Why aren't they merged into one standard that combines the strengths of both? The answer is that a single standard would be too complex and too large for practical use.
Which standard in the ISO 27000 series is suitable for which purpose?
Each standard in the ISO 27000 family is designed with a specific focus. If you want to build the foundation of information security in your organization and develop its framework, you must use ISO 27001. If you want to implement the controls, you must use ISO 27002. If you want to do a risk assessment, you must use ISO 27005.
Overall, it can be said that without the details in ISO 27002, the controls defined in Annex A of ISO 27001 cannot be implemented. Also, without the management framework in ISO 27001, the ISO 27002 standard has no real impact on the organization.
Note that ISO 27002 is not only for organizations implementing ISO 27001. Here are some highlights from the ISO 27000 family:
- ISO 27003 discusses the design and implementation of an ISMS.
- ISO 27004 provides guidelines for measuring and evaluating the performance of an ISMS, which supports the ISO 27001 requirement to evaluate ISMS performance.
- ISO 27005 describes risk management practices. One of the main concepts of ISO 27001 is identifying risks and then selecting controls appropriate to those risks.
- ISO 27007 provides guidance on auditing against the ISO 27001 requirements.
- ISO 27008 provides details on how to evaluate controls.
- ISO 27009 provides information on how to implement specific controls in particular industry sectors.
Note that there are other documents in this family, but the above are the ones that are useful to most organizations.