When organizations decide to implement an Information Security Management System they often wonder what is the difference between ISO 27001 and the ISO 27002? To put it simply ISO 27001 holds the requirements of the Information Security Management System Standard and ISO 27002 gives guidelines and best practices intended for organizations who are becoming certified or implementing their own security processes and controls.
ISO 27000 is a series of international standards all related to information security. The ISO 27001 standard has an organizational focus and details requirements against which an organization’s ISMS (Information Security Management System), can be audited. ISO 27001 is a management system standard and therefore establishes specific requirements in which it can be certified by a third party accredited registrar. If an organization wants to certify its Information Security Management System (ISMS) it needs to comply with all requirements in ISO 27001.
On the other hand, ISO 27002 is more focused on specific examples, guidelines and provides a code of practice for use by individuals within an organization. You cannot get certified against ISO 27002 because it is not a management system standard.
Instead it was established based on various guidelines and principles for initiating, implementing, improving and maintaining information security management within an organization. The actual controls in the standard address specific requirements through a formal risk assessment. The standard consists of specific guidelines for the developments in organizational security standards and effective security management practices that would be useful in building confidence within inter-organizational activities.
There are a dozen other standards in the ISO 27000 series which are all designed to assist companies is securing their organizational information. These include ISO 27005 for organizations looking for more detail on how to carry out risk assessment and risk treatment and ISO 27004 which provide guidelines intended to help organizations with monitoring, measurement, analysis and evaluation of their information security performance and the effectiveness of their ISMS.
Every standard from the ISO 27000 series is designed with a certain focus in mind but if you want to build the foundations of information security in your organization, and devise its framework, you should use ISO 27001; ISO 27002 is design to be a tool to help organizations with the implementation of ISO 27001 or for organizations who want to implement their own management guidelines and controls surrounding Information security.
To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regards to ISO and Management System Certification.