ISO 27001 vs ISO 27002: A Comparison
Cyber threats are a constant concern for organizations today. Implementing an Information Security Management System (ISMS) helps companies manage information security risks, but for some companies this is unfamiliar territory. Two standards from the ISO/IEC 27000 family are designed to help: ISO 27001 (information security management) and ISO 27002 (information security controls). Both exist to help organizations keep their information assets secure.
Before comparing the two standards it should be noted that although they may commonly be referred to as ISO 27001 and ISO 27002, this is in fact incorrect. Both standards were developed and published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and are correctly titled ISO/IEC 27001 and ISO/IEC 27002. However, many still refer to the two standards as ISO 27001 and ISO 27002.
Understanding the differences between ISO 27001 and ISO 27002 is key to implementing the right information security management practices.
What is ISO/IEC 27001?
To address threats to information security and to comply with national or regional regulations in this area, organizations ideally should adopt an ISMS. ISO/IEC 27001 is the most widely recognized international standard for an ISMS. Its benefits include helping organizations establish an information security policy, objectives and processes; understand how the significant risks can be managed; implement the necessary controls; and set clear objectives for improving the security of information.
It takes a comprehensive approach to information security. Assets that need protection range from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees. Issues to address range from competence development of staff to technical protection against computer fraud.
ISO/IEC 27001 is designed to be compatible and harmonized with other recognized management system standards. It is therefore well suited to integration into existing management systems and processes, even those that cover other areas such as quality or environmental management.
What is ISO/IEC 27002?
Part of implementing an ISMS is understanding what threats and risks are involved. ISO/IEC 27001 requires organizations to identify information security risks and select appropriate controls to tackle them. In a small or medium-sized business where staff competence is not focused on IT this can be a very daunting prospect. Even for larger organizations with an IT department the full range of risks may not be obvious.
ISO/IEC 27001 contains a helpful element in Annex A, which lists 93 security controls that an organization may need to consider. It is, however, somewhat sparse in suggesting exactly how those controls should be applied.
ISO/IEC 27002 is a supplementary guidance standard to ISO/IEC 27001. It expands on the information in Annex A, describing each control in more detail, and provides a code of practice for information security controls. It offers guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
What's the difference between ISO 27001 and ISO 27002?
The main difference between ISO/IEC 27001 and ISO/IEC 27002 lies in their focus and application. ISO/IEC 27001 is a certifiable standard that sets out the criteria for an ISMS. It includes requirements for establishing, implementing, maintaining, and continually improving an ISMS. Organizations that achieve certification are able to easily demonstrate to stakeholders that they take information security seriously. This can provide reassurance to customers and business partners and satisfy regulators that the organization meets statutory requirements.
ISO/IEC 27002, on the other hand, is not a certifiable standard. It is a comprehensive guidance document that outlines best practices for the information security controls that should be considered within the context of the organization's ISMS. It covers key cybersecurity areas including access control, cryptography, human resource security, and incident response. By following the ISO/IEC 27002 guidelines, companies can take a proactive approach to cybersecurity risk management and protect critical information from unauthorized access and loss.
When should businesses use each standard?
ISO/IEC 27001 should be used by organizations that wish to establish a formal ISMS and seek certification by an independent third party to demonstrate compliance with information security best practices. Certification can be a ‘ticket to trade’ in many instances, as customers and stakeholders look to protect their own valuable and personal data. Beyond that consideration, it can help protect the business itself by providing business continuity strategies and resilience.
ISO/IEC 27002 is best used as a reference for selecting and implementing controls within an ISMS based on the requirements of ISO/IEC 27001. It can be particularly useful for organizations that want to improve their information security management practices without necessarily seeking certification. Even without pursuing ISO/IEC 27001 certification, adopting the controls set out in ISO/IEC 27002 gives an organization a degree of protection from cyber threats.
Both standards are regularly updated to take account of new developments and practices in a fast-evolving landscape of threats and demands.