
What is the difference between ISO 27001 and ISO 27002? Are they related to each other or not?

Lucas Kauffman

3 Answers

The ISO 27000 series of standards is a compilation of international standards all related to information security. The difference is that the ISO 27001 standard has an organizational focus and details requirements against which an organization's Information Security Management System (ISMS) can be audited. ISO 27002, on the other hand, is more focused on the individual and provides a code of practice for use by individuals within an organization. If you compare them you will see that they are structured similarly and that they map to each other.

The difference is in the level of detail: ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control. ISO 27002 provides best practice recommendations on information security management for use by those who are responsible for implementing or maintaining the Information Security Management System (ISMS), whereas ISO 27001 defines the audit requirements.

Lucas Kauffman

ISO 27001 establishes requirements. If an organization wants to certify its Information Security Management System (ISMS) it needs to comply with all requirements in ISO 27001.

On the other hand, ISO 27002 contains best practices that are not mandatory. That means that an organization does not need to comply with ISO 27002, but it can use it as inspiration to implement the requirements in ISO 27001.

For example, in ISO 27001 you have a control that requires the organization to do backups, and in ISO 27002 you have the same control but more developed, saying that the backups should be done at planned intervals, that they should be tested, that you should back up data and software, etc.

ISO 27002 is more complex and difficult to comply with, but it is not mandatory because, depending on the context and the business of the organization, it could implement the control in another way. ISO 27001 establishes what you have to do but not how. ISO 27002 describes how.

S.L. Barth
kinunt
    Note though that while officially no part of 27002 is mandatory, there are some controls in it that are so fundamental that if you don't implement them the 27001 auditors are going to figure your ISMS can't be working right. – Graham Hill Dec 16 '14 at 09:02
  • @GrahamHill, in fact, the controls in ISO 27001 do appear in ISO 27002, but in the second it is described how to implement each control, while in ISO 27001 the control is just enunciated and the organization should define how to implement each control. – kinunt Dec 21 '14 at 21:58

Regarding 27002, be aware that 27001 states that:

Control objectives and controls from these tables shall be selected as part of the ISMS process specified in 4.2.1,

where "these tables" means Annex A (in particular, 27002).

So you do have to take the Annex A controls into scope, although you can place them out of scope if you can argue why (for example, no software development takes place, or the risk is too low).

Jens Erat