ISO 27001 vs. ISO 27002

By Dejan Kosutic on September 13, 2010

If you have come across both ISO 27001 and ISO 27002, you probably noticed that ISO 27002 is much more detailed and much more precise – so, what is the purpose of ISO 27001 then?

First of all, you cannot get certified against ISO 27002 because it is not a management standard. What does "management standard" mean? It means that such a standard defines how to run a system, and in the case of ISO 27001, it defines the information security management system (ISMS) – therefore, certification against ISO 27001 is possible.

This management system means that information security must be planned, implemented, monitored, reviewed, and improved. It means that management has its distinct responsibilities, that objectives must be set, measured and reviewed, that internal audits must be carried out and so on. All those elements are defined in ISO 27001, but not in ISO 27002.

The controls in ISO 27002 are named the same as in Annex A of ISO 27001 – for instance, in ISO 27002 control 6.1.6 is named Contact with authorities, while in ISO 27001 it is A.6.1.6 Contact with authorities. But, the difference is in the level of detail – on average, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control.

Finally, ISO 27002 does not make a distinction between controls that are applicable to a particular organization and those that are not. ISO 27001, on the other hand, prescribes a risk assessment to be performed in order to identify, for each control, whether it is required to decrease the risks and, if it is, to what extent it should be applied.

The question is: why do these two standards exist separately? Why haven't they been merged, bringing together the positive sides of both? The answer is usability – a single combined standard would be too complex and too large for practical use.

Every standard in the ISO 27000 series is designed with a certain focus: if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001; if you want to implement controls, you should use ISO 27002; if you want to carry out risk assessment and risk treatment, you should use ISO 27005; and so on.

To conclude, one could say that without the details provided in ISO 27002, controls defined in Annex A of ISO 27001 could not be implemented; however, without the management framework from ISO 27001, ISO 27002 would remain just an isolated effort of a few information security enthusiasts, with no acceptance from the top management and therefore with no real impact on the organization.

You can also check out our webinar ISO 27001 Foundations Part 3: Annex A overview (commercially sold training).


  • Abhiraj

    Hey Dejan,

    I had always in mind that all the ISO 27000 series are in a hierarchical role, i.e. if we are through with creating the base infrastructure for security in a firm through 27001, then only we could make our way to 27002, which indeed, as you already said, pressurizes on control measures, and I believe the above post justifies my lame yet factual belief. Yet, I doubt how we could take these standards on with cloud computing, from a 'service provider's' point of view + their client, who manages their whole infrastructure in the cloud as a service?

    Again a great post signifying the ‘one-without-another’ relationship of ISO 27000 standards!

    Regards,
    Abhiraj

  • Dejan Kosutic

    Hi Abhiraj,

    When next revision comes, ISO/IEC 27001 will certainly have to be amended with cloud computing in mind.

    However, there already are clauses in ISO 27001 that can be applied to cloud computing – from the service providers' point of view it is actually the whole Annex A with its 133 controls, while from the point of view of their clients it is A.6.2.1 Identification of risks related to external parties, and A.6.2.3 Addressing security in third party agreements.

  • Lars Soderlund

    Both 27001 and 27002 are management standards. The 27001 is a requirement standard and 27002 is a guideline. If you look at ISO facts you will see that there are clear rules for writing the different types of standards.

  • Ali K

    Thanks for this blog, very useful and informative

  • Vlad

    I would like to know your thoughts about cloud computing and the actual ISO 2700x standards. Do they need significant updates, or are their statements enough to cover the challenges?

  • Dejan Kosutic

    As I already mentioned in previous comments, I think ISO 27001 will have to be amended because of cloud computing; however, it won't be a large change – all the important clauses for users of cloud computing services already exist in the standard.

    However, I think that the provision of cloud computing services will have to be covered better by legislation, and because of that legislation a new cloud computing information security standard might be developed. Or maybe such legislation will force ISO 27001 to change.

  • siewie

    Thank you sir,
    I've learned about the ISO 27000 family and how to design a security framework for some industry based on ISO 27001.
    But I still hadn't got a clear picture of the difference between ISO 27001 and ISO 27002.
    But this article really helped me out.

  • Heru Susanto

    Dear Dejan,

    From other references, actually 27001 is the icon of the ISO 27000 family. Is it right?
    Why do companies focus on ISO 27001 for information security? Is it possible to get ISO 27002 or another ISO number in the 27000 family, regarding information security?

    Regards,
    Heru

  • Dejan Kosutic

    Heru,

    A company can implement only ISO 27002 (or ISO 27005) if it wants, but in my view it doesn’t make too much sense – if it implemented only ISO 27002, it would lack the management framework for information security, as mentioned in the article above.

    Further, it is possible to certify only against ISO 27001, because certification bodies cannot issue a certificate for a standard that is not a management standard – only ISO 27001 from the ISO 27k series is a management standard.