Apr 02 2019

Understanding the differences between ISO 27001 and ISO 27002

Category: ISO 27k | DISC @ 9:38 am

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

Although ISO 27001 is the better-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

 

What is ISO 27001?

ISO 27001 is the central framework of the ISO 27000 series, a family of standards covering different aspects of information security management.

The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do to achieve compliance, which is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale ISO 27001 implementation project.

To meet these requirements, organisations must:

  • Assemble a project team and initiate the project;
  • Conduct a gap analysis;
  • Scope the ISMS;
  • Initiate high-level policy development;
  • Perform a risk assessment;
  • Select and apply controls;
  • Develop risk documentation;
  • Conduct staff awareness training;
  • Assess, review and conduct an internal audit; and
  • Opt for a certification audit.


What is ISO 27002?

ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

This is because the Standard explains how each control works, what its objective is, and how you can implement it.

 

The differences between ISO 27001 and ISO 27002

There are three main differences between ISO 27001 and ISO 27002:

  • Detail

If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

  • Certification

You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

  • Applicability

A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

ISO 27001 makes that clear, requiring (in clause 6.1.2) that organisations conduct an information security risk assessment to identify and prioritise threats, and (in clause 6.1.3) that they select controls through a risk treatment process. ISO 27002 contains no such requirement, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

When you should use each standard

ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

Learn the basics of information security

You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.



Apr 01 2019

Just Having A Security Product Doesn’t Make You Secure

Category: Information Security, ISO 27k | DISC @ 5:31 pm

Every day, big companies are still getting breached despite their security products. F-Secure’s Mikko Hypponen warns that companies that say ‘use our technology and you will not have a breach’ actually make it much harder for clients to think about and be ready for a breach.

Source: Just Having A Security Product Doesn’t Make You Secure



Mar 31 2019

Facial ID payment

Category: Access Control, Authentication | DISC @ 4:50 pm



Mar 30 2019

Expert disclosed two Zero-Day flaws in Microsoft browsers

Category: Zero day | DISC @ 2:54 pm

A 20-year-old security researcher publicly disclosed details and proof-of-concept exploits for two zero-day vulnerabilities in Microsoft web browsers.

Source: Expert disclosed two Zero-Day flaws in Microsoft browsers


Zero Day Vulnerability titles


Mar 29 2019

Google’s most secure logon system now works on Firefox and Edge, not just Chrome

Category: 2FA, App Security | DISC @ 3:26 pm

Better hardware security key support means our post-password future is one step closer to reality.

Source: Google’s most secure logon system now works on Firefox and Edge, not just Chrome


Mar 29 2019

Common Terms Used in Cyber Security by NCSC

Category: cyber security | DISC @ 1:29 pm


Cyber Security Awareness


Mar 28 2019

How to set up two-factor authentication on all your online accounts

Category: 2FA, App Security | DISC @ 1:47 pm

2FA is an important step in preventing your account from being accessed by unauthorized users — here’s how to enable 2FA on your accounts across the web.

Source: How to set up two-factor authentication on all your online accounts



Mar 28 2019

The ABCs of Detecting and Preventing Phishing

Category: Phishing | DISC @ 11:12 am

Stay out of the phishing net with these actionable tips – here’s how you can detect and prevent phishing attacks.

Source: The ABCs of Detecting and Preventing Phishing


Mar 24 2019

Nmap Mindmap Reference

Category: Security Tools | DISC @ 5:11 pm




Mar 23 2019

Python Cheat Sheets

Category: Cheat Sheet, Hacking, Python, Security Tools | DISC @ 8:59 pm

Beginner’s Python Cheat Sheet

Python Crash Course – Cheat Sheets



Mar 19 2019

These are the top ten security vulnerabilities most exploited by hackers | ZDNet

Category: Security vulnerabilities | DISC @ 12:26 pm

But one simple thing could help stop the vast majority of these attacks, say researchers.

Source: These are the top ten security vulnerabilities most exploited by hackers | ZDNet



Mar 17 2019

Risk Management Framework for Information Systems

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev. 2)


Tags: Risk Management Framework


Mar 12 2019

Firefox Send’s free encrypted file transfers are now available to all

Category: data security | DISC @ 10:26 am

Source: Firefox Send’s free encrypted file transfers are now available to all



Mar 11 2019

Chinese hacking group backdoors products from three Asian gaming companies | ZDNet

Category: Cyber Espionage | DISC @ 1:58 pm

ESET suspects that tens or hundreds of thousands of users have been infected already.

Source: Chinese hacking group backdoors products from three Asian gaming companies | ZDNet

Cyber Security Espionage Titles



Mar 09 2019

How to Print Comments Only in Word

Category: App Security | DISC @ 1:35 pm

When collaborating on a document with several people, leaving comments is an essential part of the process. You can print the document along with comments, but what if you want to print just the comments? You can do that.

Source: How to Print Comments Only in Word

InfoSec Cheat Sheets


Mar 09 2019

Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7

Category: Information Security, Security patching | DISC @ 11:54 am

Hot on the heels of disclosing a critical zero-day vulnerability in Chrome that was being exploited in the wild by attackers, Google has now uncovered another critical zero-day that is being used alongside it to take over Windows machines.

Source: Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7



Mar 07 2019

How to choose the right cybersecurity framework

Does your organization need NIST, CSC, ISO, or FAIR frameworks? Here’s how to start making sense of security frameworks.

Source: How to choose the right cybersecurity framework



Mar 06 2019

Firefox to add Tor Browser anti-fingerprinting technique called letterboxing | ZDNet

Category: Web Security | DISC @ 11:59 am

Firefox gets another new feature from the Tor Uplift project started in 2016.

Source: Firefox to add Tor Browser anti-fingerprinting technique called letterboxing | ZDNet




Mar 05 2019

Comcast security nightmare: default ‘0000’ PIN on everybody’s account

Category: Information Security | DISC @ 10:29 am

It didn’t require an account PIN to switch carriers. Everybody uses 0000, it said, making it easier for customers… and phone hijackers.

Source: Comcast security nightmare: default ‘0000’ PIN on everybody’s account

Best Practice Information Security


Mar 04 2019

Probably the best-selling ISO27001 Toolkit in the world

Category: ISO 27k | DISC @ 2:11 pm

IT Governance Ltd, the world’s one-stop shop for ISO27001 information, books, toolkits, training and consultancy for ISO27001 Information Security Management, has now sold 1,034 copies of its ISO27001 ISMS Documentation Toolkit.

“We estimate that between 5% and 10% of all ISO27001-certified organisations worldwide have drawn on the comprehensive, best practice templates contained in our ISO27001 Toolkit,” commented Alan Calder, CEO of IT Governance.

  • The ISO27001 Documentation Toolkit
  • ISO 27001 Implementation
