Aug 03 2021

ISO 27001 vs. ISO 27002: What’s the difference?

Category: Information Security,ISO 27kDISC @ 11:09 am

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

What is ISO 27001?

ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.

The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do achieve compliance.

This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.

To meet these requirements, organisations must:

What is ISO 27002?

ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

This is because the Standard explains how each control works, what its objective is, and how you can implement it.

The differences between ISO 27001 and ISO 27002

There are three main differences between ISO 27001 and ISO 27001:

  • Detail

If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

  • Certification

You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

  • Applicability

A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

When you should use each standard

ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

Learn the basics of information security

You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.

Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.

You’ll learn from expert information security consultants, as they explain:

  • ISO 27001 management system documentation;.
  • How to plan, scope and communicate throughout your ISO 27001 project; and
  • The key steps involved in an ISO 27001 risk assessment.

Source: ISO 27001 vs. ISO 27002

Previous blog posts on ISO27k

Pentests are required for ISO 27001 or SOC2 audits

ISO 27002 major revision

With ISO27001 how you should choose the controls needed to manage the risks

The importance of the Statement of Applicability in ISO 27001 – with template

Steps to implement ISMS (ISO 27001)

How FAIR & ISO 27001 Work Together

ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, ISO 27001 Auditing, iso 27001 certification, ISO 27001 Handbook, ISO 27001 implementation, ISO 27001 Lead Implementer, iso 27002, Statement of Applicability in ISO 27001


Sep 16 2018

Download ISO27k standards

Category: ISO 27kDISC @ 7:23 pm

 

 

Download ISO27000 family of information security standards today!

‱ ISO27001 2013 ISMS Requirement (Download now)

‱ ISO27002 2013 Code of Practice for ISM (Download now)

ISO 27001 Do It Yourself Package (Download)

 

ISO 27001 Training Courses –  Browse the ISO 27001 training courses

ISO 27001 Training Courses





Tags: ISO 27001 2013, ISO 27001 2013 Toolkit


Oct 29 2015

Keep certification simple using ITGP’s toolkits

Category: ISO 27kDISC @ 8:13 pm

ISO

When implementing ISO management systems, most of us would like to:

  • get it right first time,
  • keep it as straightforward as possible,
  • be able to integrate the system with other frameworks,
  • reduce common errors that are made during the process, and
  • cut implementation costs where possible.

 

Implementing management systems has never been easier with ITGP’s toolkits

Authored by industry experts and used by over 4,000 organisations worldwide, ITGP’s toolkits will help you do all of the above and more.

Comprising pre-written templates, customisable worksheets, policies and helpful guidance, the documentation toolkits are perfect for organisations seeking certification, compliance and/or best-practice implementation.

View all toolkits >>







Tags: ISO 27001 2013 Toolkit, toolkit


Dec 04 2013

ISO27001 2013 high level review for making the transition

Category: ISO 27kDISC @ 3:06 pm

ISO 27001 2013

ISO 27001 2013 high level review for making the transition from ISO 27001 2005

The Case for ISO 27001 (2013) Second Edition (Download the latest book in Adobe)

It’s been several months now that highly anticipated release of the latest information security standard ISO 27001 2013 for the organization who have vested interest due to previous compliance or certification in ISO 27001 2005. ISO 27001 2013 has 114 controls defined within 14 security control clauses (domains) collectively containing a total of 35 main security categories and introductory clauses including introduction, scope, normative references.

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The new standard no longer require organizations to adopt the Plan-Do-Check-Act (P-D-C-A) model to develop and introduce the ISMS, but leave it to each organization to determine and adopt a continual improvement model (corrective action) that works for them.

The scope in new standard requires every organization to make sure the external and internal issues, (vendor assessment) and information security requirements of these parties are addressed in the contract. This clause will ensure that an ISMS is relevant to the organization’s activity which include external partners and provides an assurance that appropriate controls are in place for external parties as well. In risk assessment area, risks are treated and residual risk accepted by risk owners rather than asset owners, which may require organizations to build a risk register, which will ultimately become an auditable document.

There is another important requirements relating to the setting of information security objectives (strategy), which include the evaluation of the information security performance and measuring the effectiveness of the ISMS.

Annex A has also been restructured into fewer controls (114) and three new domains
A.5. Information security policies
A.6. Organisation of information security
A.7. Human resources security
A.8. Asset management
A.9. Access control
A.10. Cryptography – new
A.11. Physical and environmental security
A.12. Operations security – new
A.13. Communications security
A.14. System acquisition, development and maintenance
A.15. Supplier relationships – new
A.16. Information security incident management
A.17. Information security aspects of business continuity management

The Standard now covers what was previously referred to as ‘control of documents’ and ‘control of records’ under the description of ‘documented information’.

There is no longer a summary of the mandated documents required by the Standard in this section, relying on the organization to identify the requirements for what is now referred to as ‘documented information’ for itself. They are listed below

The scope (4.3)
The information security policy (5.2 e)
The information security risk assessment process (6.1.2)
The information security risk treatment process (6.1.3)
Statement of Applicability (6.1.3 d)
The information security objectives (6.2)
Evidence of competence (7.2)
That documentation ‘determined by the organisation as being necessary for the effectiveness of the information security management system’ (7.5.1 b)
The documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
The results of information security risk assessments (8.2)
The results of information security risk treatment (8.3)
Evidence of the information security performance monitoring and measurement results (9.1)
Internal audit programme(s) and the audit results (9.2 g)
Evidence of the results of management reviews (9.3)
Evidence of the nature of the non-conformities and any subsequent actions taken, and the results of any corrective actions (10.1)

Summary of new controls in ISO 27001 2013 Annex A

A.6.1.5 – Information security in project management
All projects will address information security, regardless of the nature of the project. This ensures that information security is dealt with from the bottom up.
A.14.2.1 – Secure development policy
Rules for development of software and systems are established and applied to developments. This acts as a sort of precursor control to 14.1.1 and 14.1.3, which relate to controlling the data and applications developed under this control.
14.2.6 – Secure development environment
The organisation ensures an appropriately secure development environment for system development and integration, across the whole development lifecycle. This is deliberately broad to allow input from the earliest stages of the ISMS (identifying the nature of the organisation), rather than restrictively demanding measures that may not be relevant.
14.2.8 – System security testing
The organisation establishes acceptance testing programs and related criteria for new information systems, upgrades and new versions.
15.1.3 – Information and communication technology supply chain
This control requires agreements with suppliers to address information security risks associated with information and communications technology services and products supply chain.
16.1.4 – Assessment of and decision on information security events
Information security events are examined and assessed to determine whether they qualify as information security incidents. This control applies an additional step in the incident management process.

Contact DISC for a Free Gap Assessment for any domain of your choice based on location

Start your ISMS project with ISO27001 2013 Documentation Toolkit

Mapping of ISO/IEC 27001:2013 to ISO/IEC 27001:2005 for $6.99  

  

 Download ISO27000 family of information security standards!
‱ ISO 27001 2013 ISMS Requirement (Download now)
‱ ISO 27002 2013 Code of Practice for ISM (Download now)

 




Tags: Information Security Management System, isms, ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, iso 27001 certification, ISO 27001 Lead Implementer


Dec 01 2013

ISO27001 2013 ISMS Standalone Documentation Toolkit

Category: ISO 27kDISC @ 9:53 pm

ISO27001 2013

Start your ISMS project with ISO27001: 2013

With the publication of the new version of the ISO27001 standard, there has never been a better time to start an ISMS implementation project to look after your information security.

 

ITGP toolkits – ISO27001: 2013 ISMS Documentation Toolkit

This new Toolkit provides you with a comprehensive set of pre-written ISMS documents compliant with the newly released ISO27001: 2013 Standard, built from the necessary policies, procedures, work instructions and records that will save you months of work as you get your information security system up to speed, including:

* Information Security Manual

* Visio Documentation Map and Structure

* Information Security Policy

* vsRisk risk assessment tool Integration Templates (not vsRisk itself)

* Business Continuity Management for information security

* Gap analysis ISO27001: 2013 and ISO27002: 2013 Audit tool

* Asset Management documentation templates such as, Asset Inventory, Information Hardware Assets, Software log, etc.

* Supplier Relationships documentation templates such as, External Parties Information Security Procedure and Third Party Service Contracts

* Operations and Communications Security document templates dealing with, Anti-Virus Software, Vulnerability Management, Systems Auditing, System Planning & Acceptance, etc.

 

Benefits of the ISO27001: 2013 ISMS Documentation Toolkit:

  • Fully customisable and editable templates inclusive of:
    7 Policies, 55 Procedures, 23 Work Instructions, 25 Records, guidance documents as well as Blank Templates that will enable you to bring in your exisitng documentation in-line with a consistent management system
  • Pre-written to be compliant with the standard
  • Saves you time on research
  • Saves you time on writing
  • Provides document guidance as you go
  • Cheaper than one day of consultancy
  • After sales support service
  • 12 months of automatic updates

 

Related articles




Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit