Aug 03 2021

ISO 27001 vs. ISO 27002: What’s the difference?

Category: Information Security,ISO 27kDISC @ 11:09 am

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

What is ISO 27001?

ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.

The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do achieve compliance.

This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.

To meet these requirements, organisations must:

What is ISO 27002?

ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

This is because the Standard explains how each control works, what its objective is, and how you can implement it.

The differences between ISO 27001 and ISO 27002

There are three main differences between ISO 27001 and ISO 27001:

  • Detail

If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

  • Certification

You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

  • Applicability

A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

When you should use each standard

ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

Learn the basics of information security

You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.

Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.

You’ll learn from expert information security consultants, as they explain:

  • ISO 27001 management system documentation;.
  • How to plan, scope and communicate throughout your ISO 27001 project; and
  • The key steps involved in an ISO 27001 risk assessment.

Source: ISO 27001 vs. ISO 27002

Previous blog posts on ISO27k

Pentests are required for ISO 27001 or SOC2 audits

ISO 27002 major revision

With ISO27001 how you should choose the controls needed to manage the risks

The importance of the Statement of Applicability in ISO 27001 – with template

Steps to implement ISMS (ISO 27001)

How FAIR & ISO 27001 Work Together

ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, ISO 27001 Auditing, iso 27001 certification, ISO 27001 Handbook, ISO 27001 implementation, ISO 27001 Lead Implementer, iso 27002, Statement of Applicability in ISO 27001

Mar 27 2021

The importance of the Statement of Applicability in ISO 27001 – with template

Category: ISO 27kDISC @ 11:32 am
The importance of the Statement of Applicability in ISO 27001 – with template

The importance of the Statement of Applicability in ISO 27001 – with template

Chloe Biscoe  23rd March 2021

Documentation is a crucial part of any ISO 27001 implementation project, and one of the most important documents you need to complete is the SoA (Statement of Applicability).

In this blog, we explain what an SoA is, why it’s important and how to produce one.

What is a Statement of Applicability?

An SoA summarises your organisation’s position on each of the 114 information security controls outlined in Annex A of ISO 27001.

Clause 6.1.3 of the Standard states an SoA must:

  • Identify which controls an organisation has selected to tackle identified risks;
  • Explain why these have been selected;
  • State whether or not the organisation has implemented the controls; and
  • Explain why any controls have been omitted.

Every control should have its own entry, and in cases where the control has been selected, the SoA should link to relevant documentation about its implementation.

Which controls do you need to implement?

Organisations are only required to implement controls that are appropriate to the risks they face. They should determine which controls apply to them by conducting an ISO 27001 gap analysis and risk assessment.

These processes help organisations identify the risks they face, which they can match to the relevant control.

Annex A provides a useful outline of each control. Still, you’ll probably need something more in-depth when it comes to the implementation process. That’s where ISO 27002 comes in. It’s a supplementary standard in the ISO 27000 series, providing a detailed overview of information security controls.

ISO 27002 provides detailed information on each control, explaining how each one works and providing advice on how to implement it.

You’ll therefore benefit from having copies of both standards when creating your SoA.

Why is the Statement of Applicability important?

The SoA is a useful document for everyday operational use because it provides comprehensive coverage of your organisation’s information security measures.

You can refer to it to understand how and why your organisation is tackling certain risks and accepting others.

This is especially important when ensuring continual improvement within your organisation. You can assess whether the controls you’ve implemented are working as intended and assess whether other controls might be more suitable.

Likewise, you can review why you chose to accept risks and determine whether the threat landscape has increased significantly enough to warrant a change.

An SoA also has significant regulatory consequences. If you are investigated for a data breach, you can use the document to demonstrate that your defences were the result of an ISO 27001-compliant risk assessment.

Completing the Statement of Applicability

Completing the SoA can seem like a daunting task, but there are a few things you can do to simplify the process.

For a start, you should consider delegating each part of the process to the relevant person. You can ask someone in the HR department to provide information regarding the way they process personal data, and do the same for IT, marketing and so on.

Breaking it down this way saves time – as you aren’t relying on one person or a small team to understand every part of your organisation. It also makes it easier to understand specific issues that your business faces.

Another way to simplify the SoA is by consulting ISO 27002. This is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, but whereas that document simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

Finally, you should consider pooling together the documents you’ve created as part of your ISO 27001 implementation project – namely, the inventory of information assets, the risk assessment, the risk treatment plan.

Each of these documents provides a partial picture of your information security practices, but when you consider them altogether, you get a much clearer picture, which you can use to inform your SoA.

Save time writing your Statement of Applicability

Those looking for help creating their SoA should take a look at our ISO 27001 Toolkit.

The toolkit includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Simple dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

Tags: Statement of Applicability in ISO 27001