ISO 27001 & 27002: Understanding the difference between ISO27001 and ISO27002
ISO/IEC 27001 and ISO/IEC 27002 differ in only a few ways. The key difference is that ISO 27002 is much more precise and detailed. That raises the question: if ISO 27002 covers everything, why is ISO 27001 needed at all?
Well, for a start, organizations cannot be certified against ISO 27002. Certification requires a management standard, and ISO 27002 isn’t a management standard.
Here we explain what ISO 27001 and ISO 27002 are and the key differences between them. Crucially, we provide guidance on when each of them should be used.
What is ISO 27001?
ISO/IEC 27001 is the specification for an information security management system (ISMS), and the standard against which an organization can be certified. An ISMS is a framework of policies and procedures, including the physical, technical, and legal controls involved in an organization’s information risk management process.
The standard itself states that ISO 27001 was developed to provide a framework for planning, implementing, operating, monitoring, reviewing, and improving an ISMS. It uses a top-down, risk-based approach and defines a six-step planning process:
- Introduce a security policy
- Understand the scope of ISMS
- Perform a risk assessment
- Manage and mitigate the identified risks
- Select controls and their objectives
- Prepare a statement of applicability
This framework includes management responsibility, continual improvement, internal audits, and preventive and corrective action plans. Moreover, cooperation among all departments of an organization is required for this standard.
The ISO 27001 standard doesn’t mandate specific information security controls; instead, it offers a checklist of controls that must be considered for implementation.
For ISO 27001 conformance, third-party accredited certification is recommended. You can find out more about the ISO 27001 certification in our article, ISO/IEC 27001 Certification: Understanding the Process and Costs.
What is ISO 27002?
ISO/IEC 27002 is a supplementary standard that explains how organizations should implement the controls listed in ISO 27001. Those controls are set out in “Annex A” of ISO 27001, and many information security practitioners refer to that list when discussing security controls.
In contrast to ISO 27001, ISO 27002 is organized into 12 main sections:
- Risk assessment plan
- Detailed security policy
- Organization of information security
- Asset management
- HR security
- Physical security
- Communications management
- Operation management and access control
- Information systems development and maintenance
- Incident management system
- Business continuity management
- Compliance standards
ISO 27002 describes a detailed set of information security control objectives and establishes good practice for security controls. For example, ISO 27002 specifies:
- Information security policies must be directed from an organization’s top leadership and communicated to all staff members.
- Both full-time and contract employees must be aware of their role in protecting an organization’s information, and must exercise those responsibilities before, during, and after employment.
- Physical and information assets must be identified so that the appropriate level of protection can be applied.
- To prevent unauthorized access, access to data and storage facilities must be restricted, and employees are responsible for protecting their authentication information.
- Information must be protected by establishing policies and procedures that meet legal, statutory, and regulatory obligations.
Many businesses deploy a wide range of ISO 27001 information security controls in the manner detailed by ISO/IEC 27002. It can be beneficial for an organization to structure its information security controls according to ISO/IEC 27002, since:
- It minimizes overlaps and coverage gaps
- ISO/IEC 27002 complements a well-respected global standard
- It’s easily recognizable by anyone familiar with ISO/IEC standards
ISO 27001 and 27002: Key Differences between the Controls
The ISO/IEC 27001 standard details the ISMS specifications. In contrast, the ISO/IEC 27002 is a best-practice guidance document describing how organizations can apply policies to ensure compliance.
Another key difference is the level of detail. While ISO 27001 has “Annex A” outlining the 14 security controls, ISO 27002 dedicates a page to each security control, covering the control’s objective, how it works, and how to implement it.
In summary, the differences between ISO 27001 and 27002 are:
- Detail – ISO 27001 only outlines each control; detailed guidance comes from supporting standards such as ISO 27002. Other supporting standards include ISO 27003, which covers ISMS implementation guidance (i.e. leadership, planning, operations), and ISO 27004, which details ISMS monitoring, measurement, analysis and evaluation.
- Certification – ISO 27001 is a management standard. Consequently, organizations can only certify to the ISO 27001 standard. As a management standard, ISO 27001 provides a detailed list of compliance requirements. ISO 27002, on the other hand, provides best practice guidance on information security controls.
- Applicability – When implementing an ISMS, you need to identify which information security controls are not applicable to your organization. ISO 27001 addresses this by requiring a risk assessment to determine which information security controls are needed. ISO 27002 specifies information security control objectives and provides best-practice means of achieving them. In this way, ISO 27002 complements ISO 27001: for each control identified as applicable to your organization, ISO 27002 provides the corresponding implementation guidance.
This raises a further question: why do these standards exist separately, and why haven’t they been merged? A merged standard would, after all, combine the strengths of both.
The simple answer is usability and applicability. If the two standards were merged, the result would be too complex for practical use.
Which standard should be used?
If you want to establish a robust information security framework within your organization, ISO 27001 will provide the standards in the form of requirements you need to attain.
A management standard defines how to run a system; in the case of ISO 27001:2013, that system is the ISMS.
You can’t implement ISO 27001 without the details provided in ISO 27002. However, the management framework of ISO 27001 will always remain different from ISO 27002.
As an advisory standard, ISO/IEC 27002 is meant to be interpreted and applied to organizations of all types and sizes according to their particular information security risks. Such flexibility provides plenty of opportunities to adopt ISO 27001 information security controls in a way unique to your organization.