ISO 27001 vs ISO 27002: Which Standard Is Best for Your Organization?
Keeping information assets secure is crucial for today’s business leaders, but it is no simple feat. Executives and IT directors increasingly spend an inordinate amount of time searching for the best strategy to prevent a data disaster.
With more than 4 billion people plugged into the internet worldwide—all working, surfing, playing and socializing within a continually evolving digital landscape—the risks are everywhere and largely unpredictable.
Unfortunately, it is nearly impossible to understand—or even take a guess in the dark—the reasoning and approach of hackers and other cybercriminals who decide to compromise an organization’s computing system and its data.
The International Organization for Standardization (ISO), along with the International Electrotechnical Commission (IEC), has developed a family of standards set to protect information assets. The ISO/IEC 27000 series is a full family of standards specifically designed to keep help businesses keep data assets secure as more and more people and businesses become a part of the technological framework.
This comprehensive industry-respected family of standards can help your IT team in their efforts to manage the security of assets associated with employee details and human resources, financial information, intellectual property and trade secrets, and any information placed in your care by third parties.
Two Premier Standards in the ISO Family Are ISO 27001 and ISO 27002
ISO/IEC 27001:2013 (ISO 27001) may be the best known of the more than one-dozen ISO family of standards, but ISO/IEC 27002:2013 (ISO 27002) also holds great value regarding data asset security.
While none of the ISO standards are mandatory for businesses, ISO certification shows your clients, customers, investors, employees, executives, third parties, and any other stakeholders that you take the security of all information housed in your system seriously.
Achieving and maintaining the appropriate ISO standard certification may help your team land new exciting new business accounts, based on this certification alone. In a time where information has become its own currency, every above-and-beyond step you take to ensure security is likely to be rewarded with trust.
Let’s take a closer look at each ISO/IEC standard to help you determine which standard may best serve your organization’s goals in protecting valuable data resources.
ISO 27001 is the international standard lays out the details and best practices for a business’s information security management system (ISMS), which is crucial since it helps to prevent an organization’s controls from becoming disjointed and disorganized.
Often designed and implemented as temporary stop-gaps—or point solutions—for specific situations, an organization’s controls can quickly and easily take on a random—or even chaotic—existence within a system without a tool like ISMS.
And of course, “random” and “chaotic” are not terms you want to apply to your information system’s security controls.
ISO 27001 can be adopted by and implemented in any type of organization, in any sector, including the following:
- Profit or non-profit
- Governmental at federal, state and local levels
- Private firm: small, medium or global
Composed by the world’s top experts in information security, ISO 27001 offers a thorough methodology for the application and fulfillment of ISMS in an organization. The standard also allows companies to become certified, which confirms that your organization is fully compliant with the ISO 27001 standard.
It may help you to see a sample ISMS that aligns with the ISO 27001 standard. Take a look at the following sample ISMS strategy to see if it may help you determine whether ISO 27001 is right for your company:
Determine the Scope of Your Organization’s ISMS.
Determining what your organization’s ISMS will ultimately contain and cover is the first step in eliminating any semblance of chaos in your system. The scope generally comes down to understanding dependencies and interfaces. First, dependencies are essentially outside of your scope, and they include externally-based support services for accounting, cleaning and legal needs. Once you know and eliminate dependencies, you can focus on interfaces which include all endpoints within your network, such as your router, and high-level interfaces that include your people, processes and technology.
Perform a Risk Assessment of the Areas within the Scope of the ISMS.
Pinpointing your system’s risks and vulnerabilities is a crucial step in designing your ISMS and becoming ISO 27001 certified.
Create Policies and Procedures for ISMS and ISO 27001 Compliance.
Once you understand your scope, your system’s controls, and the risks within your system, create a set of policies and procedures to help your team maintain compliance and avert threats.
Assign Responsibilities for ISMS Design and ISO 27001 Compliance.
Your ISMS team will require a crew of informed and dedicated staff who understand the risks and vulnerabilities to your system, and they work to minimize those risks, using your policies and procedures—based on ISO 27001 best practices—as a guide.Your information security manager, or some similarly titled position, will serve as the point person for maintaining a smooth-running ISMS.
Conduct Regular Audits.
Internal and external audits can help ensure that your team is on track for ISO 27001 compliance. Many auditing firms extend a seal or certification proving that an organization has maintained an effective and stable ISMS at a certain point in time, and that it has complied with the ISO 27001 management standard.
The benefits of committing to ISO 27001 standard compliance are many and include the following:
- Lowered costs by preventing incidents like data breaches and other system infiltrations.
- Get the competitive edge since your clients will immediately see and recognize your ISO 27001 certification prominently displayed on your website.
- Makes it easier to comply with any laws, regulations and standards that are applicable to your business or industry.
Originally published as a means of renaming the existing ISO 17799 standard, which was a code of practice for information security, the ISO 27002 standard has taken new shape and direction over the years. This standard serves as a guideline for organizational information security standards and best practices for information security management.
Taking into consideration the business’s information security risk environments, ISO 27002 focuses on the organization’s selection, implementation and management of controls. Ultimately, while ISO 27002 is more of a guideline to achieving best practices and has subtle differences to ISO 27001, it also serves to demonstrate the stability of your organization’s ISMS.
The 2013 version of the ISO 27002 standard covers 114 controls over 14 sections.
The content sections of ISO 27002:2013 include the following:
- Security Policy
- Organization of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Physical and Environmental Security
- Operations Security
- Communications Security
- Information Systems Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity
Take a look at a few examples of what some of the codes may encompass in your control environment:
Physical and Environmental Security.
Here, you may consider factors like physical access to the network infrastructure, a list of staff who has access to the system, and a log of visitors to the physical work site.
Human Resource Security.
Human resource security helps you prevent bringing people into your facility who do not have the best intentions. A few ways to maintain human resource security is to screen candidates before hiring and to require all employees to sign a binding non-disclosure agreement or other document protecting the confidentiality of your data assets.
Do You Know Whether Your Business Needs ISO 27001 or ISO 27002?
Do you feel more confident about whether your business needs ISO 27001 or ISO 27002? It is easy to feel uncertain as to which one is right since they both intend to help you secure your organizational information. However, ISO 27001 is the foundation for building a solid ISMS framework while ISO 27002 is more of a design tool that supports and fills out the implementation of ISO 27001. ISO 27002 is also more commonly used when businesses prefer the strategy of designing and implementing their own controls and management guidelines for information security.
If you still need some guidance, our ISO team at I.S. Partners, LLC. can help you sort it out.