Understanding Compliance – ISO 27001 and ISO 27002
Although there is a relationship between the ISO 27001 and ISO 27002 standards, they have completely different meanings as far as the IT industry and compliance. Understanding these differences can save you thousands of dollars and hours of headache in your internal audit efforts as well as in your compliance reports. Here are the major differences between the ISO 27001 and ISO 27002 standards that you should know.
ISO 27002 is Not a Certified Standard.
The misconception that ISO 27002 is a standard that a business can actually become certified to comes from people who believe that the ISO 27002 standard was simply reworked from ISO 17799. Although many IT professionals in the past would use ISO 27002 compliance as an internal standard, there has never been a professional certification that a business could receive according to that standard.
In contrast, the ISO 27001 is a certified standard. As a matter of fact, the ISO 27001 standard was developed because of the confusion that ISO 27002 caused in the industry.
ISO 27002 is More Detailed. Why is it Not a Standard?
Although ISO 27002 explains controls in much greater detail than ISO 27001, ISO 27001 is the only standard that defines the objectives and responsibilities of management. Because it is the management of a company that actually implements, monitors and reviews the information security that a business uses, only ISO 27001 can be used as a management standard.
What Exactly is a Management Standard?
A management standard is more concerned with how the people in a company run a system than with the compliance of any individual control within that system. Auditors understand that individual controls can break down with technical problems. However, the larger problems in IT occur when the management running that system decides to implement that system in a way that is completely untenable with modern standards.
Individual controls are easy to fix because the rules of mechanics and physics only work a certain way. People can direct the system in virtually any way they want; therefore, the people running the system are the elements of the system that require a compliance check.
The Differences Between ISO 27001 and ISO 27002
Many people have asked why the two ISO standards have not been combined to form a single standard. After all, the detail that is in the ISO 27002 may actually bring some clarity and precision to the ISO 27001 management standard. However, the usability of each standard would actually fall if they were combined – the standard would be far too complex to use practically.
The ISO 27000 series of standards were created individually with a separate focus for each one. For instance, the ISO 27001 standard was created specifically to help build an IT foundation for an organization. The detail of the ISO 27002 makes it much more useful if you are looking to implement certain controls. Risk treatment is better served by other standards within the ISO 27001 line.
The ISO 27001 standard gives a company an actionable risk assessment for controls within a system. Using this standard, you can also determine the level to which the assessment should be applied. On the other hand, the ISO 27002 standard makes no distinctions between the controls that actually apply to a particular business. This is the only way that the ISO 27002 standard could be so detailed in its descriptions of each control.
Your Next Move
If you are looking to stay in compliance with the ISO 27001 standard, you need a company that understands the subtle differences between all of the members of the ISO 27000 series. We will use all of the standards in the ISO 27000 line to ensure that your systems are working to the height of their efficiency. We will also ensure that your company remains compliant with all external standards, using our cost-efficient audit methods and reports to showcase process bottlenecks and areas of improvement.