In short, ISO 27001 is the standard for implementing an Information Security Management System (ISMS) that companies are certified against. It details what organisations must implement in order to have an ISMS that meets the requirements of ISO 27001. To broadly generalise, ISO 27002 and a number of other standards in the same 27000 family, can be considered to be supporting documents to ISO 27001, giving guidance and advice on the implementation.
The formal titles of the two standards are as follows:
- ISO 27001:2013 Information security management systems — requirements
- ISO 27002:2013 Code of practice for information security controls
In full, whilst ISO 27001 compliance is commonly discussed, there are a number of other standards in the ISO27000 family, that help provide ISO 27001 implementation guidance. ISO 27002 is the most well known of these. To put it another way, ISO 27002 is implementation guidance for ISO 27001– it helps organisations consider what they need to put in place to meet the requirements of ISO 27001. It is worth reading ISO 27002 to see typical ways that a requirement of 27001 could be satisfied. An auditor may well show you the implementation guidance in 27002 if discussing how a gap in compliance might be addressed. Key points are:
- A company cannot be certified to ISO 27002. It is only a guidance document. The company is certified against 27001.
- Compliance with ISO 27002 may not mean much, as it would be very costly to comply to all the implementation guidance; alternatively picking and choosing which guidance to use without the risk assessment and management included with ISO 27001 makes it meaningless. Compliance with 27001 makes more sense, however this would be without certification from a Certification Body that would do regular audits and is audited themselves.
So if you see a company stating they are complaint to ISO 27002, offering ISO 27002 compliance audits, or even offering ISO 27002 training, consider caution, since in all but perhaps niche training scenarios ISO 27001 would be the expected standard and it may indicate a lack of understanding.
Note that ISO 27002 is not the only useful accompaniment for organisations implementing ISO 27001. Some highlights from the 27000 family are listed below:
- 27003 discusses the design and implementation of the ISMS.
- 27004 gives guidelines to asses how well the ISMS implemented in 27001 is performing, which assists with the 27001 requirement that the performance of the ISMS be assessed (section 9).
- 27005 describes risk management methods. One of the core concepts of 27001 is identifying risks (section 6) and then matching controls to the risks faced.
- 27007 advises on how to satisfy the audit conditions of ISO 27001 (section 9.2).
- 27008 gives details on how to assess controls.
- 27009 gives specific industry sector advice on how to implement specific controls.
Note that there are many other documents in this family, but the above are likely to be the ones most useful to the majority of organisations.
So in summary, if you receive advice to obtain a copy of both 27001 and 27002, it is not two separate certification standards, but one certification standard and an accompanying guidance document.