ISO 27001 & 27002 Definition

g33k3r Member Posts: 249
I thought I understood ISO 27001 & 27002, but I have contradicting information now. Can someone give me an easy way to understand these?

Thanks!!

Comments

  • Mike7 Member Posts: 1,107
    A company is audited against ISO27001.
    27001 contains the formal requirements for an ISMS (Information Security Management System, aka policy, guidelines, procedures). The ISO27001 document has an Annex listing 35 control objectives and 114 controls.
    When implementing, you will decide which of the controls apply to your company's ISMS and do the necessary.


    27002 is the code of practice for ISMS controls; it expands on the 27001 Annex listing and provides implementation guidance for each control objective. Use ISO27002 as a guide when implementing 27001 documentation.

    There are other ISO2700X standards. See About ISO27k for a listing.
  • dave0212 Member Posts: 287
    Mike7 pretty much covered it.

    All I will add is: you certify against 27001; you cannot certify against 27002. 27002 is merely a guidance document for implementation of the 27001 Annex controls (the 114). You are not expected to achieve everything listed in 27002, but it provides a framework for auditors to assess you against, as not all auditors are technical enough to understand the appropriate implementation of those controls.
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • g33k3r Member Posts: 249
    Thanks everyone. This is a much better description!