ISO 27001 & 27002 Definition
g33k3r
I thought I understood ISO 27001 & 27002, but I have contradicting information now. Can someone give me an easy way to understand these?
Thanks!!
Comments
Mike7
A company is audited against ISO27001.

27001 is the formal requirements for an ISMS (Information Security Management System, aka policy, guidelines, procedures). The ISO27001 document has an Annex listing 35 control objectives and 114 controls. When implementing, you will decide which of the controls apply to your company's ISMS and do the necessary.

27002 is the code of practice for ISMS controls; it expands on the 27001 Annex listing and provides implementation guidance for each control objective. Use ISO27002 as a guide when implementing 27001 documentation.

There are other ISO2700X standards. See "About ISO27k" for a listing.
dave0212
Mike7 pretty much covered it.
All I will add is: you certify against 27001; you cannot certify against 27002. 27002 is merely a guidance document for implementation of the 27001 Annex controls (the 114). You are not expected to achieve everything listed in 27002, but it provides a framework for auditors to assess you against, as not all auditors are technical enough to understand the appropriate implementation of those controls.
g33k3r
Thanks everyone. This is a much better description!