ISO 27001 & ISO 27002 – what’s the difference?
In the previous article, we covered Annex A to ISO 27001. While it contains 114 security controls broken down into 14 domains, the truth is that it gives very little detail about each control. Typically, each control is described in a single sentence that tells you what you need to achieve, but not how to achieve it.
This is why ISO 27002 was published: it gives each control from Annex A to ISO 27001 a much more detailed explanation of how to implement it.
What you should know:
- Controls in ISO 27002 have the same names as in Annex A to ISO 27001 – for example, in ISO 27002 control 6.1.2 is called “Segregation of duties”, while in ISO 27001 it is “A.6.1.2 Segregation of duties”.
- The difference between ISO 27001 and ISO 27002 is the level of detail – on average, ISO 27002 dedicates an entire page to each control, while ISO 27001 dedicates only one sentence to it.
Note: Don’t fall into the trap of using only ISO 27002 to manage information security – it gives you no guidance on how to choose which controls to implement, how to measure them, how to assign responsibilities, etc.
- ISO 27002 does not tell you which controls apply to a particular organization. ISO 27001 requires a risk assessment to determine, for each control, whether it is needed to reduce risk and, if so, to what extent it should be applied.
The question is: why do these two standards exist separately? Why have they not been merged into one standard that combines the strengths of both?
The answer is usability – a single combined standard would be too complex and too large for practical use.
In conclusion – without proper organizational tools, ISO 27002 on its own is an isolated reference containing excellent guidelines for implementing security mechanisms, which makes it a useful set of good practices. ISO 27001 gives you the perspective needed to decide, through sound risk management, which of the ISO 27002 practices to apply.