ISO 27001 and ISO 27002 can seem quite similar. Both standards relate to IT security and to building a robust, secure, and solid Information Security Risk Management System (ISMS).
So are they actually different? Do you need to keep both in mind when seeking ISO certification for your business? How are they related, and how are they distinct? Those are all good questions, and in this blog we’ll give you the answers you need.
ISO 27001 Sets The Standards Needed For A Certified ISMS Implementation
The ISO 27001 standard is a management standard covering information security controls. It’s designed to be used when implementing or managing an information security risk management system (ISMS).
This international standard was created by the International Standards Organization (ISO) to help with risk assessment and risk management in IT systems, along with other ISO 27000 series standards.
An ISMS, simply put, refers to the systems, technology, people, and other elements of a plan designed to secure your enterprise data, such as important files, websites, servers, and emails. It’s a holistic concept, intended to bring together all of the controls that are in place to protect your data from accidental loss, data leaks, breaches, hacks, and other threats and vulnerabilities.
For example, Annex A of ISO 27001 sets forth requirements about information security policies, securing human resources, IT asset management, data cryptography and encryption, operational security, and other such important areas of your ISMS.
Meeting ISO 27001 standards requires a systematic process of monitoring, measurement, analysis, and evaluation, and often includes internal audits to identify weak points and areas for improvement before the certification assessment takes place.
To implement ISO 27001 in Australia, you must work with a JAS-ANZ-accredited certification body, such as Best Practice. We are fully qualified to analyse and assess businesses to determine whether they meet ISO 27001 requirements.
If you meet the requirements set forth in the ISO 27001 standard, your business will be certified. This means that your information security risk management system meets certain requirements, as outlined by ISO 27001.
ISO 27002 Doesn’t Provide Certification, But Provides Implementation Guidance
The big difference between ISO 27001 and ISO 27002 is that, while you can earn ISO 27001 certification for your business, you cannot earn ISO 27002 certification. There is no such thing: you can’t be certified against the ISO 27002 standard.
Put simply, ISO 27001 sets forth the compliance requirements needed to become certified. ISO 27002, by contrast, is a set of guidelines designed to help you introduce and implement ISMS best practices.
Here’s a simpler analogy: ISO 27002 is like a guidebook or a practice test. It’s full of rules, guidelines, and tips that help you prepare for the “test”, which is ISO 27001. You don’t need to worry about becoming ISO 27002 certified, because there’s no such thing! It exists only to help you prepare for ISO 27001.
This also means that you do not need to follow each and every control and recommendation listed in ISO 27002. Doing so can be helpful if you are looking to lock down your data and improve data security, but it is not necessary to follow everything outlined in this set of guidelines.
Interested In ISO 27001 Certification?
Best Practice are experts in ISO 27001 and a JAS-ANZ-accredited certification body. We are fully capable of certifying your business to ISO 27001 standards, and we also have a deep understanding of the ISO 27002 guidelines and how they apply to the ISO 27001 certification process.
Whether you have a fully formed ISMS and are ready for a final audit, or you need assistance developing your ISMS implementation and ensuring it will meet all relevant ISO 27001 requirements, our team of consultants is here to help. Contact us online to schedule a meeting today.