Let us take a look at the differences between ISO 27001 vs ISO 27002. Undoubtedly it can be confusing, but the answer is surprisingly simple and straightforward. I am Stuart Barker, the ISO27001 Ninja, and this is the difference between ISO27001 and ISO27002.
What is ISO27001
ISO 27001 is a management system, and you can certify to ISO 27001.
What is ISO27002
ISO 27002 is a control set to be considered as part of your implementation, and you cannot certify to ISO 27002.
ISO 27001 compared to ISO 27002
ISO 27001
- A management system
- Can certify to the standard
- Mandatory requirements
- Easy to implement
- Satisfy it with ISO 27001 Templates

ISO 27002
- A list of controls for you to pick from
- Cannot certify to the standard
- Optional requirements
- Moderate to hard to implement
- Templates won't really help
What is ISO 27001 – a closer look
ISO 27001 is a management system. For the purpose of implementation it can be addressed with an ISO 27001 toolkit. There is a bit of documentation to do, and most of it you won't use day in, day out or come back to other than to pass the audit. Them's the facts. There are aspects of it that become part of the day-to-day operation of the business, though. The biggest cost and time sink of having ISO 27001 is your continual internal audit. Be prepared for this and plan resources for it. The rest of it is low impact if done right.
What is ISO 27002 – a closer look
ISO 27002 is a set of controls that someone somewhere has deemed the most common best practice controls for a business to implement. With this in mind, ours is not to reason why. Those controls are changing in 2022, and you can read about the changes in our ISO 27002 Changes Guide.
Your job is to review the list of 114 business controls and decide whether each is relevant to you. If it is, you implement a control to meet it. If it is not, you record in your Statement of Applicability why not. On the positive side, it is OK not to implement controls on the list, but the auditor wants a compelling reason why not.
The ISO 27002 controls cover all aspects of the business. With this in mind, it is a common mistake to assume this is an IT problem. Sadly, it is not. In truth it is a business-wide problem.
The art is to implement the controls to meet the control objectives, but to do it in a way that is proportionate to your business. Consequently, people often ask: what is the bare minimum I need to do? Good question. It is certainly an approach, and following it you will certainly pass an audit.
Conclusion
In conclusion, ISO 27001 is a management system you can certify to, and ISO 27002 is a control set for you to consider for relevance and implement.