Difference between ISO 27001 & ISO 27002? - Information Security


Sunday, April 04, 2021

Difference between ISO 27001 & ISO 27002?

Difference between ISO 27001 and ISO 27002?

ISO 27001 and ISO 27002 are both international standards for maintaining an ISMS program in an organization. However, ISO 27001 only talks about the scope of an ISMS (in other words, best practices for an ISMS), whereas ISO 27002 helps us with the actual implementation and control selection that ISO 27001 calls for.

ISO 27002 lists the same 14 control categories as ISO 27001, but it goes into detail on each control.

ISO 27002 is a supplementary standard that focuses on the information security controls an organization might choose to implement. It explains how each control works, what its objective is, and how you can implement it.

Wait, so, what are the key differences here?

Level of detail (by this I mean that ISO 27001 only tells us what is in scope and how to conduct a risk assessment and gap analysis, whereas ISO 27002 tells us the implementation criteria, objectives, and benefits of each control).

Certification (yes, an organization can get certified against ISO 27001, but not against ISO 27002).

Statement of Applicability (the SoA simply recognizes that not all safeguards can be implemented in every organization, so ISO 27001 suggests conducting a gap analysis by way of a risk assessment to determine which controls we need to implement according to our business requirements).

Some additional knowledge: ISO 27003 covers ISMS implementation guidance, and ISO 27004 covers the monitoring, measurement, analysis, and evaluation of the ISMS. ISO 27004 also helps information security professionals create metrics that give higher management an overview.

I hope this small write-up was able to help you. If yes, don’t forget to share your thoughts.
