Difference between ISO 27001 and ISO 27002?
ISO 27001 and ISO 27002 are both international standards for maintaining an
ISMS program in an organization. However, ISO 27001 only defines the scope and
requirements of an ISMS (in other words, best practices for running an ISMS),
whereas ISO 27002 helps with the actual implementation and control-selection
work that ISO 27001 requires.
ISO 27002 lists the same 14 control categories as ISO 27001, but it goes into a
deeper level of detail for each control.
ISO 27002 is a supplementary standard that focuses on the information security
controls an organization might choose to implement. The ISO 27002 standard
explains how each control works, what its objective is, and how you can
implement it.
Wait, so what are the key differences here?
1. Level of detail: ISO 27001 only tells us what is in scope and how to conduct
a risk assessment and gap analysis, whereas ISO 27002 tells us, for each
control, its implementation criteria, objectives, and benefits.
2. Certification: an organization can get certified against ISO 27001, but not
against ISO 27002.
3. Statement of Applicability (SoA): the SoA reflects that not every safeguard
can be implemented in every organization, so ISO 27001 requires a risk
assessment and gap analysis to determine which controls we need to implement
for our business requirements, and the SoA records which controls were
selected and which were excluded.
Some additional knowledge: ISO 27003 covers ISMS implementation guidance, and
ISO 27004 covers the monitoring, measurement, analysis, and evaluation of the
ISMS. ISO 27004 also helps information security professionals create metrics
that give higher management an overview of the ISMS.
I hope this small write-up was able to help you. If so, don't forget to share
your thoughts.