
17 December 2018
Information Security

ISO 27001 vs. ISO 27002 - What's the difference?

Organisations exploring information security management systems (ISMS) may have come across both ISO 27001 and ISO 27002 without knowing the difference between them. At first glance, ISO 27002 appears to be the much more detailed standard: it runs to 91 pages, compared with 31 pages for ISO 27001.

ISO 27001 and ISO 27002 Differences

The key difference between ISO 27001 and ISO 27002 is that ISO 27002 is designed to be used as a reference for selecting security controls while implementing an Information Security Management System (ISMS) based on ISO 27001. Organisations can achieve certification to ISO 27001, but not to ISO 27002. ISO 27002 does not address any of the requirements in clauses 4-10 of ISO 27001; guidance for implementing those clauses is available in ISO 27003.

An Example of the Differences Between ISO 27001 and ISO 27002

ISO 27001 includes the security controls in a section titled Annex A, which lists the security domains, security categories, control objectives and then the security controls themselves. ISO 27002 covers the same content as Annex A but adds a section titled "Implementation Guidance" to each security control.

An example of this is A.6.2.1, shown below verbatim from both standards:

A.6.2.1 Mobile Device Policy in ISO 27001:2013

Control

A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.

A.6.2.1 Mobile Device Policy in ISO 27002:2013

Control

A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.

Implementation Guidance

When using mobile devices, special care should be taken to ensure that business information is not compromised. The mobile device policy should take into account the risks of working with mobile devices in unprotected environments.

The mobile device policy should consider:

a) registration of mobile devices;

b) requirements for physical protection;

c) restriction for software installation;

d) requirements for mobile device software versions and for applying patches;

e) restriction of connection to information services;

f) access controls;

g) cryptographic techniques;

h) malware protection;

i) remote disabling, erasure or lockout;

j) backups;

k) usage of web services and web apps.

Care should be taken when using mobile devices in public places, meeting rooms and other unprotected areas. Protection should be in place to avoid the unauthorised access to or disclosure of the information stored and processed by these devices, e.g. using cryptographic techniques and enforcing the use of secret authentication information.

Mobile devices should also be physically protected against theft especially when left, for example, in cars and other forms of transport, hotel rooms, conference centres and meeting places. A specific procedure taking into account legal, insurance and other security requirements of the organisation should be established for cases of theft or loss of mobile devices. Devices carrying important, sensitive or critical business information should not be left unattended and, where possible, should be physically locked away, or special locks should be used to secure the devices.

Training should be arranged for personnel using mobile devices to raise their awareness of the additional risks resulting from this way of working and the controls that should be implemented.

Where the mobile device policy allows the use of privately owned mobile devices, the policy and related security measures should also consider:

a) separation of private and business use of the devices, including using software to support such separation and protect business data on a private device;

b) providing access to business information only after users have signed an end user agreement acknowledging their duties (physical protection, software updating etc.), waiving ownership of business data, allowing remote wiping of data by the organisation in case of theft or loss of the device or when no longer authorised to use the service. This policy needs to take account of privacy legislation.

What This Means for Organisations

Based on the additional implementation guidance in ISO 27002, it would be wise for organisations to refer to both standards when establishing, implementing and continually improving an ISMS.

Conclusion

ISO 27001 outlines how an organisation can manage its information security. While ISO 27002 looks very similar in structure, it is designed to supplement the requirements set out in ISO 27001 by describing best practices for implementing the controls.

For organisations still unsure about ISO 27001, and for those interested in ISO 27001 certification, it's crucial to work with an ISO 27001 Information Security Management System consultant.

Compliance Council are experienced Information Security Management System consultants who work with organisations to establish, implement and improve information security management systems.