I attended a conference recently where many of the attendees mentioned that they used ISO/IEC 27002 as a standalone guide for security management, as opposed to using it simply as guidance for the certification to ISO/IEC 27001. Is this a common practice I should be employing too? In terms of compliance with multiple mandates, what can I achieve using ISO/IEC 27002 as a standalone guide?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
First, let's clarify the difference between the two standards. ISO 27001 is a management standard for information security programs. It is designed to provide a path to ISO/IEC 27001 certification for organizations that wish to demonstrate they have sound information security management practices. It specifies general control objectives but does not include detail on how to implement those controls. ISO/IEC 27002, on the other hand, is a best practice guide for building an information security program. It does contain detailed advice, but it is only advice. There is no such thing as ISO 27002 certification.
So, even if you're not pursuing ISO certification for your organization, you can still use the guidance provided in ISO/IEC 27002 to help you build your information security program. You have complete latitude to perform your own risk assessment and decide the appropriate level of implementation for your organization. I'd suggest that you think of ISO 27002 as a friendly security expert that you can consult to find out how things should be done, and then you can take that advice if you find it appropriate.
In your final question, you asked how you could use ISO/IEC 27002 as a standalone guide to help you comply with multiple mandates. The short answer is you can't. Because it is a collection of best practices, it is not possible to comply with 27002. However, following the advice contained within 27002 will help you understand your environment better and assist you in implementing a strong information security program. By building on that advice, you'll have a program that is well down the road toward complying with any regulatory requirements you face.
Dig deeper on ISO 17799
Related Q&A from Mike Chapple, Enterprise Compliance
Social media compliance is not typically considered a big issue for companies, but expert Mike Chapple explains why it should be.continue reading
Metadata tagging is not just for security. Expert Mike Chapple explains how tagging tools can be used to achieve PCI DSS compliance.continue reading
Before using the HIPAA-compliant cloud services from Google, there are some things companies need to know, according to expert Mike Chapple.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.