Can ISO 27002 be used as a standalone guide for security management?

I attended a conference recently where many of the attendees mentioned that they used ISO/IEC 27002 as a standalone guide for security management, as opposed to using it simply as guidance for the certification to ISO/IEC 27001. Is this a common practice I should be employing too? In terms of compliance with multiple mandates, what can I achieve using ISO/IEC 27002 as a standalone guide?

    Requires Free Membership to View

Ask the Expert!

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

First, let's clarify the difference between the two standards. ISO 27001 is a management standard for information security programs. It is designed to provide a path to ISO/IEC 27001 certification for organizations that wish to demonstrate they have sound information security management practices. It specifies general control objectives but does not include detail on how to implement those controls. ISO/IEC 27002, on the other hand, is a best practice guide for building an information security program. It does contain detailed advice, but it is only advice. There is no such thing as ISO 27002 certification.

So, even if you're not pursuing ISO certification for your organization, you can still use the guidance provided in ISO/IEC 27002 to help you build your information security program. You have complete latitude to perform your own risk assessment and decide the appropriate level of implementation for your organization. I'd suggest that you think of ISO 27002 as a friendly security expert that you can consult to find out how things should be done, and then you can take that advice if you find it appropriate.

In your final question, you asked how you could use ISO/IEC 27002 as a standalone guide to help you comply with multiple mandates. The short answer is you can't. Because it is a collection of best practices, it is not possible to comply with 27002. However, following the advice contained within 27002 will help you understand your environment better and assist you in implementing a strong information security program. By building on that advice, you'll have a program that is well down the road toward complying with any regulatory requirements you face.

This was first published in October 2012

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: