I attended a conference recently where many of the attendees mentioned that they used ISO/IEC 27002 as a standalone...
guide for security management, as opposed to using it simply as guidance for the certification to ISO/IEC 27001. Is this a common practice I should be employing too? In terms of compliance with multiple mandates, what can I achieve using ISO/IEC 27002 as a standalone guide?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
First, let's clarify the difference between the two standards. ISO 27001 is a management standard for information security programs. It is designed to provide a path to ISO/IEC 27001 certification for organizations that wish to demonstrate they have sound information security management practices. It specifies general control objectives but does not include detail on how to implement those controls. ISO/IEC 27002, on the other hand, is a best practice guide for building an information security program. It does contain detailed advice, but it is only advice. There is no such thing as ISO 27002 certification.
So, even if you're not pursuing ISO certification for your organization, you can still use the guidance provided in ISO/IEC 27002 to help you build your information security program. You have complete latitude to perform your own risk assessment and decide the appropriate level of implementation for your organization. I'd suggest that you think of ISO 27002 as a friendly security expert that you can consult to find out how things should be done, and then you can take that advice if you find it appropriate.
In your final question, you asked how you could use ISO/IEC 27002 as a standalone guide to help you comply with multiple mandates. The short answer is you can't. Because it is a collection of best practices, it is not possible to comply with 27002. However, following the advice contained within 27002 will help you understand your environment better and assist you in implementing a strong information security program. By building on that advice, you'll have a program that is well down the road toward complying with any regulatory requirements you face.
Related Q&A from Mike Chapple, Enterprise Compliance
The HHS security risk assessment tool is designed to help healthcare providers meet the HIPAA security requirement. Expert Mike Chapple explains how ...continue reading
PCI DSS requirement 6.6 demands application security compliance through one of two options: an application firewall or a code review. Expert Mike ...continue reading
Are HIPAA-compliant hosting services a better option for compliance than a secure storage API? Expert Mike Chapple analyzes.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.