I attended a conference recently where many of the attendees mentioned that they used ISO/IEC 27002 as a standalone guide for security management, as opposed to using it simply as guidance for the certification to ISO/IEC 27001. Is this a common practice I should be employing too? In terms of compliance with multiple mandates, what can I achieve using ISO/IEC 27002 as a standalone guide?
First, let's clarify the difference between the two standards. ISO 27001 is a management standard for information security programs. It is designed to provide a path to ISO/IEC 27001 certification for organizations that wish to demonstrate they have sound information security management practices. It specifies general control objectives but does not include detail on how to implement those controls. ISO/IEC 27002, on the other hand, is a best practice guide for building an information security program. It does contain detailed advice, but it is only advice. There is no such thing as ISO 27002 certification.
So, even if you're not pursuing ISO certification for your organization, you can still use the guidance provided in ISO/IEC 27002 to help you build your information security program. You have complete latitude to perform your own risk assessment and decide the appropriate level of implementation for your organization. I'd suggest that you think of ISO 27002 as a friendly security expert that you can consult to find out how things should be done, and then you can take that advice if you find it appropriate.
In your final question, you asked how you could use ISO/IEC 27002 as a standalone guide to help you comply with multiple mandates. The short answer is you can't. Because it is a collection of best practices, it is not possible to comply with 27002. However, following the advice contained within 27002 will help you understand your environment better and assist you in implementing a strong information security program. By building on that advice, you'll have a program that is well down the road toward complying with any regulatory requirements you face.
This was first published in October 2012