I attended a conference recently where many of the attendees mentioned that they used ISO/IEC 27002 as a standalone guide for security management, as opposed to using it simply as guidance for the certification to ISO/IEC 27001. Is this a common practice I should be employing too? In terms of compliance with multiple mandates, what can I achieve using ISO/IEC 27002 as a standalone guide?
First, let's clarify the difference between the two standards. ISO 27001 is a management standard for information security programs. It is designed to provide a path to ISO/IEC 27001 certification for organizations that wish to demonstrate they have sound information security management practices. It specifies general control objectives but does not include detail on how to implement those controls. ISO/IEC 27002, on the other hand, is a best practice guide for building an information security program. It does contain detailed advice, but it is only advice. There is no such thing as ISO 27002 certification.
So, even if you're not pursuing ISO certification for your organization, you can still use the guidance provided in ISO/IEC 27002 to help you build your information security program. You have complete latitude to perform your own risk assessment and decide the appropriate level of implementation for your organization. I'd suggest that you think of ISO 27002 as a friendly security expert that you can consult to find out how things should be done, and then you can take that advice if you find it appropriate.
In your final question, you asked how you could use ISO/IEC 27002 as a standalone guide to help you comply with multiple mandates. The short answer is you can't. Because it is a collection of best practices, it is not possible to comply with 27002. However, following the advice contained within 27002 will help you understand your environment better and assist you in implementing a strong information security program. By building on that advice, you'll have a program that is well down the road toward complying with any regulatory requirements you face.