I attended a conference recently where many of the attendees mentioned that they used ISO/IEC 27002 as a standalone guide for security management, as opposed to using it simply as guidance for the certification to ISO/IEC 27001. Is this a common practice I should be employing too? In terms of compliance with multiple mandates, what can I achieve using ISO/IEC 27002 as a standalone guide?