What is ISO 27002?

Several questions come up repeatedly about the ISO 27000 series of standards: What is the difference between ISO 27001 and ISO 27002? Is it necessary to have both? ISO 27002 is much more detailed, so should I use ISO 27002 instead of ISO 27001? Is there an answer to these questions?

Firstly, every standard in the ISO 27000 series is designed with a different purpose, so no standard in the series is "better" than another. The question to ask is what your organization is trying to achieve. If you want to build the foundations of information security in your organization and establish its management framework, ISO 27001 is the one to look at; if you want guidance on implementing and managing individual security controls, ISO 27002 is the one for you.

So what exactly is ISO 27002? ISO 27002 is an internationally recognized standard that gives organizations guidance on selecting, implementing and managing information security controls to address risks to the confidentiality, integrity and availability of information. Organizations that adopt ISO 27002 can assess their information security risks, clarify control objectives, and apply appropriate controls using the standard as guidance. Note that ISO 27002 is a code of practice, not a certifiable standard: an organization is certified against ISO 27001, not against ISO 27002. This leads to the next popular question: what is the relationship between ISO 27001 and ISO 27002? ISO 27001 includes security controls in a section titled Annex A, which lists the security domains, control categories, control objectives and the controls themselves. ISO 27002 covers the same content as Annex A but adds an "Implementation Guidance" section to each control. Hence ISO 27001 and ISO 27002 are used together, one complementing the other.

ISO/IEC 27002:2013 is broken down into 14 control clauses (its clauses 5 to 18), which correspond one-to-one to sections A.5 to A.18 of Annex A in ISO/IEC 27001:2013:
A.5: Information Security Policies
A.6: Organization of Information Security
A.7: Human Resource Security
A.8: Asset Management
A.9: Access Control
A.10: Cryptography
A.11: Physical and Environmental Security
A.12: Operations Security
A.13: Communications Security
A.14: System Acquisition, Development and Maintenance
A.15: Supplier Relationships
A.16: Information Security Incident Management
A.17: Information Security Aspects of Business Continuity Management
A.18: Compliance

ISO/IEC 27002:2013 gives the recommended controls for organizations to adopt when implementing an Information Security Management System (ISMS).

Organizations should go through each of the 114 controls and adopt those appropriate to their ISMS scope and boundary in order to meet the ISO/IEC 27001:2013 requirements. ISO/IEC 27001:2013 (clause 6.1.3) also requires a Statement of Applicability (SoA) that lists the necessary controls, whether each is implemented, and the justification for including it or for excluding any Annex A control, so the same 114 controls are the natural starting point for formulating the SoA. Note that the 14-domain, 114-control structure belongs to the 2013 editions; ISO/IEC 27002:2022 reorganises the controls into four themes (organizational, people, physical and technological) with 93 controls, and Annex A of ISO/IEC 27001:2022 was updated to match.

We are information security consultants who can help your organization simplify the implementation of an information security framework based on ISO/IEC 27001:2013 or ISO/IEC 27001:2022 and achieve certification with our methodology and framework approach. For SMEs based in Singapore, we also help companies apply for the EDG grant for ISO 27001 and other standards adoption. Do reach out to us via email at [email protected]