June 11, 2013

Last Updated on January 13, 2024

A common misconception is that an organization can choose to get certified to the ISO 27002 standard.
I’ve noticed that this misconception is more prevalent with long-time information security practitioners, who understand that ISO 27002 is just a renamed version of ISO 17799 (which was itself a derivative work of British Security Standard BS 7799). “Back in the day” (pre widespread ISO 27001 acceptance) information security thought leaders would use 27002 standard “compliance” as a means of denoting that an organization had aligned the design of its information security program with the world’s most widely accepted code of practice. In a sense, it is the trials and tribulations of these thought leaders that led to the development of the ISO 27001 standard.
In order for an organization to be proclaimed “compliant,” with ISO 27002 there were several fundamental challenges:

  • You had to implement all 134 controls – whether you thought you really needed a given control or not.
  • 27002 does not provide “prescriptive” guidance (i.e., the detail around implementing the control). For example: Yes, I need passwords. Should they be three characters and change annually or should they be 12 characters, across three character types, rotate monthly, and never be re-used?
  • 27002 lacks the formal definition of a scope, so “compliance” meant compliance for the organization as a whole.
  • The recipient of the “compliance” report knew that the organization had addressed all of the required controls, but they had no assurance that the controls were “reasonable and appropriate.” They also did not have a formal way of determining whether the auditor and organization were appropriately qualified to render the opinion and/or that the audit program used was sufficient.

ISO 27001 was developed (in large part) to address these challenges/facilitate the process of leveraging ISO 27002. The relationship between the ISO 27001 vs 27002 standards can be simplified as follows:

  • It applies to a defined scope. This allows a SaaS provider, for instance, to get a certification for his SaaS solution without needing to address his corporate network (assuming appropriate segregation exists).
  • It is the management process for operating an Information Security Management System (ISMS) using the ISO 27002 controls. (Controls are mechanisms that reduce risk.)
  • It is fundamentally about information security risk management. You use an understanding of your information related risks to determine which ISO 27002 controls are needed (and to what extent) to mitigate the severity of the risk the control is intended to mitigate. Hence, the “prescriptivity” is defined by the risks specific to that environment.
  • Certification audits must be conducted by an ISO 27001 Certified Lead Auditor working for an ISO validated registrar. Hence, the recipient of the certificate knows that the diligence/validation performed has been validated by the International Standards organization.

The difference between ISO 27001 and 27002 can be summarized as follows: While the certification is to the process detailed in the 27001 standard, you are predominantly leveraging the controls in the ISO 27002 standard to manage critical information security risks in your environment.
Instead of thinking in terms of “27001 vs 27002,” it’s often more relevant to note how the two standards function together to provide a management standard that your business can be certified against, as well as guidance on how to implement needed controls based on a risk assessment.