ISO 27002 (formerly ISO 17799) is a “collection” of security controls (often referred to as best practices) that are often used as a “security standard”. By definition, an audit (or assessment) is comparison to a standard. While 27002 is not a standard per se – it is often used that way. Assuming that the design and/or operation of your Information Security Management Systems is “consistent with” (e.g., there are no notable gaps) it can be said that your environment is “compliant” with the standard.

ISO 27002 Compliance

There is a difference between Design compliance (e.g., your Policies/Standard/Procedures are consistent with the standard) and Operational compliance (e.g., the environment operates in compliance with the design (which is consistent with the standard)).

A company can assert on its own behalf as to its compliance with a standard, of course having an independent/qualified third party assert to your compliance is a notably stronger form of attestation. (A Shared Assessment is essentially a standardized way of asserting ISO 27002 Compliance.)

ISO 27002 Gap Assessment

An ISO 27002 Gap Assessment provides an assessment of an organization’s implementation of ISO 27002 control recommendations. The gap analysis is a good step toward understanding the effectiveness of the control environment and is a potential starting point for eventual Information Security Management System (ISMS) certification. It results in a gap analysis that clearly identifies the remediation steps required to achieve alignment with ISO 27002.