Cybersecurity is integral to any data-driven business, but building an effective cybersecurity apparatus can be challenging, if not outright daunting. Outside of industry-specific regulations, simply grasping the complexity of modern security threats and IT infrastructure has become an intellectual discipline of its own. That’s why compliance frameworks exist: to help companies like yours build environments that can withstand modern cyber threats.
One organization, the ISO, has dedicated significant resources to develop best practices and frameworks for organizations like yours to build effective and scalable cybersecurity systems that meet both the challenges of modern threats and the demands of modern compliance. ISO has released a series of documents, called the ISO 27000 series, to speak directly to these challenges.
While we have previously discussed ISO 27001 and its importance to data-driven businesses, we will now expand that discussion into the next document, ISO 27002, and why it’s important to your organization.
What is ISO 27001?
The International Organization for Standardization (ISO) regularly releases and updates documents providing standards, guidelines and best practices for a host of technical systems, tools and operations. This organization, composed of engineers and scientists, seeks to let professionals who build or implement technology draw on expert knowledge to better secure and operate these systems.
ISO 27001 is a document released by the ISO to address best practices for IT systems and cybersecurity. More specifically, ISO 27001 provides guidance for how organizations can develop their own Information Security Management Systems (ISMS).
What is an ISMS? Contrary to what the name might suggest, an ISMS isn’t an out-of-the-box technology solution to help you shore up your cybersecurity infrastructure. Rather, it is a comprehensive collection of technologies, processes and positions that, together, contribute to the overall security posture of your organization. ISO 27001, therefore, offers best practices for developing this comprehensive security environment across your company.
To meet the requirements for an ISMS under ISO 27001, you’d have to implement controls from categories such as the following:
- Information Security Policies, including how you document policies and procedures and how you review these documents regularly.
- Human Resource Security, or how you train and inform employees about cybersecurity regulations during onboarding, in case of any changes or when an employee shifts positions or responsibilities.
- Organization of Information Security, especially as it relates to the positions, people and departments responsible for specific security tasks and procedures.
- Asset Management, including the maintenance of data assets regarding their protection and security, the tracking of hardware or devices and the management of applications.
- Cryptography, covering the minimum and ideal levels of encryption used for data transmission, storage and sharing.
- Environmental Security, including the protection of data centers, workstations and offices containing sensitive data.
- Information Security Incident Management, which pertains to best practices for responding to breaches or hacks as they occur, including notifications for affected parties, reporting requirements for governing bodies and remediation efforts.
Alongside these, you’ll also see guidelines for evaluating supplier relationships, securing technology acquisition and maintenance, and operational security.
This compliance framework, however, isn’t required in most industries. Businesses in healthcare or retail, for example, face no specific industry mandate to follow ISO standards. Doing so, however, can provide significant security benefits above and beyond existing compliance regulations. Additionally, many compliance frameworks borrow, to a greater or lesser extent, from ISO standards.
What Are the Differences Between ISO 27001 and 27002?
If you were to take the steps necessary to comply with ISO 27001, you’d clearly see what those steps might be, but you wouldn’t necessarily know how to carry them out with concrete action. That is to say, complying with ISO 27001 involves implementing security controls across all required categories to build out your ISMS.
ISO 27002 fills that gap by detailing the controls your organization would need to implement to meet ISO 27001 requirements. In this sense, ISO 27002 is a supplement to ISO 27001. It is also, in many ways, a core part of 27001, because it is nearly impossible to understand that document without understanding the controls that would lead to compliance.
What are some of the key differences between the two documents?
- Clarity: Without ISO 27002, 27001 is broad and lacks focus. This division makes sense: were ISO to include everything required for compliance in a single document, it would be too large and complex to make sense of. So while ISO 27001 provides the framework, ISO 27002 provides the details.
- Application: ISO 27002 isn’t meant to stand on its own, and as such doesn’t provide guidance on how and why to implement any given security control. ISO 27001, on the other hand, includes guidance on conducting gap analyses and risk assessments to guide the development of an ISMS. This, in turn, provides a roadmap for which controls from ISO 27002 you should implement.
- Certification: You cannot be certified under ISO 27002, only ISO 27001.
When Do I Need to Consider ISO 27002 Compliance?
So, if you can’t get certified under ISO 27002, then why would you need to know anything about it?
The distinction between the two rests on what you want to accomplish for your organization. Think about it from these two separate perspectives:
- ISO 27001 is available to organizations to help them build an informed, responsive and effective ISMS. That is, this document is focused on providing a management framework. True security and compliance must, in our modern cybersecurity landscape, go much further than completing checklists for regulatory bodies. They must take into account the entire scope of a company’s IT system, from people to technology and procedures. As such, ISO 27001 provides a management framework for your business to use approaches like risk assessment and other forms of evaluation as a way to best understand the unique needs of your infrastructure.
- ISO 27002 provides the critical underpinning of that management framework. Once your organization has a clear understanding of which security measures will benefit it the most, it can leverage the controls in 27002 to make that plan a reality. Outside of that, looking to ISO 27002 in isolation, while potentially helpful for cybersecurity improvements, will not provide the kind of comprehensive protection that certification under ISO 27001 will.
Automate ISO 27001 and ISO 27002 with Continuum GRC and ITAM
One of the most challenging and time-consuming aspects of audits and compliance is maintaining the documentation and accounting necessary to meet accreditation. We provide automated audits and reporting for several ISO compliance standards, including ISO 27001 and 27002. We remove the need for older tools like spreadsheets, email and word processing by automating audit documentation and assessment across your entire infrastructure.
Preparing for an ISO 27001/27002 Audit?
Call Continuum GRC at 1-888-896-6207 or complete the form below.