ISO 27001 vs ISO 27002 Control Guidance Differences
This article explains the difference between ISO 27001 and ISO 27002 and their roles in an information security management system. ISO 27001 is the core standard, specifying the requirements for establishing, implementing and maintaining an ISMS, while ISO 27002 provides concrete implementation guidance and recommendations. Together they form a comprehensive information security framework. 2025-10-24 20:36:49 Author: securityboulevard.com

Here on the Ignyte blog, we talk a lot about ISO 27001 as a valuable international framework for information security. We also frequently touch on two related documents: ISO 27002 and Annex A.

As you may know, ISO/IEC, the organization responsible for developing the various ISO standards, has a lot of different standards for a lot of different purposes. ISO 9001 governs quality control, ISO 14001 centers on environmental management, and ISO 45001 centers on occupational health and safety, like an international OSHA. In total, there are over 25,000 ISO standards!


It makes sense that you might wonder what the differences are between related documents like ISO 27001 and ISO 27002. Which one do you follow?

Fortunately, there’s good news on that front: they’re the same standard.

What, then, is the purpose of documents like ISO 27002? How does it differ from ISO 27001, and which one do you need?

Follow Along at Home

Before we dig in, note that we’ll be referencing a lot of information found in the official ISO/IEC documents for ISO 27001 and ISO 27002. If you want to follow along, it can be helpful to have those documents on hand.

If you’re part of an organization that is working on implementing ISO 27001, there’s a good chance you already have a copy of the documents in question somewhere within your organization. Make sure to double-check before you purchase another copy.


If you need to obtain copies, you can find them here:

ISO/IEC also provides supplementary documents you can buy, which can help with the practical applications of the overall security standard. They’re available on their own or as part of a package. For example:

We’re only talking about ISO 27001 and ISO 27002 today, but be aware that there are other supplementary documents that can help with implementation, as well as a huge array of third-party information, including our guides.

Now, let’s dig into the specifics of ISO 27001 and ISO 27002.

What is ISO 27001?

In casual terms, when we talk about ISO 27001, we’re broadly talking about the information security standard as a whole. But that’s not what ISO 27001 the document is.

ISO 27001, the specific document you purchase from ISO/IEC, is a thorough outline of how to set up your organization’s information security policies and procedures in a way that can be validated as secure by an external auditor. It covers a wide range of topics within information security, including:

  • How to determine the proper scoping for your organization
  • How to perform a gap analysis
  • How to identify vulnerabilities
  • How to address vulnerabilities discovered
  • How to develop relevant policies and procedures
  • How to set up access control
  • How to set up asset management
  • How to handle incident response
  • How to establish a business continuity plan
  • How to train staff in all of the above
  • How to conduct an internal audit to validate the above
  • How to undergo an external audit to validate the above
  • How to maintain compliance over time and pass recertification audits

That’s a lot, but there’s a significant caveat: the ISO 27001 document is actually quite short. That’s because the specifics for each of the points above are pretty thin. For example, section 4.4, on establishing an ISMS, simply says this:

“The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.”

You can see why it might not be helpful in a practical sense, right? Answering the question of “how do I set up an ISMS” with “Set up an ISMS according to the document” isn’t all that helpful.


That’s slightly disingenuous. The above quote was a little cherry-picked as a thin entry on the list. The preceding section, 4.3, is more representative.

“4.3 Determining the scope of the information security management system.

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:

  1. The external and internal issues referred to in 4.1;
  2. The requirements referred to in 4.2;
  3. Interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.

The scope shall be available as documented information.”

Still referential, still lacking in tangible steps to follow, but more precise.

This is why ISO 27001 is more of an ecosystem than a specific set of guidelines. It can be a bit of a culture shock if you’re used to more tangible frameworks like CMMC, which outline specific security controls to follow and implement. ISO 27001 tells you your goals, but not what you need to do to reach them.

That’s where supplemental documents like ISO 27002 come in.

What is ISO 27002?

If ISO 27001 gives you the list of goals you need to achieve, ISO 27002 is a more tangible guide on how to achieve them. It’s a much, much more robust document, going through each of the overarching goals outlined in ISO 27001, and providing specific concerns, considerations, and implementation guidelines for each of them.

To put it into perspective, ISO 27001 is something like 19 pages long; ISO 27002 is 150 pages.

ISO 27001 will tell you things like “you must establish access control for spaces that contain protected information” and “information must be encrypted as appropriate for your organizational needs.”

Meanwhile, ISO 27002 gives you a rundown of things you should consider when determining what access control means or what level of encryption is required.


This can be surprisingly important, because “industry standard” options aren’t always standard or even options. There’s no reason to implement military-grade encryption for a small business that barely handles information at all, let alone anything coming close to classified.

Even with enhanced guidance, many organizations can find ISO 27002 to be frustratingly vague. That’s because ISO, in general, doesn’t want to lay out specific checklists of what is and isn’t valid.

Why not? A couple of reasons. A big one is just that what constitutes “good enough” for a small pet supplies vendor will be very different from “good enough” for a sub-organization of a country’s military or an international aerospace firm. They want you to really think about what you need and what is reasonable for your organization.

It’s important to remember that neither of these documents will give you a step-by-step implementation guide. ISO 27002 is just more precise in helping you determine areas of concern you might not have thought of on your own.

What Other Documents Should You Consider?

There’s more than just ISO 27001 and ISO 27002 in the ISO 27000 family. Some of the other supplementary documents might be very useful to have on hand in addition to the big two.

ISO 27000 is the baseline document for the ISO 27000 family. It’s a top-level overview of the concepts relevant to information security, the vocabulary that ISO/IEC uses throughout their documents, and the overarching goals to meet. It’s also more frequently updated than the core documents and is slated to be replaced by a new version soon.

ISO 27003 is sort of a middle ground between ISO 27001 and ISO 27002. It’s more top-level concepts and overview explanations, along with guidance, for organizations of all sizes when it comes to setting up an ISMS.

ISO 27004 is essentially a guidebook for performing a self-audit and analysis of your security posture and your compliance with the guidelines in ISO 27001. It’s not the same document used by ISO 27001 auditing firms, but it gives you an idea of what to look for and how to analyze your security on a practical level.

ISO 27005 is a guidebook to risk management, with details on how to identify risks, analyze and evaluate them, and how to treat them. It expands upon the requirements in ISO 27001 and provides more tangible guidelines for organizations of all sizes and industries.

ISO 27006, ISO 27007, and ISO 27008 are unlike the other documents mentioned so far, because they are standards in their own right, separate from but related to ISO 27001. They’re like ISO 27001 with higher requirements, because they’re the set of requirements that auditing organizations providing ISO 27001 audits must follow. They define the standards for those audits and how to audit an ISMS against ISO 27001.


There are also more ISO 27000-family documents and standards with limited scope.

  • ISO 27011 provides specific guidance for telecom companies and organizations based on ISO 27002.
  • ISO 27013 is a combined document providing guidance on implementing ISO 27001 and ISO 20000 (the standard for IT service management organizations) at the same time.
  • ISO 27017 is similar to ISO 27011, but for cloud service providers specifically.
  • ISO 27102 is also similar, providing guidance for cyber-insurance providers.

For the most part, you won’t need any of these documents, though some of them can be helpful in specific circumstances or for organizations in specific roles.

Which Do You Need: ISO 27001 or ISO 27002?

Neither. Both. All that and more.

Technically speaking, you could do the work to secure your business with an ISMS, pay for a third-party ISO 27001 auditing firm to come in, undergo the audit and validate your security, pass the audit, and achieve certification, all without ever looking at the ISO 27001 document.

Realistically, that won’t happen.

There’s no actual requirement to purchase these documents, but without them, you’re going to be lost. You can still get all of the relevant information by cobbling together free resources and paying consultants, but that’s a lot more time, a lot more work, and a lot more expense than just buying the documents themselves.

You can also, potentially, achieve ISO 27001 certification solely through the purchase of the ISO 27001 document, without looking at ISO 27002.

Again, though, realistically, that won’t happen. You would have to dedicate an immense amount of time and resources to thinking through each of the elements of the ISMS, determining all of the possible concerns to address, and implementing them.

Why reinvent the wheel when you can buy the blueprints?


ISO 27001 contains Annex A, which is their short-form outline of the 93 security controls you’ll need to consider and implement. But, again, they’re on the level of “have encryption for your data” without the specifics you would need to think about along the way.

ISO 27002 is the guide to each of the security controls outlined in Annex A, with a greater level of detail and more considerations for each of them.

Finally, it’s important to understand that ISO 27001 is the standard. Audits will check you against the requirements in ISO 27001. Other documents, including ISO 27002, offer guidance and information for implementation, but are not themselves standards. You can’t be “ISO 27002 certified” or pass an “ISO 27002 audit”. It’s all supplemental information.

To bring things back around, what are the differences in control guidance between ISO 27001 and ISO 27002?

It really just comes down to the level of detail. The specific requirements are the same because ISO 27002 exists solely in the service of properly implementing ISO 27001. But, where ISO 27001 can be frustratingly vague and generic, ISO 27002 offers more tangible detail on what you should be looking for, what you should think about and consider, and what you need to do for a successful implementation.

Neither of them can provide you with a step-by-step process to follow, nor a checklist of specifics to implement, but they can get you a lot closer. From there, it’s up to organizations like us, the Ignyte Assurance Platform, to help. Our expertise in ISO 27001 and our framework-agnostic platform can both help with your implementation. To see it in action and chat about what we can do for you, schedule a call today.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Dan Page. Read the original post at: https://www.ignyteplatform.com/blog/iso-27001/iso-27001-27002-differences/


Source: https://securityboulevard.com/2025/10/iso-27001-vs-iso-27002-control-guidance-differences/