What are the differences between ISO 27001 and ISO 27002 Standards?

Anyone interested in information security will surely have come across the ISO 27001 standard "Information Technology - Security Techniques - Information Security Management Systems", the international standard that describes the best practices for designing an information security management system, that is a holistic approach to ensure the confidentiality, integrity and availability of company information assets.

A management system designed in accordance with ISO 27001:2017 is made up of policies, procedures and other controls that involve people, processes and technologies, and can be considered an efficient, risk-based approach to protecting your information assets.

Even those who know ISO 27001 well, however, may not be familiar with ISO 27002 "Information Technology - Security Techniques - Code of practice for information security management", a supplementary standard that provides guidance on how to implement the security controls listed in Annex A of ISO 27001.

Although ISO 27001 is the best known standard, and also the one against which organizations are certified, neither can be considered in isolation, because the two are fully complementary. Let's see, then, how to use the two documents and what the differences between them are.

Let's start with ISO 27001, the main standard of the ISO 27000 family, a series of documents that covers the different aspects of information security management. The latest version of ISO 27001 was published in September 2013 (adopted in Italy in 2017) and replaced the 2005 version. It contains the requirements for implementing an information security management system, that is, everything that must be done so that what your organization does to guarantee information security complies with the ISO standard.

Certification to the ISO 27001 standard is recognized worldwide as an indication that your information security management system is aligned with security best practices. The standard is particularly useful at the beginning of an implementation project, or if you are looking for general guidance on how to proceed.

To meet the requirements of ISO 27001, organizations must:

  • gather a team of people who will work on the project and start it;
  • conduct an analysis of the existing gaps between how information is protected and what ISO 27001 requires;
  • establish the scope of the management system;
  • start the development of management policies that will have to guarantee the protection of information;
  • carry out a serious assessment of the risks to which the information is exposed. Risk management is the real cornerstone of a management system designed according to ISO standards: every ISO management standard is based on periodic assessments of the risks to the management system, used to determine which controls to implement to reduce the risk or, even better, eliminate it. Specifically, ISO 27001 defines its requirements for the risk management process, including risk assessment and treatment, in point 6.1.2;
  • select the controls to apply and apply them;
  • create the supporting documentation;
  • conduct in-depth training to raise staff awareness of a subject that is so important in today's world;
  • conduct an internal audit;
  • if everything is in order, look for a body that can verify the work done and certify you against ISO 27001.

ISO 27002, on the other hand, is a supplementary standard that focuses on the information security controls that organizations may choose to implement. These controls are listed in Annex A of ISO 27001; however, while Annex A describes each control in one or two sentences, ISO 27002 dedicates an average of one page to each control, making them far easier to understand and implement. The standard explains how each control works, what its objective is and how it can be implemented.

ISO 27002 is therefore extremely useful as a complementary standard to ISO 27001: if ISO 27001 went into the level of detail that ISO 27002 does, it would become unnecessarily long and complicated. By providing only an outline of each aspect of an information security management system and leaving the specific guidance to additional standards, it remains lean and easy to understand.

We say "additional standards" because ISO 27002 is not the only one that complements ISO 27001. There is also ISO 27003, which provides guidance on implementing the management system, and ISO 27004, which deals with its monitoring, measurement, analysis and evaluation.

Be careful not to get confused! An information security management system can be certified only against ISO 27001, not against ISO 27002, ISO 27003 "Information technology - Security techniques - Information security management systems - Guidance" or ISO 27004 "Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation".

This is because ISO 27001 is a management standard that provides a comprehensive list of requirements for management system compliance, while supplementary standards such as ISO 27002 only address a specific aspect of the system.

A key thing to consider when implementing an information security management system is that not all security controls will apply to your organization. ISO 27001 makes this clear by requiring organizations to conduct a risk assessment to identify and prioritize the threats to the security of their information. ISO 27002 does not mention this, so if you considered it without the support of the main standard, ISO 27001, it would be virtually impossible to understand which controls you should adopt.

ISO 27001 and ISO 27002 therefore have different objectives and are useful in different circumstances. If you are taking your first steps in the world of information security, or if you are planning the model by which you will establish, implement, maintain, monitor, review and continually improve the management system, then ISO 27001 is the right choice. Once you have identified the controls you will implement, on the other hand, you will need to refer to ISO 27002 to learn more about how each of them works.
