What is the difference between ISO/IEC 27001 and ISO/IEC 27002?
For most companies there is a misunderstanding about the different standards in the 27001 series, like: what is the difference between ISO 27001 and ISO 27002? Both standards are used, but the only one that a company can get certified against is 27001. In that standard we have all the requirements that a company needs to follow to be certified. You have the management system part, which is in clauses 4 to 10, and you have in the annex a list of different security controls; there are 114 security controls, and whether you have implemented each one or not needs to be stated in a statement of applicability. That document states which security controls a company follows. 27002 is more of a guideline on what companies can put in place to comply with Annex A of 27001. So, in that sense the two standards are very closely related: in one case, 27001, it's the requirements, and in 27002 it's the list of best practices. That's also why even the vocabulary changes; for instance with verbs, in 27001 the verb "shall" is used, saying "you have the obligation to do that", and in 27002 it's "should", so it's more a recommendation that a company can follow to comply with the standard. So I'd say the main difference is that. For 27002, a lot of companies use it, but you cannot be certified on it; it's just guidelines to follow. Also, when a company wants to develop its information security policy, it will also use that standard as a guideline.