ELI5: What is ISO 27001 / 27002?
ISO 27001 is like earning a safety badge that’s recognized all over the world. It proves a company has a proper system for keeping information safe. ISO 27002 is the guidebook that shows how to earn that badge.
Definition
ISO 27001 is an internationally recognized standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Organizations can achieve formal certification against ISO 27001 through an accredited external audit. ISO 27002 is the companion code of practice that provides implementation guidance for the controls listed in ISO 27001 Annex A. Together they form the cornerstone of a globally recognized ISMS.
Key Details
- ISO 27001: certifiable standard; certification requires an external Stage 1 (documentation review) and Stage 2 (control testing) audit by an accredited certification body
- ISO 27002: provides detailed guidance on implementing each control in Annex A; it is a reference, not a certifiable standard
- ISO 27001:2022 updated the control set to 93 controls organized into 4 themes (Organizational, People, Physical, Technological)
- Certification is increasingly required by enterprise customers and government contracts, particularly in Europe
- Exam tip: ISO 27001 = certifiable ISMS standard; ISO 27002 = implementation guidance for its Annex A controls; both belong to the ISO 27000 series
Connections
- Parent: regulations-and-frameworks — ISO 27001/27002 is the most widely recognized international ISMS standard
- See also: nist-cybersecurity-framework-csf
- See also: external-audit