Understanding the difference between ISO/27001 and ISO/IEC 27002

Written by Aron Lange

Published May 27, 2024

Can you explain the difference between ISO/IEC 27001 and ISO/IEC 27002?

In this article we will explore the structure and purpose of Annex A, explain its control themes, and highlight how ISO/IEC 27002 complements it by providing detailed guidance on implementing these controls.

Annex A of ISO/IEC 27001 is probably the most famous annex of all ISO standards. It provides a set of reference controls for information security that organizations can implement to treat their information security risks.

The Structure of Annex A

First of all, let’s have a look at the contents and structure of Annex A. The controls are organized into four sections, each representing a different theme of controls:

  1. Organizational Controls: These include 37 controls that deal with policies, procedures, and organizational measures to manage information security.

  2. People Controls: There are 8 controls in this section. They focus on measures related to individuals, such as roles, responsibilities, and awareness programs.

  3. Physical Controls: This section includes 14 controls related to physical security measures protecting organizational premises and physical assets.

  4. Technological Controls: With 34 controls, this section addresses technological measures, including software, hardware, and technical procedures.

Each of these sections contains controls aimed at modifying or maintaining the risk within an organization. In total, there are 93 controls designed to provide a comprehensive approach to information security management. The latest revision of ISO 27001 has introduced several new controls, which are highlighted in yellow within Annex A.

The information provided by Annex A is very limited. Basically there is only a control identifier, combined with a title and a brief control statement. Below you can find control 5.11 as an example for what Annex A looks like.

  • Control Identifier: 5.11

  • Control Title: Return of assets

  • Control (Statement): Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

I think we can all agree that this information is very limited and leaves beginners without the necessary guidance and understanding required to effectively implement these security controls. This is where ISO/IEC 27002 enters the stage.

ISO/IEC 27002: Guidance for the implementation of Annex A

ISO/IEC 27002 serves as an informative companion standard to ISO 27001, offering extensive guidance on how to implement the controls specified in Annex A.

The following mind map shows the contents of this standard.

Each control in ISO/IEC 27002 is detailed in a corresponding chapter that relates to a specific control of ISO/IEC 27001. The chapters in ISO/IEC 27002 are numbered to match the control identifiers in Annex A, making it easy to navigate between the two standards. This structured approach ensures that each control is well-defined and comes with the guidance necessary for its implementation.

The guidance for each control consists of six components, which add the information necessary to design and implement the controls of Annex A.

  • Control Title: A concise name for the control.

  • Attribute Table: Displays values associated with each attribute, such as control type or property.

  • Control (Statement): Summarizes the control and its intended outcomes.

  • Purpose: Explains why the control is necessary and the benefits it offers.

  • Guidance: Provides recommendations and best practices for effective implementation.

  • Other Information: Offers additional context and references to related documents.

Control Attributes

Each control in ISO/IEC 27002 is associated with five attributes to facilitate categorization and implementation:

  • Control Type: Preventive, detective, or corrective.

  • Information Security Properties: Confidentiality, integrity, or availability.

  • Cybersecurity Concepts: Based on the cybersecurity framework in ISO/IEC TS 27110.

  • Operational Capabilities: From a practitioner's perspective of information security capabilities.

  • Security Domains: Governance and ecosystem, protection, defense, and resilience.

ISO 27001 vs. ISO 27002: Normative vs. Informative Standards

ISO/IEC 27001 is a normative standard, which means it contains mandatory requirements that organizations must follow to achieve certification. In contrast, ISO/IEC 27002 is an informative standard. It simply provides additional details, guidance, and best practices for implementing the controls listed in Annex A of ISO 27001. However, it does not contain mandatory requirements. Therefore, it is not necessary to implement all the guidance provided.

If you are planning to implement ISO/IEC 27001, I would highly recommend following the guidance provided by ISO/IEC 27002, especially if you are new to the domain of information security management. But always align your measures with your actual risk exposure. For example, don’t hire a squad of armed security guards if there is no real necessity for it. You won’t need them, and yes, security guards are an actual recommendation of ISO/IEC 27002.

A broad selection of courses

Take one of our GRC courses and build impactful skills to advance your career.
