Information Security – How ISO27001 and ISO2002 Are Related

How ISO27001 and ISO27002 are related

Over the course of more than two centuries, China built a great wall to keep its enemies out.  An impressive security measure if there ever was one. Did it work? Hardly: guards could easily be bribed by the enemy to open the gates.

Not much has changed in the digital age. Even with the right tools, programs, and procedures in place, security depends first and foremost on human behavior.

Today, in an age where hacking, malware, ransomware and privacy breaches are daily news every organization takes security measures seriously. Security software is installed, security procedures are implemented and people are instructed. Organizations can also refer to an ISO standard to verify their security efforts: ISO 27000 Information Security Management Systems.

One Standard & One Code of Practice

ISO/IEC 27001 is a standard that details requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). The Chapters in this standard describe the requirements for the ISMS and Annex A describes the measures that need to be implemented. Organizations can be certified against this standard.

The two are very much related: The clauses of Annex A of the ISO/IEC 27001 are elaborated in detail in 27002 with some guidelines and examples of how you could implement these requirements. On average, ISO 27002 explains one control on one whole page, while ISO/IEC 27001 dedicates only one sentence to each control.

When it comes to exams, the main difference becomes very clear: Focus. ISO/IEC 27001 exams focus on the content of the standard whereas ISO/IEC 27002 focuses on the human behavior.

EXIN and ISO/IEC 27002

The EXIN Information Security Certification program is based on ISO/IEC 27002. Why? Because of the human factor. The certification intends to assess practical knowledge and application of information security principles and controls within an organization.  EXIN found the most relevant basis for assessing these competencies in ISO/IEC 27002. Because the ISO/IEC 27002 is further guidance on all the controls in Annex A of ISO/IEC 27001, it is not difficult to relate the specifications of the three certifications in this EXIN program to ISO/IEC 27001:

•    Information Security Foundation: meant for every employee in the organization. This is very practical and focuses on daily business activities. Some concepts will be found in the chapters of ISO/IEC 27001.

•    Information Security Management Advanced: aimed at team managers, process managers, and project managers. They need to know their responsibilities in protecting the information assets they are managing. That is why there are more references to ISO/IEC 27001 and a strong link with risk management.

•    Information Security Expert: this exam is aimed at Security Managers and Security Officers. They are usually the ones implementing the ISMS in the organization so the link with the ISO/IEC 27001 chapters about the management system is quite strong.

With employees that are aware of their roles and responsibilities with regards to security, CEOs can sleep peacefully and dream about the Great Wall of China, in the knowledge that their business is safe.