
What Is ISO 27002 and why does your business need to know about it?


The International Organization for Standardization (ISO) recently released an update to the ISO/IEC 27002 originally published in 2013. These documents provide a standard framework for how businesses can manage and implement IT security measures to prevent data breaches.

If you haven’t already acquired a copy of the updated version, you can download ISO 27002 guidelines here.

Before you do that, however, it is important to understand ISO 27002 and how your business can benefit from it.

What is ISO 27001 and 27002?

The ISO 27001 and 27002 frameworks outline IT security standards. Meeting these standards helps organisations give their clients, partners, supply chains and stakeholders confidence in their capacity to store, manage and protect sensitive data.

While ISO 27001 is the standard that lists conditions that must be met to achieve compliance, ISO 27002 provides in-depth guidance and solutions for implementing an Information Security Management System (ISMS).

Both documents should be used in conjunction. Where 27001 is ideal for starting a project or for general advice, 27002 is required for full-scale implementation. 99.9% of the control framework is described in Annex A and ISO 27002; in other words, without ISO 27002 you are typically not going to achieve ISO 27001 certification.

How do ISO 27001 and ISO 27002 interact?

ISO standards enable companies to manage the security of data that is classed as an asset, such as financial information, intellectual property, employee details or personal information entrusted by third parties that is deemed ‘sensitive’ in relation to GDPR.

ISO 27001 is the management standard that outlines the framework of an ISMS. ISO 27002 goes into more depth about how to implement solutions but is essentially a supplementary standard that only deals with one category of the ISO 27000 family.

For example, 27004 provides recommendations about how to monitor, measure and evaluate the ISMS.

However, it’s important to note that while ISO 27002 provides the solutions, you must adhere to ISO 27001 to qualify for a certificate. It is in the latter that the full list of compliance requirements is published.

How should a business use ISO 27002?

Not every recommendation listed in ISO 27001 will be applicable to every company. You are only responsible for meeting compliance where the framework is relevant to your business.

It is recommended that your organisation performs a risk assessment that identifies where potential threats could occur in your IT network and which areas of the business hold vulnerable sensitive data, e.g. accounts, sales and marketing.

ISO 27002 doesn’t mention where threats may occur. For best practices, companies are advised to create a Statement of Applicability (SoA) which details compliance recommendations that apply to your firm.

Consulting ISO 27002 helps you to focus on the information security controls your organisation chooses to implement. The SoA provides an accessible overview that communicates the measures you have taken to your clients and other stakeholders.

Working with PGI

As the amount of data we hold increases, so will the regulations to protect these assets. The most effective way to deal with current and future requirements is to take a lead with building a risk-based approach for protecting all your important assets and adopt ISO 27001. In addition, ISO 27001 is much more widely recognised around the world than any of the other accreditations available, making any planned international expansion quicker and more cost-effective.

Contact us to talk about how we can help you achieve ISO 27001 compliance.