ISO 27001 is a standard that outlines the requirements for an information security management system (ISMS). It provides a framework for managing sensitive company information so that it remains secure.
On the other hand, ISO 27002 is a code of practice for information security management. It provides guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
In summary, ISO 27001 is a standard and ISO 27002 is a code of practice. ISO 27001 provides the requirements for an ISMS, while ISO 27002 provides guidelines for information security management.
ISO 27002 is a code of practice for information security management, providing a framework for managing sensitive company information so as to maintain its confidentiality, integrity, and availability.
The standard is divided into 14 sections, or clauses, each of which covers a different aspect of information security management. These sections include:
- Introduction: provides an overview of the standard and its purpose
- Scope: defines the boundaries of the information security management system
- Normative references: lists the other standards and documents that are referred to in the standard
- Terms and definitions: explains the key terms and concepts used in the standard
- Information security management system: describes the overall structure of the information security management system
- Management responsibility: details the responsibilities of management in relation to information security
- Internal organization: describes the structure and responsibilities of the organization in relation to information security
- Asset management: covers the management and protection of the organization’s information assets
- Human resources security: addresses the security aspects of managing human resources
- Physical and environmental security: covers the measures to protect the organization’s physical assets and the surrounding environment
- Communications and operations management: covers the management of the organization’s communications systems and the management of its information processing facilities
- Access control: covers the measures taken to ensure that only authorized individuals have access to the organization’s information
- Information systems acquisition, development, and maintenance: covers the security aspects of acquiring, developing, and maintaining information systems
- Information security incident management: covers the management of information security incidents
ISO 27002 is intended to be used in conjunction with other ISO 27000-series standards, such as ISO 27001, which provides a specific set of requirements for an information security management system. It provides a systematic approach to managing sensitive company information by establishing a framework of policies, procedures, standards, and guidelines.