First of all, you cannot get certified against ISO 27002, because it is not a management standard. What does a management standard mean? It means that such a standard defines how to run a system, and in the case of ISO 27001 it defines the information security management system (ISMS); that is why certification against ISO 27001 is possible.
This management system means that information security must be planned, implemented, monitored, reviewed and improved. It means that management has its specific responsibilities, that objectives must be set, measured and reviewed, that internal audits must be carried out, and so on. All those elements are defined in ISO 27001, but not in ISO 27002.
The controls in ISO 27002 are named the same as in Annex A of ISO 27001. For instance, in ISO 27002 control 6.1.6 is named "Contact with authorities", while in ISO 27001 it is "A.6.1.6 Contact with authorities". The difference is in the level of detail: on average, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control.
Finally, the difference is that ISO 27002 does not distinguish between controls applicable to a particular organization and those that are not. ISO 27001, on the other hand, prescribes a risk assessment to be performed in order to identify, for each control, whether it is required to reduce the risks, and if it is, to what extent it should be applied.
The question is: why do these two standards exist separately? Why haven't they been merged, bringing together the positive sides of both? The answer is usability: if they were a single standard, it would be too complex and too large for practical use.
Each standard from the ISO 27000 series is designed with a specific focus: if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001; if you want to implement controls, you should use ISO 27002; if you want to carry out risk assessment and risk treatment, you should use ISO 27005; and so on.
To conclude, one could say that without the details provided in ISO 27002, the controls defined in Annex A of ISO 27001 could not be implemented; however, without the management framework from ISO 27001, ISO 27002 would remain just an isolated effort of a few information security enthusiasts, with no acceptance from top management and therefore with no real effect on the organization.