ISO IEC 27001 is an information security management
is to help organizations to establish and maintain an
(ISMS). It defines a set of
requirements that must
be met if you want your ISMS to be certified.
ISO IEC 27001 is also an
methodology. It explains
to create an
ISMS. However, it doesn't tell you what kind of elements
make up an ISMS. That's
what ISO IEC 27002 2005 is all about.
ISO IEC 27002 (17799) lists all the bits and pieces that
combine to make
an ISMS. It presents a detailed list of
security management practices. ISO IEC 27001 asks
you to select only
those practices that address your security risks and requirements.
The information security management practices
ISO IEC 27002 are organized in the following way:
Security Objectives (for ISO IEC 27001)
Security Controls (for ISO IEC 27001)
ISO IEC 27001 asks you to select the
Security Objectives and
(1 and 2 above) that
address your unique security risks and requirements,
and then to use this
information to prepare what is called a
Applicability. This Statement of Applicability is, in turn, used to
Risk Treatment Plan. Once you've implemented this
established an ISMS, one that meets your organization's unique
information security needs and requirements.
Fortunately, the ISO IEC 27002 (17799) Security
Objectives and Security
Controls are included with the ISO IEC 27001 standard
(and our Title 35),
so you don't have to purchase
ISO IEC 27002 (17799) in order to
your ISMS. However, if you also want to get additional detailed
implementation guidance (item 3 above) and other related information
(item 4), you will have to purchase ISO IEC 27002
(17799) or our Title 37.