ISO 27001 2005 vs ISO 27002 2005

ISO 27001 2005 and ISO 27002 2005 are now obsolete.

Please see the ISO 27001 2013 and ISO 27002 2013 Standards.

ISO IEC 27001 is an information security management standard.
Its purpose is to help organizations establish and maintain an
Information Security Management System (ISMS). It defines a set of
requirements that must be met if you want your ISMS to be certified.

ISO IEC 27001 is also an ISMS development methodology. It explains how
to create an ISMS. However, it doesn't tell you what kind of elements
should make up an ISMS. That's what ISO IEC 27002 2005 is all about.

ISO IEC 27002 (17799) lists all the bits and pieces that combine to make
up an ISMS. It presents a detailed list of generally accepted information
security management practices. ISO IEC 27001 asks you to select only
those practices that address your security risks and requirements.

The information security management practices that make
up ISO IEC 27002 are organized in the following way:

  1. Security Objectives (for ISO IEC 27001)

  2. Security Controls (for ISO IEC 27001)

  3. Implementation Guidance

  4. Other Information

ISO IEC 27001 asks you to select the Security Objectives and Controls
(1 and 2 above) that address your unique security risks and requirements,
and then to use this information to prepare what is called a Statement of
Applicability. This Statement of Applicability is, in turn, used to prepare a
detailed Risk Treatment Plan. Once you've implemented this Plan, you've
established an ISMS, one that meets your organization's unique
information security needs and requirements.

Fortunately, the ISO IEC 27002 (17799) Security Objectives and Security
Controls are included with the ISO IEC 27001 standard (and our Title 35),
so you don't have to purchase ISO IEC 27002 (17799) in order to build
your ISMS. However, if you also want to get additional detailed
implementation guidance (item 3 above) and other related information
(item 4), you will have to purchase ISO IEC 27002 (17799) or our Title 37.

ISO IEC 27001 and ISO IEC 27002 are Information Security Standards.


ISO IEC 27001 2013 Information Security Management Library

ISO IEC 27002 2013 Information Security Management Library

Updated on March 27, 2014. First published on May 15, 2006.


Praxiom Research Group Limited      780-461-4514


Copyright 2006 - 2014 by Praxiom Research Group Limited. All Rights Reserved.
