Educause Security Discussion mailing list archives
Re: ISO27002 vs ISO27006
From: "TAMMY L. CLARK" <TClark () UT EDU>
Date: Mon, 15 Sep 2014 15:03:10 +0000
Correct—ISO 27006 is a standard which offers guidelines for the accreditation of organizations which offer certification and registration with respect to an ISMS. It is intended to be used along with ISO 27002 and ISO 27001 (the actual standard that organizations are certified against). ISO 27001 outlines how to develop an information security program (called an Information Security Management System in the ISO 27000 standards). ISO 27002, as you mentioned, along with Annex A of ISO 27001, provides an overview of recommended controls/best practices.

I would not use ISO 27006 as primary guidance personally, as I use ISO 27001 and 27002, in combination with NIST and other standards.

Regards,

Tammy L. Clark, CISSP, CISM, CISA, CRISC, PCIP, PMP
Chief Information Security Officer
The University of Tampa
East Walker Hall 133
401 W. Kennedy Blvd. | Box 1F
Tampa, FL 33606
Phone: 813.257.7522 | Fax: 813.257.8800

Office of Information Security (OIS)
East Walker Hall 127
Email: infosec () ut edu
Phone: 813.257.3950 | Fax: 813.257.8800
www.ut.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Monday, September 15, 2014 7:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ISO27002 vs ISO27006

Good Morning,

I have a school (not Brandeis) that is using ISO27006 as the foundation for their Information Security Policy. I'm used to seeing IS policies based on ISO27002 or even the NIST 800 series.

My understanding of ISO27006 is that it outlines the audit processes organizations should use to audit and certify their process, versus ISO27002, which is an actual suite of controls that should be considered. Does anyone have any feedback on this?

Thanks,
Dan