Educause Security Discussion mailing list archives
Re: ISO27002 vs ISO27006
From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Mon, 15 Sep 2014 15:22:43 +0000
+1 to that. ISO 27001 is *the* recognized global standard for an ISMS. Here in the States it hasn’t been on the radar as much as in the rest of the world. With globalization, though, multi-nationals are now forcing their US business partners to comply with this standard, so the adoption of ISO 27001 is rapidly increasing here (for example, I easily do an order of magnitude more ISO 27001 work than I did just a few years ago). This trend will likely “bleed over” into HE over time, and one day this will be the standard in HE as well, instead of the current rather ad-hoc methods of managing information security.

Blake Penn
CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not necessarily reflect the opinions of Trustwave.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of TAMMY L. CLARK
Sent: Monday, September 15, 2014 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ISO27002 vs ISO27006

Correct—ISO 27006 is a standard which offers guidelines for the accreditation of organizations which offer certification and registration with respect to an ISMS. It is intended to be used along with ISO 27002 and ISO 27001 (the actual standard that organizations are certified against). ISO 27001 outlines how to develop an information security program (called an Information Security Management System in the ISO 27000 standards). ISO 27002, as you mentioned, along with Appendix A of ISO 27001, provides an overview of recommended controls/best practices. I would not use ISO 27006 as primary guidance personally, as I use ISO 27001 and 27002, in combination with NIST and other standards.

Regards,

Tammy L. Clark, CISSP, CISM, CISA, CRISC, PCIP, PMP
Chief Information Security Officer
The University of Tampa
East Walker Hall 133
401 W. Kennedy Blvd. | Box 1F
Tampa, FL 33606
Phone: 813.257.7522 | Fax: 813.257.8800

Office of Information Security (OIS)
East Walker Hall 127
Email: infosec () ut edu
Phone: 813.257.3950 | Fax: 813.257.8800
www.ut.edu

CONFIDENTIALITY NOTICE: If you have received this e-mail in error, please immediately notify the sender by reply email and delete this email from your files. This e-mail transmission, including any attachments, may contain information that is confidential or sensitive in nature. This information is intended only for the use of the individual(s) or entity to whom it is intended, even if addressed incorrectly. Thank you for complying.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Monday, September 15, 2014 7:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ISO27002 vs ISO27006

Good Morning,

I have a school (not Brandeis) that is using ISO27006 as the foundation for their Information Security Policy. I'm used to seeing IS policies based on ISO27002 or even the NIST 800 series. My understanding of ISO27006 is that it outlines the audit processes organizations should use to audit and certify their process, versus ISO27002, which is an actual suite of controls that should be considered. Does anyone have any feedback on this?

Thanks,
Dan

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Current thread:
- ISO27002 vs ISO27006 Dan Sarazen (Sep 15)
- Re: ISO27002 vs ISO27006 Jones, Dan J. (Sep 15)
- Re: ISO27002 vs ISO27006 TAMMY L. CLARK (Sep 15)
- Re: ISO27002 vs ISO27006 Blake Penn (Sep 15)