Educause Security Discussion mailing list archives

Re: ISO27002 vs ISO27006


From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Mon, 15 Sep 2014 15:22:43 +0000

+1 to that.

ISO 27001 is *the* recognized global standard for an ISMS.  Here in the States it hasn’t been on the radar as much as 
in the rest of the world.  With globalization, though, multi-nationals are now forcing their US business partners to 
comply with this standard so the adoption of ISO 27001 is rapidly increasing here (for example, I easily do an order of 
magnitude more ISO 27001 work than I did just a few years ago).  This trend will likely “bleed over” into HE over time 
and one day this will be the standard in HE as well instead of the current rather ad-hoc methods of managing 
information security.


Blake Penn  CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not 
necessarily reflect the opinions of Trustwave.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of TAMMY L. 
CLARK
Sent: Monday, September 15, 2014 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ISO27002 vs ISO27006

Correct—ISO 27006 is a standard which offers guidelines for the accreditation of organizations which offer 
certification and registration with respect to an ISMS. It is intended to be used along with ISO 27002 and ISO 27001 
(the actual standard that organizations are certified against).  ISO 27001 outlines how to develop an information 
security program (called Information Security Management System in the ISO 27000 standards).  ISO 27002 as you 
mentioned, along with Appendix A of ISO 27001, provides an overview of recommended controls/best practices.  I would 
not use ISO 27006 as primary guidance personally, as I use ISO 27001 and 27002, in combination with NIST and other 
standards.

Regards,

Tammy L. Clark, CISSP, CISM, CISA, CRISC, PCIP, PMP
Chief Information Security Officer
The University of Tampa
East Walker Hall 133
401 W. Kennedy Blvd. | Box 1F
Tampa, FL 33606
Phone:  813.257.7522 | Fax:  813.257.8800

Office of Information Security (OIS)
East Walker Hall 127
Email:  infosec () ut edu<mailto:infosec () ut edu>
Phone:  813.257.3950 | Fax:  813.257.8800
www.ut.edu<http://www.ut.edu/>

CONFIDENTIALITY NOTICE:
If you have received this e-mail in error, please immediately notify the sender by reply email and delete this email 
from your files.  This e-mail transmission, including any attachments, may contain information that is confidential or 
sensitive in nature.  This information is intended only for the use of the individual(s) or entity to whom it is 
intended, even if addressed incorrectly.  Thank you for complying.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan 
Sarazen
Sent: Monday, September 15, 2014 7:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] ISO27002 vs ISO27006

Good Morning,

I have a school (Not Brandeis) that is using ISO27006 as the foundation for their Information Security Policy. I'm used 
to seeing IS policies based on ISO27002 or even the NIST 800 series. My understanding of ISO27006 is that it outlines 
the audit processes organizations should use to audit and certify their process, versus ISO27002 which is an actual 
suite of controls that should be considered.

Does anyone have any feedback on this?

Thanks

Dan

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under 
applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, 
distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If 
you received this transmission in error, please immediately contact the sender and destroy the material in its 
entirety, whether in electronic or hard copy format.
