Educause Security Discussion mailing list archives

ISO27002 vs ISO27006


From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Mon, 15 Sep 2014 07:23:13 -0400

Good Morning,

I have a school (not Brandeis) that is using ISO27006 as the foundation for
their Information Security Policy. I'm used to seeing IS policies based on
ISO27002 or even the NIST 800 series. My understanding of ISO27006 is that
it outlines the audit processes organizations should use to audit and
certify their process, versus ISO27002 which is an actual suite of controls
that should be considered.

Does anyone have any feedback on this?

Thanks

Dan