Educause Security Discussion mailing list archives
Re: ISO27002 vs ISO27006
From: "Jones, Dan J." <djjones () WPI EDU>
Date: Mon, 15 Sep 2014 14:58:35 +0000
Dan,

ISO 27001 formally defines the mandatory requirements for the ISMS. ISO 27002 is a code of practice (not a formal specification such as 27001). ISO/IEC 27006 is the *accreditation standard* that guides auditors on the processes they must follow when auditing their clients' Information Security Management System (ISMS). The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited organizations are valid.

That said, my understanding is organizations should build out their ISMS per the requirements (27001), using 27002 as a guide (code of practice). The practical use for 27006 in building a foundation, IMO, would be as a guide for developing procedures that will satisfy the elements an auditor will be looking for, but not as a substitute for 27001.

Best
-Dan
___________________________
Dan Jones
Information Security Office
Worcester Polytechnic Institute

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Monday, September 15, 2014 7:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ISO27002 vs ISO27006

Good Morning,

I have a school (not Brandeis) that is using ISO27006 as the foundation for their Information Security Policy. I'm used to seeing IS policies based on ISO27002 or even the NIST 800 series. My understanding of ISO27006 is that it outlines the audit processes organizations should use to audit and certify their process, versus ISO27002, which is an actual suite of controls that should be considered. Does anyone have any feedback on this?

Thanks
Dan
Current thread:
- ISO27002 vs ISO27006 Dan Sarazen (Sep 15)
- Re: ISO27002 vs ISO27006 Jones, Dan J. (Sep 15)
- Re: ISO27002 vs ISO27006 TAMMY L. CLARK (Sep 15)
- Re: ISO27002 vs ISO27006 Blake Penn (Sep 15)