Educause Security Discussion mailing list archives

Re: ISO27002 vs ISO27006


From: "Jones, Dan J." <djjones () WPI EDU>
Date: Mon, 15 Sep 2014 14:58:35 +0000

Dan,

ISO 27001 formally defines the mandatory requirements for the ISMS.

ISO 27002 is a code of practice (not a formal specification such as 27001).

ISO/IEC 27006 is the *accreditation standard* that guides auditors on the processes they must follow when auditing their clients' Information Security Management System (ISMS). The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited organizations are valid.

That said, my understanding is organizations should build out their ISMS per the requirements (27001), using 27002 as a guide code of practice.

The practical use for 27006 in building a foundation, IMO, would be as a guide for developing procedures that will satisfy the elements an auditor will be looking for, but not as a substitute for 27001.

Best
-Dan
___________________________
Dan Jones
Information Security Office
Worcester Polytechnic Institute

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Monday, September 15, 2014 7:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ISO27002 vs ISO27006

Good Morning,

I have a school (not Brandeis) that is using ISO27006 as the foundation for their Information Security Policy. I'm used to seeing IS policies based on ISO27002 or even the NIST 800 series. My understanding of ISO27006 is that it outlines the audit processes organizations should use to audit and certify their process, versus ISO27002, which is an actual suite of controls that should be considered.

Does anyone have any feedback on this?

Thanks

Dan