Educause Security Discussion mailing list archives

Re: ISO27002 vs ISO27006


From: "TAMMY L. CLARK" <TClark () UT EDU>
Date: Mon, 15 Sep 2014 15:03:10 +0000

Correct—ISO 27006 is a standard which offers guidelines for the accreditation of organizations which offer 
certification and registration with respect to an ISMS. It is intended to be used along with ISO 27002 and ISO 27001 
(the actual standard that organizations are certified against).  ISO 27001 outlines how to develop an information 
security program (called Information Security Management System in the ISO 27000 standards).  ISO 27002 as you 
mentioned, along with Appendix A of ISO 27001, provides an overview of recommended controls/best practices.  I would 
not use ISO 27006 as primary guidance personally, as I use ISO 27001 and 27002, in combination with NIST and other 
standards.

Regards,

Tammy L. Clark, CISSP, CISM, CISA, CRISC, PCIP, PMP
Chief Information Security Officer
The University of Tampa
East Walker Hall 133
401 W. Kennedy Blvd. | Box 1F
Tampa, FL 33606
Phone:  813.257.7522 | Fax:  813.257.8800

Office of Information Security (OIS)
East Walker Hall 127
Email:  infosec () ut edu
Phone:  813.257.3950 | Fax:  813.257.8800
www.ut.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Monday, September 15, 2014 7:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ISO27002 vs ISO27006

Good Morning,

I have a school (Not Brandeis) that is using ISO27006 as the foundation for their Information Security Policy. I'm used 
to seeing IS policies based on ISO27002 or even the NIST 800 series. My understanding of ISO27006 is that it outlines 
the audit processes organizations should use to audit and certify their process, versus ISO27002 which is an actual 
suite of controls that should be considered.

Does anyone have any feedback on this?

Thanks

Dan
