{"id":8705,"date":"2023-03-09T12:01:28","date_gmt":"2023-03-09T10:01:28","guid":{"rendered":"http:\/\/inprosec.com\/?p=8705"},"modified":"2024-05-16T13:34:24","modified_gmt":"2024-05-16T11:34:24","slug":"iso-27001-and-iso-27002-benefits-greatest-hits","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/iso-27001-and-iso-27002-benefits-greatest-hits\/","title":{"rendered":"ISO 27001 and ISO 27002: Benefits & greatest hits"},"content":{"rendered":"

Below we share an article by our CEO<\/strong> Iago Fortes<\/a> on the news and benefits of ISO 27001 and ISO 27002<\/strong>:<\/p>\n

I will not extend and try to make it interesting to write about something is my passion and which I consider key, regarding the organization and management of Information Security (or cybersecurity).<\/strong><\/p>\n

Despite there are a lot of frameworks and standards: NIST, CIS (SANS), VDA-ISA (TISAX), ENS, \u2026 I would say without hesitating that ISO 27k series has been the first and always the one I have liked the most, because of his global, standardized view and complementarity (with other standards and systems, such as Quality-ISO 9001,\u2026). Furthermore, some of the ones I have mentioned were born and are still based on ISO 27k.<\/p>\n

\u00bfWhat are ISO 27001 and ISO 27002?<\/strong><\/h2>\n

ISO 27001<\/strong> (requirements for an Information Security Management System – ISMS):<\/u> This standard is common and very similar<\/strong> (with only a few relevant diferences in 1-2 of the 10 sections of the standard) to any other Management System<\/strong> (ISO 9001: Quality, ISO 14001: Environment, ISO 50001: Energy, ISO 27701: Privacy), with the key exception of having a very important annex. Annex<\/strong> A refers to a set of IS controls, which precisely replicates the set contained on the following (ISO 27002).<\/p>\n

ISO\/IEC 27001:2022(en), Information security, cybersecurity and privacy protection \u2014 Information security management systems \u2014 Requirements<\/a><\/p>\n

ISO 27002<\/strong> (in the begining described as \u201cbest practices\u201d, now a set of \u201cInformation Security Controls\u201d): It is a generic set of controls with guidance and high-level recommendations for its design & implementation. If we seriously go for it, helps a lot to manage the controls lifecycle (management of the set of controls).<\/p>\n

I consider the following phases (or lifecycle) for a control (or set of controls):<\/p>\n