ISO/IEC 27001 and 27002
ISO/IEC 27001 and ISO/IEC 27002 are two complementary standards.

  • ISO/IEC 27001:2013 is a specification for an Information Security Management System (ISMS). An ISMS is the means by which top management monitors and controls the organisation's security, minimising residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. It forms part of an organisation's internal control system.

  • ISO/IEC 27002:2013 is a code of practice and can be regarded as a comprehensive catalogue of good security practices.


The Management Standard

ISO/IEC 27001:2013 instructs you how to build, operate, maintain and improve an ISMS. It is based on the new common structure for all management systems standards, which is gradually being adopted in other areas such as quality and environmental management. It requires you to select security controls based upon a risk assessment, and to consider all the controls defined in ISO/IEC 27002, the Code of Practice. That list is not exhaustive, and you are free to identify additional control objectives and controls as you see fit.

The Code of Practice

ISO/IEC 27002:2013 defines 114 security controls structured under 14 major headings to enable readers to identify the particular safeguards that are appropriate to their particular business or specific area of responsibility. These security controls contain further detailed advice resulting in somewhere in the region of 5000 elements of best practice.

Certification schemes

Certification schemes have been established in many parts of the world.

ISO/IEC 27006 provides guidance to National Accreditation Bodies for the accreditation of Certification Bodies wishing to assess ISMSs, e.g. against ISO/IEC 27001:2013. The various National Accreditation Bodies around the world operate a “mutual recognition” process that allows certificates awarded in one country to be accepted by the Accreditation Body of another.

In order to be awarded a certificate, your ISMS will be audited by an ISMS assessor. The assessor cannot also act as your consultant; there are very strict rules about this separation. The assessor will work for a Certification Body (such as BSI Assessment Services Limited or Det Norske Veritas).

The Certification Body will award you the certificate. The certificate will document the scope of your ISMS and other relevant details, such as the statement of applicability. Only Certification Bodies that have been duly accredited by a National Accreditation Body can issue certificates.

The assessor will return periodically to check that your ISMS is working as intended.

Obtaining the Standards

In order to buy a copy of the standards, please contact BSI Customer Services by telephone at (+44) 20 8996 7555 or electronically from https://eshop.bsi-global.com/.

Want to know more?

Buy the BSI book An introduction to ISO/IEC 27001:2013 by David Brewer, one of Gamma's co-founders.