ISO 27001 and ISO 27002 are cybersecurity framework standards that businesses use to improve their cyber strategy and better manage and minimize business risk. (ISO 27001 and ISO 27002 are also referred to as ISO/IEC 27001 and ISO/IEC 27002.) The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are essential standards organizations. ISO covers standards in most fields except electrical and electronic engineering, which is instead the domain of the IEC. Work within information technology is carried out by a joint ISO/IEC technical committee.
ISO is an international standard-setting body that consists of representatives from 164 national standards organizations around the globe. In addition, ISO includes subject matter experts (SMEs) who develop standards that support global product development and safety initiatives. As a result, ISO standards promote quality, safety, and efficiency, and facilitate international trade.
Both ISO and IEC sponsor the ISO/IEC joint technical committee JTC 1. The goal of this committee is to specify, maintain and promote standards in the field of information technology. The JTC 1 committee developed both the ISO 27001 and ISO 27002 standards.
The ISO 27001 framework includes processes and policies that enable an enterprise to manage information and cybersecurity to lower risk and reduce vulnerability. ISO 27001 defines and specifies best practices to implement an Information Security Management System (ISMS). An ISMS is the set of processes that an organization can use to manage its information security risks more successfully. The ISMS is a comprehensive and complete framework for cybersecurity. The ISMS allows an enterprise to adapt to the changing cyber threat environment by identifying and mitigating new vulnerabilities and minimizing the potential adverse impact.
ISO 27001 Organization
ISO 27001 consists of 14 security control clauses. Together, these clauses contain 35 main security categories and 114 controls. A security control defines the goals and the specific rules used to achieve the control objective.
The specification includes sections which are as follows:
Annex A is generally structured by clause, then by the categories inside each clause, and then lists the controls within each clause. This structure includes 114 ISO 27001 Annex A controls distributed across 14 categories.
ISO/IEC 27002 goes deeper into best practices and gives an overview of planning and implementing information security. Specific security controls are optional. ISO 27002 consists of 19 sections, which are numbered 0 through 18.
Other Complementary Cybersecurity and Information Technology Frameworks
There are other cybersecurity and information technology management frameworks and standards. These include: