While ISO/IEC 27001 was being revised, the ISO/IEC 27002 code of practice for information security management was revised in parallel. The revised versions of both standards were released at the same time.
The changes to ISO/IEC 27002 included the deletion of some controls, the addition of some new controls and the modification of controls carried over from the previous edition. ISO/IEC 27023 is a guide that provides transition maps showing the high-level changes made between the 2005 and the 2013 editions of ISO/IEC 27002.
Conformance with ISO/IEC 27002
The term “conformance” is often misunderstood and is sometimes confused with, and used interchangeably with, the word “compliance.” The code of practice ISO/IEC 27002 takes the form of guidance and recommendations: its requirements are expressed as “should” statements, unlike ISO/IEC 27001, which uses “shall” statements. In the ISO technical sense of the term, as applied to a management system standard, ISO/IEC 27002 is therefore not a conformance assessment standard. Care needs to be taken to ensure that claims of conformance are not misleading.
Applying ISO/IEC 27002
ISO/IEC 27002 is primarily a catalogue of best practice controls from which users can select when deploying security management controls in their business environment, in order to achieve a baseline of best practice protection. When combined with ISO/IEC 27001, the two standards complement each other, providing organisations with a set of tools for managing information security risks (see Chapter 4 for the change in how Annex A of ISO/IEC 27001 is now used).
Of course, ISO/IEC 27002 can be used on its own, but doing so sits outside the risk-based management system processes specified in ISO/IEC 27001, which exist to facilitate the management of an effective information security system with a built-in programme for continually improving an organisation’s security status. Subsequent chapters in the book provide more detailed information on the use, implementation and application of ISO/IEC 27002.