What Comes First, the 27001 or the 27002 ISO Standards?

There is something quirky about the 27000 series of standards published by the International Organization for Standardization (ISO).

Perhaps it is presented deliberately this way as a lesson in due diligence. Perhaps it is just a random error. But the standards are in the wrong numerical order. Judging from our interactions with company IT organizations, this has sowed general and widespread confusion that should be addressed.

Namely, we have a lot of folks coming to us and telling us that they would like to be “27001 compliant.” Intuitively, this makes sense. You’d want to take care of the first in the series first (27001) and then move onto 27002.

Except, no.

Snatch the pebble from my hand, Grasshopper. You must take care of 27002 first. This is the key document standard for security-related IT issues. Creating a security policy, identifying bad guys, stopping them from accessing your network, those essential sorts of things that would be reckless for an organization of any size to ignore. Security 101, so to speak.

After mastering the 27002 standards, then and only then should your organization consider tackling 27001.

27001 is the management piece – who is managing what in your processes, developing continuous quality control – factors that are important for giant enterprises with a lot of people and departments to manage. This is more like Management 101, and frankly, a lot of it is intuitive. For smaller organizations with some management expertise (or just plain common sense), 27001 may be unnecessary.

Yes, it is is confusing. For example, 27001 has an appendix in it. It is called “27002.” Say what?

The bottom line is that an organization of any size interested in developing an IT security  program should align with requirements in 27002 first, and then they can think about the requirements in 27001 later.

Last comes first. Makes perfect sense. Not really, but that’s the way it is.