
ISO 27001 / 27002 Solutions

The ISO 27001 framework was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and exists to create an “Information Security Management System (ISMS)” (i.e., a comprehensive IT security program). ISO 27001 leverages the controls from ISO 27002 for the details of what goes into building a comprehensive IT security program (i.e., the ISMS).

Organizations can be certified against ISO 27001. The certification process demonstrates compliance with the standard, and achieving ISO/IEC 27001 certification signifies that the organization has implemented and maintains an effective ISMS.

We have several options to address your needs for ISO 27001 & 27002-based policies, standards & procedures (please click on the product for more specific information). Each option has its own combination of products, which can support you if your needs are just policies and standards, if you also need procedures, or if you are looking for near-turnkey documentation. If you have any questions, please email us at support@complianceforge.com and we can help answer your product-related questions.

Key Takeaways - ISO 27001/27002 Solutions
  • ISO 27001 specifies the requirements for an ISMS (certifiable). ISO 27002 provides the control guidance for implementing those requirements.
  • Widely recognized internationally. Essential for organizations with global operations, European clients, or those pursuing ISO certification.
  • ComplianceForge offers four tiers. Good (policies and standards), Better (plus procedures), Great (plus risk, IR, COOP), Awesome (comprehensive documentation).
  • All products are editable, customized with your logo, and delivered the same day in Word, Excel and PowerPoint formats.
  • ISO 27001 / 27002 documentation also maps to NIST CSF, NIST 800-53, and 200 plus other frameworks through the SCF.
Overview

ISO 27001 / ISO 27002 Solutions

ISO/IEC 27001 specifies how organizations should systematically manage sensitive information:

  • It outlines requirements for establishing, implementing, maintaining and improving an ISMS, including risk assessments, treatment plans and performance monitoring.
  • Annex A provides a comprehensive catalog of controls (aligned with risk treatment).
  • Certification involves third-party audits assessing compliance and system effectiveness.

ISO 27001 emphasizes continual improvement (through Plan-Do-Check-Act cycles), management commitment, a stakeholder approach and evidence-based risk treatment, making it a globally respected framework for demonstrating strong information security practices.

For a background on ISO 27001, the International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to cybersecurity, since a rebranding occurred in 2007 to migrate ISO’s IT security documents into the 27000 series of their documentation catalog (e.g., ISO 17799 was renamed and became ISO 27002). It is important to note that organizations cannot certify against ISO 27002, just ISO 27001.

When you look at it from a sliding scale of good, better, great or awesome, we have a few options to meet your needs and budget to align your company with ISO 27001 / 27002. The product names you see in the various packages below map into the matrix shown above, which shows how each package maps into ISO 27002.

$ 1,980.00 USD
Policies & Standards - ISO 27001 / 27002
This version of the Cybersecurity & Data Protection Program (CDPP) is based on the ISO 27001 / 27002 framework. It contains the necessary ISO 27001 / 27002 policies and standards that help achieve compliance. You get fully-editable Microsoft Word and Excel documents that you can customize for your specific needs.
Formats: Word, Excel, PowerPoint, PDF (Word and Excel examples available; see individual products for details).
$ 5,344.00 USD
PSP Bundle 2: ISO 27001 / 27002
This is a bundle that includes two (2) ComplianceForge products that are focused on operationalizing ISO 27001 / 27002.
Formats: Word, Excel, PowerPoint, PDF (Word and Excel examples available; see individual products for details).
What Problem Does ComplianceForge Solve?

Lack of In House Security Experience

Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers cybersecurity documentation solutions that can save your organization significant time and money!

Compliance Requirements

It is increasingly common for companies to use ISO 27001 / 27002 as the baseline for compliance expectations. Our products are designed with compliance in mind, since they focus on leading security frameworks to address reasonably-expected security requirements, such as ISO 27001 / 27002. Our Security, Compliance & Resilience Program (SCRP) and Cybersecurity & Data Protection Program (CDPP) map ISO 27001 / 27002 and other leading compliance frameworks so you can clearly see what is required!

Audit Failures

Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.  

Vendor Requirements

It is very common for clients and partners to request evidence of a security program and this includes policies and standards. Our documentation solutions provide this evidence!

How Does ComplianceForge Help?

Clear Solution To Problems

Clear Documentation

ComplianceForge provides comprehensive documentation that can prove your security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!

Time Savings

Our cybersecurity documentation can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.

Alignment With Leading Practices

Our documentation is mapped to the NIST CSF, as well as other leading security frameworks!

ISO 27001 vs ISO 27002

What is the Difference Between ISO 27001 and ISO 27002?

ISO 27001 and ISO 27002 are both international standards related to cybersecurity, where:

  • ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an “Information Security Management System (ISMS)”. An organization can obtain a certification for ISO 27001.
  • ISO 27002 contains detailed security controls that organizations can implement to meet the requirements of ISO 27001. ISO 27002 is not certifiable, but serves as a practical implementation reference for ISO 27001.

ISO 27001 Annex A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides the implementation guidance for those controls that is necessary to actually implement ISO 27001. Essentially, you cannot meet ISO 27001 in practice without implementing ISO 27002.