Implementation guidance ISO 27002
Let me give an example: Based on our risk evaluation we have determined that control 9.4.2 Secure log-on procedures applies. In our Control Access Policy we have tried to follow the implementation guidance for control 9.4.2, as indicated in ISO/IEC 27002:2013, but we cannot comply with some requisites. Taking into account that the standard says that a good log-on procedure should, not that a good log-on procedure must, we think we are right.
Could we have a problem with the certification audit?
Answer:
You are right, ISO 27002 is not mandatory; it is only a guideline. You do not have to apply everything that is written in ISO 27002; you have to apply only what ISO 27001 requires of you.
Unfortunately, certification auditors sometimes look towards ISO 27002, but you can clear this up very easily with them - simply ask them whether they think ISO 27002 is mandatory or not.
This article will help you: ISO 27001 vs. ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Jan 12, 2016