Shall and should in ISO 27001 standard
Assign topic to the user
Answer: In the ISO standards development, the word "shall" is related to requirements, which are mandatory to be fulfilled, while the word "should" is related to recommendations, which fulfilling is optional.
ISO 27001 provides requirements for the implementation of an ISMS, which are mandatory to be fulfilled for certification (all controls in Annex A deemed as applicable must be implemented). On the other hand, ISO 27002 was designed to be used as support to ISO 27001, or as a separated standard to support the implementation of security best practices, without enforcing them. That's why ISO 27002 replaces the word "shall" by "should"in the description of the controls objectives.
This article will provide you further explanation about the differences between ISO 27001 and 27002:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Comment as guest or Sign in
Sep 19, 2017