Expert Advice Community

Shall and should in ISO 27001 standard

Guest user, created: Sep 19, 2017, last commented: Sep 19, 2017

I have a query about the ISO 27001 standard and the way in which the controls in Annex A are worded differently from ISO 27002: "shall" in one and "should" in the other. Why is this?


Expert
Rhand Leal Sep 19, 2017

Answer: In the development of ISO standards, the word "shall" is related to requirements, which are mandatory to fulfil, while the word "should" is related to recommendations, the fulfilment of which is optional.

ISO 27001 provides requirements for the implementation of an ISMS, which must be fulfilled for certification (all controls in Annex A deemed applicable must be implemented). On the other hand, ISO 27002 was designed to be used as support to ISO 27001, or as a separate standard to support the implementation of security best practices, without enforcing them. That's why ISO 27002 replaces the word "shall" with "should" in the description of the control objectives.

This article provides further explanation of the differences between ISO 27001 and ISO 27002:

- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/