CHAPTER 3: SPECIFICATION VS CODE OF PRACTICE

ISO/IEC 27001:2013 is a specification for an information security management system. It uses words like ‘shall’. It sets out requirements. It is the specification against which first-, second- and third-party audits can be carried out.

A first-party audit is an audit of an organisation’s own practices that is carried out by that organisation. A second-party audit is carried out by a partner organisation, usually pursuant to a commercial relationship of some description. A third-party audit is one carried out by an independent third party, such as a certification body or external auditor.

A code of practice or a set of guidelines uses words like ‘should’ and ‘may’, allowing individual organisations ...

Get ISO27001/ISO27002 A Pocket Guide, 2nd edition now with the O’Reilly learning platform.