As the sophistication and frequency of information security attacks continue to increase, the number of organizations targeted by those attacks is also increasing, regardless of the organizations’ size, industry, location, or reputation. Hence, following an effective approach to information security governance has become unavoidable.
Organizations that rely only on incident response plans for addressing information security incidents are usually not successful in reducing these incidents and their impact. Instead, they should implement information security management systems (ISMSs) that integrate various policies, processes, procedures, and activities for ensuring and maintaining information security.
ISMSs enable the creation of standardized procedures to select and implement adequate information security controls and manage them effectively. An ISMS that is suitable to the organization’s mission and objectives helps in reducing the likelihood and impact of information security risks.
While ISO/IEC 27001 provides the requirements for establishing, implementing, maintaining, and improving an ISMS, ISO/IEC 27002 provides the controls for managing risks within that ISMS. These controls are based on internationally recognized best practices and can be implemented by organizations of all types and sizes.
https://pecb.com/whitepaper/isoiec-270022022--information-security-cybersecurity-and-privacy-protection