LOGBOOK

HELP

Quiz Entry - updated: 2026.03.01

What is the difference between a normative and an informative standard in the ISO 27000 family?

Normative standards define mandatory requirements ("shall"), while informative standards provide guidelines and recommendations ("should").

Normative (Requirements) standards:

  • Use mandatory language ("shall")
  • Can be used as a basis for certification
  • Example: ISO 27001 — organizations can be certified against it
  • Also: ISO 27006 (Certification Body Requirements)

Informative (Guidelines) standards:

  • Use recommendatory language ("should")
  • Cannot be certified against directly
  • Provide best practices and guidance
  • Examples: ISO 27002, 27003, 27004, 27005, 27007

Why it matters: When your organization wants to prove its security posture to customers or regulators, you get certified against ISO 27001 (normative). The informative standards help you implement and improve, but they're not what auditors check you against.

From Quiz: ISM / Standards & Frameworks I (ISO, BSI) | Updated: Mar 01, 2026