ISO/IEC 27002 - Certification

Certification

ISO/IEC 27002 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organization according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but it makes the standard itself unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes: there is no fixed set of requirements an auditor can test an organization against.

ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) is a widely recognized certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS, and lays out in Annex A a suite of information security controls (133 in the 2005 edition) that organizations are encouraged to adopt where appropriate within their ISMS. The controls in Annex A are derived from and aligned with ISO/IEC 27002, so an organization is certified against ISO/IEC 27001, with ISO/IEC 27002 serving as the implementation guidance for the controls it selects.

Security certification remains rare. No national bank in the US is ISO/IEC 27001 certified. Google Apps has been ISO/IEC 27001 certified by Ernst & Young CertifyPoint, receiving certification #2012-001 on May 28, 2012. Google "has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Google Apps for Business," specifically "GMail, Google Talk, Google Calendar, Google Docs (documents, spreadsheets, presentations), Google Sites, Google Control Panel (CPanel), Google Contacts, Google Video, Google Groups, Google Directory Sync," and Google's APIs for Provisioning, Single Sign On, Reporting and Audit.