ISO 27001 vs ISO 27002: A Comparison

Cybersecurity is an ever‑present threat in today’s digital environment. Implementing an Information Security Management System (ISMS) can help organisations identify, manage and reduce information security risks. However, for some businesses, information security management may be unfamiliar territory. In such cases, guidance from internationally recognised standards such as ISO/IEC 27001 (Information Security Management) and ISO/IEC 27002 (Information Security Controls) can be invaluable. Both standards form part of the ISO/IEC 27000 family and are designed to help organisations protect their information assets effectively.

Before comparing the two standards, it is important to clarify their correct titles. Although they are commonly referred to as ISO 27001 and ISO 27002, both standards are jointly developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). As such, their formal and correct titles are ISO/IEC 27001 and ISO/IEC 27002.

Despite this, the shortened names remain widely used in practice. Understanding the differences between ISO/IEC 27001 and ISO/IEC 27002 is essential for selecting and implementing the most appropriate information security management practices for an organisation.

What is ISO/IEC 27001?

To address increasing information security threats and comply with national or regional regulatory requirements, organisations are strongly advised to implement an Information Security Management System (ISMS). ISO/IEC 27001 is the world’s most widely recognised international standard for establishing, implementing and continually improving an ISMS. The benefits of ISO/IEC 27001 extend beyond compliance: it helps organisations define information security policies, objectives and processes, understand and manage significant information security risks, implement appropriate controls, and set measurable objectives to continually enhance the protection of information.

The standard takes a comprehensive approach to information security. Assets requiring protection extend beyond digital data to include paper‑based information, physical assets such as IT systems and networks, and the knowledge and expertise of employees. Likewise, the risks addressed range from staff competence and awareness to technical safeguards against cybercrime and fraud.

ISO/IEC 27001 is also designed to be compatible and aligned with other recognised management system standards, making it well suited for integration into existing management systems and business processes, even across different operational areas.


What is ISO 27002?

A key part of implementing an Information Security Management System (ISMS) is understanding the threats and risks that could affect information security. ISO/IEC 27001 requires organisations to identify these risks and select appropriate controls to address them. For small and medium‑sized businesses, particularly where in‑house IT expertise is limited, this can be a daunting task. Even in larger organisations with dedicated IT departments, the full range of potential risks may not always be immediately apparent.

To support this process, ISO/IEC 27001 includes Annex A, which provides a list of 93 information security controls that an organisation may consider when treating identified risks. However, Annex A offers limited guidance on how these controls should be implemented in practice.

ISO/IEC 27002 serves as a complementary guidance standard to ISO/IEC 27001. It expands on the controls listed in Annex A by describing each one in greater detail and providing a practical code of practice for information security controls. The standard offers guidance and general principles for establishing, implementing, maintaining and continually improving information security management within an organisation.

What's the difference between ISO 27001 and ISO 27002?

The key difference between ISO/IEC 27001 and ISO/IEC 27002 lies in their purpose and application. ISO/IEC 27001 is a certifiable standard that defines the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Organisations that achieve ISO/IEC 27001 certification can clearly demonstrate to stakeholders that information security is taken seriously. This helps to build trust with customers and business partners, while also providing assurance to regulators that statutory and regulatory requirements are being met.

By contrast, ISO/IEC 27002 is not a certifiable standard. Instead, it serves as a comprehensive guidance document that outlines best practices for information security controls to be considered as part of an organisation’s ISMS. It provides detailed guidance on a wide range of cybersecurity topics, including access control, cryptography, human resource security and incident management. By applying the guidelines in ISO/IEC 27002, organisations can adopt a proactive approach to managing cybersecurity risks and better protect critical information from unauthorised access, misuse and loss.

When should businesses use each standard?

ISO/IEC 27001 is intended for organisations seeking to establish a formal Information Security Management System (ISMS) and achieve independent third‑party certification to demonstrate compliance with recognised information security best practice. In many sectors, certification can act as a ‘ticket to trade’, as customers and stakeholders increasingly expect organisations to safeguard sensitive and personal data. In addition, ISO/IEC 27001 supports business protection by helping to strengthen resilience and support business continuity planning.

ISO/IEC 27002 is best used as a reference standard for selecting and implementing appropriate information security controls in line with the requirements of ISO/IEC 27001. It is particularly valuable for organisations looking to enhance their information security practices without necessarily pursuing certification. Even where ISO/IEC 27001 certification is not the goal, applying the controls outlined in ISO/IEC 27002 can significantly improve protection against cyber threats.

Both standards are regularly updated to reflect emerging technologies, evolving threats and changing regulatory and business demands in the fast‑moving field of information security.
