background

ISO 27001 vs ISO 27002: What’s the Difference?

  • iso-27001angle-right
  • ISO 27001 vs ISO 27002: What’s the Difference?

If you’re preparing to build an information security management system, you’ve probably come across both ISO 27001 and ISO 27002. At first glance, the two standards can look confusingly similar.

Both are information security standards created jointly by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). Both are focused on information security. And both touch on the controls organizations can implement to safeguard data. 

So what’s the real difference between ISO 27001 and ISO 27002? 

While their purpose overlaps, each framework has a different focus. 

  • ISO 27001 explains how companies can build a compliant ISMS, from scoping their system and assessing risk to developing policies and training staff. 
  • ISO 27002 focuses specifically on controls. It expands on ISO 27001’s Annex A overview to dive deep into the purpose, design, and implementation guidance for each control. 

That’s the quick answer. But if you’re trying to decide which one to use or understand how they work together, it helps to look closer. Below, we’ll unpack what each standard covers, the differences between them, and how the 2022 updates changed things.

What is ISO/IEC 27001?

ISO 27001 is an international gold standard for information security and risk management. It outlines how to establish an information security management system (ISMS) to house sensitive information assets, including:

  • Scoping the ISMS
  • Conducting a gap analysis
  • Identifying and addressing vulnerabilities
  • Developing information security policies and procedures
  • Establishing access controls and asset management
  • Creating incident response and business continuity plans 
  • Training staff
  • Conducting internal audits
  • Completing a certification audit
  • Maintaining compliance through surveillance and recertification audits

Getting ISO 27001 certified is one way for companies to prove to customers, regulators, and partners that they take data protection seriously. It also helps businesses gain a competitive edge, particularly when expanding into global markets where ISO 27001 is widely recognized.

What is ISO 27002?

ISO 27002 works hand-in-hand with ISO 27001. Where ISO 27001 describes what organizations need to do to manage information security, ISO 27002 digs into how to do it.

Specifically, ISO 27002 provides detailed guidance on implementing the controls listed in Annex A of ISO 27001.

For example:

  • ISO 27001 might tell you to establish access controls.
  • ISO 27002 will explain the objectives of those controls, how they reduce risk, and practical considerations for putting them into place.

Think of ISO 27002 as the playbook that makes Annex A actionable.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is what’s known as a management standard. Management standards explain how to run a system — in the case of ISO 27001, an information security management system. 

ISO 27002 is not a management standard. It’s a set of information security management guidelines and security techniques. 

While you can complete an audit to become ISO 27001 certified, you can’t get an ISO 27002 certification.

There’s also a big difference in the level of detail each standard goes into. 

For example, the ISO 27001 standard explains how to implement an ISMS: the responsibilities of company management, how to set and measure objectives, how to carry out an internal audit, and the controls a company can put in place. But it doesn’t get into the nitty-gritty details of every single control. ISO 27002 does. 

What changed with ISO 27001:2022 and ISO 27002:2022?

In February 2022, ISO introduced updates to the ISO 27000 series, which included a new version of ISO 27001 and ISO 27002.

Here are the major updates you should know:

Fewer controls and streamlined structure

Annex A controls were reduced from 114 to 93. This wasn’t about eliminating requirements — instead, 57 controls were merged into 24, 11 new controls were added, and one was split into two. The remaining 58 were slightly reworded for clarity.

The 11 new controls include:

  • A.5.7: Threat intelligence
  • A.5.23: Information security for cloud services
  • A.5.30: ICT readiness for business continuity
  • A.7.4: Physical security monitoring
  • A.8.9: Configuration management
  • A.8.10: Information deletion
  • A.8.11: Data masking
  • A.8.12: Data leakage prevention
  • A.8.16: Monitoring activities
  • A.8.23: Web filtering
  • A.8.28: Secure coding

Updates to Annex A domains and control attributes

The updated version streamlines Annex A’s 14 domains into 4 broader thematic categories:

  • Clause 5: Organizational Controls (37 controls)
  • Clause 6: People Controls (8 controls)
  • Clause 7: Physical Controls (14 controls)
  • Clause 8: Technological Controls (34 controls)

ISO 27002:2022 also introduced control attributes, which are essentially new ways to classify and understand controls. Attributes include control type (preventive, detective, corrective), security property (confidentiality, integrity, availability), cybersecurity function (identify, protect, detect, respond, recover), operational capability, and security domain.

These updates make the framework more flexible and easier to apply to modern environments like cloud services, DevOps, and hybrid infrastructures.

Which ISO standard should you use and when?

The short answer? You’ll likely use both.

  • Use ISO 27001 to structure your ISMS, establish policies, assign responsibilities, and prepare for certification.
  • Use ISO 27002 to understand the specifics of each control you choose to implement within that ISMS.

Other related standards from the ISO 27000 series can also play a role. For instance, ISO 27005 focuses on risk management, while ISO 27701 adds privacy controls. Together, these build a complete information security and privacy program.

If you’re just getting started, begin with ISO 27001. Once you’ve mapped out your ISMS and chosen which controls are relevant, turn to ISO 27002 to implement them effectively.

ISO 27001 and ISO 27002 are two sides of the same coin. One gives you the framework for managing information security. The other provides detailed guidance on the controls that make it work.

By using both together, you’ll not only meet compliance requirements but also build a stronger, more resilient approach to protecting sensitive data.

If you’re ready to simplify the journey to ISO 27001 certification, our compliance automation platform can guide you from gap analysis to audit readiness. With built-in support for ISO standards, we help organizations save time, reduce complexity, and achieve certification faster.