If you’re preparing to build an information security management system, you’ve probably come across both ISO 27001 and ISO 27002.
Both are information security standards created jointly by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) that explain how to create a robust ISMS. Both discuss the cybersecurity controls that organizations can put in place to protect their data.
So what’s the difference between the ISO 27001 and 27002 standards?
While their purpose overlaps, each framework has a different focus.
- ISO 27001 explains how companies can build a compliant ISMS, from scoping their system and assessing risk to developing policies and training staff.
- ISO 27002 focuses specifically on controls. It expands on ISO 27001’s Annex A overview to dive deep into the purpose, design, and implementation guidance for each control.
That’s the tl;dr version.
But there is a lot more nuance to ISO 27001 vs 27002.
Below, we’ll cover the essential differences and explain when to use each standard.
What is ISO/IEC 27001?
ISO 27001 is an international standard for information security and risk management. It outlines how to establish an information security management system (ISMS) that protects sensitive information assets, covering steps such as:
- Scoping the ISMS
- Conducting a gap analysis
- Addressing vulnerabilities
- Developing information security policies and security practices
- Establishing access controls and asset management
- Creating incident response and business continuity management plans
- Training staff
- Conducting internal audits
- Completing a certification audit
- Maintaining compliance through surveillance and recertification audits
Getting ISO 27001 certified is one way for companies to prove to customers and other stakeholders that their data will be safe. As an internationally respected standard, ISO 27001 is also one way for businesses to gain a competitive edge and expand into global markets through a strong security posture.
What is ISO 27002?
The ISO 27002 standard complements ISO 27001. It outlines the specific controls organizations might choose to implement to build a compliant ISMS.
The ISO 27001 standard includes Annex A, which briefly discusses specific information security controls a company can put in place to secure their ISMS.
But while Annex A covers each control in a sentence or two, ISO 27002 goes into much more detail. It includes each control objective, how it works, and what companies can do to implement it successfully.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is what’s known as a management standard. Management standards explain how to run a system — in the case of ISO 27001, an information security management system.
ISO 27002 is not a management standard. It’s a set of information security management guidelines and security techniques.
While you can complete an audit to become ISO 27001 certified, you can’t get an ISO 27002 certification.
There’s also a big difference in the level of detail each standard goes into.
For example, the ISO 27001 standard explains how to implement an ISMS: the responsibilities of company management, how to set and measure objectives, how to carry out an internal audit, and the controls a company can put in place. But it doesn’t get into the nitty-gritty details of every single control. ISO 27002 does.
What changed with ISO 27001:2022 and ISO 27002:2022?
In February 2022, ISO introduced updates to the ISO 27000 series, which included a new version of ISO 27001 and ISO 27002. Here are the major updates you should know:
Fewer controls and streamlined structure
One of the most significant updates is the reduction of Annex A controls from 114 to 93. This doesn’t mean any controls were eliminated — instead, 57 existing controls were combined into 24, 11 new ones were added, and one was split into separate controls. The remaining 58 underwent only minor contextual adjustments.
The 2022 version introduces 11 entirely new controls that weren’t included in ISO/IEC 27002:2013. These are:
- A.5.7: Threat intelligence
- A.5.23: Information security for cloud services
- A.5.30: ICT readiness for business continuity
- A.7.4: Physical security monitoring
- A.8.9: Configuration management
- A.8.10: Information deletion
- A.8.11: Data masking
- A.8.12: Data leakage prevention
- A.8.16: Monitoring activities
- A.8.23: Web filtering
- A.8.28: Secure coding
Updates to Annex A domains and control attributes
The updated version streamlines Annex A’s 14 domains into 4 broader thematic categories:
- Clause 5: Organizational Controls (37 controls)
- Clause 6: People Controls (8 controls)
- Clause 7: Physical Controls (14 controls)
- Clause 8: Technological Controls (34 controls)
ISO 27002:2022 also introduces a new framework for categorizing and understanding controls through attributes. These attributes provide additional context, helping organizations identify which controls are relevant and how they fit into their overall risk management and mitigation efforts.
The five attribute categories include:
- Control types describe how a control influences risk treatment. Controls can be preventive (before a threat occurs), detective (as the threat occurs), or corrective (after the threat occurs).
- Information security properties identify which aspect of information security the control safeguards: confidentiality, integrity, or availability.
- Cybersecurity properties align the control with cybersecurity functions outlined in ISO/IEC TS 27110: identify, protect, detect, respond, or recover.
- Operational capabilities indicate the control’s role within the organization’s information security operations, such as:
  - Application security
  - Network security
  - Supplier relationships
  - Asset management
  - Access management and authentication
  - Secure configuration and cryptography
  - Human resource security
  - Information security incident management
- Security domains define the cybersecurity concepts or focus tied to each control: governance and ecosystem, data protection, defense, or operational resilience.
These updates make the framework more adaptable and user-friendly, allowing organizations to customize it based on their specific information systems while implementing information security best practices.
Which ISO standard should you use and when?
Every standard from the ISO 27000 series has a specific purpose and focus.
For ISO 27001, that focus is on building an ISMS. Implementing specific controls for that ISMS is the focus of ISO 27002. ISO 27005 is all about risk assessment and management. And so on.
Use ISO 27001 requirements to guide how you design and build your ISMS to achieve compliance. Once you’ve identified which controls you’re going to implement, use ISO 27002 as a reference to learn the specifics of how each one works.
If you’re ready to start the journey to ISO 27001 certification, our compliance automation platform can simplify the entire process from start to finish. We’ll help you build a compliant ISMS, manage information security risks, close gaps, and get you 100% audit-ready in record time.