If you’re preparing to build an information security management system, you’ve probably come across both ISO 27001 and ISO 27002.

Both are information security standards created by the International Organization for Standardization that explain how to create a robust ISMS. Both discuss the security controls that organizations can put in place to protect their data. 

So what’s the difference between the ISO 27001 and 27002 standards? 

While their purpose overlaps, each one has a different focus. 

  • ISO 27001 explains how companies can build a compliant ISMS, from scoping their system and developing policies to training staff. 
  • ISO 27002 focuses specifically on controls. It expands on ISO 27001’s Annex A overview to dive deep into the purpose, design, and implementation of each control. 

That’s the tl;dr version. 

But there is a lot more nuance to ISO 27001 vs 27002. 

In this post, we’ll cover the essential differences and explain when to use each standard.

What is ISO 27001?

ISO 27001 is a framework for information security. It outlines how to establish an information security management system (ISMS) to house sensitive data, including:

  • Scoping the ISMS
  • Conducting a gap analysis
  • Developing policies and controls
  • Creating documentation 
  • Training staff
  • Conducting internal audits
  • Completing a certification audit
  • Maintaining compliance through surveillance and recertification audits

Getting ISO 27001 certified is one way for companies to prove to customers their data will be safe. As an internationally respected standard, ISO 27001 is also one way for businesses to gain a competitive edge and expand into global markets. 

What is ISO 27002?

ISO 27002 outlines the specific controls organizations might choose to implement to build a compliant ISMS. 

The ISO 27001 standard includes Annex A, which briefly discusses specific information security controls a company can put in place to secure their ISMS. 

But while Annex A covers each control in a sentence or two, ISO 27002 goes into much more detail. It includes the objective for each control, how it works, and what companies can do to implement it successfully.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is what’s known as a management standard. Management standards explain how to run a system — in the case of ISO 27001, an information security management system. 

ISO 27002 is not a management standard. It’s a set of guidelines and security techniques. 

While you can complete an audit to become ISO 27001 certified, you can’t get an ISO 27002 certification.

There’s also a big difference in the level of detail each standard goes into. 

For example, the ISO 27001 standard explains how to implement an ISMS: the responsibilities of company management, how to set and measure objectives, how to carry out an internal audit, and the controls a company can put in place. 

But it doesn’t get into the nitty-gritty details of every single control. ISO 27002 does. 

Which ISO standard should you use and when?

Every standard from the ISO 27000 series has a specific purpose and focus. 

For ISO 27001, that focus is on building an ISMS. Implementing specific controls for that ISMS is the focus of ISO 27002. ISO 27005 is all about risk assessment and management. And so on. 

Use ISO 27001 requirements to guide how you design and build your ISMS to achieve compliance. Once you’ve identified which controls you’re going to implement, use ISO 27002 as a reference to learn the specifics of how each one works.

If you’re ready to start the journey to ISO 27001 certification, our compliance automation platform can simplify the entire process from start to finish. We’ll help you build a compliant ISMS, manage risk, close gaps, and get you 100% audit-ready in record time.