ISO 27001 vs ISO 27002: Key Differences Every Auditor Should Know

Why Understanding the Difference Matters

Confused about ISO 27001 and ISO 27002? You’re not alone.

These two standards often travel together in conversations about information security, but mixing them up is like confusing a blueprint with a toolbox – both are essential, but they serve completely different purposes.

Whether you’re preparing for an audit, implementing security controls, or trying to make sense of compliance requirements, understanding how these standards work together (and how they don’t) can save you countless headaches.

In this guide, we’ll break down these standards in plain language – no security jargon overload, just practical insights you can actually use.

What is ISO 27001?

Think of ISO 27001 as your security blueprint. It outlines the overall structure and requirements for building a solid Information Security Management System (ISMS).

ISO 27001 answers the question: “What do we need to do to protect our information assets?”

In practical terms, ISO 27001:

• Provides the framework for establishing security policies
• Helps you identify and assess risks
• Defines management responsibilities
• Sets requirements for documentation and monitoring
• Creates a structure for continuous improvement

The beauty of ISO 27001 is that it gives you a systematic way to manage information security without dictating exactly how to implement each control. It’s the standard that organizations get certified against, making it a powerful way to demonstrate your security commitment to clients and partners.

What is ISO 27002?

While ISO 27001 gives you the “what,” ISO 27002 delivers the “how.”

ISO 27002 is your detailed implementation guide – the toolbox that helps you put ISO 27001’s requirements into practice. It provides in-depth explanations, examples, and best practices for security controls.

For example, when ISO 27001 says “implement access control,” ISO 27002 explains:

• Different approaches to access control
• How to develop access control policies
• Best practices for implementation
• Ways to monitor effectiveness

The latest version (ISO 27002:2022) contains 93 controls grouped under 4 themes: organizational, people, physical, and technological.

Remember: You don’t get certified against ISO 27002. It exists solely to help you implement the controls needed for ISO 27001 compliance.

ISO 27001 vs ISO 27002: The Core Differences

Let’s break down the key differences in a way that’s easy to grasp:

ISO 27001 vs ISO 27002 ComparisonData provided by Ahrefs

An easy way to remember the difference:

• ISO 27001 is the “what to do” document
• ISO 27002 is the “how to do it” guide

Annex A: The Bridge Between Standards

Annex A of ISO 27001 is where these two standards connect most directly.

Think of Annex A as a summary listing of controls – it provides the control names and brief descriptions, but not the full implementation details. For the complete picture, you turn to ISO 27002.

Here’s how it works in practice:

1. ISO 27001 requires you to select appropriate controls based on your risk assessment
2. You consult Annex A for the list of potential controls
3. You turn to ISO 27002 for detailed guidance on how to implement those controls

This relationship highlights why both standards are valuable – ISO 27001 ensures you’re addressing the right risks, while ISO 27002 helps you implement effective solutions.

2022 Updates: What Changed?

In 2022, both standards received significant updates to reflect evolving security challenges and modern technologies. Here’s what changed:

Control Reorganization

The most visible change was the reorganization of controls. The previous 14 domains were streamlined into 4 themes:

1. Organizational controls (37 controls)
2. People controls (8 controls)
3. Physical controls (14 controls)
4. Technological controls (34 controls)

Control Count Changes

The total number of controls was reduced from 114 to 93. This doesn’t mean controls were eliminated – rather:

• 57 controls were merged into 24
• 11 new controls were added
• 1 control was split into separate controls
• 58 controls had minor updates

New Controls Added

The 2022 update introduced 11 entirely new controls:

• Threat intelligence
• Information security for cloud services
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering
• Secure coding

New Attribute System

The 2022 version introduced a control attributes framework that helps organizations better understand each control’s purpose and relationship to other controls. This includes attributes like:

• Control type (preventive, detective, corrective)
• Information security properties (confidentiality, integrity, availability)
• Cybersecurity concepts
• Operational capabilities
• Security domains

These changes make the standards more relevant to today’s security challenges and easier to implement in modern environments.

Practical Implementation Guide

Wondering how to use these standards together in real life? Here’s a practical approach:

Step 1: Start with ISO 27001

Begin by establishing your ISMS framework:

• Define the scope of your information security program
• Conduct a thorough risk assessment
• Develop your information security policy
• Establish security objectives and metrics

Step 2: Select Controls Based on Risk

Use your risk assessment to identify which controls you need:

• Review the controls listed in ISO 27001 Annex A
• Select controls that address your specific risks
• Document your selections in a Statement of Applicability (SoA)
• Justify any controls you choose not to implement

Step 3: Implement Controls with ISO 27002

Now turn to ISO 27002 for implementation guidance:

• Review the detailed guidance for each selected control
• Customize implementation to fit your organization’s needs
• Document your implementation approach
• Train relevant staff on new processes

Step 4: Monitor and Review

Establish ongoing monitoring and review processes:

• Set up metrics to measure control effectiveness
• Conduct regular internal audits
• Review and update your ISMS as needed
• Prepare for external certification audits (if pursuing ISO 27001 certification)

Real-World Example

Let’s see how this works with a specific control:

Access Control Implementation

ISO 27001 Annex A might state: “A.9.2.3 Management of privileged access rights - The allocation and use of privileged access rights shall be restricted and controlled.”

ISO 27002 expands this with detailed guidance:

• Implement a formal authorization process for privileged access
• Limit privileged access to specific job functions
• Use time-limited privileges where possible
• Document and regularly review all privileged access
• Implement technical controls to prevent unauthorized elevation of privileges

By using both standards together, you get both the “what” and the “how” for effective implementation.

The ISO 27000 Family: Understanding the Bigger Picture

ISO 27001 and 27002 are just two parts of the larger ISO 27000 family, which includes over 60 standards for information security. Here’s how some key standards fit together:

• ISO 27000: Provides overview and vocabulary
• ISO 27001: Specifies ISMS requirements
• ISO 27002: Provides implementation guidance for controls
• ISO 27003: Offers implementation guidance for the ISMS
• ISO 27004: Covers monitoring, measurement, and analysis
• ISO 27005: Focuses on information security risk management

When implementing your ISMS, you might need to reference several of these standards for comprehensive guidance.

FAQ: Your Common Questions Answered

Can an organization be certified to ISO 27002?

No. Only ISO 27001 is a certification standard. ISO 27002 is a guidance document that supports ISO 27001 implementation.

Do I need to implement all controls from ISO 27002?

No. You should select controls based on your risk assessment. Not all controls will be relevant to every organization.

How often are these standards updated?

Major updates typically occur every 7-10 years, with minor amendments in between. The most recent major update was in 2022.

If I’m compliant with ISO 27001, am I automatically compliant with other standards like GDPR or HIPAA?

Not automatically, but there’s significant overlap. ISO 27001 provides a solid foundation that can support compliance with many other regulations and standards.

Do I need to purchase both standards?

For effective implementation, yes. While ISO 27001 is the certification standard, ISO 27002 provides crucial implementation guidance that makes the process much more straightforward.

Conclusion: Making Sense of It All

ISO 27001 and ISO 27002 are two sides of the same security coin—but with distinct roles. ISO 27001 lays the foundation by telling you what your information security management system needs, while ISO 27002 shows you how to implement the necessary controls effectively.

For security professionals, auditors, and compliance teams, understanding this relationship is crucial. By using these standards together, you create a more robust, comprehensive security program that not only meets certification requirements but genuinely protects your information assets.

The security landscape continues to evolve, with new threats emerging regularly. These standards provide a flexible framework that can adapt to changing circumstances while maintaining a consistent approach to information security.

Remember the key difference: ISO 27001 is your blueprint, ISO 27002 is your toolbox. You need both to build a secure organization.