ISO 27001 vs ISO 27002: The difference explained simply


What is the difference between ISO 27001 and ISO 27002?

In this article we look at the differences between ISO 27001 and ISO 27002.

Specifically we are looking at the difference between ISO 27001:2022 and ISO 27002:2022 although the comparison holds for all versions of the standards.

Undoubtedly it can be confusing, but the answer is surprisingly simple and straightforward.

I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001 vs ISO 27002.

What is ISO 27001?

ISO 27001 is a management system. For implementation purposes much of it can be addressed with an ISO 27001 toolkit. There is a fair amount of documentation to produce, and most of it you won't use day in, day out or come back to other than to pass the audit. Them's the facts. There are aspects of it that do become part of the day to day operation of the business though. The biggest cost and time sink of having ISO 27001 is your continual internal audit. Be prepared for this and plan resources for it. The rest of it is low impact if done right.

What is ISO 27002?

ISO 27002 is a set of controls that someone somewhere has deemed to be the most common best practice controls for a business to implement. With this in mind, ours is not to reason why. Those controls changed in 2022 (the 2022 edition reorganises them into four themes: organisational, people, physical and technological) and you can read about the changes in our ISO 27002 Changes Guide.

Your job is to review the list of controls and decide whether each is relevant to you. If it is, you implement a control to meet it. If it is not, you record in your Statement of Applicability why not. It is perfectly acceptable not to implement controls on the list, but the auditor wants a compelling, risk-based reason why not.

The ISO 27002 controls cover all aspects of the business. With this in mind, it is a common mistake to assume this is an IT problem. Sadly, it is not. In truth it is a business-wide problem: controls on HR screening, supplier contracts, physical security and legal compliance sit alongside the technology ones.

The art is to implement the controls to meet the control objectives, but to do it proportionate to you. Consequently people often ask, what is the bare minimum I need to do? Good question. It is certainly an approach, and done properly it will get you through an audit.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the international standard for information security management systems, and ISO 27002 is a supporting standard that gives guidance on how the information security controls can be implemented. You can certify to ISO 27001 and get an ISO 27001 certification, but you cannot certify to ISO 27002.

A key consideration when implementing an ISMS is that not all information security controls in ISO 27002 will apply to your organisation.

ISO 27001 makes that clear. It specifically requires you to conduct a risk assessment to identify and prioritise information security risks. Based on those risks and the needs of the business you pick the controls that treat them, and ISO 27001 then has you compare your chosen controls against the list in its Annex A (which mirrors the ISO 27002 control set) to check nothing necessary has been overlooked, recording the outcome in your Statement of Applicability. ISO 27002 does not describe this selection process; it just presents a list of controls with guidance on each. So the danger is that if you take ISO 27002 in isolation it is practically impossible to work out which controls you should adopt.
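To make the risk-to-control step concrete, here is a small added example, not code from the original article, that builds a Statement of Applicability from a risk register and flags the two things an auditor will pick up on: a control that is neither linked to a risk nor justified as not applicable, and a control declared not applicable while a risk treatment still relies on it. The control identifiers are the Annex A / ISO 27002:2022 numbers used on this page; the catalogue subset, risk register and exclusion list are constructed sample data.

```python
"""Added example: derive a Statement of Applicability (SoA) from a risk register.

Not part of the original article. Control identifiers match ISO 27001:2022
Annex A / ISO 27002:2022; the catalogue subset, risks and exclusions below are
constructed sample data for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed subset of the control catalogue (identifier -> control name).
CONTROLS: dict[str, str] = {
    "5.7": "Threat intelligence",
    "8.4": "Access to source code",
    "8.7": "Protection against malware",
    "8.15": "Logging",
    "8.23": "Web filtering",
    "8.24": "Use of cryptography",
}


@dataclass
class Risk:
    risk_id: str
    description: str
    treating_controls: list[str]  # Annex A identifiers chosen in risk treatment


@dataclass
class SoaEntry:
    control_id: str
    name: str
    applicable: bool
    justification: str
    risks: list[str] = field(default_factory=list)  # risks this control treats


def build_soa(risks: list[Risk], exclusions: dict[str, str]) -> tuple[dict[str, SoaEntry], list[str]]:
    """Return (SoA entries keyed by control id, list of audit issues).

    exclusions maps a control id to the written justification for declaring
    it not applicable. Every catalogue control ends up in the SoA either as
    applicable (linked to at least one risk) or not applicable (justified);
    anything else is reported as an issue rather than silently accepted.
    """
    entries: dict[str, SoaEntry] = {}
    issues: list[str] = []

    for cid, name in CONTROLS.items():
        linked = [r.risk_id for r in risks if cid in r.treating_controls]
        if linked:
            if cid in exclusions:
                # Excluding a control your own treatment plan depends on is a contradiction.
                issues.append(f"{cid} {name}: excluded but relied on by {', '.join(linked)}")
            entries[cid] = SoaEntry(cid, name, True, "Selected by risk treatment", linked)
        elif cid in exclusions:
            entries[cid] = SoaEntry(cid, name, False, exclusions[cid])
        else:
            # Neither chosen nor justified away: the auditor will ask why.
            issues.append(f"{cid} {name}: no linked risk and no exclusion justification")
            entries[cid] = SoaEntry(cid, name, False, "")

    # Risk treatments that point at controls the catalogue does not contain.
    for r in risks:
        for cid in r.treating_controls:
            if cid not in CONTROLS:
                issues.append(f"{r.risk_id}: references unknown control {cid}")

    return entries, issues


def soa_rows(entries: dict[str, SoaEntry]) -> list[str]:
    """Render the SoA as plain-text rows, one per control."""
    rows = []
    for e in entries.values():
        status = "Applicable" if e.applicable else "Not applicable"
        why = e.justification or "MISSING JUSTIFICATION"
        rows.append(f"{e.control_id:<5} {e.name:<30} {status:<15} {why} {e.risks or ''}".rstrip())
    return rows


# Constructed risk register and exclusion list (hypothetical organisation).
RISKS = [
    Risk("R-01", "Ransomware on staff laptops", ["8.7", "8.15"]),
    Risk("R-02", "Customer data intercepted in transit", ["8.24"]),
    Risk("R-03", "Staff browsing to malicious sites", ["8.23", "8.7"]),
]
EXCLUSIONS = {
    "8.4": "No in-house software development; no source code is held",
}


def example() -> tuple[dict[str, SoaEntry], list[str]]:
    """Run the constructed data through build_soa (used by the usage below)."""
    return build_soa(RISKS, EXCLUSIONS)


if __name__ == "__main__":
    entries, issues = example()
    print("\n".join(soa_rows(entries)))
    print("\nIssues for review:")
    for issue in issues:
        print(" -", issue)
```

With the sample data, 8.7, 8.15, 8.23 and 8.24 come out as applicable with their linked risks, 8.4 is not applicable with the recorded justification, and 5.7 Threat intelligence is reported as an issue because nobody linked a risk to it or wrote down why it does not apply, which is exactly the gap an auditor reading the SoA will ask about.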

When should you use each standard?

You use ISO 27001 to build your information security management system (ISMS), and once you have identified your risks and business requirements you use ISO 27002 to select the appropriate controls and review the implementation guidance for each.

ISO 27001 and ISO 27002 have different objectives and as such they will be helpful in different circumstances.

Organisations often start with technical controls, and for that ISO 27002 is the place to look as it provides specific implementation guidance.

If you are starting out and planning your information security management system (ISMS), then you would start with ISO 27001.

Ideally you start with ISO 27001, identify the controls you need, then implement the controls following the guidance. But we are realists and appreciate that organisations often come at this the other way round. Neither answer is wrong; it is just that the cost and hassle will be greater if you do it back to front, because controls implemented before the risk assessment may turn out to be unnecessary, or insufficient for the risks you later identify.

ISO 27001 is 14 pages long

ISO 27001 is not a detailed standard. It is very light on detail in fact. Rather, it sets out the requirements at a high level and leaves the how to you. That is why we recommend the Ultimate ISO 27001 Toolkit, which is ready to go and takes the guesswork out of the implementation.


ISO 27002 is guidance not a checklist

ISO 27002 provides guidance on how to implement controls, but it is only guidance. It is not a checklist or a tick-box sequence of requirements. How you implement a control is down to you. The standard shows you ways you could implement it, options to consider and guidance you could follow.

You cannot fail ISO 27001 based on an ISO 27002 Control

This is technically true: the certification audit is against ISO 27001, and ISO 27002 is guidance. The reality is less tidy. Once you declare an Annex A control applicable in your Statement of Applicability, the auditor will check that it is implemented and operating, and many auditors read the ISO 27002 guidance as the yardstick for what "operating" looks like. Auditors also interpret the requirements differently from one another. What is that you say? A standard that is not standard? That is correct.

ISO 27001 vs ISO 27002

ISO 27001 and ISO 27002 are both international standards for information security management. ISO 27001 is the certifiable standard: it sets out the mandatory requirements for implementing an information security management system (ISMS). ISO 27002 is a supporting standard that provides guidance on the controls that can be implemented as part of an ISMS.

Let us compare both standards side by side:

                     ISO 27001                              ISO 27002
What it is           A management system                    A list of controls for you to pick from
Certification        Can certify to the standard            Cannot certify to the standard
Requirements         Mandatory requirements                 Controls are optional, selected by risk and business need
Implementation       Easy to implement                      Moderate to hard to implement
Templates            Satisfy it with ISO 27001 Templates    Templates won't really help; the work is in the controls themselves

In Summary

ISO 27001

ISO 27001 is a management system and you can certify to ISO 27001.

ISO 27002

ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.

Conclusion

In conclusion, ISO 27001 is a management system you can certify to and ISO 27002 is a control set for you to consider for relevance and implement.

ISO 27001 vs ISO 27002 FAQ

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is a management system and you can certify to ISO 27001. ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.

Can I certify to ISO 27001?

Yes, you can certify to ISO 27001.

Can I certify to ISO 27002?

No, you cannot certify to ISO 27002. ISO 27002 is a list of controls with implementation guidance for you to consider as part of your overall security framework. Which controls you need is based on risk and business need and is recorded in your ISO 27001 Statement of Applicability.

Do I have to implement all of the controls in ISO 27002?

No. You choose the controls that you need based on risk and your business need, and you record a justification for any you exclude. You can also select other controls that are not contained in ISO 27002.

Is ISO 27001 better than ISO 27002?

There is no right or wrong answer to this as they serve different purposes. ISO 27001 is the management system and is required for ISO 27001 certification. ISO 27002 is the list of controls with implementation guidance that you choose from based on risk and business need. Each is as good as the other at its own job.

Do I need both ISO 27001 and ISO 27002 for an ISO 27001 certification?

Yes, in practice. Whilst you certify against ISO 27001, its Annex A reproduces the ISO 27002 control list and ISO 27001 requires you to compare your chosen controls against it. Most organisations find many of those controls apply to them, and ISO 27002 is where the guidance on implementing each one lives.

Is it possible to certify to ISO 27001 and not include ISO 27002?

Technically it is possible but extremely unlikely. You cannot skip the comparison against Annex A, so what you would actually be doing is justifying each control as not applicable and relying on controls from elsewhere. It would be more time, effort and cost to attempt to exclude ISO 27002 from your ISO 27001 certification than to use it.

Can I outsource the controls in ISO 27002?

Yes. You can outsource as many controls in ISO 27002 as is appropriate to your organisation. Accountability stays with you though: an outsourced control still appears in your Statement of Applicability, and you need evidence that the supplier is operating it, which is what the supplier relationship controls are there for.

Do I need to buy copies of ISO 27001 and ISO 27002?

Yes. You need your own licensed copies of each of the standards.

Which is more expensive, ISO 27001 or ISO 27002?

To purchase copies of the standards the costs are roughly the same. The cost of implementing each depends on how you go about it and what you include. It is difficult to predict, but in general and based on experience, implementing the ISO 27002 controls is more expensive than implementing the ISO 27001 management system itself.

Which is harder to implement, ISO 27001 or ISO 27002?

ISO 27002 is generally the harder of the two, as it is the implementation of controls into an organisation. This takes budget, resource, planning and project management, and how hard it is scales directly with the size and complexity of your organisation. ISO 27001 on the other hand is relatively straightforward to implement and is less affected by the size and complexity of your organisation.

How long will it take me to implement ISO 27001?

Typically you will implement ISO 27001 in around 3 months. It takes that long to implement the requirements, operate them and accumulate evidence that the management system is effective.

How long will it take me to implement ISO 27002?

Typically it will take you 3 to 12 months to implement the ISO 27002 controls. This comes down to how complex you are and how mature your existing processes are.

