ISO 27001 v ISO 27002 – the definitive guide

ISO27001 v ISO27002

Let us take a look at the differences between ISO 27001 and ISO 27002. Undoubtedly it can be confusing, but the answer is surprisingly simple and straightforward. I am Stuart Barker the ISO27001 Ninja and this is the difference between ISO27001 and ISO27002.


What is ISO27001

ISO 27001 is a management system and you can certify to ISO 27001.

What is ISO27002

ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.

ISO 27001 compared to ISO 27002

ISO 27001

A management system

Can certify to the standard

Mandatory requirements

Easy to implement

Satisfy it with ISO 27001 Templates

ISO 27002

A list of controls for you to pick from

Cannot certify to the standard

Optional requirements

Moderate to hard to implement

Templates won’t really help

What is ISO 27001 – a closer look

ISO 27001 is a management system. For the purpose of implementation it can be solved with an ISO 27001 toolkit. There is a bit of documentation to do, and most of it you won’t use day in, day out or come back to other than to pass the audit. Them’s the facts. There are aspects of it that become part of the day-to-day operation of the business, though. The biggest cost and time sink of having ISO 27001 is your continual internal audit. Be prepared for this and plan resources for it. The rest of it is low impact if done right.

What is ISO 27002 – a closer look

ISO 27002 is a set of controls that someone somewhere has deemed to be the most common best-practice controls for a business to implement. With this in mind, ours is not to reason why. Those controls are changing in 2022, and you can read about the changes in our ISO 27002 Changes Guide.

Your job is to review the list of 114 business controls and decide whether each is relevant to you. If it is, you implement a control to meet it. If it is not, you record in your Statement of Applicability why not. On the positive side, it is ok not to implement controls on the list, but the auditor wants a compelling reason why not.

The ISO 27002 controls cover all aspects of the business. With this in mind, it is a common mistake to assume this is an IT problem. Sadly, it is not. In truth it is a business-wide problem.

The art is to implement the controls to meet the control objectives, but to do it in a way that is proportionate to your business. Consequently, people often ask: what is the bare minimum I need to do? Good question. It is certainly an approach, and following it you will certainly pass an audit.


In conclusion, ISO 27001 is a management system you can certify to and ISO 27002 is a control set for you to consider for relevance and implement.
