ISO 27001 vs ISO 27002

ISO 27001 v ISO 27002 – the definitive guide

Let us take a look at the differences between ISO 27001 v ISO 27002. Undoubtedly it can be confusing but the answer is surprising simple and straight forward.

ISO 27001 is a management system and you can certify to ISO 270001.

ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.

Stuart Barker - Director at High Table 2

ISO 27001 compared to ISO 27002

ISO 27001

A management system

Can certify to the standard

Mandatory requirements

Easy to implement

114 controls

Satisfy it with ISO 27001 Templates

ISO 27002

A list of controls for you to pick from

Cannot certify to the standard

Optional requirements

Moderate to hard to implement

114 controls

Templates won’t really help

What is ISO 27002 – a closer look

ISO 27002 is a set of controls that someone somewhere has deemed as the most common best practice controls for a business to implement. With this in mind, ours is not to reason why. Those controls are changing and in 2022 and at this point you can read about the changes in our ISO 27002 Changes Guide.

Your job is to review the list of 114 business controls and decide if they are relevant to you. In the event that they are, you implement a control to meet it. Of course if they are not then you record in your statement of applicability why not. On the positive side it is ok not to implement controls on the list, but the auditor wants a compelling reason why not.

The ISO 27002 Controls cover all aspects of the business. With this in mind it is a common mistake is to assume this is an IT problem. Sadly, it is not. In truth it is a business wide problem.

The art is to implement the controls to meet the control objectives but to do it proportionate to you. Consequently people often ask, what is the bare minimum I need to do? Good question. It is certainly an approach, and following it you will certainly pass an audit.

What is ISO 27001 – a closer look

ISO 27001 is a management system. For the purpose of implementation it can be solved with an ISO 27001 toolkit. There is a bit of documentation to do and most of it you won’t use day in day out or come back to other than to pass the audit. Them’s the facts. There are aspects of it that become part of the day to day operation of the business though. The biggest cost and time sync of having ISO 27001 is your continual internal audit. Be prepared for this and plan resources for it. The rest of it is low impact if done right.


In conclusion, ISO 27001 is a management system you can certify to and ISO 27002 is a control set for you to consider for relevance and implement.

ISO 27001 Certification

ISO 27001 Templates Toolkit: Business Edition

ISO 27001 Policy Templates: Professional Edition

Shopping Cart