ISO 27001 vs ISO 27002: The difference explained simply


What is the difference between ISO 27001 and ISO 27002?

In this article we look at the differences between ISO 27001 and ISO 27002.

Specifically we are looking at the difference between ISO 27001:2022 and ISO 27002:2022 although the comparison holds for all versions of the standards.

Undoubtedly it can be confusing, but the answer is surprisingly simple and straightforward.

I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001 vs ISO 27002.

What is ISO 27001?

ISO 27001 is a management system. For the purpose of implementation it can be solved with an ISO 27001 toolkit. There is a bit of documentation to do and most of it you won’t use day in day out or come back to other than to pass the audit. Them’s the facts. There are aspects of it that become part of the day to day operation of the business though. The biggest cost and time sink of having ISO 27001 is your continual internal audit. Be prepared for this and plan resources for it. The rest of it is low impact if done right.

What is ISO 27002?

ISO 27002 is a set of controls that someone somewhere has deemed as the most common best practice controls for a business to implement. With this in mind, ours is not to reason why. Those controls changed in 2022 and you can read about the changes in our ISO 27002 Changes Guide.

Your job is to review the list of business controls and decide if they are relevant to you. In the event that they are, you implement a control to meet it. Of course if they are not then you record in your statement of applicability why not. On the positive side it is ok not to implement controls on the list, but the auditor wants a compelling reason why not.

The ISO 27002 controls cover all aspects of the business. With this in mind, it is a common mistake to assume this is an IT problem. Sadly, it is not. In truth it is a business-wide problem.

The art is to implement the controls to meet the control objectives but to do it proportionate to you. Consequently people often ask, what is the bare minimum I need to do? Good question. It is certainly an approach, and following it you will certainly pass an audit.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the standard for international information security management, and ISO 27002 is a supporting standard that guides how the information security controls can be implemented. You can certify to ISO 27001 and get an ISO 27001 certification but you cannot certify to ISO 27002.

A key consideration when implementing an ISMS is that not all information security controls in ISO 27002 will apply to your organisation.

ISO 27001 makes that clear. It specifically sets out that you conduct a risk assessment to identify and prioritise information security threats. Based on those threats and the needs of the business you would pick the controls from ISO 27002 that mitigate those risks. ISO 27002 does not mention this; it just presents a list of controls. So the danger here is that if you take ISO 27002 in isolation then it would be practically impossible to work out which controls you should adopt.

When should you use each standard?

You use ISO 27001 to build your information security management system (ISMS) and once you have identified your risks and business requirements you use ISO 27002 to select the appropriate controls and review the guidance.

ISO 27001 and ISO 27002 have different objectives and as such they will be helpful in different circumstances.

Organisations often start with technical controls and as such ISO 27002 would be the place to start as it provides specific implementation guidance.

If you are starting out and planning your information security management system (ISMS) then you would start with ISO 27001.

Ideally you start with ISO 27001, identify the controls you need, then implement the controls following the guidance. But we are realists and appreciate that often organisations come at this from the other way round. No one answer is the right answer, it is just the costs and hassle that will be more if you do it back to front.

ISO 27001 is 14 pages long

ISO 27001 is not a detailed standard. It is very light on detail in fact. Rather, it sets out the requirements at a high level. That is why we recommend the Ultimate ISO 27001 Toolkit that is ready to go and takes the guesswork out of the implementation.

DO IT YOURSELF ISO 27001

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

ISO 27001 Toolkit Business Edition

ISO 27002 is guidance not a checklist

ISO 27002 provides guidance on how to implement controls but it is only guidance. It is not a checklist or a tickbox sequence of requirements. How you implement controls is down to you. The standard shows you ways you could implement them, options to consider and guidance you could follow.

You cannot fail ISO 27001 based on an ISO 27002 Control

This is technically true. Although the reality may differ due to the fact that auditors interpret the requirements differently. What is that you say? A standard that is not standard? That is correct.

ISO 27001 vs ISO 27002

ISO 27001 and ISO 27002 are both international standards for information security management. ISO 27001 is the more comprehensive standard, and it provides a framework for organisations to implement an information security management system (ISMS). ISO 27002 is a supporting standard that provides guidance on the controls that can be implemented as part of an ISMS.

Let us compare both standards side by side:

ISO 27001                           | ISO 27002
------------------------------------|------------------------------------------
A management system                 | A list of controls for you to pick from
Can certify to the standard         | Cannot certify to the standard
Mandatory requirements              | Optional requirements
Easy to implement                   | Moderate to hard to implement
Satisfy it with ISO 27001 Templates | Templates won’t really help

In Summary

ISO 27001

ISO 27001 is a management system and you can certify to ISO 27001.

ISO 27002

ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.

Conclusion

In conclusion, ISO 27001 is a management system you can certify to and ISO 27002 is a control set for you to consider for relevance and implement.

ISO 27001 vs ISO 27002 FAQ

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is a management system and you can certify to ISO 27001. ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.

Can I certify to ISO 27001?

Yes, you can certify to ISO 27001.

Can I certify to ISO 27002?

No, you cannot certify to ISO 27002. ISO 27002 is a list of controls with implementation guidance for you to consider as part of your overall security framework. Which controls you need is based on risk and business need and is recorded in your ISO 27001 Statement of Applicability.

Do I have to implement all of the controls in ISO 27002?

No. You choose the controls that you need based on risk and your business need. You can also select other controls that are not contained in ISO 27002.

Is ISO 27001 better than ISO 27002?

There is no right or wrong answer to this as they both serve different purposes. ISO 27001 is the management system and required for ISO 27001 certification. ISO 27002 is the list of controls with implementation guidance that you choose from based on risk and business need. They are both equally as good as each other, serving their respective requirements.

Do I need both ISO 27001 and ISO 27002 for an ISO 27001 certification?

Yes. Whilst you will certify against ISO 27001, many of the controls in ISO 27002 are required.

Is it possible to certify to ISO 27001 and not include ISO 27002?

Technically it is possible but extremely unlikely. It would be more time, effort and cost to attempt to exclude ISO 27002 from your ISO 27001 certification.

Can I outsource the controls in ISO 27002?

Yes. You can outsource as many controls in ISO 27002 as is appropriate to your organisation.

Do I need to buy copies of ISO 27001 and ISO 27002?

Yes. You need your own licensed copies of each of the standards.

Which is more expensive, ISO 27001 or ISO 27002?

To purchase copies of the standards the costs are roughly the same. To implement each of the standards will cost you based on how you go about it and what you include. It is difficult to predict but in general and based on experience the cost of implementing ISO 27002 and the controls is more expensive than the cost of implementing ISO 27001 and the information security management system.

Which is harder to implement, ISO 27001 or ISO 27002?

ISO 27002 can be perceived to be harder to implement as it is the implementation of controls into an organisation. This can take budget, resource, planning and project management. How hard it is will be dictated directly and proportionally by the size and complexity of your organisation. ISO 27001 on the other hand is relatively straightforward and easy to implement and is less affected by the size and complexity of your organisation.

How long will it take me to implement ISO 27001?

Typically you will implement ISO 27001 in 3 months. It will take that long to implement the requirements, operate them and have evidence that the management system is effective.

How long will it take me to implement ISO 27002?

Typically it will take you 3 to 12 months to implement the ISO 27002 controls. This is down to how complex you are and how mature your existing processes are.
