ISO 27001 vs. ISO 27002: What are the key differences?

If your organisation has an Information Security Management System (ISMS) in place or is planning to build one, you've likely encountered ISO 27001 or ISO 27002. These standards are designed to help safeguard and manage information assets effectively. 

ISO 27001 certification is a staple in mitigating the risks an organisation faces when its information becomes vulnerable to attack. Certification brings together the requirements of ISO 27001 and the guidance of ISO 27002, two documents with separate uses and different depths of detail. 

Discover the differences between ISO 27001 and 27002 and how to use them to optimise your ISMS. 

What is ISO 27001?

ISO 27001 is the international security standard that defines the specifics and best practices for an organisation's ISMS. Detailed checklists are available to guide you through the requirements for compliance. Any organisation can adopt and implement this standard. For more information on ISO 27001 compliance, read our essential guide to ISO 27001.

What is ISO 27002?

Did you know there are 60+ standards in the 27000 family? The ISO 27002 standard is closely related to ISO 27001. It includes reference rules for information security, cyber security, privacy protection, and implementation assistance based on globally recognised best practices. 

In short, it provides guidelines for establishing an ISO 27001-certified ISMS. This standard doesn’t have certification criteria of its own. Instead, your organisation can comply with the ISO 27001:2022 certification by adhering to the 93 controls for information and physical security and cyber and privacy management in ISO 27002. These controls address specific risks identified through an ISO 27001 risk assessment and provide a structured list of recommended security measures. You can also opt to design your own control framework within ISO 27001 by developing custom controls that align with your organisation’s specific risk profile and needs. 

Although they belong to the same family of standards, ISO 27001 and ISO 27002 have key differences that you must be aware of. Read on to find out how they differ. 

What are the key differences between ISO 27001 and ISO 27002?

ISO 27001 and ISO 27002 differ in three main respects: their level of detail, certification, and applicability to your organisation.

1. Details

Regarding implementation controls and guidelines, ISO 27001 is not as detailed as ISO 27002. Instead, ISO 27001 gives a general overview of an ISMS's components, with more in-depth guidance provided in other ISO standards. One of these standards is ISO 27002. Examples of other such standards are ISO 27003 for ISMS implementation advice and ISO 27004 for ISMS monitoring, measurement and evaluation.

2. Certification

You can be certified against ISO 27001, but not against ISO 27002. ISO 27001 provides a complete list of compliance criteria, whereas ISO 27002 addresses only one part of an ISMS: the controls.

3. Applicability to your organisation

When establishing an ISMS, it’s important to remember that not every information security measure will apply to your organisation. ISO 27001 requires organisations to undertake a risk assessment to identify and prioritise potential risks to their information security. ISO 27002 does not require this. As a result, it can be difficult to determine which controls you should apply by referring to ISO 27002 alone. 

Now that you know the differences between each standard, we can look at how these differences form a cohesive relationship to ensure that your ISMS is up to standard. 

How do ISO 27001 and ISO 27002 relate to each other?

ISO 27001 provides the structure organisations need to achieve ISO 27001 certification. This structure consists of Clauses 4-10 (which follow the harmonised structure known as Annex SL) and the 93 Annex A controls. ISO 27002 provides guidance on how to implement any of those 93 controls within your organisation. To illustrate this relationship, here are some ISO 27001 objectives paired with the relevant ISO 27002 controls: 


ISO 27001 objective: To guide and assist in managing information security in compliance with company needs and applicable laws and regulations.
ISO 27002 control: Upon management's approval, a written policy on information security must be published and disclosed to all workers and relevant third parties. This policy is evaluated on a regular basis, or when substantial changes occur, to ensure it remains appropriate, adequate, and effective.

ISO 27001 objective: To manage information security within the organisation.
ISO 27002 control: Representatives from all sections of the organisation, with appropriate responsibilities and job functions, coordinate information security efforts. There must be clear definitions of information security obligations and a management approval procedure for new information processing facilities.

ISO 27001 objective: To achieve and maintain appropriate protection of organisational assets.
ISO 27002 control: Each piece of data and each asset linked with an information processing facility must be 'owned' by a defined division of the organisation. Rules for the appropriate use of data and assets related to information processing facilities must be identified, documented and implemented.

ISO 27001 objective: To limit the risk of theft, fraud or abuse of facilities by ensuring that employees, contractors and third-party users understand their obligations and are qualified for the jobs they are being considered for.
ISO 27002 control: All job applicants, contractors and third-party users should have their backgrounds checked in compliance with applicable laws, rules and ethics, and in a manner appropriate to the business requirements, the classification of the information to be accessed and the perceived risks.

When should you use each standard?

All the standards in the ISO 27000 series have a specific focus:  

  • ISO 27001 is designed to build the foundations of information security in your organisation and devise its framework 
  • ISO 27002 is designed to implement controls 
  • ISO 27005 is designed to guide risk assessment and risk treatment, and so on. 

Although ISO 27002 provides the details needed to implement the Annex A controls defined in ISO 27001, applying it on its own would remain an isolated effort by a few information security enthusiasts. Without the management framework provided by ISO 27001, and the top-management support it requires, it would have no real impact on the organisation. 

Rather than treating ISO 27001 and ISO 27002 as two completely different standards, recognising how the two are interconnected is a step toward achieving ISO 27001 certification. 

ISO 27001 certification can benefit your organisation in several ways, from improving customer trust to increasing organisational productivity. Furthermore, aligning with ISO 27001's robust standards positions your organisation favourably for NIS2 compliance, reflecting the evolving demands of cybersecurity in the European landscape. 

Achieve ISO 27001 compliance easily and cost-efficiently

Ready to take your security and compliance strategy to the next level? With DataGuard's expert guidance and AI-driven platform, you can streamline your ISO 27001 journey and strengthen your organisation’s risk resilience. 

Whether you're new to information security or looking to enhance your existing ISMS, DataGuard offers the technology and expert support to make ISO 27001 compliance worry-free and more efficient.  

About the author

DataGuard Information Security Experts

Tips and best practices on successfully getting certifications like ISO 27001 or TISAX®, the importance of robust security programmes, efficient risk mitigation... you name it! Our certified (Chief) Information Security Officers and InfoSec Consultants from Germany, the UK, and Austria use their years of experience to set you up for long-term success. How? By giving you the tools and knowledge to protect your company, its information assets and people from common risks such as cyber-attacks. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional Europe (IAPP), ITIL® 4 Foundation Certificate for IT Service Management, ISO 27001 Lead Implementer/Lead Auditor/Master, Certificate in Information Security Management Principles (CISMP), Certified TickIT+ Lead Auditor, Certified ISO 9001 Lead Auditor, Cyber Essentials