ISO 27001 vs ISO 27002: Key Differences and How to Use Both

  • What is difference between ISO 27001 and ISO 27002?
  • Published by: André Hammer on Apr 04, 2024
Group classes

ISO/IEC 27001 defines the requirements for an information security management system, while ISO/IEC 27002 provides guidance for selecting and implementing information security controls. Their 2022 revisions changed how many organisations describe, map, and evidence those controls, most visibly by restructuring the control set into 93 controls grouped under four themes and reshaping how Annex A is used in an ISO/IEC 27001 ISMS.

ISO/IEC 27001 is the certifiable standard for an information security management system, usually called an ISMS. ISO/IEC 27002 is supporting guidance that helps organisations understand and implement information security controls, but organisations are not certified to ISO/IEC 27002 itself.

The distinction matters because procurement teams, auditors, CISOs, and IT managers often refer to both standards in the same conversation. ISO/IEC 27001 answers whether the management system is properly defined, governed, audited, and improved. ISO/IEC 27002 helps control owners decide how selected controls can be designed, documented, operated, and reviewed in practice.

Last updated: June 2026. This article summarises the relationship between the two standards and avoids reproducing protected ISO text. Organisations should always confirm audit and transition details with their accredited certification body and refer to current guidance from ISO, the International Accreditation Forum, UKAS, ANAB, or their chosen certification body.

ISO 27001 vs ISO 27002 at a glance

Area ISO/IEC 27001 ISO/IEC 27002
Primary purpose Defines the requirements for establishing, maintaining, and improving an ISMS. Provides guidance for implementing and managing information security controls.
Certification Certifiable through an accredited audit process. Not certifiable as a standalone organisational certification.
Main audience Leadership, ISMS managers, auditors, risk owners, compliance teams, and procurement stakeholders. Security architects, control owners, IT operations teams, risk managers, and implementers.
Structure Management system clauses, plus Annex A as a reference set of information security controls. Control guidance aligned to the 2022 Annex A structure.
Practical use Used to define scope, risk management, governance, internal audit, management review, and continual improvement. Used to interpret control intent, implementation considerations, examples, and operational evidence.

The short decision rule is simple: organisations that need third-party certification for tenders, customer assurance, or contractual requirements should prioritise ISO/IEC 27001. Organisations that already have an ISMS, or are designing controls before an audit, use ISO/IEC 27002 to improve the quality and consistency of implementation.

What ISO 27001 requires

ISO/IEC 27001 is a management system standard. It requires an organisation to define the context and scope of its ISMS, understand interested-party requirements, assess information security risks, select risk treatment options, monitor performance, conduct internal audits, complete management reviews, and improve the system over time.

Its clauses describe how the ISMS should be governed. Annex A then provides a reference set of controls that an organisation considers during risk treatment. A common mistake is treating Annex A as a mandatory checklist where every control must be implemented in the same way. In practice, the organisation must justify which controls are applicable, which are excluded, and how risk treatment decisions connect back to the risk assessment.

The document that makes this connection visible is the Statement of Applicability, often shortened to SoA. Auditors look for a clear relationship between identified risks, selected controls, exclusion justifications, implementation status, and evidence. Weak SoA mapping is one of the areas where certification projects often lose time, especially when control names or numbering have changed after a standards update.

What ISO 27002 adds

ISO/IEC 27002 provides control guidance rather than management system requirements. It is most useful once an organisation has decided, through its ISO/IEC 27001 risk treatment process, that a control is relevant and needs to be implemented or improved.

The 2022 version reorganised the control catalogue into four themes: organisational, people, physical, and technological. It also modernised the control set to reflect current security needs, including areas such as threat intelligence, cloud services, data masking, data leakage prevention, secure coding, and web filtering. These topics are familiar to security teams, but they can be difficult to evidence unless responsibilities, procedures, technical settings, monitoring records, and review activities are clearly defined.

That is where ISO/IEC 27002 becomes practical. It helps translate a control selected in Annex A into day-to-day implementation expectations. For example, a control owner responsible for web filtering needs more than a line in the SoA. They need to understand the purpose of the control, the environments it covers, how exceptions are approved, how logs are reviewed, and how effectiveness is demonstrated during an audit.

How the two standards work together in an ISMS

ISO/IEC 27001 and ISO/IEC 27002 work best when they are treated as connected documents with different jobs. ISO/IEC 27001 provides the governance route from business context to risk treatment. ISO/IEC 27002 supports the design and operation of the controls selected through that route.

  1. Define the ISMS scope, business context, interested parties, and information security objectives.
  2. Assess information security risks using the organisation’s agreed risk methodology.
  3. Select risk treatment options and identify relevant Annex A controls.
  4. Record inclusion, exclusion, justification, and implementation status in the Statement of Applicability.
  5. Use ISO/IEC 27002 to design, operate, review, and evidence the selected controls.

A practical example is Annex A control A.8.23 on web filtering. ISO/IEC 27001 makes the organisation justify whether the control is applicable and how it supports risk treatment. The SoA records that decision. ISO/IEC 27002 then gives the control owner implementation guidance, examples, and considerations that can be turned into policy rules, technical configuration, exception handling, monitoring, and audit evidence.

ISMS artefact Example entry How ISO/IEC 27002 helps
Risk assessment Users may access malicious or inappropriate web content from corporate devices. Provides control-level considerations for reducing exposure through web filtering.
Statement of Applicability A.8.23 is included because it supports risk treatment for malware, phishing, and acceptable use risks. Helps refine the implementation approach and evidence expectations.
Operational evidence Filtering rules, exception approvals, review records, alert logs, and change records. Helps teams think beyond policy wording and show that the control is operating.

This connection is also useful for training. Security and compliance teams preparing for an audit need to understand the certification requirements of ISO/IEC 27001, while control owners need enough ISO/IEC 27002 knowledge to implement controls consistently. Readynez covers ISO learning paths through its ISO courses and certifications, which can be useful when an organisation wants a shared language across ISMS, audit, and technical teams.

What changed in 2022 and why it matters

The 2022 revisions affected both terminology and implementation planning. ISO/IEC 27002:2022 consolidated, renamed, and reorganised controls into 93 controls across four themes. ISO/IEC 27001:2022 Annex A was aligned with that structure, which means organisations moving from older versions needed to revisit their control mapping and SoA format.

The change was more than cosmetic. A control remapping exercise can expose gaps where a legacy control name existed in a policy but the operational evidence no longer matches the revised control structure. In many cases, organisations also needed to update risk treatment plans, internal audit checklists, supplier questionnaires, control ownership records, and management review reporting.

Certification is still to ISO/IEC 27001 only. Organisations certified under an earlier version had a defined transition window for moving audits to ISO/IEC 27001:2022, with exact arrangements dependent on accreditation and certification-body requirements. Because transition timing and local audit practice can vary, the safest approach is to confirm the current position with the certification body rather than relying on outdated project plans or informal advice.

Common implementation challenges

One frequent challenge is confusing clause compliance with control implementation. ISO/IEC 27001 clauses 4 to 10 describe the management system: context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A controls are different. They are selected and justified as part of risk treatment, then implemented through policies, processes, technologies, responsibilities, and evidence.

Another challenge is evidence quality. Modernised areas such as cloud services, threat intelligence, data masking, and secure coding often involve multiple teams. A policy may state the control intent, but audit evidence usually needs to show ownership, procedures, technical configuration, review activity, and corrective action where issues are found.

Procurement teams can also misread the standards. A supplier may say it “uses ISO 27002”, but that does not mean it holds ISO/IEC 27001 certification. For assurance purposes, it is better to ask for the scope of the ISO/IEC 27001 certificate, the accredited certification body, relevant exclusions in the SoA, and how the supplier manages controls that matter to the service being purchased.

Choosing the right standard for the job

The choice is rarely either-or. ISO/IEC 27001 is the standard to use when the organisation needs a certifiable management system. ISO/IEC 27002 is the standard to use when control owners need detailed implementation guidance and a common reference point for designing controls.

For a small or medium-sized organisation seeking certification, ISO/IEC 27001 should set the project structure from the beginning. That means defining the ISMS scope carefully, building a risk assessment method that is usable, and developing the SoA as a living governance document rather than a spreadsheet completed near the audit date. ISO/IEC 27002 then supports the control-by-control implementation work.

For a larger organisation with existing security frameworks, ISO/IEC 27002 can also help harmonise control language across teams. Many organisations already work with frameworks such as NIST CSF, NIST SP 800-53, CIS Controls, or sector-specific requirements. Mapping should be done carefully because similar control titles do not always mean identical assurance expectations, but ISO/IEC 27002 can provide a useful reference for aligning terminology and ownership.

Using both standards with confidence

The key takeaway is that ISO/IEC 27001 provides the certifiable ISMS requirements, while ISO/IEC 27002 provides control implementation guidance aligned to Annex A. Organisations get the most value when risk assessment, the Statement of Applicability, control design, and audit evidence are treated as one connected system.

As standards, threats, and audit expectations change, security teams benefit from keeping ISMS knowledge current rather than treating certification as a one-off project. Readynez offers Unlimited Security Training for teams that need ongoing access to security learning, and readers with questions about ISO training options can contact Readynez for guidance.

FAQ

What is the main difference between ISO 27001 and ISO 27002?

ISO/IEC 27001 defines the requirements for an information security management system and is the standard used for certification. ISO/IEC 27002 provides guidance on information security controls and supports implementation, but it is not a certifiable standard for organisations.

Can an organisation be certified to ISO 27002?

No. Organisations can be certified to ISO/IEC 27001, not ISO/IEC 27002. ISO/IEC 27002 can still be used during implementation because it helps teams interpret and operate the controls referenced by Annex A.

How do ISO 27001 and ISO 27002 work together?

ISO/IEC 27001 guides the ISMS, including risk assessment, risk treatment, the Statement of Applicability, internal audit, and continual improvement. ISO/IEC 27002 helps control owners design and evidence the selected controls in a more practical way.

What changed in the 2022 versions?

ISO/IEC 27002:2022 reorganised the control set into 93 controls across four themes: organisational, people, physical, and technological. ISO/IEC 27001:2022 Annex A was aligned to that structure, which affected control mapping, SoA updates, and audit preparation for organisations moving from older versions.

Which standard should an organisation start with?

An organisation seeking certification should start with ISO/IEC 27001 because it defines the certifiable ISMS requirements. ISO/IEC 27002 should then be used to support the design, operation, and evidence of the selected controls.

Related resources

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}