ISO 27001 and ISO 27002: From Framework to Action

  • What is the difference between ISO 27001 and ISO 27002?
  • Published by: André Hammer on Apr 04, 2024

For any UK organisation handling sensitive data, proving your commitment to information security is no longer a nice-to-have; it’s a business necessity. The ISO 27000 family of standards provides the globally recognised benchmark. However, a common point of confusion arises with two of its core components: ISO 27001 and ISO 27002. While they sound similar and work together, they serve very different functions.

Understanding how to use them in tandem is the key to moving from a theoretical security policy to a practical, effective, and certifiable system. This guide breaks down their distinct roles and explains how they combine to form a robust defence for your organisation’s information assets.

The Blueprint: Building Your ISMS with ISO 27001

Think of ISO 27001 as the master plan for your entire information security programme. It doesn’t tell you which specific tools or software to buy. Instead, it provides the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes, and technology. The core mandate of ISO 27001 is for an organisation to:

  • Identify stakeholders and their expectations regarding information security.
  • Define the scope of the ISMS (e.g., which departments, locations, and assets are covered).
  • Conduct a thorough information security risk assessment to identify threats and vulnerabilities.
  • Select and justify security controls to treat those identified risks, and record the result in a Statement of Applicability (SoA) that covers every Annex A control, including the ones you exclude and why.
  • Create a framework for ongoing monitoring, internal audits, and management reviews.

Critically, ISO 27001 is the standard against which your organisation can be formally audited and certified. Achieving this certification demonstrates to clients, partners, and regulators like the ICO that your security practices meet an international benchmark.

The Toolkit: Implementing Controls with ISO 27002

If ISO 27001 is the blueprint, ISO 27002 is the detailed instruction manual for the tools you'll use. Annex A of ISO 27001 lists a reference set of security controls, but for each one it gives only a one- or two-sentence control statement and no detail on how to implement it. This is where ISO 27002 comes in.

ISO 27002 is a supplementary standard that provides best-practice guidance and detailed implementation advice for the controls listed in ISO 27001's Annex A. Its formal title is now "Information security controls" (earlier editions called it a code of practice). It is not a certification standard itself; you cannot get "ISO 27002 certified." Instead, it is a guidance document to help you effectively satisfy the requirements of ISO 27001.

For each control, ISO 27002 gives the control statement, its purpose, implementation guidance and other information. Each control also carries a set of attribute tags (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) that let you filter the catalogue, for example to list every detective control or every control that supports the "Respond" concept. It helps you translate a requirement into concrete action.

A Practical Example: How They Work Together

Let’s illustrate with a scenario. During your risk assessment (mandated by ISO 27001), you identify a significant risk related to unauthorised access to your company’s cloud servers.

ISO 27001 requires you to determine the controls needed to treat that risk and to compare them against Annex A to confirm nothing necessary has been overlooked. In this case you select Annex A control A.5.16, "Identity management."

Now you turn to ISO 27002. You find the corresponding section, 5.16, which provides detailed implementation guidance on the identity lifecycle: assigning a unique identity to each person (and to each non-human entity such as a service account), allowing shared identities only where there is a business need and explicit approval, keeping records of identity events, and removing or disabling identities promptly when they are no longer required, for instance when someone leaves the organisation. The closely related topics the same risk usually drags in are handled by neighbouring controls with their own ISO 27002 guidance: 5.17 "Authentication information" and 8.5 "Secure authentication" (where multi-factor authentication is recommended), and 5.18 "Access rights" for provisioning and reviewing what each identity can reach.

By following the guidance in ISO 27002, you effectively implement the control required by ISO 27001, thereby reducing your risk and generating the evidence an auditor will need to see.
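One way to turn that guidance into recurring, auditable evidence is a periodic identity review that joins the IdP's user export with HR's leavers list and flags every lifecycle rule that is broken. The following is an added example, not code from the standards, the page or any vendor; the user and HR records are constructed, and the field names (id, enabled, mfa, last_login, owners) are assumptions to be mapped onto whatever your own systems actually export.

```python
"""Identity lifecycle review that produces evidence for ISO 27001 Annex A
control A.5.16 (Identity management) and its neighbours (5.18, 8.5).
Added example; the data below is constructed and the field names are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data standing in for an IdP user export. "owners" lists the
# people accountable for the identity: one person for a personal or a service
# account, several for a shared account, none if nobody has been recorded.
IDP_USERS = [
    {"id": "alice",      "enabled": True,  "mfa": True,  "last_login": "2024-03-28", "owners": ["alice"]},
    {"id": "bob",        "enabled": True,  "mfa": False, "last_login": "2024-03-30", "owners": ["bob"]},
    {"id": "carol",      "enabled": True,  "mfa": True,  "last_login": "2023-11-02", "owners": ["carol"]},
    {"id": "svc-backup", "enabled": True,  "mfa": False, "last_login": "2024-03-31", "owners": []},
    {"id": "shared-ops", "enabled": True,  "mfa": True,  "last_login": "2024-04-01", "owners": ["dave", "erin"]},
    {"id": "frank",      "enabled": False, "mfa": False, "last_login": "2023-01-09", "owners": ["frank"]},
]
# Constructed HR leavers list: person -> last working day (ISO date).
HR_LEAVERS = {"carol": "2024-01-15"}
# Date of this review run (constructed, matches the page's publication date).
REVIEW_DATE = date(2024, 4, 4)


@dataclass(frozen=True)
class Finding:
    identity: str
    issue: str      # short, stable label usable as an evidence category
    detail: str


def review_identities(users, leavers, today, stale_after=timedelta(days=90)):
    """Return a Finding for every lifecycle rule an enabled identity breaks.
    Disabled identities are skipped: de-registration is the desired end state."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue
        ident = u["id"]
        # De-registration: a leaver's identity must not stay enabled past their last day.
        for person in u["owners"]:
            if person in leavers and date.fromisoformat(leavers[person]) < today:
                findings.append(Finding(ident, "leaver-still-enabled",
                                        f"{person} left on {leavers[person]}"))
        # Accountability: every identity, service accounts included, needs an owner.
        if not u["owners"]:
            findings.append(Finding(ident, "no-owner", "no accountable person recorded"))
        # Uniqueness: shared identities are the approved exception, so list them for review.
        if len(u["owners"]) > 1:
            findings.append(Finding(ident, "shared-identity",
                                    "used by " + ", ".join(u["owners"])))
        # Authentication strength (control 8.5 territory, but the same review catches it).
        if not u["mfa"]:
            findings.append(Finding(ident, "no-mfa", "multi-factor authentication not enforced"))
        # Dormancy: identities unused for longer than stale_after are candidates for disabling.
        idle = today - date.fromisoformat(u["last_login"])
        if idle > stale_after:
            findings.append(Finding(ident, "stale", f"no login for {idle.days} days"))
    return findings


def summarise(findings):
    """Count findings per issue type: the headline numbers a management review records."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def run_sample_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_identities(IDP_USERS, HR_LEAVERS, REVIEW_DATE)


if __name__ == "__main__":
    results = run_sample_review()
    for f in results:
        print(f"{f.identity:<12} {f.issue:<22} {f.detail}")
    print(summarise(results))
```

Run on a schedule and archived with the date, the output is exactly the kind of record an auditor asks for: it shows the control operating, not just that a policy says it should. Note that the leaver check only fires once the last working day has passed, so the identity of someone who is working their notice is not flagged prematurely.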

What Auditors Look For: Certification and Compliance

When an external auditor from a certification body visits, they will audit your organisation against the requirements of ISO 27001. They will check: Have you built a compliant ISMS? Have you conducted a risk assessment? Have you selected appropriate controls? Is there evidence of management review and continual improvement?

The auditor will not audit you against ISO 27002. They will, however, check that every control marked applicable in your Statement of Applicability is actually in place and operating, and they will ask for evidence of that operation (access review records, joiner/leaver tickets, change logs, test results) rather than just the policy document. Using ISO 27002 as your implementation guide demonstrates due diligence and aligns your controls with international best practice, which makes the audit smoother and increases your chances of a successful outcome.

Building Your ISO Expertise

Understanding the interplay between ISO 27001's framework and ISO 27002's practical guidance is crucial for successfully protecting your organisation. The next step is equipping your team with the skills to implement them effectively.

Readynez offers an extensive portfolio of ISO Courses and Certifications, providing you with all the learning and support you need to successfully prepare for the exams and certifications. All our other ISO courses are also included in our unique Unlimited Security Training offer, where you can attend the ISO courses and 60+ other Security courses for just €249 per month—the most flexible and affordable way to get your Security Certifications.

Please reach out to us with any questions or if you would like a chat about your opportunity with the ISO certifications and how you can best achieve it.

Frequently Asked Questions

Is ISO 27002 certification possible?

No, organisations cannot be certified against ISO 27002. It is a code of practice offering guidance, not a management system standard with auditable requirements. Certification is only available for ISO 27001.

Can I just implement ISO 27001 without using ISO 27002?

While technically possible, it is highly inadvisable. ISO 27001's Annex A gives only a one- or two-sentence statement for each control and does not explain how to implement it. ISO 27002 provides that essential "how-to" guidance, so that your controls are robust, follow established best practice, and are easier to evidence at audit.

Our organisation is small. Are both standards necessary?

Yes. The principles apply to organisations of all sizes. The ISO 27001 framework is designed to be scalable. You will tailor the scope of your ISMS and apply only the Annex A controls that are relevant to your risks, recording the justification for each inclusion and exclusion in your Statement of Applicability. ISO 27002 then helps you implement those chosen controls correctly, regardless of your company's size.

How did the 2022 update to ISO 27002 affect ISO 27001?

The 2022 version of ISO 27002, published in February 2022, reorganised the controls from 14 clauses into four themes (organisational, people, physical and technological), reducing the catalogue from 114 to 93 controls by merging overlapping ones and adding 11 new controls such as threat intelligence (5.7), cloud services security (5.23), data leakage prevention (8.12) and secure coding (8.28). These changes were mirrored in ISO 27001:2022, published in October 2022, whose Annex A now follows the same structure and numbering. Certificates issued against ISO 27001:2013 must transition to the 2022 edition by 31 October 2025, so any new implementation should work from the 2022 versions of both standards.
