What is the Difference Between ISO 27001 and 27002?

Photo by Ildefonso Polo on Unsplash

The key difference between ISO 27001 and ISO 27002 is that ISO 27002 is designed to use as a reference for selecting security controls within the process of implementing an Information Security Management System (ISMS) based on ISO 27001. Organisations can achieve certification to ISO 27001 but not ISO 27002.

For example, an organisation may have implemented ISO 27001 if it has an ISMS in place which meets the criteria required of ISO 27001 certification. The organisation may wish to have a more active approach to implementing computer security controls consistent with ISO 27002.

The ISO 27002 standard and its accompanying guidance notes were designed to be incorporated within ISO 27001 certification schemes. Therefore, while ISO 27002 is considered part of ISO 27001, it does not make sense to ISO 27002.

ISO 27002 provides a starting point for organisations where ISO 27001 certification has not been obtained. For example, there are no compliance requirements under ISO 27002, but there is a requirement for all parts of the organisation to review and document the internal computer security controls.

In summary, ISO 27002 provides guidance on computer security control selection, implementation and effectiveness. It is the responsibility of an organisation to follow ISO 27002 guidance if they are implementing a computer security policy.

So, if ISO 27001 certification is your goal, there is only one standard you need to consider. However, ISO 27002 provides some useful guidance on implementing the computer security controls required by ISO 27001.

This post contains affiliate links. Affiliate disclosure: As an Amazon Associate, we may earn commissions from qualifying purchases from and other Amazon websites.
Photo by ThisisEngineering RAEng on Unsplash

What is the Difference Between SOC 2 and ISO 27001?

Photo by ThisisEngineering RAEng on Unsplash

What is PCI Compliance Training?