ISO 27001 vs ISO 27002: What's the Difference? Complete Comparison Guide

"What's the difference between ISO 27001 and ISO 27002?"
This is a common question when people first encounter security standards.
Simply put:
- ISO 27001 can be certified; it is a "requirements" standard
- ISO 27002 cannot be certified; it is a "guidance" standard
But that's too brief. This article will fully explain the differences between the two, as well as the entire ISO 27000 series family.
For a complete introduction to ISO 27001, see ISO 27001 Complete Guide.
Quick Comparison Table
Key points first:
| Item | ISO 27001 | ISO 27002 |
|---|---|---|
| Nature | Requirements standard | Guidelines standard |
| Certifiable | ✅ Yes | ❌ No |
| Content | ISMS framework + control list | Detailed implementation guidance for controls |
| Purpose | Build management system, get certified | Implementation reference, technical guidance |
| Latest version | 2022 | 2022 |
| Pages | ~30 pages | ~150 pages |
| Annex A | Lists 93 controls (list only) | Detailed explanation of 93 controls |
One sentence summary:
- ISO 27001 tells you "what to do"
- ISO 27002 tells you "how to do it"
ISO 27001 Explained
Standard Positioning
ISO 27001 is the requirements standard for Information Security Management Systems (ISMS).
It specifies:
- Requirements for establishing ISMS
- Requirements for implementing ISMS
- Requirements for maintaining ISMS
- Requirements for continually improving ISMS
Core structure:
| Part | Content |
|---|---|
| Clause text (Clauses 4-10) | ISMS framework requirements |
| Annex A | List of 93 controls |
The clause text (Clauses 4-10) is "mandatory"; Annex A controls are subject to an applicability assessment.
Certification Value
ISO 27001 can be certified, which is its greatest value.
Benefits of certification:
| Benefit | Description |
|---|---|
| Business threshold | Many customers and tenders require the certificate |
| Trust endorsement | Third-party verification, more credible than self-claims |
| International recognition | Globally accepted standard |
| Regulatory compliance | Can meet certain regulatory security requirements |
Certification process:
- Build ISMS
- Operate for a period
- Apply for certification audit
- Get certificate after passing
- Annual surveillance audits
Target Audience
Who needs ISO 27001:
| Audience | Reason |
|---|---|
| Companies wanting certification | This is the only certifiable standard |
| Implementation personnel | Need to know what the standard requires |
| Security managers | Need to build management system based on standard |
| Auditors | Audit basis is this standard |
ISO 27002 Explained
Standard Positioning
ISO 27002 is implementation guidance for controls.
It provides:
- Detailed explanation of each control
- Why to do it (purpose)
- How to do it (guidance)
- Other reference information
Structure:
Each control has:
| Field | Content |
|---|---|
| Control | Definition of the control |
| Purpose | Why to implement this control |
| Guidance | Recommendations on how to implement |
| Other information | Additional reference materials |
The 2022 version also added attribute tags:
- Control types (Preventive, Detective, Corrective)
- Security properties (Confidentiality, Integrity, Availability)
- Cybersecurity concepts
- Operational capabilities
- Security domains
Relationship with 27001
ISO 27002 is the "instruction manual" for ISO 27001.
Example:
ISO 27001 Annex A says: "5.15 Access control"
This only tells you "do access control," but doesn't say how.
ISO 27002's 5.15 provides detailed explanation:
- What is the purpose of access control
- What aspects to consider
- Specifically how to implement
- Related reference information
Page count comparison:
| Standard | Pages | Control explanation |
|---|---|---|
| ISO 27001 Annex A | ~10 pages | Only control names |
| ISO 27002 | ~150 pages | Detailed explanation for each control |
How to Use 27002
When to use:
| Scenario | How to use |
|---|---|
| Writing SOPs | Reference guidance, design specific approaches |
| Don't know how to do something | Look up corresponding control explanation |
| Preparing for audit | Confirm approach aligns with guidance spirit |
| Training | Use as training material reference |
Important reminder:
- ISO 27002 is "guidance," not "requirements"
- You don't need to follow it exactly
- Can adjust based on company's actual situation
- Just need to achieve the control's purpose
How to Use Both Together
Application During Implementation
| Phase | Use 27001 | Use 27002 |
|---|---|---|
| Planning | Understand ISMS framework requirements | Understand control intentions |
| Risk assessment | Execute per 6.1.2 | Reference control classification |
| Select controls | Choose from Annex A | Understand detailed content of each |
| Write documents | Ensure compliance with clause requirements | Reference guidance to design approaches |
| Implementation | Based on clause requirements | Reference guidance for execution |
| Audit | Audit basis is 27001 | Auditors reference 27002 for judgment |
Practical Recommendations
1. Read ISO 27001 first
Understand the overall framework and requirements; this is the foundation.
2. Use ISO 27002 as a reference book
Look it up when you don't know how to implement a control.
3. Don't copy verbatim
27002 guidance is suggestions, not regulations. Adjust based on company's actual situation.
4. Audit preparation
Auditors will ask: "How do you do XX control?"
Your answer just needs to show "it's done and effective"; doesn't need to match 27002 word for word.
ISO 27000 Series Family
ISO 27001 and 27002 are just part of the ISO 27000 series.
ISO 27000: Vocabulary and Concepts
Purpose: Define ISMS-related terminology
Content:
- Definition of information security
- Definition of ISMS
- Explanation of various technical terms
Feature: Free download (ISO website)
ISO 27003: ISMS Implementation Guide
Purpose: How to implement ISO 27001
Content:
- Steps for implementing ISMS
- Implementation guidance for each clause
- Practical cases
Suitable for: People implementing ISMS for the first time
ISO 27004: Measurement Guide
Purpose: How to measure ISMS effectiveness
Content:
- Performance indicator design
- Measurement methods
- Reporting methods
Suitable for: People wanting to establish security KPIs
ISO 27005: Risk Management Guide
Purpose: How to do information security risk management
Content:
- Risk assessment methodology
- Risk identification, analysis, evaluation
- Risk treatment options
- Risk communication
Suitable for: People responsible for risk assessment
Key point: ISO 27001 only says "do risk assessment"; 27005 explains in detail "how to do it." For practical risk assessment operations, refer to the explanation in ISMS Implementation Guide.
ISO 27007: Audit Guide
Purpose: How to audit ISMS
Content:
- Audit planning
- Audit execution
- Audit reporting
- Auditor competence
Suitable for: Internal auditors, people preparing for Lead Auditor (LA) certification
ISO 27701: Privacy Information Management
Purpose: Extend ISO 27001 to cover privacy protection
Content:
- Privacy Information Management System (PIMS)
- Requirements for personal data processors
- Requirements for personal data controllers
Suitable for: Companies needing to comply with GDPR or privacy regulations
Important: ISO 27701 is an extension of ISO 27001; you must have 27001 first before adding 27701.
Series Standards Overview
| Standard | Purpose | Certifiable |
|---|---|---|
| ISO 27000 | Vocabulary definition | ❌ |
| ISO 27001 | ISMS requirements | ✅ |
| ISO 27002 | Control guidance | ❌ |
| ISO 27003 | Implementation guide | ❌ |
| ISO 27004 | Measurement guide | ❌ |
| ISO 27005 | Risk management guide | ❌ |
| ISO 27006 | Certification body requirements | ❌ |
| ISO 27007 | Audit guide | ❌ |
| ISO 27701 | Privacy management | ✅ (extension) |
FAQ: Common Questions
Q1: Which standard do I need to buy?
If certifying: At least buy ISO 27001
Recommended: ISO 27001 + ISO 27002
ISO 27002 isn't mandatory, but very useful during implementation.
Q2: Can ISO 27002 be certified separately?
No.
ISO 27002 is guidance, not a requirements standard; there's no concept of "certification."
Only ISO 27001 can be certified.
Q3: After ISO 27001, do I still need to do ISO 27002?
ISO 27002 isn't something to "do."
It's reference material used during ISO 27001 implementation.
It's not another standard to "complete."
Q4: Is ISO 27005 mandatory?
Not mandatory, but very useful.
ISO 27001 only says to do risk assessment, not how. ISO 27005 provides detailed methodology.
If you don't know how to do risk assessment, reference 27005.
Next Steps
After understanding the differences between ISO 27001 and ISO 27002, you can:
- If certifying: Focus on ISO 27001 requirements
- If implementing: Use ISO 27002 as reference book
- If doing risk assessment: Reference ISO 27005
- If handling personal data: Consider ISO 27701
Further Reading
- For complete standard introduction, see ISO 27001 Complete Guide
- For detailed clause interpretation, see ISO 27001 Clause Guide
- For ISMS implementation, see ISMS Implementation Guide
- For 2022 version updates, see ISO 27001:2022 Update Guide