The ISO 27001 certification is a staple in mitigating the risks an organisation may face if consumers' personal data becomes vulnerable to attacks. It combines the objectives of ISO 27001 and the guidelines of ISO 27002, both with separate uses and varying depths of detail.
This article covers the differences between ISO 27001 and 27002, and how to use them to manage a successful ISMS.
Summary of ISO 27001 vs ISO 27002
- ISO 27001 is a recognised standard for an organisation’s ISMS. It outlines how to do everything from scoping their system, designing rules, and educating employees.
- ISO 27002 provides comprehensive knowledge of how to improve your ISMS. It provides the Annex A controls that need to be implemented to become ISO 27001 certified.
In this Article
- What is ISO 27001?
- What is ISO 27002?
- What are the key differences between ISO 27001 vs. ISO 27002?
- How do ISO 27001 and ISO 27002 relate to each other?
- When should you use each standard?
What is ISO 27001?
ISO 27001 is the international security standard that outlines the specifics and best practices for an organisation's ISMS. Typically, it is a checklist of everything you must complete to gain compliance. It can be adopted and implemented by any type of organisation, corporate or non-profit, governmental or private, of any size. For more information on ISO 27001 compliance, read our essential guide to ISO 27001.
What is ISO 27002?
ISO 27002 standard is closely related to the ISO 27001 standard. It includes reference rules for information security, cyber security, privacy protection, and implementation assistance based on globally recognised best practices.
In short, it provides guidelines for establishing an ISO 27001-certified ISMS. This standard does not have certification criteria of its own. Instead, your organization can comply with the ISO 27001 certification by adhering to the 114 controls for information and physical security and cyber and privacy management in ISO 27002. They address specific risks identified in a risk assessment of ISO 27001 and provide a list of recommended controls.
While they are part of the same standard, ISO 27001 and ISO 27002 have key differences that you must be aware of.
What are the key differences between ISO 27001 and ISO 27002?
ISO 27001 and 27002 have three main differences regarding certification, guidelines and applicability.
DetailISO 27001 is not as detailed when compared to ISO 27002 about implementation controls and guidelines. Instead, ISO 27001 outlines a general overview of an ISMS's components, with more in-depth guidance provided in other ISO standards. One of these standards is ISO 27002. Examples of other such ISO standards are ISO 27003 for ISMS implementation advice and ISO 27004 for ISMS evaluation monitoring and measurement.
CertificationYou can be certified for complying with the ISO 27001 standard but not to the ISO 27002. ISO 27001 is a standard that provides a complete list of compliance criteria, whereas ISO 27002 addresses only one part of an ISMS.
Applicability to your organisationWhen establishing an ISMS, it is important to remember that not all information security measures will apply to your organisation. ISO 27001 specifies that organisations must undertake a risk assessment to identify and prioritise potential risks related to their information security. However, ISO 27002 does not specify this. Therefore, it can be challenging to determine which controls you should apply by only referring to the ISO 27002 standard.
Now that you are aware of the differences between each standard, we can take a look at how these differences form a cohesive relationship to ensure that your ISMS is up to standard.
How do ISO 27001 and ISO 27002 relate to each other?
The ISO 27001 standard provides objectives that an organisation needs to achieve to be ISO 27001 certified. To fulfil these objectives, ISO 27002 lays down controls that need to be implemented within the organisation. To understand this concept in detail, here are some ISO 27001 objectives with their relevant ISO 27002 controls:
|ISO 27001 Objective||ISO 27002 Control|
|To guide and assist in the management of information security in compliance with company needs and applicable laws and regulations.||Upon management's approval, a written policy on information security has to be published and disclosed to all workers and relevant third parties.
To ensure that it remains appropriate, adequate, and effective, this policy is evaluated on a regular basis, or when substantial changes occur.
|To manage information security within the organisation.||Representatives from all sections of the organisation with appropriate responsibilities and job functions will coordinate information security efforts.
There must be clear definitions of information security obligations and a management approval procedure for new information processing facilities.
To achieve and maintain appropriate protection of organisational assets.
Each piece of data and asset linked with an information processing facility must be 'owned' by a certain division of the organisation.
Identification, documentation, and implementation of rules for the appropriate use of data and assets related to information processing facilities are required.
|To limit the risk of theft, fraud or abuse of facilities by ensuring that employees, contractors and third-party users understand their obligations and are qualified for the jobs they are being considered for.||All job applicants, contractors and third-party users should have their backgrounds checked in compliance with applicable laws, rules and ethics and in a manner appropriate to the business requirements, information categorization and potential dangers.|
When should you use each standard?
All of the standards in the ISO 27000 series have a specific focus: ISO 27001 is designed to build the foundations of information security in your organisation and devise its framework; ISO 27002 is designed to implement controls; ISO 27005 is designed to carry out a risk assessment and risk treatment, etc.
Although ISO 27002 provides the details needed to implement Annex A controls defined in ISO 27001, it would remain an isolated effort by a few information security enthusiasts. With no support from the organisation's top management, it would have no real impact on the organisation without the management framework provided by ISO 27001.
Rather than treating ISO 27001 and ISO 27002 as two completely different standards, understanding that both standards are interconnected with each other is a step toward successfully being ISO 27001 certified.
ISO 27001 certification can benefit your organisation in a number of ways, from improving customer trust to increasing organisational productivity. Furthermore, aligning with ISO 27001's robust standards positions your organization favourably for NIS2 compliance, reflecting the evolving demands of cybersecurity in the European landscape.
We at DataGuard are here to guide you through the certification process and ensure that your ISMS is both well-maintained and in a safe, legal space. Get in touch with one of our experts today.