ISO 27001 vs. ISO 27002 - How are they different

If your organisation collects consumer data and has Information Security Management Systems (ISMS) in place, you have probably come across ISO 27001 or ISO 27002.

The ISO 27001 certification is a staple in mitigating the risks an organisation may face if consumers' personal data becomes vulnerable to attacks. It combines the objectives of ISO 27001 with the guidelines of ISO 27002; the two standards have separate uses and differ in their depth of detail.

Discover the differences between ISO 27001 and 27002, and how to use them to manage an ISMS.


What is ISO 27001?

ISO 27001 is the international security standard that outlines the specifics and best practices for an organisation's ISMS. Typically, it is a checklist of everything you must complete to gain compliance. It can be adopted and implemented by any type of organisation, corporate or non-profit, governmental or private, of any size. For more information on ISO 27001 compliance, read our essential guide to ISO 27001.

What is ISO 27002?

The ISO 27002 standard is closely related to the ISO 27001 standard. It includes reference rules for information security, cyber security, privacy protection, and implementation assistance based on globally recognised best practices.

In short, it provides guidelines for establishing an ISO 27001-certified ISMS. This standard does not have certification criteria of its own. Instead, your organisation can meet the requirements of ISO 27001 certification by adhering to the 114 controls for information and physical security and cyber and privacy management in ISO 27002. These controls address the specific risks identified in the risk assessment required by ISO 27001 and provide a list of recommended measures.

While they are part of the same standard, ISO 27001 and ISO 27002 have key differences that you must be aware of.

What are the key differences between ISO 27001 and ISO 27002?

ISO 27001 and 27002 have three main differences regarding certification, guidelines and applicability.

  • Details

    ISO 27001 is not as detailed as ISO 27002 when it comes to implementation controls and guidelines. Instead, ISO 27001 outlines a general overview of an ISMS's components, with more in-depth guidance provided in other ISO standards. One of these standards is ISO 27002. Examples of other such ISO standards are ISO 27003 for ISMS implementation advice and ISO 27004 for ISMS evaluation, monitoring and measurement.
  • Certification

    You can be certified for complying with the ISO 27001 standard but not to the ISO 27002. ISO 27001 is a standard that provides a complete list of compliance criteria, whereas ISO 27002 addresses only one part of an ISMS.
  • Applicability to your organisation

    When establishing an ISMS, it is important to remember that not all information security measures will apply to your organisation. ISO 27001 specifies that organisations must undertake a risk assessment to identify and prioritise potential risks related to their information security. However, ISO 27002 does not specify this. Therefore, it can be challenging to determine which controls you should apply by only referring to the ISO 27002 standard.

Now that you are aware of the differences between each standard, we can take a look at how these differences form a cohesive relationship to ensure that your ISMS is up to standard.

How do ISO 27001 and ISO 27002 relate to each other?

The ISO 27001 standard provides objectives that an organisation needs to achieve to be ISO 27001 certified. To fulfil these objectives, ISO 27002 lays down controls that need to be implemented within the organisation. To understand this concept in detail, here are some ISO 27001 objectives with their relevant ISO 27002 controls:

  • ISO 27001 objective: To guide and assist in the management of information security in compliance with company needs and applicable laws and regulations.

    ISO 27002 control: Upon management's approval, a written policy on information security has to be published and disclosed to all workers and relevant third parties.

    ISO 27002 control: To ensure that it remains appropriate, adequate, and effective, this policy is evaluated on a regular basis, or when substantial changes occur.

  • ISO 27001 objective: To manage information security within the organisation.

    ISO 27002 control: Representatives from all sections of the organisation with appropriate responsibilities and job functions will coordinate information security efforts.

    ISO 27002 control: There must be clear definitions of information security obligations and a management approval procedure for new information processing facilities.

  • ISO 27001 objective: To achieve and maintain appropriate protection of organisational assets.

    ISO 27002 control: Each piece of data and asset linked with an information processing facility must be 'owned' by a certain division of the organisation.

    ISO 27002 control: Identification, documentation, and implementation of rules for the appropriate use of data and assets related to information processing facilities are required.

  • ISO 27001 objective: To limit the risk of theft, fraud or abuse of facilities by ensuring that employees, contractors and third-party users understand their obligations and are qualified for the jobs they are being considered for.

    ISO 27002 control: All job applicants, contractors and third-party users should have their backgrounds checked in compliance with applicable laws, rules and ethics and in a manner appropriate to the business requirements, information categorisation and potential dangers.

When should you use each standard?

All of the standards in the ISO 27000 series have a specific focus: ISO 27001 is designed to build the foundations of information security in your organisation and devise its framework; ISO 27002 is designed to implement controls; ISO 27005 is designed to carry out a risk assessment and risk treatment, etc.

Although ISO 27002 provides the details needed to implement the Annex A controls defined in ISO 27001, on its own it would remain an isolated effort by a few information security enthusiasts. Without the management framework provided by ISO 27001, and the top-management support that framework requires, it would have no real impact on the organisation.

Rather than treating ISO 27001 and ISO 27002 as two completely different standards, understanding that both standards are interconnected with each other is a step toward successfully being ISO 27001 certified.

ISO 27001 certification can benefit your organisation in a number of ways, from improving customer trust to increasing organisational productivity. Furthermore, aligning with ISO 27001's robust standards positions your organisation favourably for NIS2 compliance, reflecting the evolving demands of cybersecurity in the European landscape.

Ready to get ISO 27001 certified?

If you're ready to get ISO 27001 certified or simply have more questions about the certification process, we are here to guide you through it. We can help you make sure your ISMS is both well-maintained and in a safe, legal space. Get in touch with one of our ISO 27001 experts.


About the author

DataGuard Information Security Experts

Tips and best practices on successfully getting certifications like ISO 27001 or TISAX®, the importance of robust security programmes, efficient risk mitigation... you name it! Our certified (Chief) Information Security Officers and InfoSec Consultants from Germany, the UK, and Austria use their year-long experience to set you up for long-term success. How? By giving you the tools and knowledge to protect your company, its information assets and people from common risks such as cyber-attacks. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional Europe (IAPP), ITIL® 4 Foundation Certificate for IT Service Management, ISO 27001 Lead Implementer/Lead Auditor/Master, Certificate in Information Security Management Principles (CISMP), Certified TickIT+ Lead Auditor, Certified ISO 9001 Lead Auditor, Cyber Essentials
