DataGuard UK Blog

ISO 27001 vs. ISO 27002: What are the key differences? - DataGuard


What is ISO 27001?

ISO 27001 is the international security standard that outlines the specifics and best practices for an organisation's ISMS. Typically, it is a checklist of everything you must complete to gain compliance. It can be adopted and implemented by any type of organisation, corporate or non-profit, governmental or private, of any size. For more information on ISO 27001 compliance, read our essential guide to ISO 27001.

What is ISO 27002?

The ISO 27002 standard is closely related to the ISO 27001 standard. It includes reference rules for information security, cyber security, privacy protection, and implementation assistance based on globally recognised best practices.

In short, it provides guidelines for establishing an ISO 27001-certified ISMS. This standard does not have certification criteria of its own. Instead, your organisation can comply with the ISO 27001 certification by adhering to the 114 controls for information and physical security and cyber and privacy management in ISO 27002. They address specific risks identified in an ISO 27001 risk assessment and provide a list of recommended controls.

While they are part of the same standard, ISO 27001 and ISO 27002 have key differences that you must be aware of.

What are the key differences between ISO 27001 and ISO 27002?

ISO 27001 and 27002 have three main differences regarding certification, guidelines and applicability.

  • Details

    ISO 27001 is less detailed than ISO 27002 about implementation controls and guidelines. Instead, ISO 27001 outlines a general overview of an ISMS's components, with more in-depth guidance provided in other ISO standards. One of these standards is ISO 27002. Examples of other such ISO standards are ISO 27003 for ISMS implementation advice and ISO 27004 for ISMS evaluation, monitoring and measurement.
  • Certification

    You can be certified against the ISO 27001 standard but not against ISO 27002. ISO 27001 is a standard that provides a complete list of compliance criteria, whereas ISO 27002 addresses only one part of an ISMS.
  • Applicability to your organisation

    When establishing an ISMS, it is important to remember that not all information security measures will apply to your organisation. ISO 27001 specifies that organisations must undertake a risk assessment to identify and prioritise potential risks related to their information security. However, ISO 27002 does not specify this. Therefore, it can be challenging to determine which controls you should apply by only referring to the ISO 27002 standard.

Now that you are aware of the differences between each standard, we can take a look at how these differences form a cohesive relationship to ensure that your ISMS is up to standard.

How do ISO 27001 and ISO 27002 relate to each other?

The ISO 27001 standard provides objectives that an organisation needs to achieve to be ISO 27001 certified. To fulfil these objectives, ISO 27002 lays down controls that need to be implemented within the organisation. To understand this concept in detail, here are some ISO 27001 objectives with their relevant ISO 27002 controls:

ISO 27001 objective: To guide and assist in the management of information security in compliance with company needs and applicable laws and regulations.

ISO 27002 controls:

  • Upon management's approval, a written policy on information security has to be published and disclosed to all workers and relevant third parties.
  • To ensure that it remains appropriate, adequate, and effective, this policy is evaluated on a regular basis, or when substantial changes occur.

ISO 27001 objective: To manage information security within the organisation.

ISO 27002 controls:

  • Representatives from all sections of the organisation with appropriate responsibilities and job functions will coordinate information security efforts.
  • There must be clear definitions of information security obligations and a management approval procedure for new information processing facilities.

ISO 27001 objective: To achieve and maintain appropriate protection of organisational assets.

ISO 27002 controls:

  • Each piece of data and asset linked with an information processing facility must be 'owned' by a certain division of the organisation.
  • Identification, documentation, and implementation of rules for the appropriate use of data and assets related to information processing facilities are required.

ISO 27001 objective: To limit the risk of theft, fraud or abuse of facilities by ensuring that employees, contractors and third-party users understand their obligations and are qualified for the jobs they are being considered for.

ISO 27002 controls:

  • All job applicants, contractors and third-party users should have their backgrounds checked in compliance with applicable laws, rules and ethics and in a manner appropriate to the business requirements, information categorization and potential dangers.

When should you use each standard?

All of the standards in the ISO 27000 series have a specific focus: ISO 27001 is designed to build the foundations of information security in your organisation and devise its framework; ISO 27002 is designed to implement controls; ISO 27005 is designed to carry out a risk assessment and risk treatment, etc.

Although ISO 27002 provides the details needed to implement the Annex A controls defined in ISO 27001, used on its own it would remain an isolated effort by a few information security enthusiasts. Without the management framework provided by ISO 27001, and with no support from the organisation's top management, it would have no real impact on the organisation.

Rather than treating ISO 27001 and ISO 27002 as two completely different standards, understanding that both standards are interconnected is a step toward successfully becoming ISO 27001 certified.

ISO 27001 certification can benefit your organisation in a number of ways, from improving customer trust to increasing organisational productivity. Furthermore, aligning with ISO 27001's robust standards positions your organisation favourably for NIS2 compliance, reflecting the evolving demands of cybersecurity in the European landscape.

Ready to get ISO 27001 certified?

If you're ready to get ISO 27001 certified or simply have more questions about the certification process, we are here to guide you through it. We can help you make sure your ISMS is both well-maintained and in a safe, legal space. Get in touch with one of our ISO 27001 experts.