Skip to content

What is the difference between ISO 27001 and ISO 27002?


What is ISO/IEC 27001?

ISO/IEC 27001 is an international standard that sets the criteria for implementing, maintaining, and continuously improving an information security management system (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability. ISO/IEC 27001 focuses on establishing a framework of policies, procedures, and controls to manage the security risks faced by an organization. It encompasses various aspects of information security, such as physical security, personnel security, communication security, and IT security. Compliance with ISO/IEC 27001 helps organizations demonstrate their commitment to protecting valuable information assets and mitigating the risk of security breaches. The standard outlines a certification process that involves a comprehensive assessment of an organization's ISMS by an accredited certification body. By achieving ISO/IEC 27001 certification, organizations can enhance their reputation, build trust with stakeholders, and gain a competitive advantage in the market.

What is ISO/IEC 27002?

ISO/IEC 27002 is an international standard that provides guidance and implementation guidance on information security controls. It serves as a supplementary standard to ISO/IEC 27001, which is the foundation for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS).

ISO/IEC 27002 covers 12 main sections that provide comprehensive guidance on various aspects of information security management. These sections include risk assessment, security policy, asset management, HR security, physical security, communication management, incident management, and business continuity management, among others.

The standard outlines various security controls and measures that organizations can implement to mitigate risks and protect their information assets. By adopting ISO/IEC 27002, organizations can ensure that they have a robust framework in place to identify, evaluate, and manage information security risks effectively.

ISO/IEC 27002 is a valuable resource for organizations of all sizes and industries to enhance their information security practices. It provides detailed guidance on the implementation of security controls and helps organizations align their security objectives with internationally recognized best practices.

Key differences between ISO/IEC 27001 and ISO/IEC 27002

ISO/IEC 27001 and ISO/IEC 27002 are two internationally recognized standards that are closely related to each other. While ISO/IEC 27001 provides requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), ISO/IEC 27002 offers guidance on the selection, implementation, and management of specific security controls.

ISO/IEC 27001 focuses on the overall management framework for information security, providing organizations with a framework to establish and maintain an ISMS effectively. It requires organizations to conduct risk assessments, implement appropriate security controls, and continuously monitor and improve their information security practices. The standard also includes a certification process, where organizations can undergo audits by accredited certification bodies to demonstrate their compliance with the standard.

On the other hand, ISO/IEC 27002 provides detailed implementation guidance for specific security controls. It offers a comprehensive list of security controls that organizations can select and implement based on their specific information security needs. ISO/IEC 27002 covers a wide range of security areas, such as access control, cryptography, physical security, human resource security, and incident management.

Scope & objectives

ISO/IEC 27001 and ISO/IEC 27002 have distinct scopes and objectives in the field of information security management.

The scope of ISO/IEC 27001 is to establish, implement, maintain, and continually improve an Information Security Management System (ISMS) within an organization. Its main objective is to provide organizations with a systematic approach to managing information security risks and protecting sensitive information. This standard aims to ensure the confidentiality, integrity, and availability of information by identifying and addressing security risks through risk assessments, implementing appropriate security controls, and establishing a culture of continuous improvement.

On the other hand, ISO/IEC 27002 focuses on providing detailed implementation guidance for specific security controls. Its objective is to assist organizations in selecting, implementing, and managing security controls that are relevant to their information security needs. ISO/IEC 27002 offers a comprehensive list of security control objectives and measures in various areas such as access control, cryptography, physical security, and incident management.

By adhering to ISO/IEC 27001, organizations can establish an effective ISMS framework to manage information security risks, while ISO/IEC 27002 provides practical guidance on implementing specific security controls aligned with the identified risks. These standards complement each other, with ISO/IEC 27001 setting the overall framework and ISO/IEC 27002 offering implementation guidance for organizations seeking to enhance their information security management practices.

Approach to risk management

Approach to Risk Management in ISO/IEC 27001 and ISO/IEC 27002

Both ISO/IEC 27001 and ISO/IEC 27002 are international standards that focus on information security management systems (ISMS). However, they differ in their approach to risk management.

ISO/IEC 27001 takes a systematic and holistic approach to risk management. It requires organizations to conduct a comprehensive risk assessment to identify and evaluate information security risks. This assessment helps organizations understand the potential impacts of these risks and determine the appropriate controls to mitigate them. ISO/IEC 27001 emphasizes the importance of understanding the organization's context, risk assessment, and risk treatment processes to ensure the effectiveness of the ISMS.

On the other hand, ISO/IEC 27002 focuses on providing detailed implementation guidance for specific security controls. While ISO/IEC 27001 identifies the need for risk assessment, ISO/IEC 27002 does not make distinctions based on risk. Instead, it offers a comprehensive list of security control objectives and measures that organizations can implement to address their information security needs. ISO/IEC 27002 provides organizations with a framework of best practices and specific control recommendations, regardless of the level of risk.

Control implementation & maintenance

Control implementation and maintenance are crucial aspects of both ISO/IEC 27001 and ISO/IEC 27002 in maintaining effective information security management systems (ISMS).

ISO/IEC 27001 provides the overall framework for implementing and maintaining controls. It emphasizes the importance of conducting a comprehensive risk assessment to identify and evaluate information security risks. Based on this assessment, organizations can then determine the appropriate controls to mitigate these risks. Control implementation involves identifying security objectives, selecting control measures, and establishing control procedures. Organizations need to ensure that these controls are properly implemented and integrated into their processes and operations.

ISO/IEC 27002 complements ISO/IEC 27001 by offering detailed implementation guidance for specific security controls. It provides organizations with a comprehensive list of control objectives and measures that can be implemented to address their information security needs. Control maintenance involves regularly reviewing and updating controls to ensure their ongoing effectiveness. Organizations need to monitor and assess the performance of controls, conduct internal audits, and take corrective actions when necessary.

In the ISO 27001:2022 Annex A, there are 11 new controls introduced, including the areas of threat intelligence, information security for the use of cloud services, and physical security monitoring. To ensure compliance with these new controls, organizations need to establish proper processes. This involves conducting a gap analysis to identify any existing gaps in their current control implementation, and then developing and implementing the necessary measures to address these gaps. Organizations also need to consider risk treatment plans and integrate the new controls into their overall ISMS framework.

Documentation requirements

Documentation requirements play an essential role in achieving compliance with ISO/IEC 27001 and ISO/IEC 27002 standards. Both standards emphasize the need for well-documented policies, procedures, and program-specific guidance to establish and maintain effective information security management systems (ISMS).

ISO/IEC 27001 requires organizations to develop a set of documented policies that outline their information security objectives, scope, and commitment towards security management. These policies serve as a foundation for the organization's overall security approach and provide a framework for implementing and maintaining controls. Additionally, ISO/IEC 27001 mandates the creation of supporting documents, such as risk assessment reports, risk treatment plans, and records of management decisions, to demonstrate the implementation of controls.

ISO/IEC 27002 complements ISO/IEC 27001 by providing guidance for specific security controls. While it does not have specific documentation requirements, it does recommend the development of documentation such as security standards, procedures, and guidelines to ensure the consistent implementation and maintenance of controls. These documents should address control objectives, responsibilities, and procedures for managing security risks.

In comparison, the NIST Cybersecurity Framework (CSF) and NIST 800-53 have their own documentation requirements. The NIST CSF focuses on providing a flexible approach to cybersecurity risk management and does not mandate specific documentation. However, it encourages organizations to document their risk management processes, progress, and outcomes to support effective communication and decision-making.

On the other hand, NIST 800-53 provides a catalog of security and privacy controls. It requires organizations to develop system-specific and common control documentation, including policies, standards, procedures, guidelines, and baselines. These documents help organizations implement, assess, and monitor controls effectively.

Certification processes

The certification process for ISO/IEC 27001 involves several steps. First, an organization must develop an Information Security Management System (ISMS) that complies with the requirements of the standard. This includes establishing policies, procedures, and controls to manage and protect information assets.

Once the ISMS is in place, the organization can undergo an external audit conducted by an ISO 27001-accredited certification body. This audit assesses the organization's compliance with the standard and verifies the effectiveness of its ISMS. The certification body thoroughly examines the organization's documentation, processes, and controls, and conducts interviews with key personnel to ensure that the ISMS is being implemented and maintained correctly.

The certification body will issue a certification if the organization meets all the necessary requirements. This certification is valid for a specific period, typically three years, but requires regular surveillance audits to ensure continued compliance. These audits are conducted annually or as defined by the certification body.

On the other hand, ISO/IEC 27002 is not a certification standard but a supplementary standard that provides guidance for implementing specific security controls. It is often used alongside ISO/IEC 27001 to provide additional implementation guidance. While ISO/IEC 27002 does not have a specific certification process, organizations can still use it as a reference to strengthen their security measures and align with international best practices.

It is important to note that ISO 27001 certification is a comprehensive certification that covers the complete range of compliance requirements, while ISO 27002 is a supplementary standard that provides guidance on specific security controls.

Annex A of ISO/IEC 27001 & supplementary standards for ISMS management

Annex A of ISO/IEC 27001 is an essential component of the standard that provides a comprehensive set of security controls. It outlines 114 controls across 14 different domains, including information security policies, asset management, human resource security, physical and environmental security, communication and operations management, and more. These controls serve as a reference for organizations to establish, implement, maintain, and continually improve their information security management systems (ISMS). While ISO/IEC 27001 sets the framework for ISMS implementation, Annex A provides the specific controls that organizations can adopt and customize according to their specific security risk environments and requirements.

In addition to Annex A, there are supplementary standards available to assist organizations in managing their ISMS effectively. These standards, such as ISO/IEC 27002, offer additional implementation guidance and best practices for specific security controls and techniques. While they do not have a certification process themselves, organizations can utilize these supplementary standards to enhance their security measures and align with international security standards. By incorporating supplementary standards alongside ISO/IEC 27001, organizations can benefit from a more robust and comprehensive approach to managing their information security risks. These standards act as valuable resources for security enthusiasts, providing actionable risk assessment and assessment for controls that address potential risks effectively.

Annex A - security controls overview

Annex A of ISO/IEC 27001, the international standard for information security management, provides a comprehensive list of security controls that organizations can implement to protect sensitive information. These controls cover various aspects of information security management and serve as a framework for establishing and maintaining an effective Information Security Management System (ISMS).

The key security controls provided in Annex A include:

  1. Security Policy: An organization-wide policy that defines management's commitment to information security.
  2. Organization of Information Security: Ensures clearly defined roles, responsibilities, and authorities for information security within the organization.
  3. Asset Management: Identifies and manages information assets, including their classification, ownership, and handling requirements.
  4. Human Resource Security: Ensures that employees, contractors, and third parties understand their information security responsibilities and are properly screened and trained.
  5. Access Control: Controls access to information systems and ensures authorized users can access the necessary resources while preventing unauthorized access.
  6. Cryptography: Protects information through encryption and ensures the confidentiality, integrity, and authenticity of sensitive data.
  7. Physical and Environmental Security: Protects information and information systems from physical threats, such as theft, fire, and natural disasters.
  8. Operations Security: Ensures the secure operation and maintenance of information systems and the prevention of breaches or disruptions.
  9. Communications Security: Safeguards the confidentiality, integrity, and availability of information during its transmission.
  10. Supplier Relationships: Establishes security requirements for third-party suppliers and ensures the secure exchange of information.

By implementing these security controls, organizations can establish an ISMS that addresses security risks and protects sensitive information. The controls provide a structured approach to risk assessment, risk treatment, and the implementation of security measures. They also help organizations comply with legal, contractual, and regulatory requirements related to information security.

Supplementary standards for ISMS management

In addition to ISO 27001 and ISO 27002, there are several supplementary standards that can assist organizations in managing their Information Security Management Systems (ISMS). These standards provide further guidance and additional implementation guidance to support the implementation and maintenance of an effective ISMS.

One of these supplementary standards is ISO 27003:2017, which provides detailed guidance on how to implement an ISMS based on the requirements of ISO 27001. It covers the planning, establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS.

Another important supplementary standard is ISO 27004:2016, which focuses on the measurement of the effectiveness of the ISMS and provides guidance on how to establish and maintain a measurement framework. It helps organizations assess the performance and effectiveness of their implemented security controls and identify areas for improvement.

ISO 27005:2018 is a risk management standard that provides guidance on how to systematically identify, assess, and manage information security risks. It helps organizations establish a risk management framework that is aligned with ISO 27001 and assists in the selection and implementation of appropriate risk treatment measures.

These supplementary standards, along with ISO 27001 and ISO 27002, form a comprehensive set of international standards for managing information security risks and establishing an effective ISMS. By following these standards, organizations can ensure the confidentiality, integrity, and availability of their information assets and protect themselves from potential security threats.

International standards For security management systems (ISMS)

International standards for security management systems (ISMS) play a crucial role in helping organizations establish effective frameworks for managing information security risks. These standards provide guidance on various aspects of security management, from planning and implementation to measurement and risk assessment. Two key standards in this space are ISO 27001 and ISO 27002. While ISO 27001 sets out the requirements for establishing, implementing, maintaining, and continually improving an ISMS, ISO 27002 provides additional guidance on the implementation of specific security controls. By adhering to these internationally recognized standards, organizations can enhance their security posture, protect sensitive information, and mitigate potential risks. Additionally, supplementary standards such as ISO 27003, ISO 27004, and ISO 27005 provide further guidance and frameworks for implementing and measuring the effectiveness of an ISMS. Let's explore the key differences between ISO 27001 and ISO 27002 in more detail.

Overview of the ISO/IEC 27000 series of standards

The ISO/IEC 27000 series of standards is a set of international standards that provide guidance for the implementation and management of information security within an organization. This series includes several standards, with two of the most well-known and widely used being ISO/IEC 27001 and ISO/IEC 27002.

ISO/IEC 27001 is the standard that specifies the requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS) within the context of an organization. It provides a systematic approach for managing sensitive company information, ensuring its confidentiality, integrity, and availability, as well as managing the associated risks.

On the other hand, ISO/IEC 27002 provides implementation guidance and best practices for the controls that can be implemented to address specific information security risks identified in ISO/IEC 27001. It offers a comprehensive set of security controls, covering areas such as risk assessment, access control, physical and environmental security, incident management, and business continuity.

Implementation guidance in the ISO/IEC 27000 series of standards

The ISO/IEC 27000 series of standards provides organizations with valuable implementation guidance for achieving compliance with information security management. These standards offer a comprehensive framework for effectively managing and securing sensitive company information.

The implementation guidance in the ISO/IEC 27000 series helps organizations understand and navigate the complexities of information security management. It provides actionable recommendations and best practices for implementing security controls to address specific information security risks. This guidance ensures that organizations have a clear roadmap for protecting their information assets.

Compliance with the ISO/IEC 27000 series is crucial in today's digital landscape, where the risks of cyber threats and data breaches are ever-present. These standards help organizations establish a robust and effective framework to manage their information security risks. By following the implementation guidance, organizations can systematically assess their security risks, develop appropriate security controls, and monitor their effectiveness.

The management framework provided by ISO/IEC 27001 plays a vital role in the effective implementation of these standards. It outlines the requirements for establishing an Information Security Management System (ISMS) and provides a systematic approach to managing information security risks. By implementing this framework, organizations can ensure that their information assets are protected, and their compliance with international standards is achieved.

Privacy protection, cybersecurity & physical security considerations in an ISMS

Privacy protection, cybersecurity, and physical security are essential considerations in an Information Security Management System (ISMS). ISO 27001 provides a comprehensive framework for integrating these elements to achieve effective protection.

ISO 27001 emphasizes the importance of privacy protection by requiring organizations to establish policies and procedures that ensure the confidentiality, integrity, and availability of private customer information. This includes implementing secure processes for handling personal data, ensuring the appropriate use of encryption and access controls, and conducting regular reviews to identify and address privacy risks.

In terms of cybersecurity, ISO 27001 guides organizations in establishing a strong security management system to protect against cyber threats. It encourages the implementation of security controls such as network security measures, incident response plans, and regular vulnerability assessments. By incorporating cybersecurity best practices, organizations can proactively mitigate risks and prevent data breaches.

Additionally, ISO 27001 addresses physical security considerations by requiring organizations to assess and implement measures to safeguard their physical assets and resources. This includes implementing access controls, security monitoring systems, and contingency plans to protect against unauthorized access, theft, and physical damage.

To achieve ISO 27001 certification, organizations need to implement the controls outlined in Annex A of ISO 27002. Annex A provides a comprehensive list of security controls that cover various areas, including information security policies, asset management, access control, cryptography, and incident management. Implementing these controls is crucial for meeting the requirements of ISO 27001 and ensuring the establishment of a robust and effective ISMS.

General thought leadership and news

6clicks receives ISO 42001 certification for its AI Management System

6clicks receives ISO 42001 certification for its AI Management System

Melbourne, Australia – 18 November 2024. 6clicks, pioneer of the first AI-powered GRC (Governance, Risk, and Compliance) software, is proud to...

Hailey’s newest updates: Risk & issue generation + compliance mapping

Hailey’s newest updates: Risk & issue generation + compliance mapping

At 6clicks, we’re continually evolving our AI capabilities to make the process of risk management and compliance faster, smarter, and more intuitive....

Understanding the NIST RMF: Breaking down the 7 key steps

Understanding the NIST RMF: Breaking down the 7 key steps

The NIST Risk Management Framework (NIST RMF) is a flexible framework that can be tailored to your specific organizational profile and regulatory...

Past, present, and future themes in cybersecurity: Are you keeping up?

Past, present, and future themes in cybersecurity: Are you keeping up?

In the ever-evolving landscape of cybersecurity, understanding where we've been, where we are, and where we're going is essential. By examining the...

Why 6clicks is outpacing legacy GRC platforms like Archer, ServiceNow and Diligent

Why 6clicks is outpacing legacy GRC platforms like Archer and more

For years, Archer, ServiceNow, and Diligent were the go-to names in GRC software. Archer’s rich functionality made it a leader, while ServiceNow’s IT...

ServiceNow GRC pricing: Is it worth it in 2025?

ServiceNow GRC pricing: Is it worth it in 2025?

Concerned about ServiceNow GRC’s pricing plans and total cost of ownership? You’re not alone. With a custom pricing structure, determining the...