Skip to content

ISO 27001 vs. ISO 27002: Know the Difference

Andrew Robinson |

July 17, 2023
ISO 27001 vs. ISO 27002: Know the Difference

Contents

In today's digital age, information security has become a top priority for organizations around the world. With the increasing number of cyber threats, businesses are looking for effective ways to protect their sensitive data and ensure the confidentiality, integrity, and availability of their information assets.

In this article, we will explore the key differences between ISO 27001 and ISO 27002, two widely recognized standards in the realm of information security management. By understanding their distinctive roles and areas of focus, organizations can make informed decisions about implementing these standards to fortify their information security posture.

What is ISO 27001?

ISO 27001 is an internationally recognized standard that outlines the requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive information within an organization. The 2022 update to the standard extends this focus to explicitly include cyber security and privacy protection.

ISO 27001 focuses on the management system itself, emphasizing the systems and processes necessary to identify, assess, and mitigate information security risks. It is an international standard developed by the International Organization for Standardization (ISO) *and* the International Electrotechnical Commission (IEC). So is correctly referred to as ISO/IEC 27001 in the full form.

ISO 27001 is widely regarded as an industry leading framework and aligns with other standards such as the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and the General Data Protection Regulation (GDPR). In fact, ISO 27001 and the NIST CSF grow closer and closer together with every iteration.

What is ISO 27002?

ISO 27002, formerly known as ISO 17799 (and BS 7799 before that), is a reference set of generic information security controls incorporate implementation guidance. It provides a detailed set of security controls that organizations can implement to address specific risks identified during the risk assessment process. You'll find ISO 27002 provides additional details on each of the controls found in Annex A of ISO 27001.

ISO 27002 serves as a comprehensive guide for selecting and implementing security controls, covering areas such as access control, cryptography, physical security, and incident management. It offers valuable guidance for organizations in various industries, including healthcare (useful for HIPAA compliance), data protection, human resources, and financial services (usually the basis for sector based regulations).

Key Differences Between ISO 27001 and ISO 27002

ISO 27001 and ISO 27002, while closely related, serve different purposes within an organization's information security framework. Let's explore the key differences between these two standards:

Scope

ISO 27001 focuses on the establishment and maintenance of an ISMS, addressing the entire management system and its processes. It provides a holistic approach to information security, covering risk assessment, risk treatment, performance evaluation, and continual improvement.

On the other hand, ISO 27002 focuses on the implementation of specific security controls based on the organization's risk assessment. It provides detailed guidance on how to select, implement, and manage security controls to mitigate identified risks.

Focus

ISO 27001 emphasizes the management of information security risks and the continuous improvement of the ISMS. It focuses on creating a robust framework that ensures the confidentiality, integrity, and availability of information assets. ISO 27001 provides a strategic and risk-based approach to information security management.

In contrast, ISO 27002 primarily focuses on the selection, implementation, and management of security controls. It provides a detailed set of controls that organizations can adopt to address specific security risks. ISO 27002 serves as a practical guide for implementing security measures within the context of the organization's risk profile.

Implementation

ISO 27001 provides a set of requirements that organizations must fulfill to achieve certification. It involves establishing policies, conducting risk assessments, implementing controls, and conducting regular audits. ISO 27001 certification demonstrates that an organization has implemented an effective ISMS and complies with the requirements of the standard.

On the other hand, ISO 27002 is a set of information security controls that can use as a reference for implementing effective countermeasures to risks. It offers guidance on best practices but does not itself provide a certification framework. Organizations can choose to implement ISO 27002 controls as part of their overall information security strategy, leveraging the guidance provided in the standard.

Certification

ISO 27001 certification is achieved through a formal audit process conducted by an accredited certification body. The certification demonstrates that an organization has implemented an effective ISMS and complies with the requirements of the standard. It involves a thorough assessment of the organization's information security management practices, including policies, processes, and controls.

In contrast, ISO 27002 does not have a certification process. It serves as a supporting document for ISO 27001 implementation. Organizations can use ISO 27002 as a reference for implementing security controls in alignment with their risk assessment and business requirements.

The differences between 2013 and 2022 versions in detail

ISO 27001 Annex A and 27002:2022 introduces new control attributes

One notable change in ISO 27002:2022 is the introduction of control attributes. These attributes include control type, information security properties, cybersecurity concepts, operational capabilities, and security domains. The inclusion of control attributes enhances the risk treatment planner or security architect's ability to develop a diverse control environment, avoiding overreliance on specific control types. This emphasis on control attributes facilitates a more comprehensive risk assessment and allows organizations to tailor their security controls to their specific needs and objectives and ensure comprehensive coverage.

New controls introduced in 2022

ISO/IEC 27002:2022 incorporates new controls reflecting key trends and drivers in the industry. These controls address emerging risks and technological advancements. They include areas such as threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and more. By incorporating these new controls, organizations can enhance their security management practices and address the evolving challenges of the digital landscape.

Key drivers behind the new controls

The new controls in ISO/IEC 27002:2022 align with key drivers shaping the industry. Cloud controls respond to the rise of cloud computing, the dominance of global cloud service providers, service vulnerabilities, and concerns related to data sovereignty. Business continuity planning gains renewed importance due to the impact of events such as the COVID-19 pandemic, ransomware attacks, and natural disasters. Mobility controls accommodate the growing trend of remote work and the need to secure mobile devices. Secure code and privacy controls address vulnerabilities and the increasing significance of privacy legislation. Lastly, visibility controls foster collaboration between government and industry to combat emerging threats effectively.

Merged controls in ISO/IEC 27001:2022 Annex A and ISO/IEC 27002:2022

ISO/IEC 27002:2022 streamlines the control set by merging controls from the previous version, reducing duplicative controls and enhancing clarity. Out of the 56 merged controls, 24 condensed controls were created in the new version. This consolidation optimizes the control environment without overwhelming organizations. For example, electronic media security controls were merged to reflect the preference for cloud storage, and logging controls were condensed while maintaining visibility. These changes streamline the implementation process and improve the usability of the standard.

Experts Guide to ISO 27001

Split controls in ISO/IEC 27001:2022 Annex A and ISO/IEC 27002:2022

In ISO/IEC 27002:2022, only one control, Technical Compliance Review, was split into two controls to align with Management of Technical Vulnerabilities and Compliance with Security Policies and Standards. This split reflects the evolving landscape of security management and the need for more focused controls to address specific aspects of compliance and vulnerability management. The integration of these split controls with the merged controls provides organizations with a more comprehensive and tailored approach to information security.

Benefits of Implementing ISO 27001 and ISO 27002

Implementing ISO 27001 and ISO 27002 can bring significant benefits to organizations seeking to fortify their information security posture. Let's explore some of the key benefits of implementing these standards:

Enhanced Security Measures

By implementing ISO 27001 and ISO 27002, organizations can establish robust security measures that protect their information assets from various threats. These standards provide a structured approach to identifying vulnerabilities, assessing risks, and implementing controls, ensuring the confidentiality, integrity, and availability of information.

Regulatory Compliance

ISO 27001 and ISO 27002 assist organizations in meeting regulatory requirements related to information security. Compliance with these standards demonstrates a commitment to safeguarding sensitive information and helps organizations avoid legal and financial consequences associated with data breaches or non-compliance. They align with industry-specific regulations such as GDPR, HIPAA, and PCI DSS.

Risk Management

ISO 27001 and ISO 27002 help organizations effectively manage information security risks. By conducting regular risk assessments and implementing appropriate controls, organizations can mitigate potential threats and minimize the impact of security incidents. These standards provide a structured approach to risk management, enabling organizations to proactively identify and address security vulnerabilities.

Business Continuity

Information security breaches can disrupt business operations and lead to financial losses. ISO 27001 and ISO 27002 promote the development of business continuity plans that ensure organizations can recover quickly from security incidents and continue their operations with minimal disruption. By incorporating business continuity into their information security practices, organizations can enhance their resilience and ensure the availability of critical business functions.

Competitive Advantage

ISO 27001 certification can give organizations a competitive edge by demonstrating their commitment to information security to clients, partners, and stakeholders. It instils confidence in the organization's ability to protect sensitive information and enhances its reputation as a trustworthy and reliable business partner. ISO 27001 certification can be a differentiating factor in competitive markets, attracting clients who prioritize information security.

Risks of Implementing ISO 27001 and ISO 27002

While implementing ISO 27001 and ISO 27002 brings benefits, it also comes with potential risks that organizations need to consider and address during the implementation process. Here are some risks associated with implementing these standards:

Complexity

One of the risks associated with implementing ISO 27001 and ISO 27002 is the complexity of the standards themselves. These standards require a deep understanding of information security concepts, risk assessment methodologies, and security controls. Organizations may need to invest in training and expertise to ensure effective implementation.

Resource Allocation

Implementing ISO 27001 and ISO 27002 requires significant resource allocation, including financial, human, and technological resources. Organizations need to allocate adequate resources to support the implementation process, including conducting risk assessments, implementing controls, and conducting regular audits. Insufficient resource allocation can lead to incomplete or ineffective implementation, compromising the overall security posture of the organization.

Organizational Resistance

Resistance to change within the organization can pose a risk to the successful implementation of ISO 27001 and ISO 27002. Stakeholder buy-in and organizational support are crucial for establishing a robust information security framework. Resistance to change can hinder the implementation progress and affect the organization's ability to achieve the desired security objectives.

Lack of Integration

Another risk is the potential lack of integration of ISO 27001 and ISO 27002 with existing business processes and systems. It is important to integrate these standards into the organization's operations and align them with other management frameworks. Failure to integrate the standards may result in fragmented security measures, gaps in control implementation, or duplication of efforts.

Ongoing Maintenance

ISO 27001 and ISO 27002 require ongoing maintenance to remain effective and relevant. Organizations must regularly review and update their information security practices, conduct internal audits, and address any identified vulnerabilities or gaps. Failure to maintain and continuously improve the implemented controls and management system can lead to outdated security measures and increased exposure to risks.

How ISO 27001 and ISO 27002 Work Together

ISO 27001 and ISO 27002 complement each other in establishing a robust information security management system. While ISO 27001 focuses on the management system and risk assessment, ISO 27002 provides the necessary controls to mitigate identified risks.

By implementing both standards, organizations can ensure a comprehensive approach to information security, covering the management, implementation, and maintenance aspects. ISO 27001 provides the framework for establishing and continuously improving the ISMS, while ISO 27002 offers detailed guidance on implementing specific security controls aligned with the organization's risk assessment.

ISO 27001 and ISO 27002 are essential standards in the field of information security management. Implementing these standards can enhance security measures, ensure regulatory compliance, manage risks, promote business continuity, and provide a competitive advantage. However, organizations should also consider the associated risks and allocate resources effectively to ensure a successful implementation. By adopting these standards and following best practices, organizations can strengthen their information security posture and protect their valuable data assets.

Contact us today to learn more about implementing ISO 27001 and ISO 27002 in your organization, how to safeguard your information assets and stay ahead in the ever-changing cybersecurity landscape with 6clicks.

Get started with 6clicks





Andrew Robinson

Written by Andrew Robinson

Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.