ISO 27001 vs ISO 27002 — What’s the Difference?
How it fits with 27001
ISO 27002 is an incredibly useful document that takes each control in Annex A of ISO 27001, and offers advice and guidance on how you can implement the control.
Read on to get a better understanding of how it works.

If ISO 27001 is the what of information security management, then ISO 27002 is the how.
27001 sets the requirements for an Information Security Management System (ISMS), while 27002 provides a reference set of security controls with practical implementation guidance to treat the risks you identify in that ISMS. It’s designed to be used in the context of an ISO 27001‑based ISMS and to help you choose and implement commonly accepted controls.
What ISO 27002 actually is
ISO 27002 is effectively a catalogue of the 93 controls from Annex A of 27001, each described with:
- a clear control statement (what it is),
- the purpose (why you’re doing it), and
- guidance (how to implement it).
Each control also comes with attributes you can use to plan and communicate your programme—for example, whether a control is preventive/detective/corrective, which CIA property it supports, and how it maps to the Identify/Protect/Detect/Respond/Recover cybersecurity functions.
In short: ISO 27002 is your implementation playbook; ISO 27001 is the rulebook it serves.
It’s a very handy (if slightly expensive) addition to ISO 27001. I’d recommend it, as it removes much of the guesswork when you are looking at controls and thinking, “What do they mean by this, and what does an auditor want to see?”
How ISO 27002 relates to ISO 27001
- Risk‑based fit
ISO 27001 asks you to assess risks and choose appropriate treatment. ISO 27002 is the curated library you draw from when selecting and tailoring controls to address those risks.
- From Annex A to detail
ISO 27001 includes a reference list of controls in Annex A. ISO 27002 takes those topics and expands them with purpose and detailed guidance so teams know what “good” looks like in practice.
- Certification vs guidance
You certify against ISO 27001 (via an accredited audit). ISO 27002 itself is not a certifiable standard; it is a guidance document to help you implement controls effectively.
ISO 27001 vs ISO 27002 — The Key Differences
| Area | ISO 27001 | ISO 27002 |
|---|---|---|
| What it is | A certifiable management standard | A guidance document |
| Purpose | Sets requirements for your ISMS | Explains how to implement Annex A controls |
| Certification | Yes — you can be certified against it | No — you cannot be certified against it |
| Mandatory? | Yes, if you want ISO 27001 certification | No — optional reference |
| Cost | Available from ISO (~£138) | Available from ISO (~£138) |
| Who needs it | Any organisation pursuing ISO 27001 | Anyone implementing Annex A controls |
Example Control
As an example, ISO 27001 Annex A control 5.23 covers the use of cloud services.
If you look that control up in ISO 27002, it gives you guidance on:
- Different actions you can take
- Relationships to other controls
- Examples of roles & responsibilities
- Examples of things to look for in cloud service contracts
You do not have to do all of these things, but they illustrate what ‘good looks like’.
An auditor will use this as the high-level benchmark and then evaluate your response based on your risk evaluation and what is right for your business.
Frequently asked questions
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is a certifiable management standard — it sets out the requirements your organisation must meet to build and operate an Information Security Management System (ISMS). ISO 27002 is a guidance document — it takes each of the 93 controls in Annex A of ISO 27001 and explains in detail how to implement them. The simplest way to think about it: ISO 27001 tells you what you must do, ISO 27002 tells you how to do it.
Do I need ISO 27002 to get ISO 27001 certified?
No — ISO 27002 is not required for certification. Your auditor will assess your ISMS against ISO 27001, not ISO 27002. That said, ISO 27002 is genuinely useful during implementation. When you’re working through your Annex A controls and wondering what a specific control actually means in practice, ISO 27002 removes much of the guesswork. Most experienced implementers treat it as a valuable reference, not a mandatory document.
Can I be certified against ISO 27002?
No. ISO 27002 is a guidance standard, not a requirements standard. There is no certification scheme for ISO 27002 — you cannot be audited against it or receive a certificate for it. Certification is only available against ISO 27001. If a client or contract asks for ISO 27001 certification, ISO 27002 alone will not satisfy that requirement.
Is ISO 27002 mandatory for ISO 27001?
It is not mandatory. ISO 27001 references Annex A controls and requires you to address them in your Statement of Applicability, but it does not require you to purchase or follow ISO 27002. Many organisations implement ISO 27001 successfully without it. Where ISO 27002 adds real value is in bridging the gap between “this control applies to us” and “this is how we’ve implemented it” — which is exactly what auditors want to see.
Which should I read first — ISO 27001 or ISO 27002?
Start with ISO 27001. It defines the structure, requirements and scope of what you’re building. Once you have a working understanding of the clauses and the Annex A control framework, ISO 27002 becomes much more useful — you can look up specific controls in context rather than reading it cold. If budget is a constraint, ISO 27001 is the essential purchase; ISO 27002 is the worthwhile addition once you’re into implementation.
Bottom line
- ISO 27001 gives you the management system and obligations to run security as a business process.
- ISO 27002 gives your teams the concrete, modern, risk‑based controls—and the “how‑to”—to make that system real.
Use them together: assess risk (27001), select and implement appropriate controls (27002), monitor and improve (27001), and keep refining the controls using the 27002 guidance as technology and threats evolve.