ISO 27001 and 27002 Compared

Introduction


ISO 27001 and ISO 27002 are critical standards in information security management, offering frameworks that help organisations safeguard their data assets effectively. While both standards are part of the broader ISO 27000 family, they serve distinct but complementary roles.


ISO 27001:2022 outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. This standard is widely recognised as the foundation for managing information security risks and is the basis for certification.


Organisations seeking to demonstrate their commitment to information security typically achieve ISO 27001 certification, which provides confidence to stakeholders that information security risks are being managed effectively. Additionally, integrating business continuity management within the ISMS ensures that organisations maintain their information security continuity, addressing risks comprehensively.



On the other hand, ISO 27002:2022 provides guidelines and best practices for implementing security controls. It is designed to assist organisations in selecting and implementing the appropriate measures to manage risks identified through the ISO 27001 framework.


While ISO 27002 does not set out requirements for certification, it acts as a comprehensive reference for implementing the controls needed to comply with ISO 27001. Implementing security controls as outlined in ISO 27001 and ISO 27002 is crucial for ensuring compliance and protecting sensitive data against various threats.


Both standards have been updated in 2022 to align with modern information security challenges, offering enhanced guidance and a more streamlined approach to managing risks.


Purpose and Scope


ISO 27001:2022 and ISO 27002:2022 serve distinct yet interconnected purposes within the information security management framework.


ISO 27001:2022 - Information Security Management System


ISO 27001 is primarily concerned with establishing information security management systems (ISMS) within the context of the ISO 27000 family of standards. It provides a systematic approach to managing sensitive company information, ensuring it remains secure.


The scope of ISO 27001 includes setting out the requirements for implementing, maintaining, and continually improving an ISMS, ensuring that organisations can effectively manage and mitigate risks related to information security.


The standard applies to all types and sizes of organisations, from small businesses to large enterprises and across all sectors. Its main purpose is to protect the confidentiality, integrity, and availability of information by applying a risk management process and giving confidence to stakeholders that risks are adequately controlled.


ISO 27002:2022


ISO/IEC 27002, on the other hand, is a complementary standard that offers guidelines and best practices for implementing information security controls. While it is not a certification standard like ISO 27001, it is crucial in helping organisations select the appropriate controls needed to address the risks identified under ISO 27001.


The scope of ISO/IEC 27002 extends beyond the requirements of ISO 27001, providing detailed guidance on a broad range of controls that can be adapted to different organisations’ specific needs and contexts. This makes ISO/IEC 27002 an invaluable resource for tailoring an ISMS to fit an organisation’s unique characteristics.


How They Complement Each Other


ISO 27001 and ISO 27002 are designed to work hand-in-hand. ISO 27001 defines the framework and requirements for an ISMS, while ISO 27002 provides the tools and guidelines necessary to implement the controls within that framework.


By following ISO 27001, an organisation can systematically assess its information security risks and apply the relevant controls outlined in ISO 27002 to manage those risks effectively.


This complementary relationship between the two standards ensures that organisations not only comply with the requirements of ISO 27001 but also implement them in a manner that is both effective and tailored to their specific needs. This dual approach enhances the overall robustness of an organisation's information security posture.





Structure and Content


While interconnected, ISO 27001:2022 and ISO 27002:2022 are structured differently to serve their distinct purposes. Understanding their structure and content is essential for effective implementation within an organisation.


ISO 27001:2022 - High-Level Structure

ISO 27001:2022 follows the harmonised structure outlined in Annex SL, a common framework used across all ISO management system standards. This structure ensures consistency and compatibility between various management systems, making it easier for organisations to integrate ISO 27001 with standards like ISO 9001 (Quality Management) or ISO 14001 (Environmental Management).


The high-level structure of ISO 27001:2022 includes the following key clauses:


  1. Context of the Organisation - This section focuses on understanding the organisation's internal and external context, including identifying relevant stakeholders and defining the scope of the ISMS.

  2. Leadership - Emphasises the role of top management in demonstrating leadership and commitment to the ISMS, including establishing an information security policy.

  3. Planning - Involves addressing risks and opportunities, setting information security objectives, and planning changes to the ISMS.

  4. Support - Covers resources, competence, awareness, communication, and documented information necessary to support the ISMS.

  5. Operation - Focuses on implementing risk assessment and treatment plans and controlling processes to ensure the ISMS meets its objectives.

  6. Performance Evaluation - Involves monitoring, measuring, analysing, and evaluating the performance of the ISMS, including internal audits and management reviews.

  7. Improvement - Addresses nonconformities and corrective actions, as well as the continual improvement of the ISMS.


ISO 27002:2022 - Detailed Guidelines


ISO 27002:2022 is structured as a comprehensive guide that expands on the controls listed in Annex A of ISO 27001, describing the security techniques and implementation guidance for each control. It emphasises safeguarding personal and proprietary information as integral to developing and enhancing information security management systems.


ISO 27002:2022 is divided into four main sections, each detailing a set of controls with specific objectives and implementation guidance:


  1. Organisational Controls - These controls focus on the organisation’s policies, procedures, and governance, covering aspects like information security policies, roles and responsibilities, and human resource security.

  2. People Controls - This section addresses the security measures related to individuals within the organisation, such as training, awareness, and disciplinary processes.

  3. Physical Controls - Focuses on securing the physical environment, including controls related to secure areas, equipment security, and environmental threats.

  4. Technological Controls - Covers the security of information systems, including access controls, cryptography, and network security.


Annex SL: Harmonised Structure in ISO 27001


Adopting the Annex SL structure in ISO 27001:2022 allows for easier integration with other ISO management standards. This harmonised structure streamlines the implementation process and reduces the complexity of maintaining multiple management systems. It ensures that the ISMS is aligned with the organisation's broader management objectives and strategies.


Comparison of Information Security Controls


While ISO 27001 outlines the requirements and includes a reference list of controls in Annex A, ISO 27002 delves into the specifics of each control. For instance, if ISO 27001 mentions the need for access control, ISO 27002 will provide detailed guidance on implementing and managing access controls, including best practices, potential risks, and mitigation strategies.


This level of detail in ISO 27002 makes it an indispensable tool for organisations looking to customise their ISMS to fit their specific risk profile and operational needs.


Implementation and Use Cases


The implementation of ISO 27001 and ISO 27002 varies depending on the specific needs and context of the organisation. Each standard plays a unique role in building a comprehensive information security framework, and understanding when and how to use each is critical to achieving the desired security outcomes.


When to Use ISO 27001 vs. ISO 27002


When to use ISO 27001


ISO 27001 is primarily used when an organisation aims to establish, certify, and maintain an Information Security Management System (ISMS). It sets out the requirements an organisation must meet to ensure that information security risks are adequately managed.


Organisations typically use ISO 27001 when they want to:


  • Achieve certification to demonstrate their commitment to information security to stakeholders.

  • Systematically manage sensitive information so that it remains secure.

  • Identify risks and implement appropriate controls to address them.

  • Continuously improve their ISMS through regular audits and reviews.


When to use ISO 27002


ISO 27002, on the other hand, is a practical guide for implementing the controls necessary to meet the requirements set out in ISO 27001.


Organisations use it to:


  • Select and implement information security controls that are appropriate to their specific needs.

  • Align their information security practices with industry best practices.

  • Develop detailed policies and procedures that support the ISMS established under ISO 27001.

  • Provide staff with clear guidance on managing information security within their specific roles.


Practical Examples of Implementation in Organisations


Organisations of various sizes and industries implement ISO 27001 and ISO 27002 to effectively manage their information security risks. Here are a few examples:


Small and Medium-Sized Enterprises (SMEs)

SMEs may implement ISO 27001 to gain a competitive edge by demonstrating their commitment to information security. They use ISO 27002 to tailor controls to their specific risks, such as securing customer data or protecting intellectual property.


Financial Institutions

Banks and financial services firms often implement ISO 27001 to comply with regulatory requirements and industry standards. They rely on ISO 27002 to ensure that controls such as encryption, access management, and transaction monitoring are effectively implemented to protect sensitive financial data.


Healthcare Providers

Hospitals and clinics use ISO 27001 to protect patient data and comply with privacy laws like the GDPR. ISO 27002 helps them implement controls to secure electronic health records (EHRs), ensure secure access to medical information, and protect data against cyber threats.


Certification under ISO 27001 and the Role of ISO 27002


Certification to ISO 27001 is a formal process that involves an independent audit by a certification body. The audit assesses whether the organisation's ISMS meets the requirements of ISO 27001. Successfully obtaining certification demonstrates that the organisation has implemented an effective ISMS and is committed to maintaining information security.


ISO 27002 plays a crucial role in this process, even though it is not a certifiable standard. It provides detailed guidance on implementing the controls assessed during the ISO 27001 certification audit. Essentially, ISO 27002 acts as a toolkit that organisations can use to ensure they meet the requirements of ISO 27001.


By following the guidelines in ISO 27002, organisations can ensure that their ISMS is not only compliant with ISO 27001 but also robust and capable of addressing the specific risks they face.


Key Differences


ISO 27001:2022 and ISO 27002:2022 are both essential for information security management, but they serve different functions and have distinct features. Understanding these key differences helps organisations effectively leverage both standards in their security strategies.


Specific Clauses in ISO 27001 and Corresponding Controls in ISO 27002


One of the most significant differences lies in how ISO 27001 and ISO 27002 are structured and applied. ISO 27001 is a requirements standard that sets out specific clauses that an organisation must follow to establish an effective Information Security Management System (ISMS). These broad clauses focus on what must be achieved without prescribing how to achieve it.


For example:


  • Clause 6.1.2 of ISO 27001 requires organisations to define and apply an information security risk assessment process. However, it does not specify the exact controls to mitigate those risks.

  • Annex A of ISO 27001 provides a reference list of security controls without detailed implementation guidance.


ISO 27002 fills this gap by offering detailed guidance on implementing these controls. It expands on the controls listed in Annex A of ISO 27001, providing specific instructions, examples, and best practices.


For instance:


  • ISO 27002:2022 offers extensive guidelines on implementing access controls, including practical advice on managing user permissions, setting up authentication processes, and ensuring secure access to data.


Updates in the 2022 Versions


Both ISO 27001 and ISO 27002 were updated in 2022, reflecting changes in the information security landscape and the evolving nature of cyber threats.


  • ISO 27001:2022 saw updates that align it more closely with the harmonised structure of other ISO management standards, facilitating easier integration with other management systems. The 2022 update also includes changes in terminology and a more streamlined approach to risk management and control selection.


  • ISO 27002:2022 was significantly revised to include new controls that address emerging technologies and security concerns. The updated version introduces controls related to cloud security, mobile device management, and data masking. It also reorganises the controls into four main categories (organisational, people, physical, and technological), making it easier for organisations to navigate and implement them.


Flexibility and Adaptability of ISO 27002 Information Security Management Guidelines


ISO 27002 is inherently flexible, allowing organisations to tailor the recommended controls to fit their needs. This adaptability is one of its greatest strengths, enabling organisations to implement controls most relevant to their operational context and risk profile.


While ISO 27001 provides the structure and framework, ISO 27002 allows organisations to decide how best to protect their information assets. For example, a small business might prioritise different controls than a large multinational corporation, but both can rely on ISO 27002 to guide their decision-making process.


Additionally, ISO 27002 does not impose a one-size-fits-all approach. Organisations are encouraged to assess their own risks and apply the most appropriate controls for their specific situation. This flexibility ensures that the ISMS remains practical and effective, regardless of the organisation's size, industry, or geographical location.


ISO 27001 and 27002 Compared Conclusion


This article has compared ISO 27001 and ISO 27002. While ISO 27001 establishes the framework and requirements for an Information Security Management System (ISMS), ISO 27002 provides the detailed guidance necessary to implement the controls that secure an organisation's data.



The key to successfully using these standards lies in understanding their complementary nature. ISO 27001 focuses on what an organisation needs to do to manage information security risks. In contrast, ISO 27002 focuses on how to implement the specific controls needed to mitigate those risks. Together, they offer a comprehensive approach to information security, ensuring that organisations meet the necessary requirements and apply best practices tailored to their specific environments.


The 2022 updates to both standards reflect the evolving landscape of cybersecurity, addressing new challenges such as cloud security, mobile device management, and integrating these standards with other management systems. These updates make the standards more relevant and easier to integrate into the broader management frameworks of organisations.


For organisations looking to enhance their information security posture, implementing ISO 27001 with the support of ISO 27002 is a strategic move. Not only does it help in achieving certification and meeting regulatory requirements, but it also provides a robust defence against the ever-increasing threats in the digital world.


Recommendations


  • For organisations seeking certification: Begin with ISO 27001 to establish your ISMS and use ISO 27002 as a reference to select and implement appropriate controls.

  • For organisations looking to improve existing practices: Use ISO 27002 to review and enhance your current controls, ensuring they meet the latest best practices.

  • For small businesses: Tailor the guidance in ISO 27002 to fit your specific needs, focusing on the most critical controls for your organisation's size and risk profile.


By understanding and effectively applying these two standards, organisations can build a resilient information security framework that protects their data and supports their overall business objectives.




About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.