ISO 27001 versus ISO 27002

ISO 27001 is the international standard that gives you the framework for an information security management system (ISMS). You can become ISO 27001 certified, but there is no certification for ISO 27002. However, you cannot consider the two standards in isolation.


What is ISO 27001?

ISO 27001 is a set of guidelines that relate to the security of your organisation’s information. It sets out the requirements for implementing an ISMS so that all your organisation’s information is protected from prying eyes and cyber security incidents. It contains the information you need to implement an ISMS as part of your business. For ISO 27001 certification, you must:

  • Have an ISMS project team to initiate the project.
  • Complete a gap analysis of your organisation’s information security.
  • Define the scope of your ISMS.
  • Complete a risk assessment.
  • Develop information security policies.
  • Choose and apply security controls throughout the organisation.
  • Develop risk documentation.
  • Hold training to raise information security awareness among your staff.
  • Assess, review, and conduct an internal audit to ensure the controls are effective.
  • Complete an audit for certification.


What is ISO 27002?

ISO 27002 is an additional standard that contains more information about information security controls. Where Annex A of ISO 27001 gives only a brief description of each control, ISO 27002 goes into greater depth for each one. It explains how each control works, what its objective is and how to implement it.


Three main differences between ISO 27001 and ISO 27002

There are three main differences between the two ISO standards. These are:

  • Certification. You can become certified for ISO 27001 because it is a framework for compliance. It is not possible to become certified for ISO 27002 because it focuses on only one element of an ISMS.
  • Level of detail. ISO 27001 contains only an outline of each element needed to implement an ISMS, whereas ISO 27002 details the security controls in depth. Other standards within the ISO 27000 family provide detail for the other elements of ISO 27001. For example, ISO 27003 provides guidelines for implementation and ISO 27004 covers monitoring, measurement, analysis and evaluation of the ISMS. If all this information were in ISO 27001, the standard would be too long and difficult to work with.
  • Relevance. Not every information security control is relevant to every organisation. The key to implementing an ISMS is to select the controls that your risk assessment shows you actually need; ISO 27002 then explains how to implement each of those.


How to begin protecting your information

When you start planning your ISMS, begin with ISO 27001. Once you have identified the information security controls you need, refer to ISO 27002 for more insight into how to implement each one.

The whole ISO 27000 family works together: ISO 27001 sets up the framework, and the other standards provide the detail for each element of the ISMS.


If information security is a priority for your organisation, contact us for more information about ISO 27001 certification. We can show you how to protect your information, earn consumer trust and grow your business so it reaches its full potential.
