What is the difference between ISO 27001 and ISO 27002?

The main difference between ISO 27001 and ISO 27002 is that ISO 27001 provides the framework for an information security management system (ISMS) for an organization, and ISO 27002 is a supporting guide for ISO 27001, offering in-depth, detailed explanations of information security controls outlined in ISO 27001. The two 27000 series standards should be used together. In addition, you can only get certified for ISO 27001.

ISO 27001

ISO 27001 (ISO/IEC 27001:2013) is an internationally recognized standard that helps organizations manage information security. ISO 27001 provides a framework for organizations to follow in order to implement an information security management system (ISMS). This system is the basis for managing the security of all information assets within a company. ISO 27001 is the core framework for ISO 27000 series.
Read more about ISO 27001 here.

ISO 27002

ISO 27002 (ISO/IEC 27002:2022) is a supplementary standard that supports ISO 27001. ISO 27002 describes in-depth the information security controls which are outlined in ISO 27001. This includes 114 security controls that are divided into 14 control sets. ISO 27002 should be used together with ISO 27001, as it’s a supporting document offering detailed explanations of how each control works, its purpose, and how it can be implemented.

ISO 27002 is not a certifiable standard. Only ISO 27001 offers a certification.

Change your life and career - in just 9 hours!

Make brilliant decisions effortlessly.

Rely on a risk management framework that always works.

Online, self-paced, easy-to-understand ISO 31000 course with certification.