ISO 27001 vs ISO 27002: Key differences explained

Introduction

If you’re exploring information security standards, you’ve almost certainly come across both ISO 27001 and ISO 27002 — and you’d be forgiven for wondering what sets them apart. They’re closely related, frequently mentioned together, and both sit within the wider ISO 27000 family of Standards. But they serve very different purposes.

In short: ISO/IEC 27001:2022 is the certifiable Standard: the framework your organisation implements, maintains, and gets audited against. ISO/IEC 27002:2022 is the guidance companion: a detailed reference for how to implement the security controls your risk assessment identifies. One gives you the structure; the other helps you fill it.

For UK businesses, understanding both matters. Whether you’re navigating GDPR obligations, protecting customer data, or strengthening your position when tendering for public sector contracts, getting your information security management right is increasingly non-negotiable. Both Standards were updated in 2022, bringing meaningful changes that affect how organisations plan and implement their security programmes.


ISO 27001 vs ISO 27002 Standards at a glance

  • ISO 27001: Certifiable ISMS requirements (ISO/IEC 27001:2022)
  • ISO 27002: Guidelines for 93 security controls (ISO/IEC 27002:2022)
  • Key difference: ISO 27001 defines the overall system; ISO 27002 guides control implementation
  • UK focus: Supports GDPR Article 32 compliance; aligns with NIS Regulations
  • Certification: Only ISO 27001 is certifiable — ISO 27002 is not
  • Best practice: Use both together for an effective and auditable ISMS

What is ISO 27001?

ISO 27001 is the internationally recognised Standard for Information Security Management Systems (ISMS). It sets out the requirements your organisation must meet to establish, implement, maintain, and continually improve a systematic approach to managing information security risk.

The Standard is built around Clauses 4 to 10, which cover everything from understanding your organisation and its context, to leadership commitment, risk assessment and treatment, and performance evaluation. Annex A provides a reference set of security controls that must be considered during your risk assessment process.

Crucially, ISO 27001 is the Standard organisations certify against. A successful third-party audit by an accredited certification body results in an ISO 27001 certificate — formal, independent evidence that your information security management meets internationally recognised requirements.

For UK organisations, this carries real weight. Key benefits include:

  • Demonstrating compliance with UK GDPR and the Data Protection Act 2018, specifically the requirement under Article 32 to implement appropriate technical and organisational security measures
  • Strengthening your position when tendering for public sector and NHS contracts, where information security assurance is increasingly expected
  • Meeting supply chain security requirements from enterprise clients and regulated sector buyers
  • Providing a structured framework to identify, assess, and treat information security risks before they become costly incidents
  • Supporting alignment with the NIS regulations for operators of essential services and relevant digital service providers

What is ISO 27002?

ISO 27002 is the implementation guidance Standard for information security controls. It doesn’t define an ISMS or set certifiable requirements; instead, it provides detailed advice on how to implement the controls referenced in Annex A of ISO 27001.

The 2022 update restructured and streamlined the controls significantly. The previous version contained 114 controls across 14 domains. The current ISO/IEC 27002:2022 contains 93 controls, organised into four cleaner categories:

  • Organisational controls (37 controls) — governance, policies, roles, and supplier relationships
  • People controls (8 controls) — awareness, training, responsibilities, and conduct
  • Physical controls (14 controls) — physical security, clear desk, secure disposal
  • Technological controls (34 controls) — access management, encryption, logging, endpoint security

Each control in ISO 27002 is accompanied by context on its purpose, implementation guidance, and other supporting information. It also introduces attribute tagging (a new feature in the 2022 version) which lets organisations map controls against frameworks like NIST, Cyber Essentials, or NIS2, making cross-framework compliance considerably more manageable.

For UK SMEs facing increasing threats such as ransomware attacks, phishing, and data breaches that feature consistently in NCSC annual threat reports, ISO 27002 offers practical, actionable guidance to build controls that actually work, not just ones that look good on paper.

Key differences between ISO 27001 and ISO 27002

The simplest way to understand the relationship: ISO 27001 tells you what you need to do, and ISO 27002 helps you work out how to do it. Here’s how they compare:

  • Purpose: ISO 27001 defines requirements for an ISMS; ISO 27002 provides guidance on implementing security controls
  • Certifiable? ISO 27001: yes, organisations can achieve certification; ISO 27002: no, guidance only, not certifiable
  • Starting point: ISO 27001: risk assessment drives control selection; ISO 27002: assumes controls have already been selected
  • Structure: ISO 27001: Clauses 4–10 plus Annex A control reference; ISO 27002: 93 controls across 4 domains with implementation advice
  • Audience: ISO 27001: organisations building or certifying an ISMS; ISO 27002: security teams implementing specific controls
  • Relationship to risk: ISO 27001 requires documented risk assessment and treatment; ISO 27002 supports risk treatment by explaining controls in depth
  • Mandatory use? ISO 27001: required for ISO 27001 certification; ISO 27002: not mandatory, but strongly recommended as companion guidance
  • 2022 updates: ISO 27001: Annex A aligned to ISO 27002:2022, minor clause updates; ISO 27002: reduced from 114 to 93 controls, new domain structure and attribute tagging

How ISO 27001 and ISO 27002 work together

These two Standards are designed to be used in tandem. Think of ISO 27001 as the blueprint and ISO 27002 as the builder’s manual.

Here’s how a typical implementation flows:

Step 1: Build your information security management system framework (ISO 27001)

You start with ISO 27001. This means defining the scope of your information security management system, understanding your organisation’s context, identifying interested parties (clients, regulators, employees), and committing to the process at leadership level.

Step 2: Conduct your risk assessment (ISO 27001)

ISO 27001 requires a systematic risk assessment — identifying information assets, the threats and vulnerabilities they face, and the potential impact of a security incident. Your risk treatment plan then determines which controls you need.

Step 3: Select your controls (ISO 27001 Annex A)

Annex A of ISO 27001 lists the 93 controls from ISO 27002. Based on your risk assessment, you select the controls applicable to your organisation. You document this in a Statement of Applicability (SoA), noting which controls you’ve included or excluded and why.

Step 4: Implement with ISO 27002 guidance

This is where ISO 27002 becomes essential. For each control you’ve selected, ISO 27002 provides detailed implementation guidance. For example:

  • Your risk assessment identifies a need for access control management. ISO 27002 Control 5.15 explains how to implement identity and access management effectively.
  • A risk around cloud-hosted data leads you to select cloud security controls. ISO 27002 includes dedicated guidance for cloud service use (Control 5.23) — a new addition in the 2022 version.
  • Supplier risks feature in your assessment. ISO 27002 provides controls for supplier relationships, due diligence, and exit management.

UK tip

Integrating your ISO 27001 risk assessment with GDPR Data Protection Impact Assessments (DPIAs) creates a more efficient compliance process. Many of the information security risks relevant to ISO 27001 overlap directly with the risks you’re required to assess under UK GDPR — so joining them up saves time and strengthens both programmes.

2022 updates to ISO 27001 and ISO 27002

Both Standards were updated in 2022, and the changes are significant enough to affect how organisations plan their ISMS — especially those still working from the 2013 versions.

ISO 27002:2022 — What changed

  • Controls reduced from 114 to 93, through consolidation and rationalisation
  • 11 new controls added, including threat intelligence (5.7), cloud service information security (5.23), data masking (8.11), and web filtering (8.23)
  • Domain structure changed from 14 categories to 4: Organisational, People, Physical, and Technological
  • Attribute tagging introduced — each control is tagged across five dimensions: control type, security properties, cybersecurity concepts, operational capabilities, and security domains. This makes cross-mapping to other frameworks considerably easier.
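The Statement of Applicability from Step 3 and the attribute tagging described above are both, in practice, a filtering problem over a control catalogue. The following Python script is an added example, not code from the original article or from ISO: it derives an SoA from a constructed risk register, refuses to leave any control silently unselected (an exclusion without a justification is an audit finding), and then uses the five attribute dimensions to answer cross-framework questions such as "which selected controls are Detective?" and "which cybersecurity concept has no control behind it?". The five-control catalogue and the risk register are constructed for illustration, and the per-control attribute tags are placeholders in the standard's five dimensions; check each against the text of ISO/IEC 27002:2022 before relying on them.

```python
"""Added example: toy Statement of Applicability (SoA) builder using
ISO 27002:2022-style attribute tags. Catalogue, tags and risks are constructed."""
from dataclasses import dataclass

# Vocabulary for one dimension, used to spot gaps in the selected control set.
CONCEPTS = frozenset({"Identify", "Protect", "Detect", "Respond", "Recover"})
CIA = frozenset({"Confidentiality", "Integrity", "Availability"})


@dataclass
class Control:
    ref: str          # Annex A / ISO 27002 control number
    name: str
    category: str     # Organisational, People, Physical, Technological
    attributes: dict  # dimension -> frozenset of tag values


def _ctl(ref, name, category, ctype, props, concepts, capability, domains):
    return Control(ref, name, category, {
        "control_type": frozenset(ctype),
        "security_property": frozenset(props),
        "cybersecurity_concept": frozenset(concepts),
        "operational_capability": frozenset(capability),
        "security_domain": frozenset(domains),
    })


# Constructed catalogue: the five controls the article names. Tags are
# illustrative placeholders; verify against the standard before use.
CATALOGUE = [
    _ctl("5.7", "Threat intelligence", "Organisational",
         {"Preventive", "Detective", "Corrective"}, CIA,
         {"Identify", "Detect", "Respond"},
         {"Threat_and_vulnerability_management"}, {"Defence", "Resilience"}),
    _ctl("5.15", "Access control", "Organisational",
         {"Preventive"}, CIA, {"Protect"},
         {"Identity_and_access_management"}, {"Protection"}),
    _ctl("5.23", "Information security for use of cloud services", "Organisational",
         {"Preventive"}, CIA, {"Protect"},
         {"Supplier_relationships_security"}, {"Governance_and_Ecosystem", "Protection"}),
    _ctl("8.11", "Data masking", "Technological",
         {"Preventive"}, {"Confidentiality"}, {"Protect"},
         {"Information_protection"}, {"Protection"}),
    _ctl("8.23", "Web filtering", "Technological",
         {"Preventive"}, CIA, {"Protect"},
         {"System_and_network_security"}, {"Protection"}),
]

# Constructed risk register: each risk names the controls in its treatment plan.
RISKS = [
    {"id": "R-01", "description": "Leavers retain access to the CRM", "treated_by": ["5.15"]},
    {"id": "R-02", "description": "Customer records held with a SaaS provider", "treated_by": ["5.23"]},
    {"id": "R-03", "description": "Phishing and ransomware campaigns against staff", "treated_by": ["5.7", "8.23"]},
]
# Every control not selected needs a documented justification for exclusion.
EXCLUSIONS = {"8.11": "No production data is copied into test or analytics environments"}


@dataclass
class SoAEntry:
    control: Control
    applicable: bool
    justification: str
    risk_ids: tuple


def build_soa(catalogue, risks, exclusions):
    """Derive the SoA from the risk treatment plan; refuse silent exclusions."""
    known = {c.ref for c in catalogue}
    treated = {}
    for risk in risks:
        for ref in risk["treated_by"]:
            if ref not in known:
                raise ValueError(f"{risk['id']} references unknown control {ref}")
            treated.setdefault(ref, []).append(risk["id"])
    entries = []
    for c in catalogue:
        if c.ref in treated:
            ids = tuple(treated[c.ref])
            entries.append(SoAEntry(c, True, "Treats " + ", ".join(ids), ids))
        elif c.ref in exclusions:
            entries.append(SoAEntry(c, False, exclusions[c.ref], ()))
        else:
            raise ValueError(f"control {c.ref} neither selected nor justified as excluded")
    return entries


def controls_matching(catalogue, dimension, tag):
    """Cross-framework view: every control carrying a given attribute tag."""
    return [c.ref for c in catalogue if tag in c.attributes[dimension]]


def coverage(soa, dimension):
    """Count applicable controls per tag value in one dimension."""
    counts = {}
    for e in soa:
        if e.applicable:
            for tag in e.control.attributes[dimension]:
                counts[tag] = counts.get(tag, 0) + 1
    return counts


def uncovered(soa, dimension, vocabulary):
    """Tag values in the dimension's vocabulary that no applicable control carries."""
    return set(vocabulary) - set(coverage(soa, dimension))


if __name__ == "__main__":
    soa = build_soa(CATALOGUE, RISKS, EXCLUSIONS)
    for e in soa:
        print(f"{e.control.ref:<5} {'Yes' if e.applicable else 'No':<4} {e.justification}")
    print("Detective controls:", controls_matching(CATALOGUE, "control_type", "Detective"))
    print("Concept gaps:", uncovered(soa, "cybersecurity_concept", CONCEPTS))
```

Run as a script it prints the SoA rows and reports that, for this register, no selected control carries the Recover concept, which is the kind of gap attribute tagging is meant to surface early rather than at the audit. In a real programme the catalogue would hold all 93 controls and the register would come from your risk assessment tooling; the shape of the check stays the same.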

ISO 27001:2022 — What changed

  • Annex A updated to reflect the new 93-control structure from ISO 27002:2022
  • Minor updates to clauses 4, 6, 8, and 9 to improve clarity
  • New requirement to consider ‘changes in needs and expectations of interested parties’ in management review

2013 vs 2022: Key differences at a glance

  • Number of controls: 2013 version: 114; 2022 version: 93
  • Control domains / categories: 2013 version: 14 domains; 2022 version: 4 domains (Org, People, Physical, Tech)
  • New controls: 2022 version: 11 new controls, including cloud and threat intelligence
  • Attribute tagging: 2013 version: not present; 2022 version: introduced for cross-framework mapping
  • Alignment: 2013 version: minor structural differences between Annex A and ISO 27002; 2022 version: Annex A and ISO 27002 fully aligned

Transition timeline: Organisations certified to ISO 27001:2013 were given a transition period. If you’re still operating under the 2013 version, speak to your certification body about your transition plan; it’s worth addressing this sooner rather than later to avoid long gaps in your certification continuity. The Citation ISO Certification team can help you plan and manage your upgrade. Get in touch and we’ll talk you through exactly what needs updating and how to get there.

When to use each Standard

The right approach depends on where you are in your information security journey.

Use ISO 27001 when you need to:

  • Build a formal information security management system from the ground up
  • Achieve ISO 27001 certification — for tenders, client assurance, or regulatory compliance
  • Demonstrate to regulators, auditors, or clients that your information security is managed systematically
  • Meet regulatory requirements
  • Align your organisation’s security governance with a recognised international framework

Use ISO 27002 when you need to:

  • Implement specific security controls and want detailed guidance on best practice
  • Understand the purpose and application of controls listed in Annex A
  • Map your existing controls against a recognised reference framework
  • Align your security controls to other frameworks like NIST CSF, Cyber Essentials, or NIS2
  • Support your security team with in-depth technical and operational guidance

For most UK SMEs, the practical advice is straightforward: start with ISO 27001 to build your framework and pursue certification, and use ISO 27002 as your constant reference throughout implementation. They work best together.

Benefits of implementing ISO 27001 with ISO 27002 guidance

Used together, these Standards give your organisation a robust, internationally recognised approach to information security. For UK businesses, the practical benefits include:

Reduced risk of data breaches — a structured information security management system helps you identify and close security gaps before they become incidents. The ICO reported thousands of personal data breach notifications in 2023/24 alone, many from organisations without formal security management in place.

GDPR and UK data protection compliance — ISO 27001 directly supports the 'appropriate technical and organisational measures' requirement under UK GDPR Article 32, reducing exposure to ICO enforcement action and fines.

Competitive advantage in tendering — ISO 27001 certification is increasingly requested in tenders and supply chains. It demonstrates security maturity that gives you an edge over uncertified competitors.

Cyber Essentials alignment — ISO 27002's attribute tagging makes it straightforward to map your ISMS controls against Cyber Essentials and Cyber Essentials Plus requirements, supporting a layered cyber security posture.

Supply chain confidence — enterprise clients and regulated sector buyers increasingly conduct supplier due diligence. ISO 27001 certification provides independent assurance without lengthy questionnaires.

Continual improvement — ISO 27001's Plan Do Check Act (PDCA) cycle builds ongoing review into your security programme, ensuring your controls evolve as threats change.


Common Questions

About ISO 27001

ISO 27001 is the certifiable Standard — it defines the requirements for an information security management system (ISMS) and is what organisations achieve certification against. ISO 27002 is guidance-only — it provides detailed implementation advice for the security controls that ISO 27001 requires you to consider. You certify to ISO 27001; you use ISO 27002 to implement it effectively.

No. ISO 27002 is a guidance document, not a requirements Standard. There is no certification process for ISO 27002, and no certification body issues certificates against it. If you want formal, auditable certification, ISO 27001 is the Standard to pursue.

The 2022 updates streamlined the control set from 114 to 93 and introduced 11 new controls covering areas like cloud security, threat intelligence, and data masking. If you’re implementing ISO 27001 for the first time, you’ll work with the 2022 versions from the outset. If you’re transitioning from ISO 27001:2013, you’ll need to review your Statement of Applicability against the new control structure and update your ISMS documentation accordingly. The structural changes are significant, but the transition is manageable with a clear plan.

ISO 27002 is not a mandatory requirement for ISO 27001 certification — auditors assess your ISMS against ISO 27001, not ISO 27002. However, ISO 27002 is the de facto reference for implementing the controls in Annex A, and most experienced ISO 27001 practitioners use it throughout implementation. Ignoring it makes implementation harder and increases the risk of implementing controls that don’t fully address the underlying security objective. Treat it as essential guidance even though it isn’t technically mandatory.