ISO 27001 v 27002: What’s the difference?


If you’ve heard about ISO 27001, then you’ve probably heard about ISO 27002 too. A common misconception is that both ISOs offer the same certification requirements, but in this blog, we’ll explain why that’s not the case…

ISO 27001 – a brief definition…

ISO 27001 is recognised as the international Standard for information security. The Standard sets out specific requirements that your ISMS must consider and meet in order to satisfy its criteria. If you can demonstrate this, your business will be better equipped to deal with the impact of any cyber attacks or unauthorised access to confidential data.

ISO 27002 – what purpose does it serve?

But where does ISO 27002 fit into the jigsaw puzzle? Firstly, we need to dispel the myth that ISO 27002 is a Standard you can certify to. It isn’t; instead, it acts as a guiding Standard that supports the implementation of the ISO 27001 controls.

A handy tip to note: ISOs that end with the number ‘1’ are the only Standards that you can achieve certification to. 

ISO 27002 gives your business the insight to develop security processes and procedures tailored to the requirements of your operations. Outlined in the ISO 27002 Standard are some helpful reference points that cover the following areas:

  • Information security
  • Physical security
  • Cyber security
  • Privacy protection controls

ISO 27002 principles

Not to be forgotten are the core principles of the ISO 27002 Standard, of which there are three.

  • Confidentiality – Drawing up confidentiality agreements tightens control over who is authorised to access your data.
  • Data integrity – Frequent data checks help to strengthen the accuracy of your data.
  • Availability – Restricting access to data is an effective way of safeguarding your business. Only allowing access by authorised personnel limits the risk of compromise.

Recently, the ISO 27002 Standard underwent a few minor tweaks, which we’ll look at in a little more detail in the next section.

What is the difference between ISO 27001 and ISO 27002?

Differentiating between both Standards can be tricky. There are lots of similarities, and the two complement each other, so we’ve laid out the basics below to make things a little clearer.

Level of detail

Think of ISO 27001 as the objectives you’re trying to achieve, whereas ISO 27002 is the guiding framework to help you achieve them. The controls within ISO 27002 provide the granular detail that helps satisfy the objectives set out in ISO 27001. Each objective has a control assigned that helps meet the criteria to reach the intended goal.
Your ISMS should address all aspects of compliance criteria, and that’s what certification to ISO 27001 does. ISO 27002 differs, as it only addresses a section of your ISMS.

How applicable is the ISMS to your business?

One major difference between ISO 27001 and ISO 27002 is how risk assessment is categorised. Again, the ISO 27001 Standard offers the wider scope, in the sense that it requires your risk assessment to be stringent. An ISMS that spreads itself too thin and tries to cover all bases isn’t the approach to take; focus on the specific information security measures that relate to your business. ISO 27002 doesn’t explicitly set this out, so it can be a little challenging to work out which controls are relevant to apply.

Why certify to ISO 27001

Digital threats constantly evolve, so staying ahead of the curve and putting safeguards in place is essential. We’ve highlighted some other key business benefits too!

  • Keep your business reputation intact – A business at risk isn’t one to be trusted. Use ISO 27001 to shape policy, implement the right technology and get your staff up to speed.
  • A structured approach to information security – It’s easy for people to lose sight of information security in the busyness of their day-to-day duties. Your ISMS is a great reference point that keeps tasks and duties aligned.
  • Stay compliant and avoid hefty fines – Non-compliance with GDPR could mean paying large regulatory fines. ISO 27001 covers many facets of GDPR, helping you to stay compliant and keep costs down. Discover more about ISO 27001 and GDPR in our blog.

Gain certification to ISO 27001 today!

Find out more about our ISO 27001 services and how we can help you to develop a complete ISMS for your business. Request a quote today, or why not arrange for an ISO 27001 audit and determine the best course of action for your business to achieve certification?

About the author

  • Name: Serena Cooper
  • Company: Citation ISO Certification
  • Bio: Serena has worked for Citation ISO Certification since 2022, writing creative and informative content on ISO certification and consultation to help businesses reach their potential.
