Skip to content
Search our site  
    Frequently Asked Questions

    ISO 27001 vs. ISO 27002: Understanding the difference

    What is ISO/IEC 27001?

    ISO 27001 is the international standard focused on information security. ISO/IEC 27001 is a recognized international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), developed to help organizations of any size or industry protect their information systematically and cost-effectively through the adoption of an Information Security Management System. The standard specifies the requirements for implementing and maintaining an effective ISMS to safeguard against information security risks. Organizations that achieve ISO/IEC 27001 certification strengthen their ability to protect themselves against cyberattacks and prevent unwanted access to sensitive and confidential information.

    What is ISO 27002?

    ISO 27002 is a supplementary standard focusing on information security controls that organizations might choose to implement. Listed in Annex A of ISO 27001, these controls are what you’ll see information security experts refer to when discussing information security controls. However, whereas Annex A outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control. The standard explains how each control works, its objective, and how you can implement it.

    What is the difference between ISO 27001 and ISO 27002?

    ISO 27001 is the standard for international information security management, and ISO 27002 is a supporting standard that guides how the information security controls can be implemented. Note it is only possible to certify to ISO standards that end in a “1”.

    How does ISO 27001 work?

    The main job of ISO 27001 is to protect a company’s confidentiality, integrity, and information. By performing a risk assessment, you can determine what needs to happen to prevent such problems (i.e., risk mitigation or risk treatment). Therefore, the central philosophy of ISO 27001 is managing risks, finding out where the risks are, and then treating them through the implementation of security controls (or safeguards).

    Why is ISO 27001 important?

    The standard provides companies with the necessary information for protecting their most valuable information. Companies can also get certified against ISO 27001. Individuals can get ISO 27001-certified by attending a course, passing the exam, and proving their skills. ISO 27001 is easily recognized worldwide, increasing business opportunities for organizations and professionals.

    When should you use each standard?

    ISO 27001 and ISO 27002 have different goals. If you’re starting with the standard or planning your ISMS implementation framework, then ISO 27001 is ideal. You should then refer to ISO 27002 once you’ve identified the controls you’ll be implementing to learn more about how each one works.

    What is an ISMS?

    Information Security Management System (ISMS) is a set of rules a company needs to establish:

    • Identify stakeholders and the expectations they hold the company to regarding information security.
    • Identify which risks exist.
    • Define controls to meet the expectations and handle risks.
    • Set clear objectives on what needs to be done with information security.
    • Implement all the controls and other risk treatment methods.
    • Continuously measure the implemented controls and make sure they perform as expected.
    • Make continuous improvements to make the whole ISMS work better.
      This can be written down in the form of policies, procedures, and other documents or in the form of established processes and technologies that are not documented.
    Why do we need ISMS?

    There are four essential business benefits a company can achieve with the implementation of this standard:
    • Comply with legal requirements – there are many laws, regulations, and contractual requirements related to information security. The good news is that most can be resolved by implementing ISO 27001.
    • Achieve competitive advantage – if your company gets certified, you may have an advantage over your competitors in the eyes of those customers who are sensitive about keeping their information safe.
    • Lower costs – the central philosophy of ISO 27001 is to prevent security incidents. Every incident, whether large or small, costs money. By preventing them, your company will save money.
    • Better organization – Fast-growing companies don’t have the time to stop and define their processes and procedures; therefore, the employees often do not know what needs to be done, when, and by whom. Implementing ISO 27001 helps resolve such situations by encouraging companies to write down their main processes.
    What are the benefits of ISO/IEC 27001 certification?

    Organizations that certify their ISMS to the requirements of ISO/IEC 27001 gain several significant benefits, including regulatory compliance, Systematic approach, Reduced risk, Reduced costs, and Market advantage.

    How do you implement ISO 27001 controls?

    Technical controls - Primarily implemented in information systems, using software, hardware, and firmware components.
    Organizational controls - Implemented by defining rules to be followed by users, equipment, software, and systems.
    Legal controls - Implemented by ensuring that rules follow and enforce the laws, regulations, contracts, and other similar legal instruments the organization must comply with.
    Physical controls - Implemented by using equipment or devices that interact physically with people and objects.
    Human resource controls - Implemented by providing people with knowledge, education, skills, or experience to enable them to perform their activities securely.

    Is ISO 27001 mandatory?

    In most countries, the implementation of ISO 27001 is not mandatory, but some countries have published regulations that require some industries to implement ISO 27001. To determine whether ISO 27001 is mandatory for your company, you should look for expert legal advice in your country of operation.

    Is ISO 27001 a legal requirement?

    Public and private organizations can define compliance with ISO 27001 as a legal requirement in their contracts and service agreements. Countries can determine laws or regulations of ISO 27001 as a legal requirement to be fulfilled by the organizations operating in their territory.

    How will the new ISO 27002:2022 affect ISO 27001?

    The changes to the control set published in ISO 27002:2022 will be reflected in Annex A of ISO 27001:2022. Organizations implementing ISO 27001 or managing an existing ISMS must reflect the changes to the control set in their management framework. You won’t need to make changes immediately, as there will be a transition period.

    When should organizations transition to the new control set?

    As of now only, ISO 27002:2022 has been published, with ISO 27001:2022 expected later this year. Once the new standard is published, we anticipate a transition period of around 2-years to allow changes to be implemented. It is also likely that certification bodies will need some time to interpret and adopt the new standard and the changes to its control set.