Skip to main content

    We value your privacy

    We use cookies to enhance your browsing experience, analyze site traffic, and personalize content. By clicking "Accept All", you consent to our use of cookies. Read our Cookie Policy to learn more.

    Skip to main content
    Compliance Comparison

    ISO 27001 VS ISO 27002

    ISO 27001 is the certifiable standard that specifies requirements for an Information Security Management System (ISMS), while ISO 27002 is a supporting guidance document that provides detailed implementation guidance for the controls listed in ISO 27001 Annex A. You certify against 27001; you reference 27002 for how to implement controls.

    Quick Verdict

    You need **ISO 27001** if you want certification - it's the only certifiable standard. Use **ISO 27002** as your implementation guide when building controls. Most organizations purchase both: 27001 for the requirements and 27002 for detailed "how-to" guidance on each control.

    At A Glance

    FeatureISO 27001ISO 27002
    PurposeRequirements specification (ISMS)Implementation guidance (controls)
    CertificationYes - certifiable standardNo - guidance document only
    Structure (2022)10 clauses + Annex A (93 controls)93 controls across 4 themes
    Content Focus"What" - requirements to meet"How" - implementation details
    Typical UseAudit scope and certificationReference during implementation
    Page Count~30 pages~150+ pages

    About ISO 27001

    The international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). This is the certifiable standard.

    Pros

    • Certifiable by accredited bodies
    • Globally recognized credential
    • Provides structured ISMS framework
    • Satisfies customer security requirements

    Cons

    • Requires formal certification audit
    • Ongoing surveillance audits (annual)
    • 3-year recertification cycle
    • Higher implementation effort

    About ISO 27002

    A guidance document that provides detailed best practice recommendations for implementing the security controls referenced in ISO 27001 Annex A. Updated in 2022 with 93 controls across 4 themes.

    Pros

    • Detailed implementation guidance
    • Best practices and examples
    • Updated 2022 version with modern controls
    • Useful standalone reference

    Cons

    • Not certifiable (guidance only)
    • Must be purchased separately
    • Can be overwhelming (93 controls)
    • Requires 27001 context for certification

    Frequently Asked Questions

    Do I need to buy both standards?

    For certification, you only need ISO 27001. However, ISO 27002 provides valuable implementation guidance. Most organizations benefit from both. They must be purchased separately from ISO.

    What changed in ISO 27002:2022?

    The 2022 update reorganized controls from 14 domains to 4 themes (Organizational, People, Physical, Technological), reduced controls from 114 to 93 (through consolidation), and added 11 new controls for cloud, threat intelligence, and ICT readiness.

    Can I be certified to ISO 27002?

    No, ISO 27002 is a guidance document, not a requirements standard. You can only certify against ISO 27001. However, your ISO 27001 certification demonstrates you've implemented the Annex A controls that 27002 provides guidance for.

    How do ISO 27001 and 27002 work together?

    ISO 27001 Annex A lists 93 controls you may need to implement. ISO 27002 provides detailed guidance, examples, and best practices for implementing each of those 93 controls. Think of 27001 as the "what" and 27002 as the "how."

    Still Not Sure Which to Choose?

    Our experts can help you evaluate your specific business needs and customer requirements to pick the right path.

    Talk to an ExpertCalculate Costs