ISO 27001 vs. ISO 27002: What’s the Difference?


If your company is dipping its toes into information security for the first time, you’ve almost certainly come across the ISO 27001 standard. And right alongside it, you’ve probably bumped into another standard with a suspiciously similar name: ISO 27002. Are they the same thing? Does one replace the other? Do you need to implement both?

The confusion makes sense. Both belong to the same ISO/IEC 27000 family, they share the same broad goal—protecting an organization’s information—and their controls even use the same numbering. But they aren’t equivalent or interchangeable, and each plays a distinct role within an Information Security Management System (ISMS).

In this article, we’ll walk through what each one is, how they differ, and how they fit together, so you know exactly what role each standard plays in your compliance strategy.

What is ISO 27001?

ISO 27001 (officially ISO/IEC 27001) is the international standard that sets the requirements for building, maintaining, and improving an Information Security Management System (ISMS). Its first version dates back to 2005, and the latest update landed in October 2022. It’s the most widely recognized reference in the field, with a presence in more than 150 countries.

What really sets it apart from the other standards in the family is that it’s certifiable. Any organization, regardless of size or industry, can go through an external audit performed by an accredited body and earn an official certificate with international validity. That certificate is good for three years, with annual surveillance audits along the way.

The standard is split into two parts. On one side are the mandatory clauses (4 through 10), which define how to build and run the ISMS. On the other is Annex A, which lists 93 security controls grouped into four categories. You don’t have to apply all of these controls—each organization documents which ones apply and which don’t in its Statement of Applicability (SoA).

It’s also the usual jumping-off point for tackling other frameworks like SOC 2, HIPAA, or state privacy laws such as the CCPA, since it shares a good chunk of the same risk management and security principles.

ISO 27001 key takeaways

  • It’s the international standard for Information Security Management Systems (ISMS).
  • A standard you can certify against through an accredited body, valid for three years with annual surveillance audits.
  • It follows a common high-level structure (HLS), making it compatible with other ISO standards like 9001 and 14001.
  • It includes 93 controls in Annex A, organized into four categories (organizational, people, physical, and technological).
  • It defines the management requirements—in other words, what the organization needs to do to keep its ISMS running.
  • It works as a common starting point for meeting frameworks like SOC 2 and HIPAA.

What is ISO 27002?

ISO 27002 (officially ISO/IEC 27002) is the best-practices guide that spells out how to implement the security controls referenced in Annex A of ISO 27001. Its latest version, published in February 2022, completely reorganized the catalog, going from the previous 114 controls down to today’s 93, spread across four categories.

Unlike 27001, it isn’t a certifiable standard. It doesn’t set auditable requirements and can’t serve as the basis for an official certificate. Its role is complementary: it’s a technical reference document that gives organizations a detailed description of each control, with guidance on its purpose, design, and implementation.

If ISO 27001 tells you which controls your organization should consider, ISO 27002 explains how to put them into practice. A control that 27001 sums up in a single sentence gets a full page in 27002, complete with examples, recommendations, and usage considerations. It’s the go-to resource for any security lead who’s rolling out or revisiting an ISMS.

ISO 27002 key takeaways

  • It’s a best-practices guide, not a certifiable standard.
  • Its latest version is from 2022, with 93 controls organized into four categories.
  • It fleshes out the controls referenced in Annex A of ISO 27001.
  • It provides practical guidance on the purpose and implementation of each control.
  • It’s applicable to any organization, whatever its size or industry.
  • It serves as a common technical reference for auditors and security leads.

ISO 27001 vs. ISO 27002: the differences

Even though the two standards were updated around the same time and share the same control structure, the differences between them are significant. One sets the requirements for the management system, and the other provides the technical guide for applying those requirements. Here are the main differences between the two:

| Criteria | ISO 27001 | ISO 27002 |
|---|---|---|
| Type of standard | Requirements standard (ISMS) | Best-practices guide |
| Certifiable | Yes, through an accredited body | No |
| Current version | ISO/IEC 27001:2022 | ISO/IEC 27002:2022 |
| Focus | What to do to build an ISMS | How to implement the controls |
| Structure | Clauses 4–10 + Annex A | 93 controls developed in detail |
| Level of detail per control | About a sentence | A full page |
| Required documentation | Yes (SoA, policy, risk assessment) | No documentation required |
| Audit | Yes, the basis for certification | Technical reference for the auditor |
| Applicability | Any organization | Any organization |
| Role within the ISMS | Defines the management framework | Supports implementing the framework |

When should you use ISO 27001 vs. ISO 27002?

The question is a little misleading, because in practice you almost never pick one and toss out the other. The two standards work in tandem: ISO 27001 defines the ISMS framework, and ISO 27002 explains how to apply each of its controls.

You can see this right down to the details. Control A.5.15 in ISO 27001 shows up in Annex A simply as “Access control.” ISO 27002 devotes several pages to that same control—what it’s for, how to define access rules, which best practices to follow, and how to review it. One says the control needs to exist; the other explains how to build it. The 2022 update reinforced this relationship even further, since both standards aligned their structure and now share the same control numbering.

That said, there are scenarios where it makes sense to lean on one standard more than the other.

If your goal is to get certified for a client, an RFP, or a regulator, ISO 27001 is your only valid option. 27002 doesn’t allow for official certification and is used purely as a supporting technical reference. The same goes if you’re prepping for SOC 2 or a similar framework, since those lean heavily on the ISMS structure that 27001 defines.

If what you need is to document internal controls without going through an external audit, or you’re training technical teams and putting together reference material, ISO 27002 tends to be more useful. Its level of detail per control is a better fit than the more abstract language of 27001.

And if you work as a consultant or auditor, the natural move is to keep both on hand. 27001 tells you what to assess; 27002 guides you on how each control should actually be implemented in practice.

How does Factorial IT help with ISO 27001 and ISO 27002?

From a single platform, Factorial IT covers several of the Annex A controls in ISO 27001 that ISO 27002 develops in detail—mainly the ones tied to identities, devices, SaaS access, antivirus, and employees. The evidence any auditor asks for on these controls is generated automatically through day-to-day operations, so there’s nothing to scramble to rebuild the night before the audit. Here are the six areas the platform covers.

  • IT asset inventory: an automatic catalog of the company’s devices, software, and access, always up to date and exportable for audits.
  • Access management: centralized management of access to SaaS tools, with permissions automatically granted and revoked based on the employee’s role.
  • Device security: encryption, passwords, and lock screens applied automatically on every machine. Compatible with Mac, iOS, Windows, and Linux.
  • Secure offboarding: when a departure is logged in HR, all of the employee’s access is shut down with no manual work and no leftover accounts.
  • Malware protection: advanced antivirus deployed on every device, with detection for malware, ransomware, and zero-day threats.
  • Audit evidence: compliance logs and reports generated automatically, ready to export and hand to your auditor at any time.