Understanding Compliance – ISO 27001 and ISO 27002

Although the ISO 27001 and ISO 27002 standards are closely related, they mean very different things for the IT industry and for compliance. Understanding these differences can save you thousands of dollars and hours of headache in your internal audit efforts as well as in your compliance reports. Here are the major differences between the ISO 27001 and ISO 27002 standards that you should know.

The Differences Between ISO 27001 and ISO 27002

Many people have asked why the two ISO standards have not been combined to form a single standard. After all, the detail that is in the ISO 27002 may actually bring some clarity and precision to the ISO 27001 management standard. However, the usability of each standard would actually fall if they were combined – the standard would be far too complex to use practically.

The standards in the ISO 27000 series were each created with a separate focus. For instance, the ISO 27001 standard was created specifically to help build an IT foundation for an organization. The detail in ISO 27002 makes it much more useful if you are looking to implement particular controls. Risk treatment is better served by other standards within the ISO 27001 line.

The ISO 27001 standard gives a company an actionable risk assessment for controls within a system. Using this standard, you can also determine the level to which the assessment should be applied. On the other hand, the ISO 27002 standard makes no distinctions between the controls that actually apply to a particular business. This is the only way that the ISO 27002 standard could be so detailed in its descriptions of each control.

What Is ISO 27001?

ISO 27001 is the international standard that lays out the requirements and best practices for an organization’s information security management system (ISMS), which is critical to preventing controls from becoming disjointed and disorganized.

Often designed and implemented as temporary stop-gaps—or point solutions—for specific situations, an organization’s controls can quickly and easily take on a random—or even chaotic—existence within a system without an effective ISMS. And of course, “random” and “chaotic” are not terms you want to apply to your information system’s security controls.

ISO 27001 can be adopted by and implemented in any type of organization, in any sector, including the following:

  • Profit or non-profit,
  • Governmental at federal, state, and local levels,
  • Private firms of any size – small, medium, or global.

Composed by the world’s top experts in information security, ISO 27001 offers a thorough methodology for establishing and operating an ISMS in an organization. The standard also allows companies to become certified, which confirms that your organization is fully compliant with the ISO 27001 standard. Generally, ISO 27001 certification helps prevent data breaches and system infiltrations, makes compliance with other industry regulations easier, and is a recognizable security attestation.

The latest update, ISO/IEC 27001:2013, published September 23, 2013, supersedes the previous set of standards known as ISO/IEC 27001:2005. Yet it continues the mission of “specifying the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization,” according to the International Organization for Standardization.

The primary difference between the original and the updated standards involves the emphasis on measuring and monitoring the success of an organization’s ISMS performance. The latest version of this management standard covers 114 controls that are categorized in 14 sections:

  1. Information Security Policy
  2. Organization of Information Security
  3. Human Resources Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. Information Systems Acquisition, Development and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Information Security Aspects of Business Continuity
  14. Compliance

What Exactly is a Management Standard?

A management standard is more concerned with how the people in a company run a system than with the compliance of any individual control within that system. Auditors understand that individual controls can break down because of technical problems. However, the larger problems in IT occur when the management running a system decides to implement it in a way that is incompatible with modern standards.

Individual controls are easy to fix because the rules of mechanics and physics only work a certain way. People can direct the system in virtually any way they want; therefore, the people running the system are the elements of the system that require a compliance check.

What Is ISO 27002?

ISO 27002 serves as a guideline for organizational information security standards and best practices for information security management. Taking into consideration the business’s information security risk environments, ISO 27002 focuses on the organization’s selection, implementation, and management of controls. It is meant to be used as a guide, based on ISO 27001, for identifying appropriate security controls within the process of implementing an ISMS.

Ultimately, while ISO 27002 is more of a guideline for achieving best practices and differs only subtly from ISO 27001, it also serves to demonstrate the stability of your organization’s ISMS. The main difference is that ISO 27002 does not distinguish between controls applicable to your particular organization and those which are not. ISO 27002 is a reference for selecting security controls, rather than a certification process.

ISO 27002 is Not a Certified Standard.

The misconception that ISO 27002 is a standard that a business can actually become certified to comes from people who believe that the ISO 27002 standard was simply reworked from ISO 17799. Although many IT professionals in the past would use ISO 27002 compliance as an internal standard, there has never been a professional certification that a business could receive according to that standard.

In contrast, ISO 27001 is a standard that an organization can be certified against. As a matter of fact, the ISO 27001 standard was developed because of the confusion that ISO 27002 caused in the industry.

ISO 27002 is More Detailed. Why is it Not a Standard?

Although ISO 27002 explains controls in much greater detail than ISO 27001, ISO 27001 is the only standard that defines the objectives and responsibilities of management. Because it is the management of a company that actually implements, monitors and reviews the information security that a business uses, only ISO 27001 can be used as a management standard.


Get Certified and Stay Updated on ISO Standards

I.S. Partners regularly monitors updates to ISO 27001 standards. If you are looking to stay in compliance with the ISO 27001 standard, you need a firm that understands your organization’s IT systems, internal goals and external standards. Contact I.S. Partners to discuss your questions about standards and compliance.
