Understanding Compliance – ISO 27001 and ISO 27002

Although there is a relationship between the ISO 27001 and ISO 27002 standards, they mean completely different things as far as the IT industry and compliance are concerned. Understanding these differences can save you thousands of dollars and hours of headaches in your internal audit efforts as well as in your compliance reports. Here are the major differences between the ISO 27001 and ISO 27002 standards that you should know.

ISO 27002 is Not a Certified Standard.

The misconception that ISO 27002 is a standard that a business can actually become certified to comes from people who believe that the ISO 27002 standard was simply reworked from ISO 17799. Although many IT professionals in the past would use ISO 27002 compliance as an internal standard, there has never been a professional certification that a business could receive according to that standard.

In contrast, ISO 27001 is a standard that a business can be certified against. As a matter of fact, the ISO 27001 standard was developed because of the confusion that ISO 27002 caused in the industry.

ISO 27002 is More Detailed. Why is it Not a Standard?

Although ISO 27002 explains controls in much greater detail than ISO 27001, ISO 27001 is the only standard that defines the objectives and responsibilities of management. Because it is the management of a company that actually implements, monitors and reviews the information security that a business uses, only ISO 27001 can be used as a management standard.

What Exactly is a Management Standard?

A management standard is more concerned with how the people in a company run a system than with the compliance of any individual control within that system. Auditors understand that individual controls can break down because of technical problems. However, the larger problems in IT occur when the management running that system decides to implement it in a way that is completely at odds with modern standards.

Individual controls are easy to fix because the rules of mechanics and physics only work a certain way. People can direct the system in virtually any way they want; therefore, the people running the system are the elements of the system that require a compliance check.

The Differences Between ISO 27001 and ISO 27002

Many people have asked why the two ISO standards have not been combined to form a single standard. After all, the detail that is in the ISO 27002 may actually bring some clarity and precision to the ISO 27001 management standard. However, the usability of each standard would actually fall if they were combined – the standard would be far too complex to use practically.

The ISO 27000 series of standards was created with a separate focus for each individual standard. For instance, the ISO 27001 standard was created specifically to help build an IT foundation for an organization. The detail of ISO 27002 makes it much more useful if you are looking to implement certain controls. Risk treatment is better served by other standards within the ISO 27001 line.

The ISO 27001 standard gives a company an actionable risk assessment for the controls within a system. Using this standard, you can also determine the level to which the assessment should be applied. On the other hand, the ISO 27002 standard makes no distinction about which controls actually apply to a particular business. This is the only way that the ISO 27002 standard could be so detailed in its description of each control.


Your Next Move

If you are looking to stay in compliance with the ISO 27001 standard, you need a company that understands the subtle differences between all of the members of the ISO 27000 series. We will use all of the standards in the ISO 27000 line to ensure that your systems are working at peak efficiency. We will also ensure that your company remains compliant with all external standards, using our cost-efficient audit methods and reports to highlight process bottlenecks and areas for improvement.

Give us a call or an email to discuss your questions about standards and compliance today at (215) 675-1400 or [email protected].
