ISO 27001 vs. 27002: One Standard, Two Essential Pieces
Wondering what the difference is between ISO 27001 and ISO 27002? Well, there are a few.
Here's an easy-to-follow breakdown of what they are to help you build a program that addresses all of the requirements to achieve and maintain compliance.
Get Started With Drata
In this article, we discuss the differences between ISO 27001 and 27002 and the importance of using them together.
ISO 27001:2022 is flexible enough to be implemented by any size or type of organization while remaining a highly effective instrument to improve and maintain an organization’s information security management system (ISMS). ISO 27002:2022 provides best-practice recommendations and guidance for implementing the controls listed in Annex A of ISO 27001:2022.
The ISO 27002 also underwent a change in 2022. No longer intended to be a “code of practice,” the newest version focuses on broadening the set of references for the control implementation examples to help users keep up with ever-expanding international regulations governing any given organization around the world.
Key concept | Summary |
Differences between ISO 27001 and ISO 27002 | The main differences between ISO 27001 and ISO 27002 are found in their scope, structure, and applicability. |
The complementary relationship between ISO 27001 and ISO 27002 | The two frameworks complete each other, as ISO 27002 brings in-depth implementation guidance for ISO 27001 Annex A controls |
Benefits of using both standards | It is recommended to use both ISO 27001 and 27002 together to avoid roadblocks and gaps in control implementation. |
Recommendations | We strongly advocate automating the heavy, manual compliance process to streamline certification and audits. |
While ISO 27001 specifies the requirements for an ISMS that organizations are audited against, ISO 27002 provides additional details and best-practice implementation examples for the controls found in Annex A of ISO 27001.
The key differences between the two standards boil down to scope, structure, and applicability, as explained below.
Dimension | ISO 27001 | ISO27002 |
Scope | The scope is broad and covers high-level implementation requirements of the ISMS. | The scope is specific to controls that supplement ISO 27001. |
Structure | The structure consists of a series of clauses and subclauses, which are administrative in nature. | The structure consists of more specific controls that companies can choose to implement to support the implementation of ISO 27001. |
Applicability | All ISO 27001 Clauses are applicable to the entire ISMS implementation and cannot be excluded. | ISO 27002 Controls’ applicability to the organization can be defined based on what makes sense to the business’s goals and security needs. |
ISO 27001:2022 is broad in its scope and encompasses the entirety of the organization as part of the ISMS. This includes the following topics:
Scope
Normative References
Terms and Definitions
Organizational Context
Leadership
Planning
Support
Operation
Performance Evaluation
Improvement
Annex A
In contrast, ISO 27002:2022 takes a narrower and more specific focus on the controls in Annex A of ISO 27001, most of which are covered in great detail. It does not cover any of the other parts, such as the topics listed above found in ISO 27001.
ISO 27001:2022 is broken down into 10 clauses, which are necessary for the organization to understand the context and concepts of the standard as it is implemented. These clauses are followed up by the controls of Annex A. The structure of ISO 27002:2022 is straight to the point and goes control by control, providing the optional implementation guidance for each control found in Annex A of ISO 27001.
ISO 27001 is applicable to the entirety of the organization's ISMS. Additionally, it is a well-respected and globally recognized certifiable standard. ISO 27001 gives high-level requirements, while ISO 27002 expands on implementing security controls. Not all controls in ISO 27002 may be applicable for each organization since ISO 27001 mandates assessing risks first to determine which controls should be implemented based on an organization's unique threat landscape. That being said, their key denominator lies in the controls themselves.
We’ve provided a couple of examples below from the standards to demonstrate the differences listed in the above section as well as the tight connection between the two.
ISO 27001 wording: An inventory of information and other associated assets, including owners, shall be developed and maintained.
Purpose: To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership.
ISO 27002 extra information: ISO 27002 goes into detail in the Guidance section covering the following vital components of the control:·
Identification of assets
Categorization of assets
Maintaining an accurate and up-to-date inventory
Documenting the duties and responsibilities of asset owners
The control implementation provides an example of a successful asset inventory, such as one that includes a list of all assets listed by risk. This includes documenting the identified asset owner and version numbers for underlying software, systems, and firmware.
ISO 27001 wording: The full lifecycle of identities should be managed.
Purpose: To ensure that the right people and other interacting systems have the required access to the organization’s resources and to make certain that appropriate access rights have been given.
ISO 27002 extra information: ISO 27002 goes into detail in the Guidance section covering the following vital components of the control:
Where identities are assigned to a person, only that specific person is allowed to authenticate with and/or use that identity when accessing network resources.
Sometimes, it may be necessary to assign an identity to multiple people—also known as a “shared identity.” This approach should be used sparingly and only to satisfy an explicit set of operational requirements.
“Non-human” entities (as the name suggests, any identity that isn’t attached to an actual user) should be considered differently from user-based identities at the point of registration.
Identities that are no longer required (those who leave the organization, redundant assets, etc.) should be disabled by a network administrator or removed entirely, as required.
Duplicate identities should be avoided at all costs. Firms should adhere to a “one entity, one identity” rule across the board.
Adequate records should be kept of all “significant events” regarding identity management and authentication information.
A new feature in the recent version of ISO 27002:2022 involves attributes for controls, allowing organizations and users of the standard to categorize the controls in whichever manner suits them best. The table below summarizes these attributes, and the following sections explain them individually.
Similar to the control types found in other standards, these address the three primary functions of the security controls as they relate to potential security incidents:
Preventive: These are controls that focus on preventing security incidents and minimizing risks to the organization.
Detective: These controls focus on detecting potential security incidents.
Corrective: These are controls whose focus is on the response to security incidents and the ensuing response activities.
Well-known as the CIA triad, these address the fundamental principles of protecting an organization’s assets:
Confidentiality: These are controls that aim to protect sensitive information from unauthorized access and disclosure.
Integrity: These are controls whose focus is on maintaining information's trustworthiness, completeness, and accuracy.
Availability: These controls revolve around ensuring that information essential to the organization remains accessible when needed.
Similar to the cybersecurity functions used by others, such as the NIST Cybersecurity Framework (CSF), these address the high-level effect of the controls:
Identify: Controls focused on helping the organization understand its environment and the risks posed to it.
Protect: Controls whose focus is on the tools and processes that allow the organization the ability to mitigate potential security incidents and minimize their impact.
Detect: Controls for the tools and processes that enable the organization to identify potential security incidents as quickly and efficiently as possible.
Respond: Controls aimed at helping the organization quickly respond to security incidents to minimize the potential impact.
Recover: Controls that concentrate on helping the organization quickly and efficiently recover from security incidents and enable a return to normal operations.
Resembling control “families” or control “categories” across many other standards, these are controls that are grouped by the similarity of capabilities:
Asset Management: Controls to identify information assets and define the appropriate protections.
Governance: Controls to manage the overarching policies and processes of securing the organization.
Information Protection: Controls to ensure the confidentiality, integrity, and availability of organizational systems and data.
Human Resource Security: Controls to ensure the employees and contractors of the organization understand their roles and responsibilities.
Physical Security: Controls to ensure the physical security of facilities and organizational equipment.
System and Network Security: Controls to ensure the safeguarding of the organization’s systems and networks, including logging, segmentation, and other activities.
Application Security: Controls to protect the organization’s information assets that are stored or processed through applications.
Secure Configuration: Controls to ensure that the organization’s network and assets are operating in a secure manner and protected against unauthorized changes or incorrect configurations.
Identity and Access Management: Controls to manage the lifecycle of the organization’s identities and the access granted to those identities as well as information assets.
Threat and Vulnerability Management: Controls to comprehensively manage the threats and vulnerabilities posed to the organization’s environment through scanning, patching, remediation activities, and other activities.
Continuity: Controls to ensure the successful continuity of business operations after an incident.
Supplier Relationships Security: Controls that address managing supplier risk and contractual agreements.
Legal and Compliance: Controls that help the organization ensure compliance with legal requirements.
Information Security Event Management: Controls that address how an organization manages security events and incidents.
Information Security Assurance: Controls to ensure the protection of the organization’s information confidentiality, integrity, and availability and ensure non-repudiation.
These are controls grouped into overarching information security domains.
Governance: Largely a combination of controls performing management functions.
Protection: Controls that provide protective functions for the organization’s assets and environment.
Defense: Controls that defend the organization’s assets and environment from attacks.
Resilience: This is mostly a combination of controls performing response and continuity functions to allow the organization to withstand an attack and carry on business as usual.
Due to the complementary and interconnected relationship between them, it is best practice to take advantage of the details and examples provided by ISO 27002 when implementing the objectives of ISO 27001. While it is possible to be certified on ISO 27001 without using 27002, it could lead to more nuances, dependencies, potential gaps, and increased costs if done on its own.
An organization can be certified against ISO 27001 but not against ISO 27002. Even though it is not certifiable, it is extremely beneficial for organizations to leverage ISO 27002 as an interconnected and complementary standard to the implementation of the requisite controls found in Annex A of ISO 27001 that apply to their organization.
Given all the required documents, details, and evidence that are continuously needed to manage ISO 27001, as well as the constantly moving parts of the ISMS, it can be a very heavy manual process to achieve and maintain multiple frameworks. Not to mention the potential human errors caused by trying to keep track of a myriad of spreadsheets with a variety of owners. This makes it extremely beneficial to adopt an automated compliance platform to streamline all of the requirements throughout the ISO 27001:2022 certification process.
The ability to continuously update these artifacts throughout the cycle between certification and audits can save an organization on resources, including time and money, and provide the comfort of knowing that the organization can stay focused on its essential business functions while maintaining compliance.
Take Your Learning Further
Discover research, playbooks, checklists, and other resources on ISO 27001 compliance.
