ISO 27001 vs 27002: What’s the Difference?

If you’re interested in information security, you may have come across ISO 27001 and ISO 27002, two closely related standards from the recognised ISO 27000 family that describe how to build and run an Information Security Management System (ISMS).

But is there a difference between ISO 27001 and 27002? In this blog, we’ll discuss the difference between these two standards and how to use them in your organisation to manage an effective ISMS.

What is ISO 27001?

The ISO 27000 family of standards is a series of requirements, guidelines, and best practices created to help organisations improve their information security. ISO 27001 is the most widely adopted standard of the family: it specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS.

It sets out everything an organisation must do to achieve compliance, and it is usually the starting point of an ISMS project. To fulfil its requirements, your organisation must:

  • Perform a gap analysis
  • Conduct a risk analysis
  • Define the scope of the ISMS
  • Develop strict policies
  • Conduct staff training
  • Choose and apply controls

What is ISO 27002?

ISO 27002 is a set of security guidelines designed to help an organisation select, implement, and maintain the controls in its ISMS. As a supplementary standard, it is used under the ISO 27001 framework as a guide for choosing suitable security controls when deploying an effective ISMS. For each control, the standard describes its objective, how it works, and how to implement it.

ISO 27001 vs 27002

While ISO 27001 and ISO 27002 are closely related, they differ significantly in applicability, level of detail, and certification.

Applicability

Although numerous information security controls exist, not all of them will apply to your organisation. ISO 27001 requires you to conduct a risk assessment to identify the risks to your information security, and to select controls based on the results of that assessment.

ISO 27002, by contrast, does not define any such requirements. It describes the controls and how to implement them, but on its own it gives you no process for deciding which controls are appropriate for your organisation.

Level of detail

ISO 27001 is not as detailed as ISO 27002, which makes it more concise and less complicated. It only describes individual aspects of an ISMS at a high level, with detailed guidance being found in other standards.

These additional standards include ISO 27002, a supplementary standard, and ISO 27003, which provides guidelines for ISMS implementation. ISO 27004 deals with the measuring, monitoring, evaluation, and analysis of the ISMS.

Certification

When it comes to certification, you can only certify to ISO 27001, because it is the standard that states the complete set of compliance requirements. You cannot certify to ISO 27002: it is a supplementary standard that provides implementation guidance for a single aspect of an ISMS, the controls, and contains no requirements to be audited against.

Learn The Basics of ISO 27001 Certification with Best Practice

Best Practice is a JAS-ANZ-accredited certification body that provides ISO certification services in Australia and globally. We can guide and support you through the ISO 27001 certification process to ensure your ISMS is well implemented and maintained. Contact Best Practice today to get started.
