~90% overlap

ISO 27001 vs ISO 27002

A detailed comparison to help you understand the differences, similarities, and when you need each framework.

Quick Overview

ISO 27001

ISO 27001 is the internationally recognized certification standard for Information Security Management Systems (ISMS). It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organization. Annex A provides a reference list of 93 security controls across four themes (organizational, people, physical, technological), but the standard itself focuses on the management system — risk assessment, leadership commitment, planning, support, operation, performance evaluation, and improvement.

ISO 27002

ISO 27002 is a guidance standard that provides detailed implementation advice for the 93 security controls listed in ISO 27001 Annex A. It is not a certification standard — you cannot certify to ISO 27002. Instead, it serves as a practical reference explaining the purpose, guidance, and other information for each control, helping organizations understand how to implement the controls they select through their ISO 27001 risk treatment process. The 2022 revision reorganized controls into four themes and introduced control attributes for filtering.

What They Have in Common

  • Both are published by ISO/IEC and form part of the ISO 27000 family of information security standards
  • Both reference the same 93 security controls organized into four themes: organizational, people, physical, and technological
  • Both were substantially revised in 2022 to modernize control language and introduce new controls for cloud security, threat intelligence, and data masking
  • Both address the full spectrum of information security domains including access control, cryptography, physical security, and incident management
  • Both are used together by organizations building and certifying an ISMS — they are designed as companion documents

Key Differences

| Aspect | ISO 27001 | ISO 27002 |
|---|---|---|
| Purpose | Specifies requirements for an ISMS — what you must do to achieve certification | Provides implementation guidance for security controls — how to implement what Annex A lists |
| Certification | Certifiable standard — organizations are audited and certified against ISO 27001 by accredited bodies | Not certifiable — it is a guidance document that supports ISO 27001 implementation |
| Content focus | Management system requirements: context, leadership, planning, support, operation, evaluation, improvement | Detailed control guidance: purpose statement, guidance text, and other information for each of the 93 controls |
| Mandatory vs advisory | Contains mandatory requirements (clauses 4-10) that must be met for certification | Entirely advisory — organizations choose which guidance to follow based on their risk treatment decisions |
| Scope | Covers the entire ISMS lifecycle including risk assessment, management review, internal audit, and continual improvement | Covers only the implementation details of individual security controls without addressing the management system |
| Audience | Auditors, management, and compliance teams responsible for ISMS governance and certification | Security engineers, IT teams, and practitioners responsible for implementing specific controls |
| Cost | $20,000-$80,000 for initial certification; $10,000-$30,000 annual surveillance audits | No certification cost — only the cost of purchasing the standard document (approximately $200) |

Who Needs What?

Every organization pursuing ISO 27001 certification should use ISO 27002 as a companion reference. ISO 27001 tells you what your ISMS must include and is the standard you certify against. ISO 27002 tells you how to implement the Annex A controls you select during risk treatment. Security practitioners implementing controls day-to-day will reference ISO 27002 far more frequently than ISO 27001 itself. Organizations benchmarking their security posture without pursuing certification sometimes use ISO 27002 as a standalone control framework.

Our Recommendation

These are not competing standards — they are designed to be used together. ISO 27001 is required for certification and provides the management system structure. ISO 27002 is the practical implementation guide that helps your team build the controls ISO 27001 requires. Purchase and reference both. If you are pursuing certification, ISO 27001 is the mandatory standard; ISO 27002 is your implementation handbook. Do not skip ISO 27002 — it contains the practical guidance that makes the difference between controls that exist on paper and controls that actually work.
