Difference Between ISO 27001 and ISO 27002

Photo of author

By admin


The International Standards Organization (ISO) created the ISO 27000 Series that provides documentation to help risk assessment and risk mitigation in information systems. Most Information Security professionals are aware of the international standards of ISMS (Information Security Management System) – ISO 27001 and ISO 27002. However, not many are aware of the difference between the two ISMS standards. In this article, we will establish the difference between ISO 27001 and ISO 27002. But before that here’s a brief outline of the two ISMS standards.



What is ISO 27001?


The ISO 27001 is an information security standard that was created to manage and implement security controls in IT systems. This standard is a requirement document that organizations must follow for an efficient ISMS. ISO 27001 standard forms the central framework of the whole ISO 27001 series and is a must for every organization at the start of a project.

It is also the more well-known standard and organizations can get certified against it. This means that if the information security risk management system of the organization meets the guidelines set forth by ISO 27001, then the business will become eligible for the ISO 27001 standard certification.


What is ISO 27002?


ISO 27002 standard is not a certification that organizations can earn. It supplements the ISO 27001 standard by providing the best practices methods and guidelines for ISMS. It provides advice about the implementation of security controls that are listed in Annex A of ISO 27001. Information Security Professionals usually refer to ISO 27002 to discuss these security controls as they are documented in detail here. There are other standards in the ISO 27000 Series like ISO 27003 and ISO 27004 that describe ISMS implementation guidelines and managing instructions for ISMS, respectively.


Difference Between ISO 27001 and ISO 27002


So, we can conclude that the main difference between ISO 27001 and ISO 27002 is that ISO 27001 is a standard that organizations can certify whereas, ISO 27002 is a supplementary standard that helps Information Security professionals learn the security controls in detail once the risk areas have been identified.

For organizations that are just starting out their ISMS journey, learning about ISO 27001 will be enough. However, after they have established the security needs and gradually start implementing security controls, they need to refer to the ISO 27002 standard.

Gaining a thorough knowledge about the ISO 27001 standard is very essential. Information security consultants and practitioners can learn about these standards through verified training and certification providers. Manage the security and compliance of your organization’s information security systems with the help of the right knowledge and skillset. Help your business or your organization excelling the ISMS by planning and monitoring effective risks mitigation strategies. Become qualified information security professionals and earn credibility as well as promotability in the IT industry.