Let Us Guide You Through Your InfoSec & Compliance Journey.
Learn how to use the Compyl Platform.
Watch all Security Session Episodes
Real-world stories on how we help our customers.
Pursuing strong information security certification has never been more important, as a recent survey of IT professionals found that60% of companiesexperienced a data breach in 2023. Achieving ISO certification helps businesses both defend against and respond to security breaches. However, conceptualizing ISO 27001 vs. 27002 can be difficult, as the standards appear similar at first glance.
The International Organization for Standardization and the International Electrotechnical Commission jointly publish the ISO/IEC 27000 standard for information security. The difference between ISO 27001 and 27002 is that the former covers all of the requirements for certification and the latter expands on the brief descriptions of controls in Annex A. Learning about the distinctions between ISO 27001 and ISO 27002 can help a business certify to ISO 27001 and improve its information security.
ISO 27001 is a global information security standard with an independent certification body and auditors. Organizations can certify to ISO 27001 by assembling a multi-part security plan and submitting it for review.
Security plans must address the specific risk factors in ISO 27001 Annex A, a list of over 100 controls that apply to certain businesses and types of sensitive information. Businesses with ISO 27001 certification can advertise to consumers, partners, clients and shareholders that they have verified and tested information security protocols in place.
ISO 27002 is a supplement to ISO 27001 that explains the many controls in Annex A in greater detail. It is not a separate certification, but rather a way to communicate the information Annex A more clearly and comprehensively.
ISO 27002 includes longer descriptions of each control, how the controls contribute to a larger security plan and specific strategies to implement each control. It is intended to help those outside of the direct IT sphere, such as stakeholders, understand and contribute to a business’s ISO 27001 certification efforts.
Organizations seeking ISO certification for information security must craft their plans to the ISO/IEC 27001 standard. In general, certification is only available for ISO standards ending in the digit “1.”
The most significant difference between ISO 27002 and 27001 lies in how a business uses these standards. Annex A of ISO 27001 outlines each of its controls in one to two sentences, whereas ISO 27002 devotes about one page to each. Stakeholders can refer to the longer control descriptions, objectives and guidelines in ISO 27002 to better understand controls at the implementation stage.
ISO 27002:2022 predated the revised ISO 27001:2022. The new, revised standard summarizes changes to controls. Also, the themes and attributes in the updated 2022 version of the standard offer more insight into multiple applications of controls. ISO 27002:2022 no longer includes the phrase “code of practice” in the title of the standard. This indicates its purpose as a reference that expands on the ISO 27001 standard.
Some situations require several controls or elements related to more than one control. Subsequent ISO 27000 series standards provide further guidance in these complex scenarios. For example, ISO 27003 provides guidelines for implementing an Information Security Management System in clauses that correspond to the organization of ISO 27001.
Another difference between ISO 27001 and 27002 is that the new 27002 groups its Annex A controls differently to better communicate how they relate to overall business operations. The categorization of controls is more thorough and detailed in 27002 than in the original 27001 standard. Annex A of ISO 27001:2022 groups its controls into four themes:
There are eight controls that pertain to people, 37 organizational controls, 34 technological controls and 14 physical controls. This totals 93 information security controls in the 2022 standard, compared to 114 controls in the 2013 standard.
The standards body did not remove any controls, however. They instead merged 56 controls into 24 controls and added several controls to reach the new total.
The new version of ISO 27002 categorizes the revised information security controls in the certifying standard based on five attributes:
The security-related controls that fall under operational capabilities range from human resources to physical, system, network and application security. Best practices for managing identity and access and threats and vulnerabilities are associated with this attribute. Broader operational factors such as business continuity, supplier relationships, legal and compliance considerations, information security event management and information security assurance are also grouped under operational capabilities.
The ISO 27001 standard covers all requirements for certification. This standard is a useful reference for any business interested in investing in information security.
Stakeholders can select controls using ISO 27001’s brief descriptions of technical, organizational, legal, physical and human resource controls, but they can also reference ISO 27002 for more information. Another significant difference between ISO 27001 and 27002 is that ISO 27001 focuses primarily on risk assessment and mitigation for use as the foundation for implementing an ISMS.
One takeaway is key to understanding ISO 27001 vs. 27002. ISO 27002 provides more detail about controls and organizes these controls differently for the sake of explanation. It does not introduce any new requirements beyond ISO 27001.
The year 2022 brought a few changes to ISO standards. ISO 27002:2022 and the revised version of Annex A of ISO 27001 include 11 new controls.
These additions include threat intelligence, information security for use of cloud services, information and communication technology readiness for business continuity, physical security monitoring and configuration management.
Other new controls in the 2022 versions of these standards address information deletion and data masking. Strategies for data leakage prevention, monitoring activities, web filtering and secure coding are also included.
These controls are relevant to organizations planning to certify to ISO 27001:2022. In general, there is a transition period of around two years following the publication of new certification standards. A centralized security and compliance platform can be helpful for organizations pursuingISO 27001 certification.
Understanding ISO 27001 vs. 27002 is most important in early stages of the certification process, as businesses decide which Annex A controls are relevant to their operations. In the current standard, the reference rules for certification under ISO 27001, the list of controls in Annex A of this standard, and the explication of these controls in ISO 27002 are all consistent. In other words, the objectives set forth in 27001 correspond to controls outlined in Annex A and detailed descriptions in 27002.
Remember that there are more standards to understand and review than simply 27001 and 27002. ISO 27003 refers to ISMS implementation. ISO 27004 details ISMS evaluation monitoring and measurement. ISO 27005 is a comprehensive look at risk assessment and treatment.
The main takeaway is that organizations can only certify to the 27001 standard. The other standards provide helpful supplementary information.
Ultimately, ISO 27001 vs. 27002 boils down to this: ISO 27002 clarifies, expands on and recategorizes the controls in Annex A of the ISO 27001 standard. These detailed descriptions can be useful references when an organization is considering or implementing controls for certification.
An end-to-end information security platform capable of continuous monitoring can also facilitate certification and ongoing compliance.Request a demoto find out how Compyl can streamline the ISO 27001 certification process.
