The Difference Between ISO 27001 and 27002 Controls

October 03, 2023

What Is the Difference Between ISO 27001 and 27002?

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly publish the ISO/IEC 27000 family of information security standards. The difference between ISO 27001 and 27002 is that the former states the requirements an organization must meet to be certified, while the latter expands on the one-sentence control statements in Annex A of ISO 27001 with purpose, implementation guidance and other information for each control. Learn more about the distinction between ISO 27001 and ISO 27002 and how to use the two standards together when certifying to ISO 27001.


The Main Difference Between ISO 27001 and 27002

Organizations seeking ISO certification for information security can certify to the ISO/IEC 27001 standard. As a rule of thumb, certification is available only for ISO standards that state auditable requirements, which in the ISO numbering scheme are typically the ones ending in the digit “1”; ISO 27002 is guidance and cannot be certified against. The most significant practical difference between ISO 27002 and 27001 is the level of detail: Annex A of ISO 27001 states each control in one or two sentences, whereas ISO 27002 devotes roughly a page to each control, covering its purpose, implementation guidance and other information. Stakeholders refer to the longer descriptions in ISO 27002 to understand what a control is meant to achieve and how to implement it.

ISO 27002:2022 was published in February 2022, several months before the revised ISO 27001:2022 (October 2022), and Annex A of the revised ISO 27001 was aligned with the restructured control set in ISO 27002:2022. The themes and attributes introduced in the 2022 version make it easier to see where a single control serves several purposes, where a situation calls for several controls at once, and where one topic spans more than one control. Other standards in the ISO 27000 series provide further guidance. For example, ISO 27003 gives guidelines for implementing an Information Security Management System (ISMS), organized in clauses that correspond to the clause structure of ISO 27001.

Information Security Controls in ISO 27001 vs ISO 27002

Annex A of ISO 27001:2022 groups 93 controls into four themes, matching clauses 5 to 8 of ISO 27002:2022: 37 organizational controls, eight people controls, 14 physical controls and 34 technological controls. The 2022 version therefore has a total of 93 information security controls, compared with 114 controls in the 2013 version. The standards body did not remove any controls; it merged 56 controls into 24, renamed and updated others, and added 11 new controls.

The title of ISO 27002:2022 no longer includes the phrase “code of practice” (the 2013 edition was titled “Code of practice for information security controls”; the 2022 edition is simply “Information security controls”), reflecting its role as the reference that expands on the ISO 27001 control set. The new version of ISO 27002 tags each control with five attributes, which can be used to filter or group the controls from different viewpoints:

  • Control type: Preventive, detective and corrective
  • Information security properties: Confidentiality, integrity and availability
  • Cybersecurity concepts: Identify, protect, detect, respond and recover
  • Operational capabilities: Governance, asset management, information protection and a range of other security-related capabilities (see below)
  • Security domains: Governance and ecosystem, protection, defence and resilience

The operational capabilities attribute has the longest list of values. Beyond governance, asset management and information protection, it covers human resource security, physical security, system and network security, application security, secure configuration, identity and access management, and threat and vulnerability management. Broader operational topics such as business continuity, supplier relationships security, legal and compliance, information security event management and information security assurance are also values of this attribute.

How To Use the ISO 27001 and ISO 27002 Standards

The ISO 27001 standard contains all the requirements for certification: clauses 4 to 10 set out what the ISMS itself must do (organizational context, leadership, planning, support, operation, performance evaluation and improvement), and Annex A lists the reference controls. Stakeholders can refer to the brief descriptions of the organizational, people, physical and technological controls in Annex A when selecting controls. Another significant difference between ISO 27001 and 27002 is that ISO 27001 is built around risk assessment and risk treatment: controls are chosen because the risk treatment process calls for them, and the selection is justified in the Statement of Applicability, which forms the foundation for implementing and auditing the ISMS.

ISO 27002 is the reference to use when more detail is needed during implementation. It categorizes the same controls into the same four themes: 34 technological controls directly related to information technology, 37 organizational controls with broader applications, 14 physical controls for securing premises and assets, and eight people controls related to human resources. ISO 27002 provides more detail about each control and organizes the controls for the sake of explanation, but it introduces no requirements beyond those in ISO 27001.

New Controls in ISO 27001:2022 and ISO 27002:2022

ISO 27002:2022 and the revised Annex A of ISO 27001:2022 include 11 new controls. These additions include threat intelligence, information security for use of cloud services, ICT (information and communication technology) readiness for business continuity, physical security monitoring and configuration management.

The other new controls in the 2022 versions of these standards are information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding. These controls are relevant to any organization planning to certify to ISO 27001:2022. New certification standards come with a transition period; for ISO 27001:2022 the International Accreditation Forum set a three-year transition ending 31 October 2025, after which certificates issued against the 2013 version are no longer valid. A centralized security and compliance platform can be helpful for organizations pursuing ISO 27001 certification.

ISO Certification Standards and Supporting Standards

Which of the two standards matters more depends on the stage of the certification process. The certification requirements in ISO 27001, the list of controls in its Annex A and the explanation of those controls in ISO 27002 are consistent across the current versions of the standards: each control in Annex A has a corresponding, more detailed description under the same number in ISO 27002.

The ISO 27000 family is not limited to ISO 27001 and ISO 27002. It also includes ISO 27003 for ISMS implementation guidance, ISO 27004 for monitoring, measurement, analysis and evaluation of the ISMS, and ISO 27005 for information security risk management. The main takeaway from a comparison of ISO 27001, ISO 27002 and the supporting standards is that organizations can only certify to ISO 27001.


Why the Difference Between ISO 27001 and 27002 Matters

The difference between ISO 27001 and 27002 matters because the control set outlined in Annex A of ISO 27001 is only fully explained by the expanded descriptions in ISO 27002. Those descriptions are the reference to use when an organization is selecting or implementing controls for certification. An end-to-end information security platform capable of continuous monitoring can also facilitate certification and ongoing compliance. Request a demo to find out how Compyl can streamline the process of certifying to ISO 27001:2022.


How does the cost of obtaining and maintaining ISO 27001 certification compare to SOC 2 compliance?

Obtaining ISO 27001 certification generally involves a larger initial investment, because the organization must build and document an ISMS and then pass a stage 1 and stage 2 certification audit. Ongoing costs are not zero: certificates run on a three-year cycle with annual surveillance audits and a recertification audit at the end of the cycle. SOC 2 compliance can be less expensive upfront, but a SOC 2 Type II report covers a defined period and is typically renewed every year, so the recurring audit cost adds up over time.

Can a business be both ISO 27001 certified and SOC 2 compliant, and if so, what are the benefits?

Businesses can indeed pursue both ISO 27001 certification and SOC 2 compliance. Doing so can enhance a company’s security posture, expand its market appeal, and meet a broader range of customer and regulatory requirements.

What specific industries or types of businesses might prefer ISO 27001 certification over SOC 2 compliance, and vice versa?

Organizations that must satisfy international data security requirements, or that sell to customers outside the United States, tend to prefer ISO 27001 because of its global recognition. Conversely, businesses that primarily operate in the United States or serve clients that expect a report under the American Institute of Certified Public Accountants (AICPA) attestation standards tend to lean towards SOC 2 compliance.
