The International Organization for Standardization and the International Electrotechnical Commission jointly publish the ISO/IEC 27000 standard for information security. The difference between ISO 27001 and 27002 is that the former covers all of the requirements for certification and the latter expands on the brief descriptions of controls in Annex A of ISO 27001. Learn more about the distinction between ISO 27001 vs ISO 27002 and how to use these standards to certify to ISO 27001.
ISO 27002:2022 predated the revised ISO 27001:2022, which summarizes changes to controls under the certification standard. The themes and attributes in the updated 2022 version of the standard offer more insight into multiple applications of controls, situations that require several controls or elements related to more than one control. Subsequent ISO 27000 series standards provide further guidance. For example, ISO 27003 provides guidelines for implementing an Information Security Management System in clauses that correspond to the organization of ISO 27001.
Annex A of ISO 27001:2022 groups 93 controls into four themes: people, organizational, technological and physical controls. Eight controls pertain to people, while the standard also includes 37 organizational controls, 34 technological controls and 14 physical controls. The 2022 version of the standard has a total of 93 information security controls, compared to 114 controls in the 2013 standard. The standards body did not remove any controls but merged 56 controls into 24 controls and added several new controls.
ISO 27002:2022 no longer includes the phrase “code of practice” in its title, reflecting its purpose as a reference that expands on the ISO 27001 standard. The new version of ISO 27002 categorizes the revised information security controls in the certifying standard based on five attributes:
The security-related controls that fall under the operational capabilities attribute range from human resources to physical, system, network and application security. Secure configuration and best practices for managing identity and access, as well as threats and vulnerabilities, are also associated with this attribute. Broader operational factors such as business continuity, supplier relationships, legal and compliance considerations, information security event management and information security assurance are also grouped under operational capabilities.
The ISO 27001 standard covers all requirements for certification, and its Annex A is a useful reference in its own right: stakeholders can refer to the brief descriptions of technical, organizational, legal, physical and human resource controls in this standard when selecting controls. Another significant difference between ISO 27001 and 27002 is that ISO 27001 focuses primarily on risk assessment and mitigation as the foundation for implementing an ISMS.
ISO 27002 is a useful reference for stakeholders seeking more information during the implementation process. This standard categorizes controls into four themes. Technological controls include 34 controls that are directly related to information technology. Organizational controls cover 37 controls with broader applications. Physical controls include 14 controls for securing assets. People controls are eight controls related to human resources. This standard provides more detail about controls and organizes them for the sake of explanation, but it does not introduce any new requirements beyond ISO 27001.
ISO 27002:2022 and the revised version of Annex A of ISO 27001 include 11 new controls. These additions include threat intelligence, information security for use of cloud services, information and communication technology readiness for business continuity, physical security monitoring and configuration management.
Other new controls in the 2022 versions of these standards range from information deletion to data masking, data leakage prevention, monitoring activities, web filtering and secure coding. These controls are relevant to organizations planning to certify to ISO 27001:2022. In general, there is a transition period of around two years following the publication of new certification standards. A centralized security and compliance platform can be helpful for organizations pursuing ISO 27001 certification.
The difference between ISO 27001 and 27002 is most relevant depending on the stage of the certification process. The certification requirements in ISO 27001, the list of controls in its Annex A and the expanded descriptions of those controls in ISO 27002 are consistent across the current versions of these standards. The objectives set forth in 27001 correspond to controls outlined in Annex A and detailed descriptions in 27002.
ISO 27000 standards are not limited to ISO 27001 and ISO 27002 but also include ISO 27003 for ISMS implementation, ISO 27004 for ISMS monitoring, measurement and evaluation, and ISO 27005 for risk assessment and treatment. The main takeaway from a comparison of ISO 27001 vs ISO 27002 and subsequent standards is that organizations can only certify to the 27001 standard.
The difference between ISO 27001 and 27002 matters because the control set outlined in Annex A of ISO 27001 is clarified by expanded descriptions in ISO 27002. These detailed descriptions can be useful references when an organization is considering or implementing controls for certification. An end-to-end information security platform capable of continuous monitoring can also facilitate certification and ongoing compliance. Request a demo to find out how Compyl can streamline the process of certifying to ISO 27001:2022.