ISO 27001 vs ISO 27002: What’s the Difference?
Srividhya Karthik
Sep 06, 2024
More often than not, you have to convincingly demonstrate data security to inspire confidence and trust when you win a new client or enter new geographies. The ISO 27000 series, developed by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC), offers a globally accepted information security benchmark in this regard.
But did you know that not all the management standards in the ISO 27000 series are relevant to you? In this article, we will discuss the distinct differences between ISO 27001 and ISO 27002 and detail the recently announced changes in ISO 27001 and ISO 27002.
ISO 27001 vs ISO 27002: What are the differences?
ISO 27001 helps organizations create and implement an Information Security Management System (ISMS) systematically and cost-effectively, while ISO 27002 provides the guidelines for enforcing information security controls within the ISMS.
For the uninitiated, the ISMS is a framework of policies for maintaining and strengthening the confidentiality, integrity, and availability of an organization’s information. ISO 27001 is based on identifying the potential threats to an organization’s information through a risk assessment and then treating those risks by implementing the security controls given in ISO 27002.
While implementing an ISMS, organizations must produce a ‘Statement of Applicability’, which comprises the selected controls from Annex A of ISO 27001. ISO 27002, though similar in structure, supplements the ISO 27001 requirements by detailing the best practices for the controls listed in Annex A (but that has changed following recent updates; read the section ISO 27002: What’s new?).
ISO 27002, therefore, is a reference guide for implementing those security management controls and should be read alongside ISO 27001. Put simply, if ISO 27001 were a restaurant menu, ISO 27002 would be the recipe for each item on the menu! And, yes, one of the benefits of ISO 27002 is that it is that detailed.
| Basis | ISO 27001 | ISO 27002 |
| --- | --- | --- |
| Purpose | To outline requirements for establishing, implementing and maintaining an effective ISMS | To offer guidance on selecting and implementing information security controls |
| Focus | Build a management system and a risk-focused ISMS | Provide implementation guidance |
| Certification | Yes, certifiable standard | No |
| Structure | Includes clauses (4-10) and Annex A controls (93) | Offers detailed explanation of these controls |
| Mandatory | Yes, for certification | No (optional but recommended) |
| Who uses it and when | Organizations just starting out on their ISO 27001 certification journey | Security teams when they need implementation guidance |
Here are the key differences between ISO 27001 and ISO 27002:
1. ISO 27002 isn’t a Certifiable Standard
ISO 27001 is a standard that organizations can be certified against, whereas ISO 27002 is a set of best practices for controls that you can implement as part of an ISO 27001 framework. You cannot be certified against it.
2. ISO 27002 is more detailed than ISO 27001
The ISO 27001 standard lists specific security controls for organizations to follow in Annex A, but it doesn’t provide details on these controls. ISO 27002, on the other hand, details all the security controls outlined in ISO 27001’s Annex A.
3. ISO 27001 allows for Risk Assessment
The ISO 27001 standard gives organizations an actionable risk assessment approach for the controls in the ISMS. Based on the risk assessment, ISO 27001 allows organizations to determine which controls apply and to what level. The supplementary standard, on the contrary, doesn’t make any such distinctions. It simply details the controls.
4. ISO 27001 has Mandatory Clauses
ISO 27001 has mandatory clauses (clauses 4 to 10) that must be complied with for ISO 27001 certification. ISO 27002 controls, by contrast, aren’t compulsory. They are, at best, a reference set of information security controls that organizations can use.
Also check out: ISO 27004 standard
When should you use ISO 27002 vs ISO 27001?
ISO 27001 and ISO 27002 have varied objectives and are relevant under different circumstances. ISO 27001 makes an ideal fit if you’re planning your ISMS implementation framework. The framework requirements serve as a guide to designing the ISMS and achieving certification. Once you have identified the controls you will implement to achieve ISO 27001 compliance, you can refer to ISO 27002 to learn more about how each control works.
ISO 27002: What’s new?
ISO 27002, up until the update earlier this year, was aligned to the controls list outlined in Annex A of ISO 27001. But that’s now changed. While the intent remains to support ISO 27001, the changes incorporate information security management, cybersecurity, and privacy into the same set of controls.
Decrease in the count of controls
The number of controls (after the changes) has decreased from 114 to 93. Note that the decrease in controls is due to mergers of similar/redundant controls and not the removal of controls.
Addition of 11 new controls
- A.5.7: Threat intelligence
- A.5.23: Information Security Management for use of Cloud Services
- A.5.30: ICT Readiness for Business Continuity
- A.7.4: Physical Security Monitoring
- A.8.9: Configuration Management
- A.8.10: Information Deletion
- A.8.11: Data Masking
- A.8.12: Data Leakage Prevention
- A.8.16: Monitoring Activities
- A.8.23: Web Filtering
- A.8.28: Secure Coding
Reorganization of Categories
The controls have been reorganized into four categories instead of the earlier 14 domains as follows:
- Clause 5: Organizational
- Clause 6: People
- Clause 7: Physical
- Clause 8: Technological
Addition of Attributes
Each control now has five attributes assigned to it. These are as follows:
- Control Type – Preventive, Detective, Corrective
- Security Properties – Confidentiality, Integrity, Availability
- Cybersecurity Concepts – Identify, Protect, Detect, Respond, Recover
- Security Domains – Governance and Ecosystem, Protection, Defense, Resilience
- Operational Capabilities – Governance, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance.
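The five attributes above are, in practice, a tagging scheme over the control catalogue, and the Statement of Applicability introduced earlier is where a risk-based selection of those controls is recorded. The following is an added example (not code from the article or from Sprinto) that models a control with its five attributes, rejects attribute values outside the sets the article lists, and checks a Statement of Applicability for two things an auditor will look for: every inclusion and exclusion carries a justification, and the selected controls together cover all five Cybersecurity Concepts. The control identifiers and names come from the article’s list of new controls; the attribute values assigned to each control and the SoA decisions are constructed sample data, not the standard’s own text.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Allowed values for the five attributes, as listed in the article.
CONTROL_TYPES = frozenset({"Preventive", "Detective", "Corrective"})
SECURITY_PROPERTIES = frozenset({"Confidentiality", "Integrity", "Availability"})
CYBERSECURITY_CONCEPTS = frozenset({"Identify", "Protect", "Detect", "Respond", "Recover"})
SECURITY_DOMAINS = frozenset({"Governance and Ecosystem", "Protection", "Defense", "Resilience"})
OPERATIONAL_CAPABILITIES = frozenset({
    "Governance", "Asset Management", "Information Protection", "Human Resource Security",
    "Physical Security", "System and Network Security", "Application Security",
    "Secure Configuration", "Identity and Access Management",
    "Threat and Vulnerability Management", "Continuity", "Supplier Relationships Security",
    "Legal and Compliance", "Information Security Event Management",
    "Information Security Assurance",
})


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    control_type: FrozenSet[str]
    security_properties: FrozenSet[str]
    concepts: FrozenSet[str]
    domains: FrozenSet[str]
    capabilities: FrozenSet[str]

    def attribute_errors(self) -> List[str]:
        """One message per attribute that is empty or uses a value outside the allowed set."""
        checks = (
            ("Control Type", self.control_type, CONTROL_TYPES),
            ("Security Properties", self.security_properties, SECURITY_PROPERTIES),
            ("Cybersecurity Concepts", self.concepts, CYBERSECURITY_CONCEPTS),
            ("Security Domains", self.domains, SECURITY_DOMAINS),
            ("Operational Capabilities", self.capabilities, OPERATIONAL_CAPABILITIES),
        )
        errors = []
        for label, values, allowed in checks:
            if not values:
                errors.append(f"{self.ident}: {label} has no value")
            unknown = values - allowed
            if unknown:
                errors.append(f"{self.ident}: {label} has unknown value(s) {sorted(unknown)}")
        return errors


@dataclass(frozen=True)
class SoaEntry:
    """One row of a Statement of Applicability: a control, the decision, and why."""
    control: Control
    applicable: bool
    justification: str


def soa_problems(entries: List[SoaEntry]) -> List[str]:
    """Attribute errors plus any inclusion or exclusion that lacks a justification."""
    problems = []
    for entry in entries:
        problems.extend(entry.control.attribute_errors())
        if not entry.justification.strip():
            decision = "inclusion" if entry.applicable else "exclusion"
            problems.append(f"{entry.control.ident}: {decision} has no justification")
    return problems


def concept_coverage(entries: List[SoaEntry]) -> Dict[str, List[str]]:
    """Map each Cybersecurity Concept to the selected controls that carry it."""
    covered: Dict[str, List[str]] = {c: [] for c in sorted(CYBERSECURITY_CONCEPTS)}
    for entry in entries:
        if entry.applicable:
            for concept in entry.control.concepts:
                covered[concept].append(entry.control.ident)
    return covered


def coverage_gaps(entries: List[SoaEntry]) -> List[str]:
    """Concepts with no selected control at all; each one needs a treatment decision."""
    return [concept for concept, ids in concept_coverage(entries).items() if not ids]


fs = frozenset
CIA = fs({"Confidentiality", "Integrity", "Availability"})

# Constructed sample attributes (illustrative only, not the standard's assignments).
THREAT_INTEL = Control("A.5.7", "Threat intelligence", fs({"Preventive", "Detective", "Corrective"}),
                       CIA, fs({"Identify", "Detect", "Respond"}), fs({"Defense", "Resilience"}),
                       fs({"Threat and Vulnerability Management"}))
CONFIG_MGMT = Control("A.8.9", "Configuration Management", fs({"Preventive"}), CIA,
                      fs({"Protect"}), fs({"Protection"}), fs({"Secure Configuration"}))
DLP = Control("A.8.12", "Data Leakage Prevention", fs({"Preventive", "Detective"}),
              fs({"Confidentiality"}), fs({"Protect", "Detect"}), fs({"Protection", "Defense"}),
              fs({"Information Protection"}))
MONITORING = Control("A.8.16", "Monitoring Activities", fs({"Detective", "Corrective"}), CIA,
                     fs({"Detect", "Respond"}), fs({"Defense"}),
                     fs({"Information Security Event Management"}))
SECURE_CODING = Control("A.8.28", "Secure Coding", fs({"Preventive"}), CIA, fs({"Protect"}),
                        fs({"Protection"}), fs({"Application Security"}))
ICT_CONTINUITY = Control("A.5.30", "ICT Readiness for Business Continuity", fs({"Corrective"}),
                         fs({"Availability"}), fs({"Respond", "Recover"}), fs({"Resilience"}),
                         fs({"Continuity"}))
# Constructed control whose Security Domain uses a spelling outside the allowed set.
MISTYPED = Control("A.7.4", "Physical Security Monitoring", fs({"Preventive", "Detective"}), CIA,
                   fs({"Protect", "Detect"}), fs({"Protection", "Defence"}), fs({"Physical Security"}))

# Constructed sample SoA: one exclusion is left unjustified, and nothing covers "Recover".
SAMPLE_SOA = [
    SoaEntry(THREAT_INTEL, True, "Needed to track threats to the SaaS platform"),
    SoaEntry(CONFIG_MGMT, True, "Cloud infrastructure is fully code-defined"),
    SoaEntry(DLP, True, "Customer data is processed and must not leave the tenant"),
    SoaEntry(MONITORING, True, "Required for incident detection and response"),
    SoaEntry(SECURE_CODING, False, "No in-house software development in scope"),
    SoaEntry(ICT_CONTINUITY, False, ""),
]

if __name__ == "__main__":
    for line in soa_problems(SAMPLE_SOA) + MISTYPED.attribute_errors():
        print("PROBLEM:", line)
    print("Concepts with no selected control:", coverage_gaps(SAMPLE_SOA))
```

Run as a script, the check reports the unjustified exclusion of A.5.30, the mistyped domain on the constructed A.7.4 entry, and that ‘Recover’ has no selected control; the last finding is exactly the kind of gap a risk-based selection must either close with a control or justify in the Statement of Applicability.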
How are ISO 27001 and ISO 27002 interconnected?
Both ISO 27001 and ISO 27002 are part of the ISO 27000 family of standards and are interconnected in the sense that they work together to help businesses strengthen their Information Security Management System.
The standards serve complementary purposes and here’s how they connect:
For each control laid out in ISO 27001, ISO 27002 expands on it and suggests ways in which the company could implement it. Let’s take an example. A.9.1.1 in ISO 27001 talks about ‘restricting access based on business and security requirements’.
ISO 27002 offers detailed guidance here in terms of implementing role-based access controls, enforcing strong password policies and conducting regular access reviews.
So while ISO 27001 offers you certifiable security, ISO 27002 acts as your execution playbook to achieve the certification.
What do these ISO 27001 vs 27002 changes mean to your organization?
ISO 27002 mirrors the controls list in Annex A of ISO 27001 and provides detailed guidance on their implementation. So, we can take the changes made in ISO 27002:2022 as a helpful guide to prep for the changes to ISO certification by the end of the year.
So, if your organization is currently assessing against ISO 27001, it may be a good idea to include the 11 new controls too. But if you are yet to begin your compliance journey, be proactive in preparing for the new controls.
Cost comparison of implementing ISO 27001 and 27002
Since ISO 27001 is a certifiable standard, the major implementation costs are associated with this standard. Here’s what the costs look like:
Pre-audit costs include:
- Gap analysis: $5000
- Implementation: $5000-$20000+
- Security tools: $5000-$50000
- Training: $250-$12500
- Continuous monitoring: $7000-$45000+
- VAPT costs: $2000-$20000
- Consultant: $10000
Audit costs for small businesses (11-50 employees) range from $1250-$2500, and for large businesses (200-1000 employees) range from $2500-$6500.
The total cost of ISO 27001 ranges from $50000-$200000, depending on the size and complexity of the business.
For ISO 27002 you need to purchase the $225 standard and then spend on some custom controls, process adjustments, documentation enhancements or more tooling. This expense can range from $1000-$30000 and is very low as compared to ISO 27001.
Benefits and Challenges of using ISO 27001 and ISO 27002 together
Combine ISO 27001 and ISO 27002 if you have the time and resources and if you are seeking more than just compliance. If certification is your key goal at the moment and there are constraints, don’t go for both.
Here are the benefits and challenges of using both the standards together:
Benefits
Minimizes implementation guesswork
ISO 27002, when combined with ISO 27001, eliminates the guesswork from control implementation because it offers practical and detailed guidance. It helps make the ISMS actionable and impactful and not only a paperwork-based framework.
Enables continuous improvement
ISO 27002 supports continuous refinement of processes and encourages organizations to implement measures that are more forward-looking. This helps businesses stay on top of threats while maintaining a strong security posture.
Makes security training easier
ISO 27002 adds a lot of context and meaning to ISO 27001 controls. This enhances employees’ understanding of security expectations and makes it easier to raise awareness of policies and controls.
Accelerates certification process
Combining the two frameworks complements the ‘what’ with the ‘how’ and reduces the need for rework during audits. Because controls are implemented in detail and in context, the whole certification process is fast-tracked.
Challenges
Adds a layer of complexity
Combining ISO 27002 with ISO 27001 adds an additional layer of depth and may even require additional training and consulting. The requirement for better technical understanding increases compliance complexity and can even lead to increased burnout among employees.
Brings dangers of overengineering
In order to get everything right at the time of the audit, a company may over-apply controls without understanding the business context. This leads to extra effort, unnecessary complexity and overburdening of teams.
Increased paperwork
Compliance already involves a lot of paperwork, and combining two standards means the load will only increase. ISO 27002 requires extensive documentation, which means more document hubs, management costs and collaboration difficulties.
Increased time and costs
Simultaneously handling the two standards can increase time and costs, especially initially, because of the upfront work. There may also be some confusion between mandatory requirements and optional guidelines, leading to increased remediation costs later in case of misinterpretation or misalignment.
How can Sprinto help you in achieving ISO 27001 certification?
ISO 27001 is a detail-oriented and documentation-heavy compliance standard. And with over 114 security controls across 14 groups, it can be pretty daunting.
Sprinto’s compliance automation platform helps SaaS firms make confident strides in their security journey. It intelligently maps and minimizes risks and breaks down the entire process into simple, logical and easy-to-understand steps. From defining the scope of your ISMS to setting up robust information security policies, deploying entity-level checks and implementing infosec training programs for employees, Sprinto does everything. What’s more, even changes and updates in frameworks are managed and automated for you.
Sprinto’s continuous monitoring system validates your compliance with proof and alerts you when something isn’t done or done incorrectly. It replaces all the manual, error-prone, repetitive busy work with automation and gives you a dashboard view of it all!
Join Sprinto’s 450+ satisfied compliance conquerors
Book a demo with us and see how Sprinto makes compliance easy, error-free and fast.
FAQs
Can ISO 27002 be used independently?
Yes, ISO 27002 can be used independently, but only if you want to use it as a best-practice guide to inform your security practices. However, since it’s not a certifiable standard, the best practice is to combine it with ISO 27001 to enhance trust among stakeholders and clients.
Do we need to implement all 93 controls?
No. ISO 27001 requires you to perform a risk assessment and take a risk-based approach when implementing controls. So it is important that you understand your business context and justify the inclusions and exclusions in the statement of applicability.
Can we implement controls not listed in ISO 27002?
Yes, you can implement controls not listed in ISO 27002, since ISO 27001 is a flexible framework and allows you to take a risk-based approach. So for any emerging threats and new technologies you can and must implement custom controls for enhanced protection. The only thing to note here is that you must include those controls in your Statement of Applicability and Risk Treatment Plans.
What’s the best way to use ISO 27001 and 27002 together?
The best way to use ISO 27001 and 27002 is to use them as complementary standards. Start with ISO 27001 to define scope, conduct risk assessments and identify applicable requirements. Next, use ISO 27002 for detailed control explanations, train your team and justify inclusions. Basically, ISO 27001 will tell you what is required and ISO 27002 will guide you on how.
Use Sprinto to centralize security compliance management – so nothing gets in the way of your moving up and winning big.