ISO 27001 vs ISO 27002: What’s the Difference?

More often than not, you have to convincingly demonstrate data security to inspire confidence and trust when you win a new client or enter new geographies. The ISO 27000 series, developed by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC), offers a globally-accepted information security benchmark in this regard. 

But did you know that not all the management standards in ISO 27000 series are relevant to you? In this article, we will discuss the distinct differences between ISO 27001 vs ISO 27002 and detail the recently-announced changes in ISO 20001 and ISO 27002.

ISO 27001 vs ISO 27002: How different the controls are?

The major difference between ISO 27001 and ISO 27002 is that: ISO 27001 outlines how organizations can protect their information systematically and cost-effectively by adopting an Information Security Management System (ISMS). For the uninitiated, the ISMS is an organized approach to maintaining an organization’s confidentiality, integrity, and availability.

It is based on identifying the potential threats to an organization’s information through a risk assessment and then placating those risks by implementing security controls.

 

While implementing an ISMS, organizations must produce a ‘Statement of Applicability‘, which comprises the selected controls from Annex A of ISO 27001 and ISO 27002, though similar in structure, supplements the security ISO 20071 Requirements by detailing the best practices for the controls listed in Annex A (But that’s changed following recent updates. Read the section ISO 27002: What’s new?).

It, therefore, is a reference guide for implementing those security management controls and should be read alongside ISO 27001. Put simply, if ISO 27001 were a restaurant menu card, the ISO 27002 would be the recipe for each item on the menu! And, yes, the benefits of ISO 27002 are that it is that detailed. 

ISO 27002 isn’t a Certified Standard

ISO 27001 is a standard that organizations can be certified against whereas ISO 27002 is a set of best practices for controls that you can implement as part of an ISO 27001 framework. You cannot be certified against it.

ISO 27002 is more detailed than ISO 27001

ISO 27001 standard lists specific security controls for organizations to follow in Annex A. It doesn’t provide details on these controls, however. Also, ISO 27002 details all the security controls outlined in ISO 27001’s Annex A. 

ISO 27001 allows for Risk Assessment 

ISO 27001 checklist standard gives organizations actionable risk assessment for controls in the ISMS. Based on the risk assessment, ISO certification allows organizations to determine which and to what level the controls apply. The supplementary standards, on the contrary, doesn’t make any such distinctions. It simply details the controls.

ISO 27001 has Mandatory Clauses

ISO 27001 has mandatory clauses (clauses 4 to 10) that must be complied with for ISO 27001 certification. Also, ISO 27002 controls aren’t compulsory. They are, at best, a reference set of information security controls that organizations can use.

Also check out: ISO 27004 standard

When should you use ISO 27002 vs ISO 27001?

ISO 27001 and ISO 27002 have varied objectives and are relevant under different circumstances. ISO 27001 makes an ideal fit if you’re planning your ISMS implementation framework. The framework requirements serve as a guide to designing the ISMS and achieving certification. Once you have identified the controls you will implement to achieve ISO 27001 compliance, you can refer to ISO 27002 to learn more about how each control works. 

ISO 27002: What’s new?

ISO 27002, up until the update earlier this year, was aligned to the controls list outlined in Annex A of ISO 27001. But that’s now changed. While the intent remains to support ISO 27001 vs ISO 27002, the changes incorporate information security management, cybersecurity, and privacy into the same set of controls. 

Decrease in the count of controls

The number of controls (after the changes) has decreased from 114 to 93. Note that the decrease in controls is due to mergers of similar/redundant controls and not the removal of controls.

Addition of 11 new controls

• Threat intelligence
• Information Security Management for use of Cloud Services
• ICT Readiness for Business Continuity
• Physical Security Monitoring
• Configuration Management
• Information Deletion
• Data Masking
• Data Leakage Prevention
• Monitoring Activities
• Web Filtering
• Secure Coding

Reorganization of Categories

The controls have been reorganized into four categories instead of the earlier 14 domains as follows: 

• Clause 5: Organizational
• Clause 6: People
• Clause 7: Physical
• Clause 8: Technological

Addition of Attributes

Each control now has five attributes assigned to it. These are as follows:

• Control Type – Preventive, Detective, Corrective
• Security Properties – Confidentiality, Integrity, Availability
• Cybersecurity Concepts – Identify, Protect, Detect, Respond, Recover
• Security Domains – Governance and Ecosystem, Protection, Defense, Resilience
• Operational Capabilities – Governance, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance.

What do these ISO 27001 vs 27002 changes mean to your organization?

The ISO 27002 mirrors the controls list in Annex A of ISO 27001 and provides detailed guidance on its implementation. So, we can take the changes made in ISO 27002:2022 as a helpful guide to prep for the changes to ISO certification by the end of the year.

So, if your organization is currently assessing against ISO 27001, it may be a good idea to include the 11 new controls too. But if you are yet to begin your compliance journey, be proactive in preparing for the new controls. 

How can Sprinto help you in achieving ISO 27001 certification?

ISO 27001 is a detail-oriented and documentation-heavy compliance. And with over 114 security controls across 14 groups, it can be pretty daunting. 

Sprinto’s compliance automation platform helps SaaS firms make confident strides in their security journey. It intelligently maps and minimizes risks and breaks down the entire process into simple, logical and easy-to-understand steps. From defining the scope of your ISMS to setting up robust information security policies, deploying entity-level checks and implementing infosec training programs for employees, Sprinto does everything. What’s more, even changes and updates in frameworks are managed and automated for you. 

Sprinto’s continuous monitoring system validates your compliance with proof and alerts you when something isn’t done or done incorrectly. It replaces all the manual, error-prone, repetitive busy work with automation and gives you a dashboard view of it all! 

Book a demo with us and see how Sprinto makes compliance easy, error-free and fast.