More often than not, you have to convincingly demonstrate data security to inspire confidence and trust when you win a new client or enter new geographies. The ISO 27000 series, developed by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC), offers a globally-accepted information security benchmark in this regard.
But not all the management standards in the ISO 27000 series are relevant to you. In this article, we discuss the differences between ISO 27001 and ISO 27002 and detail the recently announced changes to both standards.
When was ISO 27001 put in place?
ISO/IEC 27001 was first published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was created to provide a formal, globally recognized framework for managing information security through an Information Security Management System (ISMS).
The standard has since been updated:
- 2005 – First release of ISO/IEC 27001.
- 2013 – ISO 27001:2013 restructured the 2005 release around Annex SL, the high-level structure ISO uses across its management-system standards, which made integrating an ISMS with ISO 9001 and ISO 14001 management systems considerably more straightforward.
- 2022 – Latest update, modernizing controls (reduced from 114 to 93) and adding new focus areas like threat intelligence, cloud services, and data masking.
ISO 27001 vs ISO 27002: What are the differences?
ISO 27001 defines the requirements for establishing and maintaining an Information Security Management System (ISMS), whereas ISO 27002 provides detailed guidance on how to implement and manage the specific controls within that system. While ISO 27001 focuses on the framework and outlines what needs to be done to manage information security risks, ISO 27002 focuses on the practical execution and explains how each control should be applied effectively.
In other words, ISO 27001 sets the “what,” whereas ISO 27002 explains the “how.” ISO 27001 is certifiable and forms the foundation for compliance, while ISO 27002 acts as a supporting reference guide that enhances understanding and implementation of those controls.
| Basis | ISO 27001 | ISO 27002 |
| --- | --- | --- |
| Purpose | To outline requirements for establishing, implementing and maintaining an effective ISMS | To offer guidance on selecting and implementing information security controls |
| Focus | Build a management system and a risk-focused ISMS | Provide implementation guidance |
| Certification | Yes, certifiable standard | No |
| Structure | Includes clauses (4-10) and Annex A controls (93) | Offers detailed explanation of these controls |
| Mandatory | Yes, for certification | No (optional but recommended) |
| Who uses it and when | Organizations just starting out on their ISO 27001 certification journey | Security teams when they need implementation guidance |
Here are the key differences between ISO 27001 and ISO 27002:
1. ISO 27002 isn’t a Certifiable Standard
ISO 27001 is a standard that organizations can be certified against, whereas ISO 27002 is a set of best-practice guidance for the controls you implement within an ISO 27001 ISMS. You cannot be certified against ISO 27002.
2. ISO 27002 is more detailed than ISO 27001
ISO 27001 lists the security controls organizations are expected to consider in Annex A, but gives each control only a one-line description. ISO 27002, in turn, provides detailed implementation guidance for every control in ISO 27001’s Annex A.
3. ISO 27001 requires a Risk Assessment
ISO 27001 requires organizations to assess their information security risks and, based on that assessment, to decide which Annex A controls apply and to what extent, recording the outcome in a Statement of Applicability. The supplementary standard, by contrast, makes no such distinction: it simply describes each control.
4. ISO 27001 has Mandatory Clauses
ISO 27001 has mandatory clauses (clauses 4 to 10) that must be complied with for ISO 27001 certification. ISO 27002 controls, by contrast, aren’t compulsory; they are a reference set of information security controls that organizations can draw on.
When should you use ISO 27002 vs ISO 27001?
ISO 27001 and ISO 27002 have varied objectives and are relevant under different circumstances. ISO 27001 makes an ideal fit if you’re planning your ISMS implementation framework. The framework requirements serve as a guide to designing the ISMS and achieving certification. Once you have identified the controls you will implement to achieve ISO 27001 compliance, you can refer to ISO 27002 to learn more about how each control works.
ISO 27002: What’s new?
Until the 2022 update, ISO 27002 was aligned to the control list in Annex A of ISO 27001:2013. That has now changed. While ISO 27002 continues to support ISO 27001, the 2022 revision brings information security, cybersecurity and privacy protection into the same set of controls.

Decrease in the count of controls
The corresponding ISO 27001:2022 revision updated Annex A to mirror the new ISO 27002 control structure: the 114 controls of the 2013 edition were consolidated into 93, mainly by merging overlapping controls, and 11 new controls were introduced, covering areas such as cloud services, threat intelligence and data masking.
Addition of 11 new controls
- A.5.7 : Threat intelligence
- A.5.23 : Information Security for use of Cloud Services
- A.5.30 : ICT Readiness for Business Continuity
- A.7.4 : Physical Security Monitoring
- A.8.9 : Configuration Management
- A.8.10 : Information Deletion
- A.8.11 : Data Masking
- A.8.12 : Data Leakage Prevention
- A.8.16 : Monitoring Activities
- A.8.23 : Web Filtering
- A.8.28 : Secure Coding
Reorganization of Categories
The controls have been reorganized into four themes, instead of the earlier 14 domains, numbered by clause as follows:
- Clause 5: Organizational
- Clause 6: People
- Clause 7: Physical
- Clause 8: Technological
Addition of Attributes
Each control now has five attributes assigned to it. These are as follows:
- Control Type – Preventive, Detective, Corrective
- Security Properties – Confidentiality, Integrity, Availability
- Cybersecurity Concepts – Identify, Protect, Detect, Respond, Recover
- Security Domains – Governance and Ecosystem, Protection, Defense, Resilience
- Operational Capabilities – Governance, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance.
How are ISO 27001 and ISO 27002 interconnected?
Both ISO 27001 and ISO 27002 are part of the ISO 27000 family of standards and are interconnected in the sense that they work together to help businesses strengthen their Information Security Management System.
The standards serve complementary purposes and here’s how they connect:
For each control in ISO 27001’s Annex A, ISO 27002 expands on the control and suggests ways the company could implement it. Take access control as an example. A.9.1.1 in ISO 27001:2013 (now A.5.15, Access control, in the 2022 edition) requires an access control policy based on business and information security requirements.
ISO 27002 offers detailed guidance here, such as implementing role-based access control, enforcing strong password policies and conducting regular access reviews.
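To show what "regular access reviews" against a role-based model look like once they are made repeatable, here is an added example (not from the original article and not Sprinto's code). The role model, entitlement names, segregation-of-duties pair and the five accounts are all constructed for illustration. The review flags four conditions an auditor typically asks about: leavers who still hold access, entitlements not justified by any assigned role, dormant accounts, and toxic combinations of entitlements.

```python
"""Access review check in the spirit of ISO/IEC 27002 access-control guidance
(role-based access, regular access reviews, segregation of duties).
Added example; not part of the original article and not Sprinto's code.
All roles, entitlements and accounts below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical role model: each role grants a fixed set of entitlements.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "support": {"crm:read", "ticketing:write"},
    "finance": {"erp:read", "erp:approve-payment"},
}

# Entitlement pairs no single person should hold (segregation of duties).
TOXIC_COMBINATIONS = [("erp:create-vendor", "erp:approve-payment")]

# Accounts unused for longer than this are flagged for review.
STALE_AFTER_DAYS = 90


@dataclass
class Account:
    user: str
    roles: Set[str]
    entitlements: Set[str]       # what the account actually holds today
    last_login: Optional[date]   # None = never logged in
    employed: bool               # HR status; False = leaver


def review(accounts: List[Account], today: date) -> List[dict]:
    """Return one finding per policy violation; an empty list means the review passed."""
    findings: List[dict] = []
    for acct in accounts:
        # Leavers must have no access at all; nothing else about them matters.
        if not acct.employed and acct.entitlements:
            findings.append({"user": acct.user, "issue": "orphaned",
                             "detail": sorted(acct.entitlements)})
            continue

        # Entitlements that none of the account's roles justify (least privilege).
        allowed = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in acct.roles))
        excess = acct.entitlements - allowed
        if excess:
            findings.append({"user": acct.user, "issue": "excess",
                             "detail": sorted(excess)})

        # Dormant accounts are a standing risk: disable them or re-justify them.
        if acct.last_login is None or (today - acct.last_login).days > STALE_AFTER_DAYS:
            findings.append({"user": acct.user, "issue": "stale",
                             "detail": acct.last_login.isoformat() if acct.last_login else "never"})

        # Segregation of duties: no one may hold both halves of a toxic pair.
        for a, b in TOXIC_COMBINATIONS:
            if a in acct.entitlements and b in acct.entitlements:
                findings.append({"user": acct.user, "issue": "sod", "detail": [a, b]})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by issue type, e.g. for a review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


# Constructed sample data for a stand-alone run.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", {"engineer"}, {"repo:read", "repo:write", "ci:run"}, TODAY - timedelta(days=3), True),
    Account("bob", {"support"}, {"crm:read", "ticketing:write", "erp:approve-payment"}, TODAY - timedelta(days=10), True),
    Account("carol", {"finance"}, {"erp:read", "erp:approve-payment", "erp:create-vendor"}, TODAY - timedelta(days=2), True),
    Account("dave", {"engineer"}, {"repo:read"}, TODAY - timedelta(days=200), True),
    Account("eve", {"support"}, {"crm:read"}, TODAY - timedelta(days=5), False),
]


def run_sample() -> List[dict]:
    return review(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']:<6} {f['issue']:<9} {f['detail']}")
    print(summarize(run_sample()))
```

On the sample data alice passes, bob holds a finance entitlement his support role does not grant, carol has both an unjustified entitlement and a segregation-of-duties conflict, dave's account is dormant, and eve has left but still has access. In practice the account list would come from your identity provider and the HR status from the HR system; the value of running it as code is that the same check is applied every cycle and the findings become audit evidence rather than a one-off spreadsheet.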
So while ISO 27001 gives you a standard to certify against, ISO 27002 acts as your execution playbook for getting there.
What do these ISO 27001 vs 27002 changes mean to your organization?
ISO 27002 mirrors the control list in Annex A of ISO 27001 and provides detailed guidance on implementing it. The changes made in ISO 27002:2022 therefore serve as a helpful guide to the revised Annex A published in ISO 27001:2022; organizations certified against the 2013 edition have a transition period that ends on 31 October 2025.
So, if your organization is currently assessing against ISO 27001, it is a good idea to include the 11 new controls in that assessment. If you are yet to begin your compliance journey, build your ISMS against the 2022 control set from the start.
Cost comparison of implementing ISO 27001 and 27002
Since ISO 27001 is a certifiable standard, the major implementation costs are associated with this standard. Here’s what the costs look like:
Pre-audit costs include:
- Gap analysis: $5000
- Implementation: $5000-$20000+
- Security tools: $5000-$50000
- Training: $250-$12500
- Continuous monitoring: $7000-$45000+
- VAPT costs: $2000-$20000
- Consultant: $10000
Audit costs for small businesses (11-50 employees) range from $1250-$2500, and for large businesses (200-1000 employees) range from $2500-$6500.
The total cost of ISO 27001 ranges from $50000-$200000, depending on the size and complexity of the business.
For ISO 27002 you need to purchase the standard itself (about $225) and then spend on any custom controls, process adjustments, documentation enhancements or additional tooling it prompts. This expense can range from $1000-$30000 and is far lower than the cost of ISO 27001 certification.
Benefits and Challenges of using ISO 27001 and ISO 27002 together
Combine ISO 27001 and ISO 27002 if you have the time and resources and are seeking more than just compliance. If certification is your key goal at the moment and you are constrained, focus on ISO 27001’s requirements rather than trying to apply both in full.
Here are the benefits and challenges of using both the standards together:
Benefits
Minimizes implementation guesswork
ISO 27002, when combined with ISO 27001, eliminates the guesswork from control implementation because it offers practical and detailed guidance. It helps make the ISMS actionable and impactful and not only a paperwork-based framework.
Enables continuous improvement
ISO 27002 supports continuous refinement of processes and encourages organizations to implement measures that are more forward-looking. This helps businesses stay on top of threats while maintaining a strong security posture.
Makes security training easier
ISO 27002 adds context and meaning to the ISO 27001 controls. This improves employees’ understanding of security expectations and makes it easier to build awareness of policies and controls.
Accelerates certification process
Combining the two frameworks complements the ‘what’ with the ‘how’ and reduces the need for rework during audits, because controls are implemented in detail and with their business context in mind. This fast-tracks the whole certification process.
Challenges
Adds a layer of complexity
Combining ISO 27002 with ISO 27001 adds depth and may require additional training and consulting. The need for deeper technical understanding increases compliance complexity and can contribute to burnout among employees.
Brings dangers of overengineering
In order to get everything right at audit time, a company may over-apply controls without understanding the business context. This leads to extra effort, unnecessary complexity and overburdened teams.
Enhanced paperwork
Compliance already involves a lot of paperwork, and working from two standards only increases the load. Following ISO 27002’s guidance tends to produce more documentation, which means more document repositories, higher management cost and more collaboration overhead.
Increased time and costs
Handling the two standards simultaneously can increase time and cost, especially initially because of the upfront work. There may also be confusion between mandatory requirements and optional guidance, leading to costly remediation later if the two are misinterpreted or misaligned. ISMS tooling can either embed the ISO 27002 implementation guidance alongside each control or treat it as an external reference; whichever you choose, keep the mandatory ISO 27001 requirements and the optional ISO 27002 guidance visibly separate.
How can Sprinto help you in achieving ISO 27001 certification?
ISO 27001 is a detail-oriented and documentation-heavy standard. With 93 controls across four themes in the 2022 edition (114 controls across 14 domains in the 2013 edition), it can be pretty daunting.
Sprinto’s compliance automation platform helps SaaS firms make confident strides in their security journey. It intelligently maps and minimizes risks and breaks down the entire process into simple, logical and easy-to-understand steps. From defining the scope of your ISMS to setting up robust information security policies, deploying entity-level checks and implementing infosec training programs for employees, Sprinto does everything. What’s more, even changes and updates in frameworks are managed and automated for you.
Sprinto’s continuous monitoring system validates your compliance with proof and alerts you when something isn’t done or done incorrectly. It replaces all the manual, error-prone, repetitive busy work with automation and gives you a dashboard view of it all!
Author
Srividhya Karthik
Srividhya Karthik is a Content Lead at Sprinto, where she transforms the complex world of compliance into accessible and engaging reads. She has half a decade of experience in the compliance world across frameworks such as SOC 2, ISO 27001 and GDPR, and guides readers with expertise and clarity.