Two Standards, One Security Framework
Organizations beginning their ISO 27001 journey often encounter references to ISO 27002 and wonder how the two standards relate to each other. While they are closely connected and designed to work together, they serve fundamentally different purposes. ISO 27001 is the certifiable standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System. ISO 27002 is a guidance document that provides detailed implementation advice for the controls referenced in Annex A of ISO 27001. Understanding this relationship is essential for effective implementation.
Think of ISO 27001 as the what — it tells you what you must do to achieve certification. ISO 27002 is the how — it provides detailed guidance on implementing the security controls that form part of your ISMS. You certify against ISO 27001, not ISO 27002, but the implementation guidance in ISO 27002 is invaluable for understanding and operationalizing the controls.
ISO 27001: The Requirements Standard
ISO 27001 contains mandatory requirements expressed using the word “shall.” These requirements define the management system framework, including context analysis, leadership commitment, planning, support, operation, performance evaluation, and improvement. The standard also includes Annex A, which provides a reference list of controls that organizations select based on their risk assessment.
Annex A in ISO 27001 lists each control with a brief description of its objective and a concise statement of the control itself. However, it does not provide detailed guidance on how to implement each control. This is intentional — the standard is designed to be applicable to any organization regardless of its size, industry, or technology environment, so implementation details would necessarily vary.
Certification auditors assess your organization against the requirements of ISO 27001, including whether you have appropriately selected and implemented controls from Annex A based on your risk assessment. The auditor verifies that controls are implemented and effective, but the specific implementation approach is your choice as long as it achieves the control’s objective.
ISO 27002: The Implementation Guide
ISO 27002:2022, titled “Information security, cybersecurity and privacy protection — Information security controls,” provides detailed implementation guidance for each of the 93 controls listed in ISO 27001 Annex A. For each control, ISO 27002 provides the control description matching Annex A, a purpose statement explaining why the control matters, detailed implementation guidance with practical advice, and other information, including examples and additional considerations.
The implementation guidance in ISO 27002 is significantly more detailed than the brief control descriptions in Annex A. For example, where Annex A simply states that access control policies should be established, ISO 27002 provides extensive guidance on what those policies should cover, how access decisions should be made, what factors to consider in different scenarios, and how access control relates to other security measures.
ISO 27002:2022 also introduces the control attribute concept, tagging each control with five attribute types that help organizations categorize and filter controls based on different perspectives. These attributes include control type, information security properties, cybersecurity concepts, operational capabilities, and security domains.
How to Use Them Together
The most effective approach is to use ISO 27001 as your compliance framework and ISO 27002 as your implementation reference. During risk assessment and control selection, refer to ISO 27001 Annex A for the list of available controls. When implementing selected controls, consult ISO 27002 for detailed guidance on how to implement each control effectively in your specific environment.
When developing your Statement of Applicability, use ISO 27001 Annex A as the structure and ISO 27002’s implementation guidance to inform your descriptions of how each control is implemented. This ensures your SoA reflects the depth of implementation that auditors expect while maintaining alignment with the certifiable standard.
During internal audits, ISO 27002’s implementation guidance helps auditors understand the expected depth and breadth of each control’s implementation. This leads to more thorough and effective internal audits that identify genuine improvement opportunities rather than superficial compliance checks.
Do You Need Both Standards?
Strictly speaking, you only need ISO 27001 to achieve certification. However, ISO 27002 is highly recommended as an implementation companion. The investment in obtaining ISO 27002 pays for itself through more efficient implementation, deeper understanding of control requirements, and better preparation for certification audits. Most organizations pursuing ISO 27001 certification consider ISO 27002 an essential reference document.
Easy Compliances training courses integrate guidance from both ISO 27001 and ISO 27002, providing you with the requirements knowledge and implementation detail you need in a single comprehensive learning experience. Our courses help you understand not just what is required but how to implement it effectively in your organization.