Updated: March 28, 2023, according to the ISO 27001 2022 revision.
If you came across the ISO 27001 and ISO 27002 standards, you probably noticed that ISO 27002 is much more detailed, much more precise — so, why would you focus on ISO 27001 vs ISO 27002?
General differences
The first difference between ISO 27001 and 27002 is that you cannot get certified against ISO 27002 —because it is not a management standard. What do we mean by “management standard”? It means that such a standard defines how to run a system, and in the case of ISO 27001, it defines the Information Security Management System (ISMS) — therefore, certification against ISO 27001 is possible.
Which elements are not included in the ISO 27002 standard?
A management system means that information security must be planned, implemented, monitored, reviewed, and improved. It means that management has its distinct responsibilities; that objectives must be set, measured and reviewed; that internal audits must be carried out; and so on. All those core components are defined in ISO 27001, but not in ISO 27002.
- Certification against ISO 27001 is possible, but not against ISO 27002.
- Elements about responsibilities, objectives, internal audits, etc. are defined in ISO 27001, but not in ISO 27002.
- ISO 27002 takes a whole page to explain just one control, while 27001 dedicates only one sentence to each control.
- ISO 27001 prescribes a risk assessment, while ISO 27002 doesn’t.
The differences between the controls in ISO 27001 vs 27002
The controls in ISO 27002 are named the same as in Annex A of ISO 27001 — for instance, in ISO 27002, control 5.3 is named “Segregation of duties,” while in ISO 27001 it is “A.5.3 Segregation of duties.” But the difference is in the level of detail — on average, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control.
The final difference is that ISO 27002 does not make a distinction between controls applicable to a particular organization, and those which are not. On the other hand, ISO 27001 prescribes a risk assessment to be performed in order to identify, for each control, whether it is required to decrease the risks, and if it is, to what extent it should be applied.
What are the changes in ISO 27001 and ISO 27002?
In 2022, both ISO 27001 and ISO 27002 received an update. The biggest changes are:
- 11 new controls were added.
- The total number of controls decreased to 93 (from 114 in the previous version).
- No controls were removed, but many were merged.
- Controls are now divided into four clauses, rather than the 14 domains in the previous version.
Why ISO 27001 and ISO 27002 standards have not merged?
The question is: Why is it that the ISO 27001/27002 standards exist separately? Why haven’t they been merged, bringing together the positive sides of both standards? The answer is usability — if it was a single standard, it would be too complex and too large for practical use.
Which standard to use from the ISO 27000 series and when
Every standard from the ISO 27000 series is designed with a certain focus — if you want to build the foundations of information security in your organization, and devise its framework, you should use ISO 27001; if you want to implement controls, you should use ISO 27002; if you want to carry out risk assessment and risk treatment, you should use ISO 27005; etc.
What is the use of ISO 27002?
One could say that without the details provided in ISO 27002, controls defined in Annex A of ISO 27001 could not be implemented; however, without the management framework from ISO 27001, ISO 27002 would remain just an isolated effort of a few information security enthusiasts, with no acceptance from the top management and therefore no real impact on the organization. So, to increase your chances of being successful in protecting your information, consider using the pair ISO 27001/2.
To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.