People new to the standard often ask whether they should ‘do ISO 27001 or ISO 27002’. The question contains a misunderstanding: they are two halves of the same system. ISO 27001 is the certifiable standard; ISO 27002 is the detailed guidance that helps you put its controls into practice.
This guide explains exactly how they relate, what each contains, why you can only be certified against one of them, and how to use them together on the path to ISO 27001 certification.
The one-sentence distinction
ISO 27001 specifies the requirements for an information security management system (ISMS) and is the standard you are certified against. ISO 27002 is a code of practice that provides detailed implementation guidance for the controls listed in ISO 27001’s Annex A.
Put simply: ISO 27001 tells you what you must do; ISO 27002 helps you understand how to do it. You cannot be certified against ISO 27002, because it is advice, not a set of auditable requirements.
Hold that distinction and almost every other question about the two answers itself.
ISO 27001 vs ISO 27002 at a glance
The table below summarises how the certifiable standard and its guidance companion differ.
| Aspect | ISO 27001 | ISO 27002 |
|---|---|---|
| Purpose | Requirements for an ISMS | Implementation guidance for controls |
| Certifiable? | Yes | No |
| Contains | Clauses 4–10 + Annex A control list | Detailed guidance for each control |
| Language | ‘shall’ (requirements) | ‘should’ (guidance) |
| Answers | What you must do | How to do it |
| Used for | Certification | Implementing the controls |
What ISO 27001 contains
ISO 27001 has two parts. The mandatory clauses (4–10) define the management system: context, leadership, planning and risk assessment, support, operation, performance evaluation, and improvement. These are the auditable requirements.
Annex A then lists the 93 controls (in the 2022 edition) you can select from to treat your risks, organised into four themes. Annex A gives each control a title and a one-line statement of intent — but not much detail on implementation.
That deliberate brevity is where ISO 27002 comes in.
What ISO 27002 contains
ISO 27002 takes each of those Annex A controls and expands it into real guidance: the purpose of the control, what good implementation looks like, and practical considerations. Where ISO 27001 Annex A might give a control a sentence, ISO 27002 gives it a page or more.
The 2022 edition of ISO 27002 also introduced ‘attributes’ — tags that let you view controls by characteristics such as control type, security property, or operational capability — which helps with planning and reporting.
In short, ISO 27002 is the implementation manual that makes Annex A actionable.
Why you can only certify against ISO 27001
Certification requires auditable requirements — clear statements an assessor can verify you meet. ISO 27001 provides those: a defined management system and a controlled process for selecting and operating controls. ISO 27002 is written as guidance (‘should’ rather than ‘shall’), so there is nothing fixed to audit against.
This is why ‘ISO 27002 certified’ is not a thing. You implement controls guided by ISO 27002 and you get certified against ISO 27001.
The relationship mirrors the old BS 7799 split of guidance and requirements that the standards inherited.
How they work together in practice
During implementation you use both side by side. ISO 27001 drives the process: define scope, assess risk, and decide which Annex A controls apply. For each control you decide to implement, you turn to ISO 27002 to understand what a sound implementation looks like and to avoid reinventing the wheel.
Your Statement of Applicability references the Annex A controls (from ISO 27001), while your actual control design and procedures draw heavily on ISO 27002’s guidance. The two documents are used together constantly.
Think of ISO 27001 as the blueprint and ISO 27002 as the construction handbook.
The numbering and structure connection
The two standards are deliberately aligned. The control set in ISO 27001 Annex A and the guidance in ISO 27002 use the same structure and numbering, so a control in one maps directly to its expanded guidance in the other.
Both were revised together for 2022, moving from the older 14-domain layout to the four themes (Organizational, People, Physical, Technological) and the consolidated set of 93 controls. Keeping them in lockstep is what makes them usable as a pair.
If you find a control number in Annex A, you can go straight to the same number in ISO 27002 for the detail.
Do you need to buy both?
For implementation, having access to both is highly valuable: ISO 27001 to know the requirements, ISO 27002 to implement the controls well. Many teams purchase both official documents, though a good partner or a well-built program effectively bakes the ISO 27002 guidance into templates and procedures.
You are only obliged to conform to ISO 27001 to certify, but ignoring ISO 27002 means doing the hard interpretive work from scratch — usually a false economy.
If budget is tight, prioritise ISO 27001 and lean on expert guidance or templates that already incorporate ISO 27002 thinking.
Common misconceptions
The biggest misconception is treating them as alternatives. They are not — you need the requirements of ISO 27001 and benefit from the guidance of ISO 27002. A second misconception is that implementing every ISO 27002 control is mandatory; in reality, your risk assessment decides which Annex A controls apply, and ISO 27002 simply guides those you select.
A third is assuming the guidance is optional fluff. In practice, ISO 27002 is where most of the ‘how’ lives, and skipping it leads to thin, hard-to-defend control implementations.
Clearing these up early prevents wasted effort and audit findings.
What this means for your project
Practically, plan your project around ISO 27001 and resource it with ISO 27002 (or equivalent expertise). Your auditable deliverables — scope, risk assessment, SoA, and the management system — come from ISO 27001. Your control quality — how well access management, logging, or supplier security are actually done — comes from following ISO 27002.
Teams that respect this division produce control implementations that are both compliant and genuinely effective, which is exactly what auditors reward.
It also makes onboarding new staff easier: the ‘why and how’ of each control is documented in a recognised reference.
A quick worked example
Imagine your risk assessment says you need an access-control policy and quarterly access reviews. ISO 27001 tells you the relevant Annex A control must appear in your Statement of Applicability, be justified, and be operated — but it does not describe what a good access-control policy actually contains or how often to review access.
For that you turn to ISO 27002, which walks through least privilege, joiner-mover-leaver processes, privileged access management, review frequency, and prompt de-provisioning. You implement accordingly and retain the review records that ISO 27001’s audit will sample.
That one example captures the entire relationship: ISO 27001 sets the obligation and demands the proof, while ISO 27002 supplies the practical know-how to meet it properly.
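To make the access-review example concrete, here is an added illustration that is not code from the article or from ISpectra: a small Python script that performs one quarterly review in the way ISO 27002's guidance describes (joiner-mover-leaver, least privilege, review frequency, prompt de-provisioning) and produces the review record that an ISO 27001 audit would later sample. The HR roster, account inventory, policy thresholds (90-day cadence, one-day de-provisioning grace, the roles permitted privileged access) and dates are all constructed sample data, and the function names are this example's own rather than terms from either standard.

```python
"""Quarterly access review with an evidence record (constructed example).

Added illustration, not code from the article or from ISpectra. The roster,
accounts, policy thresholds and dates are constructed sample data, and the
function names are this example's own rather than terms from either standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
import json

REVIEW_INTERVAL_DAYS = 90       # quarterly cadence (assumed policy value)
DEPROVISION_GRACE_DAYS = 1      # disable accounts within a day of leaving (assumed)
PRIVILEGED_ROLES = {"platform-admin", "security-engineer"}  # assumed least-privilege policy


@dataclass(frozen=True)
class Person:
    emp_id: str
    role: str
    left_on: Optional[date] = None      # None while still employed


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]                # emp_id, or None for an unowned account
    enabled: bool
    privileged: bool
    last_reviewed: Optional[date]       # None if never reviewed


def review_access(accounts: List[Account], roster: List[Person], as_of: date) -> List[dict]:
    """Compare the account inventory with the HR roster and return findings."""
    people = {p.emp_id: p for p in roster}
    findings = []

    def flag(acct, issue, detail):
        findings.append({"account": acct.name, "issue": issue, "detail": detail})

    for acct in accounts:
        if not acct.enabled:
            continue                    # disabled accounts are out of scope for this review
        owner = people.get(acct.owner) if acct.owner else None
        if owner is None:
            flag(acct, "orphaned", "no current owner in the HR roster")
            continue
        # Joiner-mover-leaver: a leaver's account must be disabled promptly.
        if owner.left_on is not None:
            days_late = (as_of - owner.left_on).days - DEPROVISION_GRACE_DAYS
            if days_late > 0:
                flag(acct, "leaver-still-enabled",
                     f"owner left {owner.left_on.isoformat()}, {days_late} day(s) past grace")
        # Least privilege: privileged accounts only for roles the policy permits.
        if acct.privileged and owner.role not in PRIVILEGED_ROLES:
            flag(acct, "excess-privilege", f"role '{owner.role}' may not hold privileged access")
        # Review frequency: every in-scope account is re-attested at least quarterly.
        if acct.last_reviewed is None or (as_of - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            flag(acct, "review-overdue",
                 "never reviewed" if acct.last_reviewed is None
                 else f"last reviewed {acct.last_reviewed.isoformat()}")
    return findings


def build_review_record(findings, accounts, as_of, reviewer):
    """Build the JSON-serialisable record that is retained as audit evidence."""
    return {
        "review_date": as_of.isoformat(),
        "reviewer": reviewer,
        "accounts_in_scope": sum(1 for a in accounts if a.enabled),
        "findings": findings,
        "next_review_due": (as_of + timedelta(days=REVIEW_INTERVAL_DAYS)).isoformat(),
    }


# Constructed sample data.
AS_OF = date(2024, 7, 1)
SAMPLE_ROSTER = [
    Person("E001", "platform-admin"),
    Person("E002", "developer"),
    Person("E003", "developer", left_on=date(2024, 5, 10)),
    Person("E004", "security-engineer"),
]
SAMPLE_ACCOUNTS = [
    Account("alice-admin", "E001", True, True, date(2024, 4, 1)),    # 91 days: just overdue
    Account("bob", "E002", True, False, date(2024, 5, 15)),
    Account("bob-admin", "E002", True, True, date(2024, 5, 15)),     # developer with admin rights
    Account("carol", "E003", True, False, date(2024, 2, 1)),         # leaver still enabled
    Account("svc-backup", None, True, True, None),                   # nobody owns it
    Account("dave", "E004", True, True, date(2024, 6, 20)),
    Account("carol-old", "E003", False, False, None),                # already disabled
]


def run_sample() -> dict:
    findings = review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, AS_OF)
    return build_review_record(findings, SAMPLE_ACCOUNTS, AS_OF, reviewer="it-security@example.test")


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Run as a script it prints the review record as JSON; that record (date, reviewer, population size, findings, next due date) is the artefact you keep, because it is what demonstrates to an auditor that the control in your Statement of Applicability is actually operated. The thresholds and the role list are deliberately separate constants so they can be changed to match your own policy rather than being buried in the logic.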
The bottom line
ISO 27001 and ISO 27002 are two halves of one system: the certifiable standard and its implementation guide. You are certified against ISO 27001, and you implement its Annex A controls with guidance from ISO 27002. The right question is never ‘which one’ but ‘how to use both’.
Get the management system right with ISO 27001 and implement controls well with ISO 27002, and you have a program that is both certifiable and genuinely effective. ISpectra builds precisely that, with free VAPT and a multi-framework discount included.
Understanding the relationship is step one; using the pair together well is what earns and sustains the certificate. ISpectra helps organisations achieve ISO 27001 certification efficiently, from gap analysis through to the certificate.