Differences Between ISO 27001 vs 27002

13 Jan 2021 | Randy Lindberg

Within the world of information security, there are standards for the way data is handled. Some of these are set by individual businesses or industry frameworks; the rest come from international standards bodies.


These standards aren't taken lightly, especially where personally identifiable information (PII) and financial data are involved. Organizations that store this data are expected to follow recognized standards. An ISO standard is not itself a law, but regulators and contracting parties frequently use it as the benchmark, and an organization that falls short can be audited and fined under the laws and regulations that apply to it.


These standards are published by the International Organization for Standardization (ISO), jointly with the International Electrotechnical Commission (IEC) for the 27000 series, which is why their formal names are ISO/IEC 27001 and ISO/IEC 27002. ISO develops and maintains the standards that organizations everywhere use to demonstrate compliance. Two of the older ones in the series, first published in 2005, are ISO 27001 and ISO 27002.


What is the difference between ISO 27001 vs 27002? Here's a breakdown.


ISO 27001

This standard was first published in 2005 and revised in 2013. In short, it specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Its scope goes beyond the systems stored on in-house servers and in the cloud: it also covers the people and processes behind those operations.


ISO 27001 requires the following:


  • Organizations must systematically examine the risks to their information security, taking account of the threats, vulnerabilities, and impacts involved.
  • Organizations have to design and implement a coherent set of information security controls and other forms of risk treatment (such as avoiding or transferring a risk) to address the risks deemed unacceptable.
  • Organizations have to adopt an overarching management process that ensures the information security controls continue to meet their needs over time.


Overall, the ISMS covers both the technology that stores the data and the people who handle the information. Its goal is to preserve what is called the CIA triad: Confidentiality, Integrity, and Availability.


ISO 27002

Where ISO 27001 specifies the requirements for an ISMS built around risk management, ISO 27002 is the companion best-practice guidance document (a "code of practice"). It describes how the controls should be selected and implemented within an organization; it does not itself contain auditable requirements.


Annex A of ISO 27001:2013 lists 114 controls organized into 14 groups (often called domains). ISO 27002 does not add to or narrow that list; it provides implementation guidance for each of those same 114 controls, explaining what each one is meant to achieve and how it is typically put into practice.


ISO 27002 recommends, among other things, the following:


  • Policies for information security should be set by an organization's top leadership and clearly communicated to all employees.
  • Employees, whether full-time staff or contractors, should understand their role in protecting the organization's information. This applies before, during, and after employment.
  • Physical and information assets should be identified and classified so that the appropriate level of protection can be applied to each.
  • Access to data and to storage facilities should be restricted to prevent unauthorized access. In turn, employees are responsible for safeguarding their own authentication information (passwords, tokens, and the like).
  • Information should be protected in a way that meets the legal, statutory, regulatory, and contractual obligations the organization is subject to, as reflected in its policies and procedures.


In order to comply with these standards, businesses have to start at the top. ISO 27001 requires senior management to establish an information security policy and make sure employees know the expectations behind it. This is normally done through a short, high-level policy document rather than a detailed manual. Think of it as a 30,000-foot view of what's required.


Implementation of the individual controls, using ISO 27002 as the guide, is delegated to department heads. It's their responsibility to ensure the controls their department owns across the 14 domains of ISO 27001 are in place and working, or that any control left out is justified in the Statement of Applicability. They do this through documentation, monitoring, and regular internal audits of their information security structure.


ISO 27001 Certification

This is one area where the differences between ISO 27001 vs 27002 become even more apparent. An organization that wants formal recognition of its compliance with 27001 can go through a certification process, in which an accredited, independent certification body (not ISO itself, which publishes standards but does not certify anyone) audits the ISMS against the standard's requirements. There is no equivalent for ISO 27002, because it is a guidance document: it contains recommendations rather than auditable requirements, so there is nothing to certify against.


To become ISO 27001 certified, there are normally four steps to complete:


  1. Determine the scope of the ISMS to be certified, hold orientation sessions for the teams involved, and draft the Statement of Applicability once the risk assessment has shown which Annex A controls apply.
  2. Assess your organization's current state of compliance through an IT audit, and produce a gap report with recommended changes.
  3. Create and implement a plan to close all identified gaps, while establishing an ISMS leadership structure and defining performance indicators.
  4. Allow the independent certification body's auditors to examine your ISMS. This is normally a two-stage audit: a review of the documentation, followed by an audit of how the controls are actually implemented. After certification, periodic surveillance audits confirm the ISMS is being maintained.


While certification isn't mandatory, it can definitely help strengthen a business's reputation and customer confidence. When prospects see that you are ISO 27001 certified, they have independent evidence that their information is protected by a managed, audited security program.


Certification also eases the worries of employees. With clear guidance in place and regular training, they know the proper ways to protect information. In turn, they feel confident in reporting potential gaps in the process.


When examining ISO 27001 vs ISO 27002, the best conclusion is that they are members of the same family: 27001 sets the requirements, and 27002 explains how to meet them. As part of the 27000 series, they lay out the essentials of proper information security. Without them, many industries would be without a common standard for compliance.

Contact Rivial to request an ISO compliance audit today.