Difference Between ISO 27001 and ISO 27002

ISO 27001 vs ISO 27002

As ISO 27000 is a series of standards that have been initiated by ISO to ensure safety and security within the organizations worldwide, it is worthwhile knowing the difference between ISO 27001 and ISO 27002, two of the standards in the ISO 27000 series. These standards have been initiated for the benefit of the organizations and also to provide a quality service for the customers. This article analyzes the differences between ISO 27001 and ISO 27002.

What is ISO 27001?

ISO 27001 standard is to ensure the Information Security and data protection in organizations worldwide. This standard is so important for business organizations in safeguarding their customers and confidential information of the organization against threats. Implementation of the information security management system would ensure quality, safety, service and product reliability of the organization that can be safeguarded at its highest level.

The primary objective of the standard is to provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). In most of the companies, decisions of adopting these types of standards are taken by the top management. Also, the requirement of having this kind of information security system for the organization arises due to various factors like organizational goals and objectives, security requirements, size and structure of the organization, etc.

In the previous version of the standard in 2005, it was developed based on PDCA cycle, Plan-Do-Check-Act model to structure the processes and that was in a way of reflecting the principles set out by the OECG guidelines. The new version in 2013 emphasizes measuring and evaluating the effectiveness of the organizational performance in ISMS. It has also included a section based on outsourcing and more concentration is given to the information security in organizations.

What is ISO 27002?

The ISO 27002 standard was initially originated as ISO 17799 standard which is based on the code of practice for information security. It highlights various security controlling mechanisms for organizations with the guidance of ISO 27001.

The standard was established based on various guidelines and principles for initiating, implementing, improving and maintaining information security management within an organization. The actual controls in the standard address specific requirements through a formal risk assessment. The standard consists of specific guidelines for the developments in organizational security standards and effective security management practices that would be useful in building confidence within inter-organizational activities.

The existing version of the standard was published in 2013 as ISO 27002:2013 with 114 controls. The most important factor to be noted is that over the years a number of industry specific versions of ISO 27002 have been developed or are under development in the fields like health sector, manufacturing, etc.

Information Security | Difference Between ISO 27001 and ISO 27002

What is the difference between ISO 27001 & ISO 27002?

• The ISO 27001 standard expresses the requirements for information security management in organizations and ISO 27002 standard provides support and guidance for those who are responsible in initiating, implementing or maintaining Information Security Management Systems (ISMS).

• ISO 27001 is an auditing standard based upon auditable requirements, while ISO 27002 is an implementation guide based upon best practice suggestions.

• ISO 27001 includes a list of management controls to the organizations while ISO 27002 has a list of operational controls to the organizations.

• ISO 27001 can be used to audit and certify the organization’s Information Security Management System and ISO 27002 can be used to assess the comprehensiveness of an organization’s Information Security Program.


Image Attribution: “CIAJMK1209” by John M. Kennedy T. (CC BY-SA 3.0)