ISO 27001 vs ISO 27002: requirements standard vs implementation guidance
One is the certifiable management system; the other is the code of practice behind its controls.
How the two standards relate
| Feature | ISO 27001 | ISO 27002 |
|---|---|---|
| Document type | Management-system requirements standard | Code of practice (implementation guidance) |
| Certifiable | Yes — accredited certification is issued against ISO 27001 | No — not independently certifiable or auditable |
| Core content | Clauses 4-10 plus Annex A (control number, title, and a one-sentence control statement for each of the 93 controls) | Purpose, implementation guidance, other information, and attributes (control type, security property, cybersecurity concept, operational capability, security domain) for the same 93 controls |
| Structure | Annex SL management-system clauses | Four themes: Organizational (37), People (8), Physical (14), Technological (34) |
| Risk treatment | Requires risk assessment, treatment, and a Statement of Applicability | Explains what each selected control is intended to achieve |
| Audit role | Basis for the certification audit | Reference an auditor may use to judge implementation quality |
| How they are used | Defines what must be in place | Helps decide how to put each control in place |
You don't pick: how they are used together
There is no decision to make between ISO 27001 and ISO 27002. ISO 27001 is the standard you certify against: it defines the ISMS requirements in clauses 4 to 10 and lists the Annex A controls whose inclusion or exclusion you justify in your Statement of Applicability. Those Annex A entries are terse by design, a title and a single sentence each. ISO 27002 fills the gap by giving each control a stated purpose, detailed implementation guidance, and context across its four themes, plus attributes you can use to filter and group controls. In practice, teams scope and run the ISMS using ISO 27001, then turn to ISO 27002 whenever they need to interpret what a specific control such as 5.7 Threat intelligence or 8.11 Data masking actually requires in their environment. The 27002 guidance is not itself a requirement: the auditor assesses you against the Annex A control statement and what your SoA says you have implemented, so where you deliberately depart from the 27002 guidance, record why. Treat 27002 as the implementation companion to 27001, never as a substitute or a rival framework.
Using both effectively
- Drive certification scope and risk treatment from ISO 27001 clauses 4-10
- Resolve ambiguous Annex A control titles using ISO 27002 guidance
- Map every Statement of Applicability entry to the purpose statement and guidance for that control in ISO 27002
- Use ISO 27002 themes to organise implementation notes and evidence
Frequently Asked Questions
Can I get certified to ISO 27002?
No. Accredited certification is issued only against ISO 27001, the management-system requirements standard. ISO 27002 is a code of practice that provides implementation guidance for the Annex A controls and is not independently auditable or certifiable; an auditor may cite it when judging how well a control is implemented, but the audit finding is always against ISO 27001.
Do I need ISO 27002 if I have ISO 27001?
You are not obliged to buy ISO 27002, but it is the official source of detailed guidance for the Annex A controls. Most teams use it to interpret terse control titles and to justify implementation decisions during the audit.
What changed in ISO 27002:2022?
The 2022 edition restructured the previous 114 controls into 93 controls grouped under four themes, Organizational (37), People (8), Physical (14), and Technological (34), and introduced 11 new controls: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering, and 8.28 Secure coding. It also added the attribute tags that let you view the controls by control type, security property, cybersecurity concept, operational capability, or security domain. ISO 27001:2022 adopted the same 93 controls in its Annex A, and the IAF transition deadline for certificates issued against ISO 27001:2013 is 31 October 2025.
