ISO 27001 vs ISO 27002: what's the difference and what do you need
Dennis van de Wiel
Once you start exploring information security, you'll come across two standards that look similar: ISO 27001 and ISO 27002. They belong to the same family, both cover information security, and both contain the same controls. Yet they are fundamentally different documents. Understanding the difference determines what you buy, what you implement, and where you spend your time.
The shortest summary: ISO 27001 is the standard you get certified against, ISO 27002 is the reference guide that explains how to implement the controls. There is no certification for ISO 27002. This article explains where that difference comes from, how the two work together, and when you need one, the other, or both.
Why the two are so often confused
The confusion has a logical cause: both documents contain exactly the same list of 93 controls. The controls in Annex A of ISO 27001 are identical in substance to those in ISO 27002. The difference lies in depth. ISO 27001 names each control with a brief description of the objective, often one or two lines. ISO 27002 takes that same control and devotes several pages to it: the objective, detailed implementation guidance, and additional considerations.
A comparison that captures the difference: ISO 27001 is the building permit that specifies what must be built. ISO 27002 is the construction manual that explains how to carry it out. You need the permit to be allowed to build. The manual is not mandatory, but it reduces the chance of mistakes.
What ISO 27001 is
ISO/IEC 27001:2022 is the international standard containing the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Published by ISO and IEC, it is the only document within the ISO 27000 family against which you can be certified.
The standard consists of two parts. Clauses 4 through 10 describe the management requirements: how you determine the context of your organisation, how management is involved, how you treat risks, how you measure whether your ISMS is working, and how you improve. In addition, there is Annex A, with 93 controls divided across four themes: organisational (37), people (8), physical (14), and technological (34). From those 93, you select which ones apply to your situation and document that selection, with a justification for each inclusion or exclusion, in the Statement of Applicability.
The distinguishing characteristic is certifiability. An accredited certification body conducts an audit in two stages: a document review (stage 1) and an assessment of implementation and effectiveness (stage 2). After a successful audit, you receive a certificate that is valid for three years, with annual surveillance audits in between and a recertification audit at the end of the three-year cycle. That certificate is what customers, partners, and regulators ask for.
What ISO 27002 is
ISO/IEC 27002:2022 is not a standard with requirements but a guideline. The full title is "Information security, cybersecurity and privacy protection. Information security controls". It provides a reference set of controls with extensive implementation guidance, intended for organisations building an ISMS based on ISO 27001, but also for those who want to improve their security without certification.
Where ISO 27001 Annex A describes a control in a few lines, ISO 27002 devotes several pages to it. Take control 5.15 (access control). Annex A states that you must establish rules for physical and logical access. ISO 27002 then goes into the principle of least privilege, periodic review of access rights, segregation of duties, and concrete examples. That depth makes the document valuable for teams that want to understand what lies behind a control.
One detail that causes confusion: in the 2013 version, ISO 27002 was still called a "code of practice". That term was dropped in the 2022 version, but the function remained the same: best-practice advice on how to implement the controls from Annex A.
What changed in 2022
ISO 27002 was significantly revised on 15 February 2022, and that revision was directly reflected in Annex A of ISO 27001:2022. The old structure of 114 controls across 14 domains was replaced by 93 controls in four themes. That is a net reduction of 21, but not a removal of requirements. Existing controls were largely merged to eliminate overlap, and 11 entirely new controls were added for modern risks such as cloud services, threat intelligence, and secure development.
The 2022 version also introduced attributes per control: labels such as the type (preventive, detective, corrective), the security property (confidentiality, integrity, availability), and the cybersecurity function (identify, protect, detect, respond, recover). This makes it easier to filter, classify, and assign controls.
The key differences at a glance
Standard versus guideline. ISO 27001 is a standard with requirements, using language like "the organisation shall". ISO 27002 is a guideline with recommendations, using "it is recommended" (should). An auditor assesses your ISMS against the requirements of ISO 27001, not against ISO 27002.
Certifiable versus supporting. Only ISO 27001 leads to a certificate; an ISO 27002 certification does not exist. When a customer asks whether you are "certified", they always mean ISO 27001. When a tender refers to ISO 27002, it is referring to the controls themselves, which are identical to Annex A.
Structure and use. ISO 27001 follows the management system structure you also know from ISO 9001 and ISO 42001: context, leadership, planning, support, operation, evaluation, and improvement. This allows you to implement multiple ISO standards in an integrated way. ISO 27002 is a reference work, organised around the four themes, with each control following a fixed structure of objective, guidance, and additional information. You consult it for the control you are working on.
How the two work together
In practice, the standards are complementary. ISO 27001 tells you that you must select controls based on your risk assessment and document them in your Statement of Applicability. How you actually implement those controls is largely left to you. That is where ISO 27002 comes in, with detailed guidance per control.
Take control 8.13 (backups). Annex A states that you must establish and carry out a backup policy. ISO 27002 goes into detail: how often you back up, what you back up, how you test whether a restore works, how you protect backups against unauthorised access. That depth is especially valuable for organisations that are working with information security for the first time.
Important: ISO 27002 is not the only source of implementation guidance. Many GRC platforms offer pre-built controls that have already translated the essence of ISO 27002 into concrete tasks and evidence requirements. This can make purchasing ISO 27002 as a standalone document less urgent, although it retains value as an in-depth reference.
What your organisation needs
For most organisations pursuing certification, ISO 27001 is the primary document: it contains all the requirements, the structure of your ISMS, and the list of controls. If you work with a platform that offers pre-built controls, or with an experienced consultant, you can often complete the process without ISO 27002 as a separate document. This is especially true for smaller organisations with a straightforward scope.
ISO 27002 adds value where the standard implementation is not sufficient: in a complex IT environment, for controls that require customisation, or when your team is uncertain about a specific control such as supplier management (5.19) or incident handling. The most common approach is a combination: ISO 27001 defines the structure and requirements, ISO 27002 is consulted selectively. You do not need to read the 150+ page document from start to finish; using it in a targeted way prevents you from getting lost in it.
Three persistent misconceptions
"I need to implement ISO 27002 to get certified." Incorrect. ISO 27001 refers to the controls in Annex A, not to ISO 27002 as a document. An auditor assesses whether your controls are effective, not whether you have implemented them in line with the wording of ISO 27002. You are free to implement a control in your own way, as long as it demonstrably works.
"ISO 27001 and ISO 27002 are two separate projects." Incorrect and undesirable. There is no separate "ISO 27002 project". You implement your ISMS according to ISO 27001 and consult ISO 27002 where you need guidance. Treating them as two separate projects creates duplicate documentation and confusion.
"Involving ISO 27002 makes the process more complex." Usually not. Using the guidance removes guesswork. Complexity only arises if you try to apply every guideline literally, regardless of relevance. Not everything is relevant for a small organisation with a limited scope. Use it as a starting point and adapt it to your context.
How Tidal Control supports this
Tidal Control offers pre-built controls that are directly linked to the ISO 27001 Annex A references. Each control contains concrete tasks that describe what you need to do to meet the requirement, including ownership, deadlines, and evidence. The platform thereby fulfils part of the role that ISO 27002 traditionally plays: translating an abstract control into an actionable task.
Evidence is collected automatically through integrations with Microsoft Azure, AWS, Google Cloud, GitHub, GitLab, and Jira, with more than 200 automated tests that continuously verify whether controls are working. Because the Annex A controls overlap significantly with SOC 2, NIS2, DORA, and GDPR, you can set up a control once and link it to multiple standards.
Want to know where your organisation stands?
Before you start, it helps to know which controls you already have implicitly in place and where the gaps are. Take the free quick scan and get an initial picture of your position and the logical next steps in five minutes. No sales call, no obligations.
The scan also shows which Annex A controls you already cover.
Frequently asked questions
What is the most important difference between ISO 27001 and ISO 27002?
ISO 27001 is a certifiable standard containing the requirements for an information security management system. ISO 27002 is a non-certifiable guideline that provides implementation recommendations for the controls in Annex A of ISO 27001. The controls are identical in both documents; the difference lies in the purpose. ISO 27001 sets requirements, ISO 27002 explains how to fulfil them. You certify against ISO 27001 and consult ISO 27002 as a reference.
Do you need ISO 27002 to get certified against ISO 27001?
No. An auditor assesses your ISMS against the requirements of ISO 27001, not against the guidance of ISO 27002. You are free to implement controls in any demonstrably effective way. ISO 27002 is a valuable reference, but using it is a choice, not an obligation. An ISO 27002 certificate does not exist; certification is reserved for ISO 27001.
How many controls does ISO 27001:2022 have and how are they organised?
The standard contains 93 controls in Annex A, divided across four themes. This replaced the old structure of 114 controls across 14 domains. The reduction came mainly from merging overlapping controls, and 11 entirely new controls were added for modern risks such as cloud services and secure development. The breakdown is: organisational (37), people (8), physical (14), and technological (34).