ISO 27001 vs ISO 27002: what's the difference and what do you need
As soon as you delve into information security, you quickly encounter two standards that at first glance look very similar: ISO 27001 and ISO 27002. Both are part of the same standard family, both deal with information security and both contain controls. Yet they are fundamentally different documents with their own purpose, structure and application. Understanding the difference is important because it determines what you buy, what you implement and where you invest your time.
In this article we clearly explain what both standards entail, how they relate to each other and when you need one, the other, or both. Not a theoretical treatise, but a practical guide that helps you make the right choices for your organisation, whether you're just starting with ISO 27001 or already implementing controls.
ISO 27001 and ISO 27002 in brief
Why this comparison is often made
The confusion between ISO 27001 and ISO 27002 doesn't come out of nowhere. Both standards share the same controls: the 93 controls listed in Annex A of ISO 27001 are exactly the same controls described in ISO 27002. The difference lies in the depth and purpose. ISO 27001 lists each control with a one-sentence statement of what it requires. ISO 27002 takes that same control and adds its purpose, implementation guidance, examples and other information.
That overlap causes people to confuse the two standards or think they're the same document. They're not. ISO 27001 is the standard you can be certified against. ISO 27002 is the accompanying document that helps you put the controls from that standard into practice. The distinction is comparable to the difference between a building permit (what needs to be built) and an engineering drawing (how you build it). You need the permit to be allowed to build, but the drawing helps you do it well.
When the difference becomes relevant
The difference between ISO 27001 and ISO 27002 only becomes truly relevant when you need to make concrete choices. Do you need to purchase both documents? Do you need to implement both standards? What does an auditor expect? And what do your clients expect when they ask whether you're "ISO 27001 certified"? At all those moments, it's important to know which standard plays which role.
For many startups and scale-ups tackling certification for the first time, ISO 27001 is the starting point. That's the standard clients ask for, auditors assess against, and that appears on your certificate. ISO 27002 is the reference work you consult when you want to understand how to fill in a specific control. When you know this difference, you avoid spending unnecessary time and money on things that aren't required, while deploying the right tools where they actually add value.
What ISO 27001 is
Purpose and positioning of the standard
ISO/IEC 27001:2022 is the international standard describing the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is the standard within the ISO 27000 family against which an organisation's ISMS is certified; extensions such as ISO/IEC 27701 (privacy) are certified on top of an ISO 27001 ISMS, not instead of it.
The core of ISO 27001 consists of two parts. The first part (clauses 4 through 10) describes the management requirements: how you determine your organisation's context, how management must be involved, how you identify and treat risks, how you measure whether your ISMS works and how you continually improve. The second part is Annex A, which provides an overview of 93 controls divided into four categories: organisational (37 controls), people (8 controls), physical (14 controls) and technological (34 controls). Based on your risk treatment you determine which of those 93 controls apply to your situation and document this in the Statement of Applicability, including a justification for every control you exclude.
Certification and audit
The distinguishing feature of ISO 27001 is that it's a certifiable standard. An accredited certification body conducts the initial audit in two stages: stage 1 (document review and readiness) and stage 2 (assessment of implementation and effectiveness). After a successful audit, you receive a certificate valid for three years, with annual surveillance audits in the two years that follow and a recertification audit before the certificate expires.
That certificate is what clients, partners and regulators ask for when they want to know whether your information security is in order. It's an independent confirmation that an external party has assessed your ISMS against the standard's requirements. The certificate transforms your sales process: larger clients who previously hesitated gain the confidence they need to engage. ISO 27001 has that effect because it's a recognised, audited standard, not merely a collection of guidelines.
What ISO 27002 is
Guidelines and best practices
ISO/IEC 27002:2022 is not a certifiable standard but a guideline. Its full title is "Information security, cybersecurity and privacy protection - Information security controls". The document provides a reference collection of generic information security controls, including implementation guidelines. It's designed to be used by organisations working on an ISMS based on ISO 27001, but also by organisations that want to improve their information security independently of certification.
Where ISO 27001 Annex A describes each control in one or two lines, ISO 27002 devotes anywhere from half a page to several pages per control. For each control, ISO 27002 describes the purpose, implementation guidance and other information. Take control 5.15 (access control) for example: ISO 27001 Annex A says you must establish and implement rules for physical and logical access to information and associated assets, based on business and information security requirements. ISO 27002 then elaborates on principles such as need-to-know and least privilege, how those rules tie into granting, reviewing and removing access rights, separation of duties, and concrete considerations for setting this up in practice. That depth makes ISO 27002 valuable for teams wanting to understand what's behind each control.
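To make the 5.15 guidance concrete, here is an added example (not text or code from ISO 27002 or from this page) of the checks a periodic access review typically automates: least privilege against a role baseline, separation of duties, MFA on privileged entitlements, and stale or orphaned access rights. The entitlement names, role baseline, toxic combinations, the 90-day threshold and the sample accounts are all constructed assumptions; in practice the input would be an export from your identity provider.

```python
"""
Access-review checks of the kind the ISO 27002 guidance around control 5.15
describes: least privilege against a role baseline, separation of duties,
MFA on privileged access, and stale or orphaned access rights.
Added example, not text or code from ISO or the page. The entitlement names,
role baseline, toxic combinations, 90-day threshold and sample accounts are
all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

STALE_AFTER_DAYS = 90  # assumption: rights unused for 90 days go back to the owner for re-approval

# Hypothetical entitlements that count as privileged and therefore require MFA.
PRIVILEGED = {"admin", "payments.approve", "prod.deploy"}

# Hypothetical separation-of-duties rules: one person must never hold both.
SOD_CONFLICTS = [
    ({"payments.create", "payments.approve"}, "create and approve payments"),
    ({"dev.commit", "prod.deploy"}, "commit code and deploy it to production"),
]

# Hypothetical least-privilege baseline: what each job function should hold and nothing more.
ROLE_BASELINE = {
    "developer": {"dev.commit", "repo.read"},
    "finance": {"payments.create", "repo.read"},
    "finance_manager": {"payments.approve", "repo.read"},
    "ops": {"admin", "prod.deploy", "repo.read"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    last_login: Optional[date]
    mfa: bool
    active: bool = True


def review(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every account that needs reviewer attention."""
    findings = []
    for acct in accounts:
        if not acct.active:
            if acct.entitlements:
                findings.append((acct.user, "disabled account still holds entitlements"))
            continue  # nothing else to check on a disabled account
        if acct.last_login is None or (today - acct.last_login).days > STALE_AFTER_DAYS:
            findings.append((acct.user, f"stale: no login in the last {STALE_AFTER_DAYS} days"))
        if acct.entitlements & PRIVILEGED and not acct.mfa:
            findings.append((acct.user, "privileged access without MFA"))
        for combo, label in SOD_CONFLICTS:
            if combo <= acct.entitlements:
                findings.append((acct.user, f"separation of duties: {label}"))
        excess = acct.entitlements - ROLE_BASELINE.get(acct.role, set())
        if excess:
            findings.append((acct.user, "beyond role baseline: " + ", ".join(sorted(excess))))
    return findings


REVIEW_DATE = date(2024, 6, 1)  # constructed review date for the sample below


def sample_accounts() -> List[Account]:
    """Constructed IdP export; not real users."""
    return [
        Account("alice", "developer", {"dev.commit", "repo.read"}, date(2024, 5, 30), mfa=True),
        Account("bob", "finance", {"payments.create", "payments.approve", "repo.read"}, date(2024, 5, 28), mfa=True),
        Account("carol", "ops", {"admin", "prod.deploy", "repo.read"}, date(2024, 1, 10), mfa=False),
        Account("dave", "developer", {"dev.commit", "repo.read"}, None, mfa=True),
        Account("erin", "finance_manager", {"payments.approve", "repo.read"}, date(2024, 5, 1), mfa=True, active=False),
    ]


def run_sample() -> List[Tuple[str, str]]:
    """Run the review over the constructed export; six findings across four accounts."""
    return review(sample_accounts(), REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:8} {finding}")
```

The output of such a review is the evidence an auditor asks for under this control: not a policy saying access is reviewed, but the list of findings, who approved or revoked each one, and when. Note that the baseline and the conflict list are the real policy decisions; the script only makes deviations visible.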
Relationship with controls
The 93 controls in ISO 27002:2022 are substantively identical to the controls in Annex A of ISO 27001:2022. The terms ISO 27002 and ISO 27001 Annex A are interchangeable in practice when it comes to the list of controls. The difference is that ISO 27001 Annex A provides a concise overview as part of the certifiable standard, while ISO 27002 is a standalone document that extensively explains those controls.
ISO 27002:2022 underwent a fundamental restructuring compared to the previous version (from 2013). The old structure of 114 controls divided across 14 domains was replaced by 93 controls in four themes. Additionally, the 2022 version introduced attributes per control: the control type (preventive, detective, corrective), the information security properties (confidentiality, integrity, availability), the cybersecurity concept (identify, protect, detect, respond, recover), the operational capability (for example identity and access management, or supplier relationships security) and the security domain. These attributes make it easier to filter and group controls and to assign them to the right people within your organisation.
The key differences between ISO 27001 and ISO 27002
Standard versus guideline
The fundamental difference is the status of the document. ISO 27001 is a standard with requirements. It contains formulations like "the organisation shall" indicating what's mandatory to comply with the standard. ISO 27002 is a guideline with recommendations. Its guidance is written with "should", indicating best practice, not what's mandatory.
This distinction has direct consequences. An auditor assesses your ISMS against ISO 27001's requirements. When you don't meet a requirement from clauses 4 through 10 or a control you've included in your Statement of Applicability, that's a finding. ISO 27002 isn't audited. An auditor may ask how you've implemented a control and implicitly check whether your approach aligns with ISO 27002 guidelines, but the document itself isn't an audit criterion. You can implement a control differently than ISO 27002 describes, as long as the control is effective.
Certifiable versus supporting
Only ISO 27001 leads to a certificate. There's no ISO 27002 certification. No accredited certification body offers an ISO 27002 certificate because the standard isn't intended for that. When clients or partners ask whether you're certified, they always mean ISO 27001. When a tender refers to ISO 27002, that's typically in the context of "the controls as described in ISO 27002 must be applied", which in practice amounts to the controls from Annex A of ISO 27001.
ISO 27002 plays a supporting role: it helps you implement the controls you select based on ISO 27001 in the right way. You can compare ISO 27002 to a user manual for a product: you need the product (ISO 27001) to function, but the manual (ISO 27002) helps you use it well. The manual isn't mandatory and you can operate the product without it, but it makes the process more efficient and reduces the chance of errors.
Structure and application
ISO 27001 follows a management system structure familiar from other ISO standards (such as ISO 9001 for quality and ISO 42001 for artificial intelligence): context, leadership, planning, support, operation, evaluation and improvement. This structure makes it possible to implement multiple ISO standards in an integrated way, because the management requirements follow similar patterns.
ISO 27002 follows a different structure. It's organised around the four themes of controls (organisational, people, physical, technological) and offers a uniform structure per control: the attribute table, the control statement, its purpose, implementation guidance and other information. The document is intended as a reference work, not something you read from cover to cover. You consult it when you want to know how a specific control is generally filled in in practice. This fundamental difference in design, management system versus controls catalogue, explains why the two documents complement rather than overlap each other.
How ISO 27001 and ISO 27002 work together
ISO 27002 as deepening of controls
The collaboration between both standards works as follows: ISO 27001 tells you that you must select controls based on your risk assessment and document them in your Statement of Applicability. But how you then concretely implement those controls is largely left to you. That's where ISO 27002 comes in. The document provides detailed guidelines per control that you can use as a starting point for your own implementation.
Take control 8.13 (information backup) for example. ISO 27001 Annex A states that backup copies of information, software and systems must be maintained and regularly tested in line with an agreed topic-specific backup policy. ISO 27002 then elaborates: how often you should back up and how much data loss is acceptable, what you should back up, how you test whether backups can actually be restored, how you protect backups against unauthorised access and against the same incident that hits the primary copy, and how you document all of this. That depth is particularly valuable for organisations working with information security for the first time and lacking the experience to fill in each control independently.
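The restore test is the part of 8.13 most often claimed on paper and least often performed. The following is an added example, not text or code from ISO 27002 or from this page, of what such a test looks like when it is automated: take a backup with a hash manifest, restore it somewhere else, compare every file against the manifest, check the backup's file permissions, and refuse an archive that tries to write outside the restore directory. The directory layout, file names and contents, and the 0600 permission policy are constructed assumptions.

```python
"""
Backup restore test of the kind the ISO 27002 guidance on control 8.13 asks for:
can the backup actually be restored, is it complete and intact, and is it protected
against unauthorised access? Added example, not text or code from ISO or the page.
Paths, file names, contents and the 0600 permission policy are assumptions.
"""
import hashlib
import io
import json
import os
import stat
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_backup(source: Path, dest_dir: Path) -> tuple:
    """Archive `source` into dest_dir and write a hash manifest alongside it.

    The manifest is what the restore test later checks against; without it you
    only know that a restore produced files, not that they are the right ones.
    """
    manifest = {
        str(p.relative_to(source)): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    (dest_dir / "backup.manifest.json").write_text(json.dumps(manifest, indent=2))
    os.chmod(archive, 0o600)  # a backup holds the same data as production: same access rules
    return archive, manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract only members that stay inside dest (rejects '../' path traversal)."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"refusing archive member outside restore dir: {member.name}")
    tar.extractall(dest)


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore the archive into restore_dir and compare every file with the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        safe_extract(tar, restore_dir)
    missing = [rel for rel in manifest if not (restore_dir / rel).is_file()]
    mismatched = [
        rel for rel, expected in manifest.items()
        if (restore_dir / rel).is_file() and sha256_file(restore_dir / rel) != expected
    ]
    mode = stat.S_IMODE(archive.stat().st_mode)
    return {
        "restored_ok": not missing and not mismatched,
        "missing": missing,
        "mismatched": mismatched,
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def run_demo() -> dict:
    """Constructed end-to-end run: two sample files, one backup, one restore, one hostile archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backups, restore = root / "data", root / "backups", root / "restore"
        for d in (source / "config", backups, restore):
            d.mkdir(parents=True)
        (source / "customers.db").write_bytes(b"id,name\n1,Example Customer\n")  # constructed data
        (source / "config" / "app.yaml").write_text("db: customers.db\n")

        archive, manifest = take_backup(source, backups)
        report = verify_restore(archive, manifest, restore)
        report["files_checked"] = len(manifest)

        # A tampered or hostile archive must not be allowed to write outside the restore dir.
        hostile = backups / "hostile.tar.gz"
        with tarfile.open(hostile, "w:gz") as tar:
            info = tarfile.TarInfo("../escaped.txt")
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        try:
            verify_restore(hostile, {}, root / "restore2")
            report["traversal_rejected"] = False
        except ValueError:
            report["traversal_rejected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run on a schedule, the report from `verify_restore` (timestamp, files checked, mismatches, who ran it) is exactly the evidence that shows the control is operated rather than merely documented. Restoring into a separate directory or host, never over the live data, is what keeps the test itself from becoming an incident.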
Practical application within ISO 27001
In practice, most organisations use ISO 27002 as a reference during the implementation phase of their ISO 27001 journey. Once the risk assessment is completed and controls are selected, they consult ISO 27002 to understand what's expected per control. This approach is efficient because you can search specifically: you open the document at the control you're currently implementing and read the corresponding guideline.
It's worth knowing that ISO 27002 isn't the only source of implementation guidelines. Many GRC platforms offer pre-built controls that have already translated the essence of ISO 27002 into concrete tasks and evidence requirements. Tidal Control for example offers controls directly linked to ISO 27001 Annex A references, including tasks describing what you need to do per control. The platform thereby partially fulfils the role ISO 27002 traditionally plays: the translation from abstract control to concrete action. This can make purchasing ISO 27002 as a separate document less urgent, although the document retains value as an in-depth reference.
What your organisation needs in practice
When ISO 27001 is sufficient
For most organisations pursuing certification, ISO 27001 is the primary document. It contains all the requirements you must meet, the structure of your ISMS and the list of controls to select from. When working with a platform that offers pre-built controls and implementation guidelines, or when you have a consultant with ISO 27001 experience, you can in many cases complete the certification journey without purchasing ISO 27002 as a separate document.
This applies especially to smaller organisations with a manageable scope and standard controls. If you work entirely in the cloud, have a limited number of systems and implement most Annex A controls in a standard way (multi-factor authentication, encryption, access management, incident procedures), the descriptions in Annex A together with your platform or consultant's guidelines provide sufficient guidance. ISO 27002 becomes more of a "nice to have" than a "must have" in that situation.
When ISO 27002 adds value
ISO 27002 adds value in situations where the standard implementation isn't sufficient. When you have a complex IT environment, when you need to implement controls in a non-standard way, or when your team is uncertain about the right approach for a specific control, ISO 27002 provides the depth you need. The document helps you make informed choices instead of guessing.
A concrete example: control 5.19 (information security in supplier relationships) is a challenge for many organisations. How do you assess your suppliers' information security? Which requirements do you include in contracts? How do you monitor whether suppliers continue to meet those requirements? ISO 27002 describes this in detail, including considerations for different types of suppliers. For organisations with a large supplier portfolio, that guideline is extremely practical.
Combination of both
The most common approach in practice is a combination: ISO 27001 as the certifiable standard defining structure and requirements, and ISO 27002 as a reference work you consult when you need depth on specific controls. This combination is also what ISO itself intends: the two documents are designed as a complementary pair.
Importantly, you don't need to read or implement ISO 27002 from cover to cover. It's a reference document. You consult it selectively, for the controls you actually apply and where you need more context. That targeted approach prevents you from being overwhelmed by the document's volume (ISO 27002:2022 is more than 150 pages) and ensures you apply the guidelines where they contribute most to the quality of your implementation.
Common misconceptions about ISO 27001 and ISO 27002
ISO 27002 as a mandatory component
A persistent misconception is that you must implement ISO 27002 to become ISO 27001 certified. That's not the case. ISO 27001 refers to the controls in Annex A, not to ISO 27002 as a document. The controls are the same, but ISO 27002's implementation guidelines aren't an audit requirement. An auditor checks whether your controls are effective, not whether you've implemented them according to the letter of ISO 27002.
In practice, this means you have complete freedom in how you implement a control, as long as the result demonstrably works. If you've set up access management in a way that deviates from the ISO 27002 guideline but is demonstrably effective for your situation, that's fine. The auditor assesses the result, not the method. ISO 27002 is an aid, not an obligation.
Implementing both simultaneously
A second misconception is that you need to implement ISO 27001 and ISO 27002 as two separate projects. That's neither necessary nor desirable. You implement ISO 27001 as a management system and use ISO 27002 as a reference where needed. There's no separate "ISO 27002 project": the document supports your ISO 27001 implementation but has no implementation journey of its own.
Organisations that try to implement ISO 27002 as a separate framework alongside ISO 27001 create unnecessary complexity. They end up with duplicate documentation, overlapping processes and team confusion about which standard sets which requirements. The right approach is: implement your ISMS according to ISO 27001 and consult ISO 27002 when you need guidelines for specific controls. One journey, one management system, one set of controls.
Over-complexity
The third misconception is that involving ISO 27002 automatically leads to a more complex journey. The opposite can be true: by using ISO 27002's implementation guidelines, you remove the guesswork otherwise needed to fill in a control. That doesn't make the journey more complex but actually more efficient, provided you use the document selectively.
Complexity only arises when you try to literally apply every guideline from ISO 27002, regardless of whether it's relevant to your situation. ISO 27002 describes best practices for organisations of all types and sizes. Not everything applies to a startup with ten employees. The art is to use the guidelines as inspiration and starting point, and then adapt them to your own context and risk profile. That pragmatic approach keeps the journey manageable.
The role of tooling with ISO 27001 and ISO 27002
Overview of controls
A GRC platform provides an overview of which controls you've selected, how they're implemented and what evidence accompanies them. That overview is valuable regardless of whether you use ISO 27002 as a separate document. The platform translates the abstract descriptions from Annex A into concrete tasks and evidence requirements, so you know what's expected for each control.
Where ISO 27002 makes that translation on paper, tooling makes the same translation interactive and trackable. You see not only what you need to do but also whether it's already been done, by whom and when. That visibility prevents controls from existing on paper but not being executed in practice, exactly the kind of discrepancy auditors flag at certification audits. The platform thereby functions as the practical translation of what ISO 27002 describes in theory.
Safeguarding and maintenance
After implementation, safeguarding is the biggest challenge. Controls that were in order at the first audit can deteriorate over time when there's no mechanism to periodically test them. ISO 27002 provides guidelines on what needs to be maintained per control, but it's up to you to actually perform that maintenance.
Tooling automates part of that maintenance. Automated tests continuously check whether technical controls are correctly configured. Reminders flag when policy documents expire or when controls need reassessment. That automation replaces the manual work otherwise needed to structurally comply with ISO 27002's guidelines.
Connection with other frameworks
An additional advantage of tooling is the ability to link controls to multiple standard frameworks. The controls from ISO 27001 Annex A overlap significantly with other standards: SOC 2 Trust Services Criteria, NIS2 requirements, GDPR measures and ISO 42001 controls for artificial intelligence. When you implement a control once and link it to multiple standards, you save double work.
ISO 27002 describes controls in the context of information security, but those same controls are often more broadly applicable. Access management is relevant for ISO 27001, SOC 2 and GDPR. Incident handling is a requirement under ISO 27001, NIS2 and DORA. By making those connections visible in a platform, you maximise the value of your investment in each control. That's more efficient than working through ISO 27002 or comparable documents separately for each standard framework.
How Tidal Control supports ISO 27001 and ISO 27002
Structure and overview
Tidal Control offers pre-built controls directly linked to ISO 27001 Annex A references. Each control contains concrete tasks describing what you need to do to meet the requirements. The platform thereby provides a practical fulfilment of the role ISO 27002 traditionally plays: the translation from abstract standard requirements to executable actions.
The risk library of Tidal Control contains common scenarios with automatic linking to relevant controls. When you identify a risk, you immediately see which controls cover that risk and which tasks belong to them. That coherence between risks, controls and tasks is precisely what ISO 27001 requires and what ISO 27002 supports in practice. The platform makes that coherence visible and trackable, without you having to place two separate documents side by side.
Practical application of controls
During the implementation phase, the platform helps you concretely fill in each control. Tasks are assigned to the right people, deadlines are monitored and evidence is automatically collected through integrations with more than 150 automated tests across Microsoft Azure, AWS, Google Cloud, GitHub, GitLab and Jira. That continuous nature of evidence collection replaces the manual work otherwise needed at every surveillance audit.
The more than thirty policy templates that Tidal Control includes have been developed based on hundreds of audit journeys. Each template is aligned with ISO 27001's standard requirements and ISO 27002's guidelines, so you don't have to figure out which elements a policy document must contain yourself.
Scalability
As your organisation grows and additional standards come into view, the platform scales with you. ISO 27001 is often the starting point, but SOC 2, NIS2, GDPR, ISO 42001 and ISO 9001 follow when clients, regulators or markets ask for them. Tidal Control supports more than thirty standards and makes it possible to set up controls once and reuse them for multiple standards.
That scalability is relevant for the relationship between ISO 27001 and ISO 27002. ISO 27002's guidelines are specifically written for information security, but many controls are more broadly deployable. An access management control you implement for ISO 27001 also applies to SOC 2 and GDPR. By setting up that control once in the platform and linking it to multiple standards, you maximise the value of your investment. That principle of reuse is ultimately more valuable than the ISO 27002 document itself: it's not about reading guidelines, but about structurally applying them in your daily way of working.
Frequently asked questions about ISO 27001 and ISO 27002
What is the most important difference between ISO 27001 and ISO 27002?
ISO 27001 is a certifiable standard describing the requirements for an information security management system. ISO 27002 is a non-certifiable guideline providing implementation recommendations for the controls listed in Annex A of ISO 27001. The controls themselves are identical in both documents. The difference lies in purpose: ISO 27001 sets requirements you must meet, ISO 27002 describes how you can fulfil those requirements in practice. You certify against ISO 27001; you consult ISO 27002 as an aid.
Do you need ISO 27002 to become ISO 27001 certified?
No. ISO 27002 is not a requirement for certification. An auditor assesses your ISMS against ISO 27001's requirements, not against ISO 27002's guidelines. You're free to implement controls in any way that's demonstrably effective. ISO 27002 is a valuable reference work that helps you implement controls well, but purchasing and applying it is a choice, not an obligation.
When does ISO 27002 actually add value for an organisation?
ISO 27002 primarily adds value when your team lacks sufficient information security experience to fill in controls independently, when you have a complex IT environment requiring customisation, or when you need detailed guidelines for specific controls (such as supplier management or incident handling). For organisations working with a GRC platform that offers pre-built controls and implementation guidelines, the added value of ISO 27002 as a separate document is more limited, as the platform already makes that translation.
Can you combine ISO 27001 and ISO 27002 without added complexity?
Yes, provided you use ISO 27002 as a reference work and not as a separate implementation project. Implement your ISMS according to ISO 27001's requirements and consult ISO 27002 selectively for controls where you need depth. This approach doesn't add complexity but actually makes your implementation more targeted. Avoid the pitfall of treating every point from ISO 27002 as a separate requirement: it's a guideline, not a checklist.
What role does tooling play in applying ISO 27002 within ISO 27001?
Tooling makes the translation from standard to practice concrete and trackable. A GRC platform offers pre-built controls that already contain the essence of ISO 27002 guidelines, including tasks, evidence requirements and automatic links to standard references. The platform thereby partially fulfils ISO 27002's function: it helps you understand what's expected per control and how to implement it. Automated evidence collection and continuous checks additionally ensure that controls don't just exist on paper but are followed in practice, precisely what both ISO 27001 and ISO 27002 aim for.