Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Secure Controls Framework
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Cart
Start Here
Products
Bundles
Updates
Reasons To Buy
Certification Options
Home
FAQ
What is the difference between ISO 27001 and ISO 27002?

What is the difference between ISO 27001 and ISO 27002?

Direct Answer

ISO 27001 and ISO 27002 are both international frameworks related to cybersecurity, where:

  • ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an “Information Security Management System (ISMS)”. An organization can obtain a certification for ISO 27001
  • ISO 27002 contains detailed security controls that organizations can implement to meet the requirements of ISO 27001. ISO 27002 is not certifiable, but serves as a practical implementation reference for ISO 27001.

The ISO 27001 framework was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and exists to create an (e.g., a comprehensive IT security program). ISO 27001 leverages the controls from ISO 27002 for the details of what goes into building a comprehensive IT security program (e.g., ISMS).

ISO 27001 Appendix A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides those specific controls that are necessary to actually implement ISO 27001. Essentially, you can't meet ISO 27001 without implementing ISO 27002.

Keep Exploring

Relevant ComplianceForge Resources

References

Authoritative Sources