What is the Difference Between ISO 27001 and ISO 27002?

ISO 27001 and ISO 27002 are both international frameworks related to cybersecurity, where:

  • ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an “Information Security Management System (ISMS)”. An organization can obtain certification against ISO 27001.
  • ISO 27002 contains detailed security controls that organizations can implement to meet the requirements of ISO 27001. ISO 27002 is not certifiable but serves as a practical implementation reference for ISO 27001.

The ISO 27001 framework was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and exists to define how an ISMS (i.e., a comprehensive IT security program) is built and run. ISO 27001 leverages the controls from ISO 27002 for the details of what goes into building that comprehensive IT security program (i.e., the ISMS).

ISO 27001 Appendix A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides the specific implementation guidance for those controls that is necessary to implement ISO 27001. Essentially, you can't meet ISO 27001 without implementing ISO 27002.