ISO 27001 vs ISO 27002: What's the Difference in 2026?

If you have started reading about ISO 27001 certification, you have probably hit the same wall every compliance lead hits: the standard keeps referencing ISO 27002. The two documents look nearly identical from the cover, sound nearly identical when colleagues talk about them, and yet only one of them gets you certified. The difference is small in name but large in consequence. Confuse the two during audit planning and you waste a quarter rewriting policies your auditor never wanted to see.

This guide explains what ISO 27001 and ISO 27002 actually are, when each one applies, and how to use them together to pass an ISO 27001 certification audit. By the end you will know which document to buy, which controls to implement, and how to talk about the pair without sounding like you just discovered the ISO website.

What is ISO 27001?

ISO 27001 is the international standard for an Information Security Management System (ISMS). Published by the International Organization for Standardization, it is the certifiable framework that organizations use to prove they manage information security in a structured, risk-based way. The current version is ISO/IEC 27001:2022.

ISO 27001 has two parts: the main clauses (4 through 10) that describe how to build and operate an ISMS, and Annex A that lists 93 reference controls. To pass an ISO 27001 audit, an organization must demonstrate that the ISMS is operating across the main clauses and that the Annex A controls are either implemented or formally excluded with documented justification in the Statement of Applicability.

For a complete walkthrough of the certification pathway, see our ISO 27001 certification guide.

What is ISO 27002?

ISO 27002 is a companion standard to ISO 27001. It is a code of practice for information security controls. The current version is ISO/IEC 27002:2022.

While ISO 27001 lists the 93 Annex A controls in roughly three lines each, ISO 27002 expands those same 93 controls into 150+ pages of implementation guidance, examples, and considerations. ISO 27002 is not certifiable. You cannot be "ISO 27002 certified." Instead, organizations use ISO 27002 as the reference manual when they implement the controls that ISO 27001 Annex A requires.

According to the ISO/IEC 27002:2022 standard published in February 2022, the controls are grouped into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls).

ISO 27001 vs ISO 27002: the core difference

The relationship between ISO 27001 and ISO 27002 is the relationship between a contract and a manual. ISO 27001 tells you what to do. ISO 27002 tells you how to do it.

Dimension           | ISO 27001                                                               | ISO 27002
--------------------|-------------------------------------------------------------------------|------------------------------------------------------
Full name           | ISO/IEC 27001:2022 Information security management systems requirements | ISO/IEC 27002:2022 Information security controls
Purpose             | Specifies requirements for an ISMS                                      | Provides implementation guidance for security controls
Certifiable         | Yes (by an accredited certification body)                               | No
What it tells you   | WHAT must be in place                                                   | HOW to put it in place
Length              | ~40 pages                                                               | ~150+ pages
Annex A controls    | Lists 93 controls in short form                                         | Explains the same 93 controls in detail
Audit role          | Auditor checks compliance against this                                  | Auditor may reference this for context
Cost                | ~$170 USD from ISO                                                      | ~$200 USD from ISO

If you only buy one, buy ISO 27001. If you are implementing controls and want examples, ISO 27002 saves you weeks of guessing.

Why both standards exist

When ISO first published the precursor standards in 2005, the certifiable standard (ISO 27001) and the guidance document (ISO 27002, originally called ISO 17799) were separated to keep two ideas distinct.

The certifiable document had to be lean enough that auditors could check every clause and accredit organizations consistently across countries. A 150-page document filled with implementation suggestions would have made certification audits inconsistent. Some auditors would have demanded the examples; others would have ignored them.

The guidance document had to be detailed enough that practitioners could actually implement the controls without consulting a paid consultant for every clause. Pushing all that detail into the certifiable standard would have inflated audit scope.

The current 2022 revision aligned the two documents tightly. ISO 27001:2022 Annex A is a one-to-one mirror of the ISO 27002:2022 control set. The 2022 revision reduced the number of controls from 114 in the 2013 version to 93 in 2022, regrouped them into four themes, and introduced five new controls that reflect modern risks: threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, and secure coding.

How auditors actually use the pair

In an ISO 27001 certification audit, the auditor works against ISO 27001 clauses 4 through 10 and Annex A. They will ask:

  • Have you defined the scope of the ISMS in writing?
  • Do you have leadership commitment with a documented security policy?
  • Have you completed a risk assessment using a defined methodology?
  • Have you produced a Statement of Applicability that addresses every Annex A control?
  • Have you set measurable objectives and reviewed them with management?
  • Have you trained staff and run internal audits?
  • Have you actioned non-conformities and held a management review in the past 12 months?

That entire checklist comes from ISO 27001. ISO 27002 is rarely referenced by the auditor directly. The auditor will, however, expect that whatever Annex A control you say you have implemented actually works. If you claim to have a clean desk policy (control 7.7), they may ask to see the policy, see the awareness training that explains it, and see evidence that someone has been observed enforcing it. ISO 27002 is where you turn before the audit to learn what "implementing a clean desk policy" actually means in practice.

For a deeper look at the audit process, see our ISO 27001 internal audit guide.

Which one do you need first

The answer depends on what you are doing:

  • Pursuing certification: start with ISO 27001. You will need it to understand scope, leadership, planning, support, operation, performance evaluation, and improvement.
  • Implementing a single control: start with ISO 27002. Each control has 1 to 4 pages of implementation guidance you can apply directly.
  • Comparing against another framework: start with ISO 27002. Its control descriptions map cleanly to SOC 2, NIST CSF, and HIPAA control families.
  • Writing policies for the first time: use ISO 27002 as the source of truth for what your policy should cover, and use ISO 27001 to confirm the policy meets an Annex A reference control.

If you are building an ISMS from scratch and your budget covers only one purchase, buy ISO 27001 and use the free ISO/IEC 27001:2022 preview to understand the Annex A control structure, then look up specific control implementation guidance through your auditor, consultant, or a free secondary source.

The 4 themes of ISO 27002:2022 controls

The 2022 revision regrouped the 93 controls into four themes. Every control belongs to exactly one theme.

Organizational controls (37 controls). Information security policies, segregation of duties, contact with authorities, threat intelligence, project management, asset inventory, classification, access control policy, identity management, authentication, supplier security, ICT readiness for business continuity, intellectual property rights, privacy and PII protection.

People controls (8 controls). Screening, terms and conditions of employment, awareness education and training, disciplinary process, responsibilities after termination, confidentiality agreements, remote working, information security event reporting.

Physical controls (14 controls). Physical security perimeters, entry controls, securing offices, physical security monitoring, protecting against environmental threats, working in secure areas, clear desk and clear screen, equipment siting, security of off-site assets, storage media, supporting utilities, cabling security, equipment maintenance, secure disposal.

Technological controls (34 controls). User endpoint devices, privileged access, information access restriction, source code access, secure authentication, capacity management, malware protection, technical vulnerability management, configuration management, deletion of information, data masking, data leakage prevention, backup, redundancy, logging, monitoring, clock synchronization, use of privileged utility programs, installation of software, network controls, segregation of networks, web filtering, cryptography, secure development life cycle, application security requirements, secure system architecture, secure coding, security testing in development, outsourced development, segregation of development environments, change management, test information, protection of information systems during audit testing, cloud services use.

The new 2022 controls (highlighted by BSI in its 2022 transition guide) are: 5.7 threat intelligence, 5.23 cloud services use, 5.30 ICT readiness for business continuity, 7.4 physical security monitoring, 8.28 secure coding. If you certified on ISO 27001:2013, these are the five gaps to close before recertification.

How the relationship works during certification

The certification path is:

  1. Buy ISO 27001:2022. Read clauses 4 through 10 and Annex A.
  2. Buy or reference ISO 27002:2022. Use it as your implementation reference for each Annex A control.
  3. Run a gap assessment. Compare your current state against ISO 27001 clauses and Annex A controls.
  4. Build the ISMS. Write policies, define risk methodology, document procedures, train staff.
  5. Run an internal audit. Verify the ISMS works using your own auditors or a consultant.
  6. Engage an accredited certification body. Stage 1 audit (documentation review) followed by Stage 2 audit (operating effectiveness).
  7. Receive certification. Valid for three years with surveillance audits annually.

ISO 27002 is the silent partner throughout this process. You will not see it on the certificate. Auditors will not ask you to quote it. But every well-implemented control will be traceable to its corresponding ISO 27002 guidance.

For a sense of timeline and cost, see our ISO 27001 certification cost breakdown.

What about ISO 27003, 27004, and 27005?

The ISO/IEC 27000 family includes more than the famous pair:

  • ISO 27000:2018: vocabulary and definitions (free download).
  • ISO 27001:2022: ISMS requirements (certifiable).
  • ISO 27002:2022: information security controls guidance.
  • ISO 27003:2017: ISMS implementation guidance.
  • ISO 27004:2016: information security measurement and metrics.
  • ISO 27005:2022: information security risk management.
  • ISO 27006:2015: requirements for certification body auditors.
  • ISO 27017:2015: cloud-specific controls guidance.
  • ISO 27018:2019: protection of PII in public clouds.
  • ISO 27701:2019: privacy information management extension.

Of those, ISO 27001 and ISO 27002 are the only two that most teams need to read end to end. ISO 27005 is useful when you build your risk methodology, and ISO 27017 plus ISO 27018 are useful for cloud-heavy organizations.

Common confusions to avoid

  • Saying "ISO 27002 certified." Nobody is. Only ISO 27001 is certifiable.
  • Skipping ISO 27001 because ISO 27002 looks more useful. You cannot pass an audit by quoting ISO 27002. Auditors check ISO 27001 clauses.
  • Treating Annex A as a checklist. Annex A is a reference list. Controls can be excluded if your Statement of Applicability documents a valid reason.
  • Using ISO 27001:2013 instead of 2022 after the transition deadline. The deadline to migrate from 2013 to 2022 was 31 October 2025. If your organization is still on the 2013 standard, your certification is no longer valid as of November 2025.

Frequently asked questions

Is ISO 27002 mandatory for ISO 27001 certification?

No. ISO 27002 is a guidance document, not a requirement. Auditors check compliance against ISO 27001, not ISO 27002. However, every practitioner who actually implements the Annex A controls uses ISO 27002 (or an equivalent secondary source) because the implementation detail in ISO 27001 itself is too thin.

Can I buy just one of the two standards?

Yes. ISO 27001 is the must-buy if your goal is certification. ISO 27002 is the recommended buy if you are also implementing controls in-house. If you are working with a consultant or auditor, they typically have ISO 27002 and will reference it for you, so buying ISO 27001 alone is often enough.

How much do ISO 27001 and ISO 27002 cost?

ISO 27001:2022 costs approximately $170 USD from the ISO store; ISO 27002:2022 costs approximately $200 USD. Many national standards bodies (ANSI in the US, BSI in the UK, AFNOR in France) sell the same standards through their local stores at similar prices. Bulk purchase or corporate licensing discounts are available through ISO directly.

What changed in the 2022 revision?

The 2022 revision reduced the Annex A control count from 114 to 93 by merging duplicates, regrouped controls into four themes (Organizational, People, Physical, Technological), and added five new controls covering threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, and secure coding. The clause structure of ISO 27001 also tightened around modern ISMS expectations.

Does NIST CSF align with ISO 27002?

Yes, the mapping is well-documented. NIST published a crosswalk between ISO 27001/27002 Annex A controls and the NIST CSF 2.0 categories. Most US organizations that hold ISO 27001 certification also report NIST CSF maturity using that mapping. For a side-by-side comparison, see our NIST CSF vs ISO 27001 guide.

Should I get ISO 27002 if my consultant has it?

Usually no. If your consultant or auditor is doing the heavy implementation lift, they will quote ISO 27002 when relevant. Buy your own copy only if you want to read it cover to cover, train an internal team, or implement controls without consultant support.

Takeaway

ISO 27001 and ISO 27002 are not competitors. They are a matched pair. ISO 27001 is the certifiable standard your auditor checks against. ISO 27002 is the implementation manual your team reaches for when actually putting controls in place. Buy ISO 27001 first, use ISO 27002 alongside it for implementation depth, and remember that no certificate ever says "ISO 27002 certified" because no such certification exists. With the 2022 revision now mandatory and the 2013 transition deadline behind us, every organization pursuing or maintaining certification should be working from the 2022 versions of both documents.

For the full certification roadmap, start with our ISO 27001 certification guide and follow it through to the ISO 27001 Statement of Applicability template.

Security Compliance Guide Editorial Team
Author
Security Compliance Guide Editorial Team covers topics in this category and related fields. Views expressed are editorial and based on research and experience.