ISO 27001 vs ISO 27002: Certifiable Standard vs Implementation Guide
TL;DR
- ISO 27001 is certifiable. ISO 27002 is not. Auditors check your ISMS against ISO 27001 clauses and Annex A. No certificate exists for ISO 27002.
- ISO 27001 tells you what to do. Its 93 Annex A controls set the requirements your ISMS must meet or formally exclude.
- ISO 27002 tells you how to do it. The same 93 controls are expanded into 150+ pages of implementation guidance, examples, and considerations.
- Buy ISO 27001 first. If you are pursuing certification, ISO 27001 is the only document your auditor will check compliance against.
- Use both together. ISO 27001 sets the bar; ISO 27002 shows you how to clear it. Most practitioners keep both open during implementation.
Who this is for

This article is for compliance leads, security engineers, and IT managers who are starting an ISO 27001 certification program or maintaining an existing one. It is also for auditors and consultants who need a plain-language explanation of the two standards to share with clients.
What is ISO 27001?
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). Published by the International Organization for Standardization, it is the document that organizations certify against. The current version is ISO/IEC 27001:2022, published in October 2022.
ISO 27001 has two structural components:
Clauses 4 through 10 define how to build and operate an ISMS. They cover: context of the organization, leadership commitment, planning and risk assessment, support (resources, competence, awareness), operation, performance evaluation, and improvement. Every clause is mandatory. An auditor will check all of them.
Annex A lists 93 reference controls in short form, organized into four themes. These controls are not all mandatory; organizations choose which apply based on their risk assessment. Any control excluded must be justified in the Statement of Applicability.
Passing an ISO 27001 certification audit means demonstrating that the ISMS is operating across clauses 4 through 10, that the Statement of Applicability addresses every Annex A control, and that the controls you claim to have implemented actually work.
For a complete walkthrough of the certification pathway, see our ISO 27001 certification guide.
What is ISO 27002?
ISO/IEC 27002:2022 is the companion standard. It is a code of practice for information security controls. The current version was published on 15 February 2022, ahead of the ISO 27001:2022 update that aligned with it.
While ISO 27001 describes each of its 93 Annex A controls in roughly two or three lines, ISO/IEC 27002:2022 expands those same 93 controls into roughly 150 pages of implementation guidance, attribute tables, examples, and practical considerations. The 2022 edition also broadened the standard's scope beyond information security to include cybersecurity and privacy protection.
ISO 27002 is not certifiable. No accreditation body issues an "ISO 27002 certification." Its role is as a reference manual: when you are implementing a control that ISO 27001 Annex A requires, ISO 27002 shows you what that implementation should actually contain.
The core difference

The relationship between the two standards is the relationship between a contract and an instruction manual. ISO 27001 defines the obligations. ISO 27002 explains how to fulfill them.
| Dimension | ISO 27001 | ISO 27002 |
|---|---|---|
| Full name | ISO/IEC 27001:2022 — Information security management systems — Requirements | ISO/IEC 27002:2022 — Information security controls |
| Purpose | Specifies requirements for an ISMS | Provides implementation guidance for security controls |
| Certifiable | Yes (by an accredited certification body) | No |
| What it tells you | WHAT must be in place | HOW to put it in place |
| Approximate length | ~40 pages | ~150 pages |
| Annex A / control set | 93 controls in short form | Same 93 controls explained in full |
| Audit role | Auditor checks compliance against this | Auditor may reference for context only |
| Price | See ISO store (CHF pricing applies) | See ISO store (CHF pricing applies) |
If you can only buy one, buy ISO 27001. If you are doing the implementation work yourself rather than relying on a consultant, ISO 27002 will save you significant guesswork on each control.
Why the two documents exist separately
When ISO published the precursor standards — ISO 17799 (later renumbered 27002) and ISO 27001 — the split was deliberate.
A certifiable standard has to be lean. Auditors across dozens of accreditation bodies in different countries must be able to check the same document against the same criteria and reach consistent conclusions. A 150-page document filled with "consider the following..." implementation suggestions would have made certification inconsistent: some auditors would have treated the suggestions as mandatory; others would have ignored them entirely.
A guidance document, by contrast, has to be detailed. Practitioners need enough specificity to actually implement controls without hiring a consultant for every clause. Collapsing all that implementation detail into the certifiable standard would have ballooned the audit scope and made certification impractical for smaller organizations.
The 2022 revision aligned the two documents tightly. ISO 27001:2022 Annex A is now a one-to-one mirror of the ISO 27002:2022 control set. Before 2022, the mapping between the two had gaps; those gaps are now closed.
What the 2022 revision changed
The 2022 revision made three structural changes worth understanding before you start an implementation:
1. Control consolidation. The control count dropped from 114 (in the 2013 edition) to 93. The reduction came from merging overlapping controls, not from removing requirements. If you are migrating from a 2013-based ISMS, your existing controls likely cover the merged set already.
2. New grouping. The 2013 edition organized controls into 14 domains (A.5 through A.18). The 2022 edition replaces those domains with four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). The structure is cleaner and maps better to how security teams are actually organized.
3. New controls. Five controls appear in 2022 that had no direct equivalent in 2013. These are the gaps that organizations certified on the 2013 standard needed to close before the transition deadline:
| Control | Topic |
|---|---|
| 5.7 | Threat intelligence |
| 5.23 | Information security for use of cloud services |
| 5.30 | ICT readiness for business continuity |
| 7.4 | Physical security monitoring |
| 8.28 | Secure coding |
The transition deadline was 31 October 2025. Organizations that had not migrated to ISO 27001:2022 by that date no longer hold a certificate that is valid under the 2022 standard.
The four themes of ISO 27002:2022

Every one of the 93 controls belongs to exactly one of these four themes.
Organizational controls (37 controls) cover governance, policy, and management-level processes: information security policies, segregation of duties, contact with authorities, threat intelligence, project management security, asset inventory and classification, access control policy, identity and access management, supplier security, ICT readiness for business continuity, intellectual property, and privacy and PII protection.
People controls (8 controls) cover the human side of security: pre-employment screening, employment terms and conditions, security awareness education and training, disciplinary process, responsibilities on termination, confidentiality or non-disclosure agreements, remote working, and information security event reporting.
Physical controls (14 controls) cover facility and hardware security: physical security perimeters, entry controls, securing offices, rooms and facilities, physical security monitoring, protecting against physical and environmental threats, working in secure areas, clear desk and clear screen policy, equipment siting and protection, off-site asset security, storage media, supporting utilities, cabling security, equipment maintenance, and secure disposal or re-use.
Technological controls (34 controls) cover technical implementation: user endpoint devices, privileged access rights, information access restriction, source code access, secure authentication, capacity management, malware protection, technical vulnerability management, configuration management, deletion of information, data masking, data leakage prevention, backup, redundancy, logging, monitoring, clock synchronization, use of privileged utility programs, software installation on operational systems, network controls, network segregation, web filtering, cryptography, secure development life cycle, application security requirements, secure system architecture and engineering principles, secure coding, security testing in development, outsourced development, separation of development environments, change management, test information, and information systems audit protection.
How auditors use ISO 27001 and ISO 27002
In a certification audit, the auditor's reference document is ISO 27001. They work through clauses 4 through 10 and then check the Statement of Applicability against Annex A. A standard Stage 2 audit includes questions like:
- Is the ISMS scope documented and approved by leadership?
- Does the organization have a documented risk assessment methodology?
- Does the Statement of Applicability address every Annex A control, with documented justification for any exclusions?
- Are objectives documented and tracked? Have they been reviewed?
- Has the organization completed an internal audit of the ISMS?
- Has management reviewed the ISMS at planned intervals and documented the outcomes?
- Have identified non-conformities been corrected?
None of those questions cites ISO 27002. ISO 27002 does not appear in the audit checklist.
Where ISO 27002 matters is in the evidence. If your Statement of Applicability says you have implemented control 5.15 (access control), the auditor will ask to see how access control actually works in your environment. They are not checking your implementation against ISO 27002, but if your implementation was built without ISO 27002 as a reference, it is likely to be thin. ISO 27002 tells you that an access control policy should cover topics like access provisioning, access review cycles, privileged access separation, and segregation of duties. Implementations that cover those specifics hold up better under scrutiny than implementations that just say "we manage access."
For a closer look at what auditors actually examine, see our ISO 27001 internal audit guide.
Which document do you need first?
The right starting point depends on what you are doing:
- Building toward certification: start with ISO 27001. Clauses 4 through 10 define what your ISMS must contain. Annex A defines the control set your Statement of Applicability must address. You cannot pass a certification audit without it.
- Implementing a specific control: start with ISO 27002. Each control entry includes purpose, attribute tags, implementation guidance, and considerations for different organizational contexts. You will apply ISO 27002 during the build phase, not the audit phase.
- Mapping your controls to another framework (SOC 2, NIST CSF, HIPAA): start with ISO 27002. Its full control descriptions map cleanly to other frameworks' control families. ISO 27001 Annex A is too abbreviated for a useful crosswalk.
- Writing policies from scratch: use ISO 27002 to determine what topics your policy needs to cover, then check ISO 27001 Annex A to confirm the policy satisfies the corresponding reference control.
If budget is a constraint and you are working with a consultant or auditor who already has ISO 27002, buying ISO 27001 alone is often sufficient. Your consultant will reference ISO 27002 when relevant.
How certification actually works
The seven-step certification path:
1. Buy ISO 27001:2022. Read clauses 4 through 10 and Annex A end to end before doing anything else.
2. Reference ISO 27002:2022. Use it as your implementation guide for each applicable Annex A control.
3. Run a gap assessment. Compare your current state against ISO 27001 clauses and each Annex A control.
4. Build the ISMS. Document scope, risk methodology, policies, procedures, and staff training.
5. Run an internal audit. Verify the ISMS is operating as described before engaging an external body.
6. Engage an accredited certification body. Stage 1 (documentation review) followed by Stage 2 (operating effectiveness audit, typically on-site).
7. Receive certification. Valid for three years with annual surveillance audits.
ISO 27002 does not appear on your certificate. It will not be cited in the audit report. But every well-implemented control in your ISMS should be traceable to ISO 27002 guidance.
For cost and timeline planning, see our ISO 27001 certification cost breakdown.
The rest of the ISO 27000 family
ISO 27001 and ISO 27002 are the two documents most organizations need. The broader family includes:
| Standard | What it covers |
|---|---|
| ISO 27000:2018 | Vocabulary and definitions — free download from ISO |
| ISO 27001:2022 | ISMS requirements — certifiable |
| ISO 27002:2022 | Information security controls guidance |
| ISO 27003:2017 | ISMS implementation guidance |
| ISO 27004:2016 | Information security measurement and metrics |
| ISO 27005:2022 | Information security risk management |
| ISO 27006:2015 | Requirements for certification body auditors |
| ISO 27017:2015 | Cloud-specific controls guidance |
| ISO 27018:2019 | Protection of PII in public clouds |
| ISO 27701:2019 | Privacy information management extension |
ISO 27005 is worth reading when you build your risk methodology. ISO 27017 and ISO 27018 are worth buying for cloud-heavy organizations that need to extend their ISMS to cover cloud service provider relationships.
Common mistakes to avoid
Claiming ISO 27002 certification. No such certificate exists. If a vendor tells you they are "ISO 27002 certified," that is either a miscommunication or a misrepresentation.
Skipping ISO 27001 because ISO 27002 looks more practical. You cannot pass a certification audit by referencing ISO 27002. The auditor checks ISO 27001.
Treating Annex A as a mandatory checklist. Every Annex A control can be excluded if your risk assessment justifies it and your Statement of Applicability documents the reasoning. Some small organizations legitimately exclude physical security controls because they have no on-premises infrastructure.
Running the 2013 version of ISO 27001 past October 2025. The 2013-to-2022 transition deadline set by IAF was 31 October 2025. If your organization's current certificate was issued under ISO/IEC 27001:2013, it should have been re-issued under the 2022 standard before that date. Check with your certification body if there is any ambiguity about the version your current certificate references.
Conflating ISO 27001 with SOC 2. ISO 27001 is a certification issued by an accredited certification body. SOC 2 is an attestation report issued by a licensed CPA firm under AICPA standards. They are structurally different: one produces a certificate, the other produces an audit report. They are not interchangeable even where their control sets overlap.
Frequently asked questions
Is ISO 27002 mandatory for ISO 27001 certification?
No. ISO 27002 is a guidance document, not a requirement. Auditors check compliance against ISO 27001 clauses and Annex A, not ISO 27002 sections. That said, most practitioners who implement controls in-house use ISO 27002 because ISO 27001's Annex A provides too little detail to build a working control from scratch.
Can I buy just one of the two standards?
Yes. ISO 27001 is the necessary purchase if your goal is certification. Buy ISO 27002 separately if you are doing the implementation work in-house. If a consultant or auditor is managing the implementation for you, they will typically reference ISO 27002 on your behalf and you may not need your own copy.
How much do ISO 27001 and ISO 27002 cost?
Both standards are sold through the ISO store at CHF-denominated prices. National standards bodies — ANSI in the US, BSI in the UK, AFNOR in France, DIN in Germany — sell the same documents in local currency at equivalent prices. Corporate licensing and multi-user packages are available directly through ISO.
What changed in the 2022 revision?
Control count dropped from 114 to 93 through merging. Controls were regrouped from 14 domains into four themes (Organizational, People, Physical, Technological). Five net-new controls were added: threat intelligence (5.7), cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), and secure coding (8.28). The main clauses of ISO 27001 also received tighter language around clause 6.1.3 (information security risk treatment options) and clause 6.2 (information security objectives).
Does NIST CSF align with ISO 27002?
Yes, the overlap is well-documented. NIST publishes informative references mapping CSF 2.0 subcategories to various standards including ISO/IEC 27001:2022 controls. Most US organizations that hold ISO 27001 certification also use the NIST CSF mapping to report framework maturity internally. For a full side-by-side, see our NIST CSF vs ISO 27001 guide.
Should I get ISO 27002 if my consultant already has it?
Usually no. If your consultant is doing the implementation work, they will quote the relevant ISO 27002 guidance when it matters. Buy your own copy if you are building the ISMS without outside help, want to train an internal security team, or plan to run future internal audits without a consultant.
What is the Statement of Applicability?
The Statement of Applicability (SoA) is the document that lists all 93 Annex A controls, states whether each one is implemented or excluded, and provides justification for any exclusion. It is one of the first documents an auditor asks for. ISO 27002 is useful when writing the SoA because it gives you enough context about each control to write a meaningful justification rather than a one-line placeholder.
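The structural checks an auditor applies to the SoA (every Annex A control addressed, every exclusion justified) and the 2022 theme counts given earlier can be turned into a pre-audit self-check. The script below is an added example, not code from this article or from ISO; it assumes the contiguous 2022 control numbering (5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34), which matches the per-theme counts above, and the sample SoA it validates is constructed for illustration.

```python
"""Statement of Applicability (SoA) coverage checker for ISO/IEC 27001:2022.

Added example, not code from the article or from ISO. It runs the checks an
auditor applies to an SoA before looking at evidence: every one of the 93
Annex A controls addressed, every exclusion justified, no identifiers left
over from the 2013 numbering. The 2022 numbering assumed here (5.1-5.37,
6.1-6.8, 7.1-7.14, 8.1-8.34) matches the four themes and per-theme counts
the article gives; the sample SoA at the bottom is constructed.
"""

# Theme -> (Annex A section, number of controls in that theme).
THEMES = {"Organizational": (5, 37), "People": (6, 8),
          "Physical": (7, 14), "Technological": (8, 34)}

# Control id -> theme, for all 93 controls.
ANNEX_A = {f"{sec}.{n}": theme
           for theme, (sec, count) in THEMES.items()
           for n in range(1, count + 1)}

# Controls the article lists as new in 2022 (no 2013 equivalent).
NEW_IN_2022 = {"5.7", "5.23", "5.30", "7.4", "8.28"}


def _order(cid):
    sec, num = cid.split(".")
    return int(sec), int(num)


def check_soa(rows):
    """Validate SoA rows of the form {"control": "5.15", "applicable": bool,
    "justification": str (required if excluded), "evidence": str}.
    Returns the findings; "complete" is True only if nothing blocks an audit."""
    seen, f = set(), {"unknown": [], "unjustified": [], "no_evidence": []}
    for row in rows:
        cid = row["control"]
        if cid not in ANNEX_A:                 # e.g. 2013-style "A.9.2.3"
            f["unknown"].append(cid)
            continue
        seen.add(cid)
        if row["applicable"]:
            if not row.get("evidence", "").strip():
                f["no_evidence"].append(cid)   # implemented but nothing to show
        elif not row.get("justification", "").strip():
            f["unjustified"].append(cid)       # excluded without a reason
    f["missing"] = sorted(set(ANNEX_A) - seen, key=_order)
    # Typical migration gap: 2022-only controls absent from a 2013-based ISMS.
    f["missing_new_in_2022"] = [c for c in f["missing"] if c in NEW_IN_2022]
    f["complete"] = not (f["missing"] or f["unknown"] or f["unjustified"])
    return f


def sample_soa():
    """Constructed SoA for a 2013-based ISMS part way through migration."""
    rows = [{"control": c, "applicable": True, "evidence": "Access policy v3"}
            for c in ANNEX_A if c not in NEW_IN_2022 and c != "7.1"]
    rows.append({"control": "7.1", "applicable": False, "justification": ""})
    rows.append({"control": "A.9.2.3", "applicable": True, "evidence": "x"})
    return rows
```

Run against the constructed SoA, the checker reports the five 2022-only controls as missing, the unjustified exclusion of 7.1, and the leftover 2013-style identifier; an SoA that addresses all 93 controls with justified exclusions comes back complete.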
Where to go next
ISO 27001 is the certifiable standard your auditor checks against. ISO 27002 is the implementation manual your team uses when actually building controls. They are a matched pair, not alternatives. Buy ISO 27001 first, use ISO 27002 alongside it during implementation, and remember that no certificate ever says "ISO 27002 certified" because no such certification exists.
With the 2022 revision now mandatory and the October 2025 transition deadline behind us, every organization pursuing or maintaining certification should be working from the 2022 versions of both documents.
For the full certification roadmap, start with our ISO 27001 certification guide and follow through to the ISO 27001 Statement of Applicability template.
Sources used
- International Organization for Standardization — accessed 2026-05-12
- ISO/IEC 27002:2022 — accessed 2026-05-12
- 2022 revision — accessed 2026-05-12
- ISO store — accessed 2026-05-12
Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
