Comparison of ISO 27001 vs ISO 27002: Similarities and Differences

During the implementation of an Information Security Management System, many organizations face the question of whether to adopt ISO/IEC 27001 or ISO/IEC 27002. These two standards share many similarities, as both focus on protecting information and outline necessary security controls for organizations. However, behind these similarities lie important differences in roles, scope, and application, giving each standard a distinct position within the information security management framework. So, how do ISO/IEC 27001 and ISO/IEC 27002 differ, and how should they be used appropriately? In this article, SQC Certification explores these two standards in detail.


Concepts of ISO 27001 and ISO 27002

  • ISO/IEC 27001 Standard

ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, operating, monitoring, maintaining, and continually improving an Information Security Management System (ISMS).

This standard helps organizations:

  • Identify and assess information security risks
  • Select and implement appropriate control measures
  • Protect information based on three core principles:
    • Confidentiality
    • Integrity
    • Availability

  • ISO/IEC 27002 Standard

ISO/IEC 27002 is a guidance standard that provides a Code of Practice for information security controls.

This standard focuses on:

  • Providing detailed descriptions of control objectives, content, and effective implementation methods
  • Supporting organizations in selecting, implementing, and managing controls aligned with identified risks

ISO/IEC 27002 is commonly used as a technical reference when building an ISMS in accordance with ISO/IEC 27001.

Similarities Between ISO/IEC 27001 and ISO/IEC 27002

Key similarities between ISO/IEC 27001 and ISO/IEC 27002 include:

1. Both Belong to the ISO/IEC 27000 Family

Both ISO/IEC 27001 and ISO/IEC 27002 are part of the ISO/IEC 27000 series, which focuses on establishing and improving information security management within organizations. Because they are jointly developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), they ensure consistency, compatibility, and global recognition.

2. Shared Objective of Protecting Information Security

Both ISO/IEC 27001 and ISO/IEC 27002 aim to protect an organization’s information assets and minimize risks of data loss, breaches, or disruption. They are built around the three core principles of information security: Confidentiality, Integrity, and Availability (CIA).

3. Both Address Information Security Controls

Both standards refer to information security controls and support organizations in selecting and implementing controls appropriate to identified risks. ISO/IEC 27001 requires organizations to identify and select controls. ISO/IEC 27002 provides detailed guidance on how to implement those controls.

4. Risk-Based Approach

Both standards adopt a risk-based approach, including:

  • Identifying threats and vulnerabilities
  • Assessing information security risks
  • Applying appropriate controls to reduce risks to acceptable levels

5. Applicable to All Types of Organizations

ISO/IEC 27001 and ISO/IEC 27002:

  • Are not limited by size or industry
  • Are suitable for enterprises, public organizations, finance, technology, manufacturing, services, education, etc.
  • Can be flexibly applied depending on organizational context and risk levels

6. Complementary in ISMS Implementation

The two standards are designed to complement each other in building an ISMS: ISO/IEC 27001 acts as the framework of requirements, while ISO/IEC 27002 serves as the implementation guideline.

Differences Between ISO/IEC 27001 and ISO/IEC 27002

In addition to the similarities above, ISO 27001 and ISO 27002 have fundamental differences that you should consider:

Comparison of ISO/IEC 27001:2022 and ISO/IEC 27002:2022 by criterion:

Main Purpose
  • ISO/IEC 27001:2022: Specifies requirements for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). It serves as a framework for managing information security risks.
  • ISO/IEC 27002:2022: Provides detailed guidance for implementing information security controls. It explains the “how-to” for the controls in Annex A of ISO 27001.

Certifiable?
  • ISO/IEC 27001:2022: Yes. Organizations can achieve ISO 27001 certification through independent audits. It is the only certifiable standard within the ISO 27000 family.
  • ISO/IEC 27002:2022: No. It serves only as guidance and is not certifiable.

Structure
  • ISO/IEC 27001:2022: Main clauses (Clauses 4–10) define the ISMS requirements (scope, risk assessment, policies, internal audits, etc.). Annex A lists 93 reference controls (not detailed).
  • ISO/IEC 27002:2022: Focuses entirely on 93 controls, categorized into 4 groups: Organizational, People, Physical, and Technological. Each control includes objectives, detailed implementation guidance, and examples.

Number of Controls
  • ISO/IEC 27001:2022: 93 controls in Annex A (updated version)
  • ISO/IEC 27002:2022: 93 detailed controls (reduced from 114 in the 2013 version due to consolidation and updates)

Relationship
  • ISO/IEC 27001:2022: Core standard requiring the use of controls (referencing ISO 27002)
  • ISO/IEC 27002:2022: Supporting standard that expands Annex A with practical guidance

Benefits
  • ISO/IEC 27001:2022: Demonstrates an effective ISMS, enhances credibility, supports legal compliance
  • ISO/IEC 27002:2022: Helps implement controls effectively, especially in risk assessment and selecting appropriate measures

Which ISO standard should your organization adopt and when?

It can be seen that ISO/IEC 27001 serves as the core foundation for organizations to build an Information Security Management System (ISMS). ISO 27001 establishes policies, defines responsibilities, sets up the management structure, and prepares the organization for audits and certification. Meanwhile, ISO/IEC 27002 helps organizations dive deeper into each control, clarifying how to implement and operate the selected controls within the ISMS.

For organizations that are just starting out, ISO/IEC 27001 should be implemented first when building an ISMS. ISO/IEC 27002 then becomes an effective guidance tool for putting those controls into practice.

In essence, ISO/IEC 27001 and ISO/IEC 27002 are like two inseparable pieces: one defines the structure of information security management, while the other provides detailed guidance to ensure security controls are implemented correctly and effectively. Combining both not only helps meet compliance requirements but also builds a robust and sustainable data protection system.

Conclusion

Adopting both ISO/IEC 27001 and ISO/IEC 27002 is not about choosing one over the other—they strongly complement each other in information security management. While ISO/IEC 27001 acts as the management framework that enables organizations to build, operate, and certify an ISMS, ISO/IEC 27002 provides detailed guidance on controls, supporting effective implementation of those requirements. When applied together, these standards help organizations achieve compliance while strengthening their long-term information security capabilities.