

ISO 27001 vs ISO 27002

ISO 27001 and ISO 27002 are companion standards that share the same 93 controls and do different jobs. ISO 27001 sets the auditable requirements for an information security management system — the standard you certify against. ISO 27002 explains how to implement each of those controls, in depth, with nothing to certify. Here is the full comparison.

There is no ISO 27002 certificate. Certification bodies audit and certify against ISO 27001 only. ISO 27002 contains guidance — no requirements, no “shall” statements — so there is nothing to certify against; “ISO 27002 certified” is always a misstatement.

93 controls shared by both standards
1 of the two is certifiable — ISO 27001
500+ audits delivered by TCSA

Plain-English comparison · 2022 editions · Last reviewed July 2026

ISO 27001 is the requirements standard — the auditable specification for an information security management system (ISMS) that your organization can certify against. ISO 27002 is its companion guidance standard — detailed implementation advice for the same 93 controls, with no requirements and no certificate. You certify to ISO 27001; you consult ISO 27002. The names invite confusion — consecutive numbers, identical subject, same ISO/IEC committee — but the division of labor is clean. ISO/IEC 27001:2022 is titled “Information security management systems — Requirements”: its Clauses 4–10 set out what a certifiable ISMS must do, written as auditable “shall” statements, and Annex A lists 93 reference controls in one line each. ISO/IEC 27002:2022 — “Information security, cybersecurity and privacy protection — Information security controls” — takes those same 93 controls and expands each one into a purpose statement, implementation guidance, and supporting information. One is the exam; the other is the textbook. If the ISMS concept itself is new to you, start with our explainer on what an ISMS is (listed under related reading at the end of this page); this page compares the two 2022 editions side by side and shows where each belongs in a certification project.

The Pair

What Each Standard Actually Is

Two documents, one control set. The quickest way to keep them straight: ISO 27001 tells you what an ISMS must do; ISO 27002 tells you how to implement the controls it references. Everything else about the relationship follows from that split. Most teams meet them in that order, too — a customer or regulator asks about ISO 27001 certification, and the people implementing it discover ISO 27002 the first time a one-line Annex A control raises more questions than it answers.

ISO/IEC 27001:2022 — the requirements standard

  • Full title: “Information security management systems — Requirements.” It is a specification: the clauses are written as “shall” statements an auditor can test your ISMS against.
  • Clauses 4–10 are mandatory — context, leadership, planning, support, operation, performance evaluation, and improvement. None of them can be excluded from scope.
  • Annex A lists 93 controls in one-line form as a reference set. You select against it and justify every inclusion and exclusion in the Statement of Applicability.
  • Certifiable: an accredited certification body audits the ISMS in a Stage 1 and Stage 2 audit and issues a certificate, maintained through surveillance audits on a three-year cycle.

ISO/IEC 27002:2022 — the guidance standard

  • Full title: “Information security, cybersecurity and privacy protection — Information security controls.” The 2022 edition retired the old “Code of practice” name.
  • Expands each of the same 93 controls into a purpose statement, detailed implementation guidance, and “other information” — the depth Annex A deliberately leaves out.
  • Tags every control with five attributes — control type, information security properties, cybersecurity concepts, operational capabilities, and security domains — so teams can filter and map the catalogue.
  • Not certifiable: it contains guidance rather than requirements — no “shall” statements, nothing to audit against, and no certificate.

A useful mental model: ISO 27001 is thin and legalistic because every sentence has to be auditable. ISO 27002 is thick and practical because none of it has to be. That is not a flaw in either document — it is the design, and it is older than the ISO numbering. Both standards descend from the British standard BS 7799: Part 1, a code of practice, became ISO/IEC 17799 in 2000 and was renumbered ISO/IEC 27002 in 2007, while Part 2, the certifiable specification, became ISO/IEC 27001 in 2005. The two have been revised in step ever since — most recently in the 2022 editions — with requirements and guidance kept in separate documents throughout. They were built as a pair, never as competitors or substitutes.

Side by Side

ISO 27001 vs ISO 27002 at a Glance

Five dimensions cover almost every question buyers, implementers, and auditors ask about the pair — and the same rows come up constantly in procurement questionnaires and audit planning.

Purpose
  • ISO/IEC 27001:2022: Defines the requirements a certifiable ISMS must meet — the standard your organization is audited against.
  • ISO/IEC 27002:2022: Provides detailed implementation guidance for information security controls — the reference you build from.

Structure
  • ISO/IEC 27001:2022: Mandatory Clauses 4–10 plus Annex A: 93 reference controls, each stated in a single line.
  • ISO/IEC 27002:2022: The same 93 controls in four themes, each expanded with a purpose, implementation guidance, other information, and five attributes.

Certifiable?
  • ISO/IEC 27001:2022: Yes — accredited certification bodies audit against it and issue ISO 27001 certificates.
  • ISO/IEC 27002:2022: No — it contains no requirements, so there is nothing to certify against.

Primary audience
  • ISO/IEC 27001:2022: Leadership and the ISMS owner — plus the auditors, customers, and regulators who ask for the certificate.
  • ISO/IEC 27002:2022: Implementers — security engineers, IT operations, and control owners deciding what “good” looks like.

How it’s used
  • ISO/IEC 27001:2022: Sets up the management system: scope, risk process, Statement of Applicability, internal audit, management review.
  • ISO/IEC 27002:2022: Consulted control by control during implementation — and read by auditors as the benchmark of good practice.

The certifiable/not-certifiable row does the most work in practice. When a customer questionnaire asks about “ISO 27002 compliance,” the substantive answer is an ISO 27001 certificate whose Statement of Applicability shows which of the 93 controls are in scope — because a certificate against 27002 alone cannot exist.

The audience row is the other one worth acting on. Hand ISO 27001 to whoever owns the management system — it defines the artifacts leadership will be asked to produce: scope statement, risk methodology, Statement of Applicability, internal-audit programme, management-review records. Hand ISO 27002 to the people who own controls — it reads like an engineering reference, because that is what it is. And when a contract names either standard, read closely which one: a commitment to “implement controls aligned with ISO 27002” is a design benchmark, while a commitment to “maintain ISO 27001 certification” is an auditable obligation with an annual external check attached.

Relationship

Same 93 Controls, Different Depth

The dependency runs from 27002 to 27001: Annex A is derived from ISO 27002’s control catalogue, not the other way around. That is why the 2022 refresh landed in two steps — ISO 27002:2022 was published first, in February 2022, restructuring the catalogue from 114 controls in 14 clauses down to 93 controls in four themes; ISO 27001:2022 followed in October 2022 with an Annex A aligned to the new set. Overlapping controls were merged, eleven were newly introduced — threat intelligence, cloud services security, data masking, and secure coding among them — and the numbering now runs identically in both documents, 5.1 through 8.34. For anyone maintaining a Statement of Applicability, the practical effect is that every SoA row maps one-to-one to a chapter of implementation guidance.

  • 37 Organizational — Controls 5.1–5.37
  • 8 People — Controls 6.1–6.8
  • 14 Physical — Controls 7.1–7.14
  • 34 Technological — Controls 8.1–8.34

The difference between the documents is altitude, not content. Annex A states control 8.24 (use of cryptography) in a single sentence; ISO 27002 expands the same control into guidance on cryptographic policy and key management. Multiply that by 93 and you have the practical relationship: Annex A is the checklist you justify decisions against in the Statement of Applicability, and ISO 27002 is the reference you open to implement each line of it. We walk through every control — theme by theme, in plain English — in our guide to the 93 Annex A controls.

The five attributes are ISO 27002’s quiet upgrade. Every control carries hashtag-style tags across five dimensions — control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains — and the standard explicitly allows organizations to add attributes of their own. In practice this is how mature teams slice the catalogue: filter by detective controls to review monitoring coverage, or use the cybersecurity concepts to cross-walk the control set against frameworks that share the identify-through-recover vocabulary. Annex A carries none of this metadata — one more reason the two documents are read together rather than interchangeably.

In Practice

How to Use Them Together

A certification project uses both standards in a fixed sequence, and the order matters more than teams expect: controls are chosen because a risk assessment demanded them. Organizations that start by implementing the ISO 27002 catalogue front to back end up with shelfware controls and a Statement of Applicability written backwards to justify them.

  1. Run the risk assessment. ISO 27001 Clause 6.1.2 requires a documented process to identify, analyse, and evaluate information security risks — the engine that drives every control decision that follows.
  2. Select controls to treat the risks. Under Clause 6.1.3 you determine the controls your risk treatment needs — from any source — then compare them against Annex A to verify nothing necessary has been overlooked.
  3. Record decisions in the Statement of Applicability. The SoA covers all 93 Annex A controls with a justification for each inclusion and exclusion. Our free SoA builder generates a working draft from the 2022 control set.
  4. Implement using ISO 27002. For each selected control, the corresponding 27002 entry — purpose, implementation guidance, other information — is the natural starting specification for your policy, procedure, or technical configuration.
  5. Certify against ISO 27001. An accredited certification body audits the ISMS — clauses, risk process, SoA, and control operation — and issues the certificate. ISO 27002 never appears on it.
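The two mechanical parts of this workflow, slicing the catalogue by the ISO 27002 attributes described earlier and checking a risk-driven control selection against Annex A before the Statement of Applicability is written (steps 2 and 3 above), are small enough to script. The following is an added example, not code from the page, from TCSA, or from the SoA builder it mentions. The catalogue is a constructed seven-control subset of the 93; the attribute tags on each entry are illustrative and should be checked against your own copy of ISO 27002:2022, and the risk references, the custom control `CUST-1`, and the justification text are all made up for the example.

```python
"""Catalogue filtering and SoA gap checking for an ISO 27001 project.

Added example: the catalogue is a constructed subset of the 93 controls and
the attribute tags are illustrative, not copied from the standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    ref: str                  # Annex A / ISO 27002 number, e.g. "8.24"
    name: str
    control_type: frozenset   # ISO 27002 attribute: Preventive / Detective / Corrective
    concepts: frozenset       # ISO 27002 attribute: Identify / Protect / Detect / Respond / Recover


@dataclass(frozen=True)
class SoaRow:
    ref: str
    name: str
    applicable: bool
    justification: str        # every row needs one, included or excluded


# Constructed subset of the catalogue (illustrative tags; verify against ISO 27002:2022).
CATALOGUE = [
    Control("5.7", "Threat intelligence",
            frozenset({"Preventive", "Detective", "Corrective"}), frozenset({"Identify", "Detect", "Respond"})),
    Control("5.23", "Information security for use of cloud services",
            frozenset({"Preventive"}), frozenset({"Protect"})),
    Control("8.11", "Data masking", frozenset({"Preventive"}), frozenset({"Protect"})),
    Control("8.15", "Logging", frozenset({"Detective"}), frozenset({"Detect"})),
    Control("8.16", "Monitoring activities",
            frozenset({"Detective", "Corrective"}), frozenset({"Detect", "Respond"})),
    Control("8.24", "Use of cryptography", frozenset({"Preventive"}), frozenset({"Protect"})),
    Control("8.28", "Secure coding", frozenset({"Preventive"}), frozenset({"Protect"})),
]

# Constructed output of the risk treatment (Clause 6.1.3): control ref -> why it is needed.
# "CUST-1" stands for a control taken from another source, which the clause allows.
INCLUSIONS = {
    "8.24": "Risk R-07: lost laptops expose customer records; disk encryption and key management",
    "8.15": "Risk R-12: no audit trail for privileged access to production",
    "8.28": "Risk R-03: in-house web application handles payment data",
    "CUST-1": "Risk R-09: contractual secure-SDLC control required by a customer (not in Annex A)",
}
# Constructed exclusions with their documented justification.
EXCLUSIONS = {"5.23": "No cloud services are within the ISMS scope"}


def filter_by_attribute(catalogue, control_type=None, concept=None):
    """Slice the catalogue the way ISO 27002's attributes allow, e.g. all Detective controls."""
    return [c for c in catalogue
            if (control_type is None or control_type in c.control_type)
            and (concept is None or concept in c.concepts)]


def build_soa(catalogue, inclusions, exclusions):
    """One SoA row per catalogue control; exclusions without a recorded reason stay blank."""
    rows = []
    for c in catalogue:
        if c.ref in inclusions:
            rows.append(SoaRow(c.ref, c.name, True, inclusions[c.ref]))
        else:
            rows.append(SoaRow(c.ref, c.name, False, exclusions.get(c.ref, "")))
    return rows


def unjustified_rows(rows):
    """Rows the auditor will query: no justification for inclusion or exclusion."""
    return [r.ref for r in rows if not r.justification.strip()]


def other_source_controls(catalogue, inclusions):
    """Selected controls that are not Annex A controls (custom or from another framework)."""
    refs = {c.ref for c in catalogue}
    return sorted(ref for ref in inclusions if ref not in refs)


def detective_gaps(catalogue, inclusions):
    """Monitoring-coverage review: Detective controls the treatment plan did not select."""
    return [c.ref for c in filter_by_attribute(catalogue, control_type="Detective")
            if c.ref not in inclusions]


if __name__ == "__main__":
    rows = build_soa(CATALOGUE, INCLUSIONS, EXCLUSIONS)
    for r in rows:
        status = "included" if r.applicable else "excluded"
        print(f"{r.ref:<6}{r.name:<48}{status:<10}{r.justification or '<< MISSING >>'}")
    print("needs justification:", unjustified_rows(rows))
    print("from other sources :", other_source_controls(CATALOGUE, INCLUSIONS))
    print("detective gaps     :", detective_gaps(CATALOGUE, INCLUSIONS))
```

Running it prints a draft SoA and three review lists. The blank-justification check is the one that catches the backwards-written SoA the paragraph above warns about: a control with no risk behind it and no recorded reason for excluding it is exactly what Stage 1 will ask about. Swap the constructed catalogue for the full 93 entries and the treatment-plan dictionaries for your risk register export and the same three functions apply unchanged.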

The certification audit then tests both halves of the sequence. Stage 1 is largely a documentation review — scope, risk methodology, the Statement of Applicability, and the mandatory clause artifacts. Stage 2 examines whether the ISMS and the selected controls actually operate: evidence, records, interviews, and observation. Nowhere in either stage is ISO 27002 the audit criterion — yet a control implemented from its guidance walks into Stage 2 with far less to prove.

This is also where the most common confusion resolves itself. Certification auditors audit against ISO 27001 — it is the only standard on the audit plan — but when they examine how a control operates, they expect an implementation consistent with recognized good practice, and ISO 27002 is the most direct written expression of what good practice means for each control. An organization that ignores 27002 is not non-compliant by definition; it has simply chosen to argue “suitably designed” from scratch instead of building on the answer key. The same logic protects you on the buying side: a supplier claiming “ISO 27002 alignment” without an ISO 27001 certificate is describing an uncertified control implementation — possibly a good one, but one that no independent auditor has examined.

One line on the wider 27000 family, since the numbering rarely stops confusing people at 27002: ISO/IEC 27000 defines the shared vocabulary (and is freely available), ISO/IEC 27005 provides guidance on information security risk management, and ISO/IEC 27701 extends the ISMS into privacy information management. All of them orbit ISO 27001 — the requirements standard at the centre of the family.

If you are heading toward certification, this pairing is the whole project in miniature: ISO 27001 supplies the management-system spine and the audit; ISO 27002 supplies the depth behind each control. Tranquility Cybersecurity (TCSA) has delivered 500+ audits and readiness engagements across both halves of that split — scoping and risk assessment, Statement of Applicability drafting, 27002-aligned control implementation, and coordination of the certification audit with accredited certification bodies. The certificate itself always comes from the certification body — an advisor who offers to “issue” one is selling something else. Start with our ISO 27001 services overview.

ISO 27001 vs ISO 27002 — Common Questions

Certification, control parity, the 2022 changes, and which documents you actually need.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the requirements standard: it specifies what a certifiable information security management system must do — mandatory Clauses 4–10 plus the 93-control Annex A reference set — and accredited certification bodies audit against it. ISO 27002 is the companion guidance standard: it expands each of the same 93 controls into implementation advice, with no requirements and no certificate. In short, ISO 27001 defines the destination; ISO 27002 describes, control by control, a well-trodden way to get there.

Can you get certified to ISO 27002?

No. ISO 27002 contains guidance rather than requirements — there are no “shall” statements to audit against — so no certification scheme exists for it. Certification in this pair is available only against ISO 27001. A vendor claiming to be “ISO 27002 certified” is either describing an ISO 27001 certificate loosely or misrepresenting; ask for the ISO 27001 certificate, the accredited certification body that issued it, and the scope statement instead.

Do I need to buy both standards?

If you are certifying, you need ISO 27001 — it is the specification your ISMS will be audited against, and you cannot implement to a paraphrase of it. ISO 27002 is technically optional but strongly recommended: Annex A gives you each control in one line, while ISO 27002 turns that line into implementation guidance your control owners can act on. Most implementation teams work with both open. Both are purchased from ISO or from national standards bodies.

Are the controls in ISO 27001 and ISO 27002 the same?

Yes. Annex A of ISO 27001:2022 is derived from ISO 27002:2022 — the same 93 controls, the same four themes (Organizational, People, Physical, and Technological), and the same numbering, 5.1 through 8.34. The difference is depth: Annex A states each control in a sentence, as a reference list for the Statement of Applicability, while ISO 27002 expands each one with a purpose statement, implementation guidance, other information, and five classification attributes.

What changed in the 2022 editions?

ISO 27002:2022, published in February 2022, was renamed from “Code of practice for information security controls” to “Information security, cybersecurity and privacy protection — Information security controls,” restructured 114 controls in 14 clauses into 93 controls in four themes — merging overlapping controls and adding new ones such as threat intelligence, cloud services security, data masking, and secure coding — and introduced the five-attribute tagging system. ISO 27001:2022, published in October 2022, aligned Annex A to the new catalogue and made modest clause-level edits. The transition window for certificates issued against the 2013 edition closed on 31 October 2025.

Where do the 93 controls come from?

From ISO 27002. The ISO/IEC committee that maintains the 27000 family develops and revises the control catalogue in ISO 27002; ISO 27001’s Annex A then reproduces it in summary form as the reference set for the Statement of Applicability. That is why ISO 27002 was revised first in 2022 and ISO 27001 followed months later. Neither standard requires you to implement all 93 — you select controls based on your risk assessment and justify any exclusions in the SoA.

Related reading: the ISO 27001 knowledge hub, the 93 Annex A controls explained, Clauses 4–10, ISO 27001 requirements, what an ISMS is, and ISO 27701 for privacy. More terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Last reviewed: July 2026. Content verified by certified lead auditors.
