What is the difference between ISO 27001 and 27002

he primary difference between ISO 27001 and ISO 27002 is that ISO 27002 is intended to be used as a guide for selecting security controls when establishing an ISO 27001-based Information Security Management System (ISMS). Organisations can acquire ISO 27001 certification, but not ISO 27002.

For example, if an organisation has an ISMS in place that fulfils the ISO 27001 certification requirements, it may have adopted ISO 27001 certification. The company may want to take a more proactive approach to adopting ISO 27002-compliant computer security measures.

The ISO 27002 standard and its related guidance notes were written with ISO 27001 certification schemes in mind. As a result, while ISO 27002 is deemed part of ISO 27001, ISO 27002 makes no sense. For organisations that have not yet achieved ISO 27001 certification, ISO 27002 serves as a starting point. ISO 27002, for example, has no compliance criteria, but it does require all areas of the organisation to examine and document internal computer security policies.

In summary, ISO 27002 provides recommendations on the selection, implementation, and effectiveness of computer security controls. If a company is adopting a computer security policy, it is their obligation to meet ISO 27002 guidelines. So, if ISO 27001 certification is your aim, you only need to evaluate one standard. ISO 27002, on the other hand, provides some valuable recommendations on how to apply the computer security measures mandated by ISO 27001.