· Jane Iamias · iso 27001 vs iso 27002 · 21 min read
ISO 27001 vs ISO 27002 A UK Business Guide
Struggling with ISO 27001 vs ISO 27002? Our guide clarifies the key differences, how they work together, and which standard your UK business needs to focus on.
When people talk about ISO 27001 and ISO 27002, the most common point of confusion is thinking you have to choose between them. The reality is they are two sides of the same coin.
At its heart, the difference is simple: ISO 27001 tells you what you need to do to build a robust Information Security Management System (ISMS). ISO 27002 explains how to do it. You get certified against ISO 27001; you use ISO 27002 as your guide to get there.
Clarifying The Core Relationship
The best way I’ve found to explain this is with an analogy. Think of ISO 27001 as the architectural blueprint for a secure building. It lays out the essential, non-negotiable requirements—it must have secure doors, monitored access points, and fire suppression systems. An auditor’s job is to walk through with that blueprint and tick off that you’ve met every requirement.
ISO 27002, on the other hand, is the detailed construction manual. It’s the guide your builders and engineers use, offering best-practice advice on how to select the right locks, where to position CCTV cameras for maximum effect, and what type of fire extinguisher is best for a server room. It offers guidance, not commands.
For the teams on the ground actually implementing the security measures, ISO 27002 is indispensable.
From UK Roots to Global Standards
This close partnership isn’t an accident; it’s baked into their history. Both standards evolved from the UK’s original security standard, BS 7799.
The part that became ISO 27001 (originally BS 7799-2) was always about the formal requirements for a management system. The other part, which became ISO 27002 (originally BS 7799-1), was the code of practice—the detailed ‘how-to’ for the security controls listed in ISO 27001’s Annex A. This history really highlights how they were designed from day one to work together. If you’re interested in the details, IT Governance offers a good overview of this evolution.
Key Takeaway: You can’t properly implement one without the other. ISO 27001 gives you the framework and the certificate at the end, but ISO 27002 provides the practical wisdom needed to make the controls effective in the real world.
To put it all into perspective, here’s a quick summary of the fundamental differences.
ISO 27001 vs ISO 27002 at a Glance
| Attribute | ISO 27001 (The ‘What’) | ISO 27002 (The ‘How’) |
|---|---|---|
| Primary Purpose | Defines mandatory requirements for an Information Security Management System (ISMS). | Provides best-practice guidance and implementation advice for security controls. |
| Certification | Yes, organisations get certified against this standard to prove compliance. | No, it is a supporting document and is not independently certifiable. |
| Audience | Management, compliance officers, and auditors who need to establish and verify the ISMS. | Security managers, IT teams, and implementers who need to build specific controls. |
| Structure | Contains management clauses (4-10) and a high-level list of controls (Annex A). | Provides detailed descriptions, purpose, and guidance for each control. |
| Analogy | A legal document or architectural blueprint that sets the rules. | An instructional manual or best-practice guide that explains the techniques. |
Ultimately, ISO 27001 is your destination—the certified standard. ISO 27002 is your roadmap, providing the turn-by-turn directions to get you there successfully.
Breaking Down The ISO 27001 Framework
To really get to the heart of the ISO 27001 vs ISO 27002 debate, you need to see ISO 27001 for what it is: a strategic framework for your entire business. It’s not just a technical checklist for the IT department. It’s a blueprint for building, running, and continuously improving a complete Information Security Management System (ISMS), embedding security into the very culture of your organisation.
At its core, the standard revolves around the classic Plan-Do-Check-Act (PDCA) cycle. This isn’t just a management theory; it’s a practical model that forces your ISMS to be a living, breathing system. It ensures your security practices adapt to new threats and business changes, rather than becoming a static project that’s obsolete in six months.
The Mandatory Clauses Driving The ISMS
The real teeth of ISO 27001 are in its mandatory clauses—specifically, Clauses 4 through 10. These aren’t suggestions; they are the non-negotiable requirements that form the basis of any certification audit. They compel an organisation to take a top-down, structured approach to information security.
In essence, these clauses require you to:
- Understand Your Organisation (Clause 4): This means figuring out your context—defining internal and external issues, identifying who cares about your security (like clients and regulators), and setting the scope for your ISMS.
- Demonstrate Leadership (Clause 5): Security has to start at the top. This clause demands commitment from senior management, a formal information security policy, and clearly defined roles and responsibilities.
- Plan Your Approach (Clause 6): Here’s where the proactive work begins. You must conduct a proper risk assessment, set clear security objectives, and create a plan to tackle the risks you’ve identified.
- Provide Support (Clause 7): You can’t achieve security without the right tools and people. This clause covers allocating resources, ensuring staff are competent and aware, and managing all your documented information.
This structured approach guarantees that security isn’t just an afterthought but a central part of your strategic planning. The emphasis on leadership is particularly important, as it’s what gives the ISMS the authority and budget it needs to succeed.
From Risk Assessment To Continual Improvement
Once the groundwork is laid, you have to execute and evaluate. Clauses 8, 9, and 10 complete the PDCA cycle, making the ISMS operational and accountable.
- Clause 8 (Do): This is where the rubber meets the road. You implement the plans and controls you identified back in Clause 6, running your risk assessments and treatment plans.
- Clause 9 (Check): You can’t manage what you don’t measure. You must monitor, analyse, and evaluate how your ISMS is performing through internal audits and formal management reviews.
- Clause 10 (Act): Based on what you find in the ‘Check’ phase, you take action. This means fixing nonconformities and, crucially, always looking for ways to improve the ISMS.
It’s this cyclical process that gives ISO 27001 its power. It creates a built-in mechanism for constant refinement, ensuring your security posture never stands still. This framework’s importance is well-recognised in the UK. A 2016 IT Governance report found 80% of UK organisations were either certified or pursuing it, with 71% saying clients were directly asking for it.
The Bridge to ISO 27002: Think of it this way: Annex A in ISO 27001 lists the security controls you might need, but it deliberately leaves out the ‘how-to’. It’s a menu of options. ISO 27002 is the recipe book that gives you the detailed instructions for each dish.
Annex A: The Control Catalogue
Annex A is the critical link that ties ISO 27001 directly to ISO 27002. It acts as a catalogue of security controls that an organisation can choose from to mitigate the risks it has identified. The descriptions, however, are intentionally high-level.
For instance, a control might simply say you need “user access management.” That’s it. To figure out how to implement that effectively—from provisioning to regular reviews—your team would turn to the detailed guidance in ISO 27002. For a deeper dive into how modern tech is helping with this, it’s worth reading up on global standards like ISO 27001 and AI-powered risk detection.
This intentional separation is what makes the system work. ISO 27001 remains a flexible, high-level framework that can apply to any organisation, while ISO 27002 provides the rich, practical detail needed to get the job done right. To find out more about what goes into a successful ISMS, check out our other articles on ISO 27001.
Putting The Guidance of ISO 27002 into Practice
If ISO 27001 provides the strategic framework for your Information Security Management System (ISMS), think of ISO 27002 as the operational playbook your teams will have open on their desks. It’s essentially a code of practice, packed with comprehensive, real-world advice for implementing the controls listed back in Annex A of ISO 27001.
It’s crucial to understand that you cannot get certified to ISO 27002. It’s a supplementary standard, designed purely to provide guidance. This is the detailed instruction manual that brings the high-level blueprint to life. Where ISO 27001 is concise and focused on requirements, ISO 27002 is descriptive and rich with implementation detail.
The difference in length alone tells you everything you need to know. The core ISO 27001 document is under 30 pages, whereas ISO 27002 often balloons to over 100 pages. All that extra content is dedicated to explaining the purpose, attributes, and practical steps for each control, making the difference between ISO 27001 and ISO 27002 one of requirements versus detailed recommendations.
From High-Level Objective To Practical Action
So, how does this work in the real world? Let’s look at a classic control area: Access Control.
In Annex A, ISO 27001 states a broad objective, something along the lines of “to ensure authorised user access and to prevent unauthorised access to systems and services.” It tells you what you need to achieve but gives you absolutely no clues on how to do it.
This is the point where your IT managers, security engineers, and compliance officers will pick up ISO 27002. For that one single Access Control objective, the standard provides granular, practical guidance on multiple fronts.
It breaks down that high-level requirement into concrete tasks your teams can actually start working on, such as:
- User Access Provisioning: Guidance on setting up formal processes for registering new users and, just as importantly, de-registering them when they leave.
- Management of Privileged Access Rights: Solid advice on how to control, restrict, and monitor those powerful administrative privileges.
- Review of User Access Rights: Recommendations for running regular reviews to ensure people’s access levels haven’t become excessive over time.
- Authentication Information: Best practices for managing passwords, rolling out multi-factor authentication (MFA), and handling other credentials securely.
This level of detail is what separates a tick-box security exercise from a robust and auditable security programme. For teams tasked with writing the policies, browsing through some well-structured information security policy examples is a great way to turn this guidance into concrete documentation.
A Tangible Example: Access Control In Practice
Let’s say your organisation needs to implement control 5.15, “Access Control,” from Annex A. Your Head of IT has been given the job.
- ISO 27001 (The ‘What’): The CISO consults ISO 27001 and identifies the requirement to control access to information. This high-level objective is then documented in the Statement of Applicability (SoA).
- ISO 27002 (The ‘How’): The Head of IT now turns to ISO 27002. The standard gives specific implementation guidance, suggesting they establish a formal access control policy, implement a procedure for regular user access reviews, and segregate privileged accounts from standard user accounts.
- Implementation: Armed with ISO 27002, the team drafts a User Access Control Policy. They configure their systems to require manager approval for new accounts, set up an automated quarterly report of all user access rights for review, and create separate, limited-use accounts for system administrators.
Key Insight: Without ISO 27002, the team would be left trying to interpret the broad objective from ISO 27001 on their own. This guesswork often leads to inconsistent implementation, security gaps, and a much tougher time during an audit. ISO 27002 ensures everyone follows a consistent, best-practice approach.
Ultimately, this standard is the bridge that translates strategic security requirements into the day-to-day tasks performed by your technical and operational teams. It’s what makes a certifiable ISMS possible, ensuring that every control is not just present on paper, but actually effective and well-considered. In my experience, your security engineers will spend far more time with ISO 27002 than they ever will with ISO 27001.
How the 2022 Updates Impact Your Compliance Journey
The information security landscape is always shifting, and so are the standards that help us navigate it. The 2022 updates to both ISO 27001 and ISO 27002 were one of the most significant changes we’ve seen in years, directly impacting how UK organisations need to handle their compliance.
These weren’t just minor adjustments. It was a serious overhaul aimed at tackling modern security challenges head-on. If your business is already certified or thinking about it, getting to grips with these changes is non-negotiable for keeping your security posture strong and your certificate valid.
The fundamental relationship hasn’t changed—ISO 27001 still tells you what you need to do, and ISO 27002 shows you how to do it. But the specifics of the ‘how’ have evolved quite a bit.
A Modernised Control Set in ISO 27002
The most obvious change is how the security controls in ISO 27002:2022 have been reorganised. The old structure of 14 domains has been scrapped and replaced with four practical, high-level themes. This makes the standard far more intuitive to use.
The new structure groups controls into logical clusters:
- Organisational Controls (37 controls): This is where you’ll find the high-level policies, governance, and procedural stuff.
- People Controls (8 controls): All about the human side of security—think screening, awareness training, and remote working.
- Physical Controls (14 controls): Covers the security of tangible assets like your offices, data centres, and equipment.
- Technological Controls (34 controls): This is the technical deep-dive into things like access control, network security, and cryptography.
From a practical standpoint, this reorganisation makes life much easier. You can now assign ownership of control groups far more clearly. Instead of digging through a complex web of domains, you can point your HR team towards the ‘People’ controls and your IT team to the ‘Technological’ ones.
New Controls for Today’s Threats
Beyond just rearranging the furniture, the 2022 update brought in 11 entirely new controls to deal with emerging risks. These aren’t just suggestions; they reflect the realities of the modern threat landscape and cover crucial areas that were previously under-represented.
Some of the key new controls include:
- Threat intelligence: This moves you from a passive to an active stance, requiring you to gather and analyse information on current and potential threats.
- Information security for use of cloud services: Finally, a dedicated control for creating policies around how you buy, use, and manage cloud services securely.
- Data leakage prevention: Focuses on implementing technical measures to spot and stop sensitive data from walking out the door.
- Web filtering: Managing what external websites your team can access to protect your systems from malware.
These new additions have a direct impact on the scope of your ISMS. For instance, with the threat intelligence control, a passive, once-a-year risk assessment just won’t cut it anymore. You’re now expected to have an ongoing process for understanding the threat environment as it evolves.
Crucial Takeaway: The 2022 updates aren’t just a re-shuffle. They introduce new, mandatory considerations for your risk assessment and Statement of Applicability (SoA), forcing you to re-evaluate your existing security measures.
The Ripple Effect on ISO 27001 Annex A
Because Annex A in ISO 27001 is a direct reflection of the controls in ISO 27002, these changes have completely altered its structure. The 2022 update restructured and reduced the total number of controls from 114 down to 93, which includes the 11 brand-new ones.
This overhaul meant UK businesses had to adapt their ISMS to stay compliant, with a hard transition deadline of 31st October 2025.
This change requires a careful re-mapping exercise. If your current Statement of Applicability is built on the old 2013 version, you’ll need to align it with this new, consolidated control set. As you navigate your compliance journey, it’s vital to understand what’s required to achieve ISO 27001 accreditation.
Think of the transition not as an administrative chore, but as a strategic opportunity. It’s a chance to reinforce your ISMS against today’s threats and prove you’re taking a forward-thinking approach to security.
Connecting Annex A Controls To ISO 27002 Guidance
The real magic between ISO 27001 and ISO 27002 happens when you see how Annex A works with the guidance in ISO 27002. For anyone new to these standards, this is often the biggest hurdle, but once you get it, everything else clicks into place.
Here’s the simplest way I can put it: ISO 27001’s Annex A is your shopping list. It provides a high-level catalogue of 93 security controls you need to consider for your Information Security Management System (ISMS). ISO 27002 is the cookbook. It takes every item on that list and gives you the detailed recipe for turning it into an effective security measure.
This structure is a deliberate choice and it’s what makes the framework so flexible. It keeps ISO 27001 as a lean, certifiable standard, while ISO 27002 offers the rich, practical advice needed to get things done right on the ground.
A Practical Side-by-Side Comparison
To really understand the difference, let’s walk through a common example. We’ll use control A.8.1 (User endpoint devices), something every modern business has to deal with.
In Annex A of ISO 27001, the description is intentionally brief. It simply outlines the control’s objective: to protect information on user devices. This tells your CISO or compliance lead what they need to achieve, which then becomes a line item in your Statement of Applicability (SoA).
Great, but how do you actually do that? This is where your IT team turns to the corresponding section in ISO 27002. Suddenly, they have a wealth of actionable guidance covering a huge range of considerations.
The guidance in ISO 27002 would prompt them to think about and implement policies for things like:
- Device Configuration: Practical advice on how to securely set up laptops, phones, and tablets, including password policies and encryption.
- Acceptable Use: Guidance on drafting clear rules for what staff can and cannot do on company-owned devices.
- Remote Work Security: Specific recommendations for locking down devices used outside the trusted office network.
- Device Disposal: Best practices for securely wiping or destroying old devices to prevent sensitive data from walking out the door.
Without ISO 27002, your team would be left trying to interpret the broad objective from Annex A. That often leads to patchy security and a much higher chance of failing an audit. This level of detail is crucial, and using something like a requirement collection template can help keep all these moving parts organised.
The SoA Connection: Your Statement of Applicability (SoA) is the crucial document where you formally state which Annex A controls you’ve chosen to implement and why. ISO 27002 provides the practical know-how to both justify those choices and then implement them effectively.
Mapping Annex A Controls to ISO 27002 Guidance
This table shows exactly how a single, high-level control in ISO 27001’s Annex A blossoms into detailed, practical advice in ISO 27002.
| Annex A Control (ISO 27001) | Control Objective Summary | ISO 27002 Implementation Guidance Snippet |
|---|---|---|
| A.8.1 User endpoint devices | Protect information stored on, processed by, or accessible via user endpoint devices. | Guidance Includes: Implementing policies for mobile device use, enabling remote wipe capabilities, enforcing device-level encryption (e.g., BitLocker), and restricting software installation to approved applications. |
| A.5.15 Access control | Ensure only authorised users can access information and systems based on business requirements. | Guidance Includes: Establishing a formal user registration/de-registration process, conducting regular access rights reviews, and managing privileged access rights separately from standard user accounts. |
| A.5.23 Information security for use of cloud services | Specify and manage information security for the acquisition, use, and management of cloud services. | Guidance Includes: Defining a cloud services policy, establishing security requirements for cloud providers in agreements, and monitoring the security of services being used. |
This mapping isn’t just a theoretical exercise; it’s the day-to-day process your security team will live and breathe. They start with the ‘what’ from Annex A and use the ‘how’ from ISO 27002 to build the specific, technical, and procedural safeguards that make your ISMS a reality. It’s this partnership that turns a high-level requirement into a tangible, auditable security control.
Which Standard Should Your Team Use and When?
Figuring out whether to use ISO 27001 or ISO 27002 often causes a bit of a headache, but it’s not a case of picking one over the other. The real question is: who on your team should be using which standard, and at what stage of your security journey?
Think of them as two sides of the same coin, designed to work together but used by different people for very different jobs. When everyone understands their go-to document, the whole process of building a solid Information Security Management System (ISMS) becomes much clearer and more efficient.
Guidance for Strategic and Leadership Roles
If you’re in a leadership or oversight role, your world revolves around the certifiable framework, high-level governance, and proving compliance.
For the CISO or Compliance Manager: You’re the architect of the ISMS, and ISO 27001 is your blueprint. You’ll live in clauses 4-10 to build the governance structure, get the board on board, and define the scope of the whole system. You’ll then use its Annex A as a checklist to draft your Statement of Applicability (SoA). But when it comes to the “how,” you’ll hand ISO 27002 to your technical teams. It’s their detailed implementation guide. You need to understand both, but your primary job is done within the pages of ISO 27001.
For the Procurement or Vendor Manager: Your focus is on third-party risk. When you’re assessing a supplier, you should only be asking for one thing: their ISO 27001 certificate. This is the only official, audited proof that they have a functioning ISMS. A supplier claiming they “follow ISO 27002” is a red flag—it means nothing from a compliance perspective because you can’t get certified against it. For proper due diligence, the ISO 27001 certificate is the gold standard.
Guidance for Technical and Implementation Roles
For the people in the trenches—the ones actually building and maintaining security controls—the practical guidance in ISO 27002 is what truly matters.
Key Takeaway: The CISO uses ISO 27001 to draw the blueprint for the house. The security engineers and IT teams then use ISO 27002 as the detailed construction manual to build the walls, fit the locks, and wire the alarms correctly.
A Security Analyst or IT Engineer won’t get much out of the high-level management clauses in ISO 27001. Their job is to bring the controls listed in the SoA to life. For them, ISO 27002 is the day-to-day playbook.
If they’re tasked with implementing a new access control policy, they won’t be looking at ISO 27001. They’ll open up ISO 27002 to find practical, best-practice guidance on everything from robust password policies to managing privileged access rights. It’s their operational manual for configuring systems and writing procedures that meet the strategic goals set by leadership.
Frequently Asked Questions
When you start digging into information security standards, it’s easy to get tangled up. Let’s tackle some of the most common questions we hear from UK businesses trying to get to grips with ISO 27001 vs ISO 27002.
Can My Organisation Get Certified To ISO 27002?
In a word, no. Certification is only possible for ISO 27001. Think of ISO 27002 as a supporting guide – it provides the detailed, best-practice advice, but it’s not a standard you can be audited against.
An external auditor will come in and measure your Information Security Management System (ISMS) against the mandatory requirements laid out in ISO 27001. ISO 27002 is the detailed instruction manual you’ll use to actually build the security controls needed to pass that audit.
Do We Need To Purchase Both Standards?
For any serious certification project, yes, absolutely. Trying to get certified for ISO 27001 without having ISO 27002 handy is like trying to assemble flat-pack furniture with only a picture of the finished product. You’d be missing all the critical steps.
- ISO 27001 is your blueprint: It tells you what you must do, outlining the ISMS framework, its clauses, and the high-level control objectives in Annex A.
- ISO 27002 is your implementation guide: It gives you the “how-to” for each specific control you choose as part of your Statement of Applicability (SoA).
Without both documents, your team will be flying blind, struggling to build security measures that are effective and, just as importantly, auditable.
How Does ISO 27001 Help With UK GDPR Compliance?
Achieving ISO 27001 certification is one of the best ways to show you’ve put in place the “technical and organisational measures” needed to protect personal data under the UK General Data Protection Regulation (UK GDPR).
While it’s not a direct UK GDPR certification, it’s seen by regulators and clients alike as concrete proof of a strong data protection programme. It gives you a formal, systematic way to meet key obligations, like those in Article 32, by proving you have a solid process for identifying and managing information security risks. For any business serious about UK GDPR, it’s a foundational piece of the puzzle.
