ISO 27002 vs ISO 27001 The Definitive UK Business Guide

It’s easy to get tangled up in the ISO alphabet soup, but the distinction between ISO 27001 and ISO 27002 is actually quite straightforward. At its core, ISO 27001 is the certifiable standard that tells you what your organisation needs to do to build and maintain a proper Information Security Management System (ISMS). Think of it as the rulebook.

On the other hand, ISO 27002 is the supporting code of practice. It’s the detailed guide that explains how to implement the security controls listed in ISO 27001. You can’t get certified against it, but you’d have a very tough time implementing the rules without it.

Understanding The Core Difference Between ISO 27001 and ISO 27002

Illustrations showing a house with a checkmark for ISO 27001 and an open book with tools for ISO 27002.

Let’s try an analogy. Imagine you’re building a house to meet specific safety regulations. ISO 27001 is the architect’s blueprint. It clearly states the non-negotiable requirements: you need a solid foundation, load-bearing walls, a weatherproof roof, and secure locks on all doors. It defines the framework that will be inspected before you’re given the keys.

ISO 27002, then, is the builder’s detailed construction manual. It doesn’t set the rules, but it gives you expert, best-practice advice on how to meet them. It explains different techniques for laying the foundation, what materials work best for the walls, and precisely how to install those secure locks for maximum effect. The blueprint (ISO 27001) is what the inspector signs off on, but the manual (ISO 27002) is the essential guide your team uses to do the work properly.

The All-Important Certification

This distinction is crucial for any business serious about security. In the UK alone, the demand for formal certification is clear. By the end of 2023, over 2,500 organisations were ISO 27001 certified, marking a 15% jump from the year before. This isn’t just about ticking a box; it’s about proving your security posture to win enterprise deals and satisfy regulatory bodies. If you want to learn more about the growth of ISO certification, it’s a real eye-opener.

Key Takeaway: You get certified against ISO 27001, not ISO 27002. An auditor’s job is to check that your ISMS meets the strict requirements laid out in ISO 27001. They’ll look at how you’ve implemented your controls—where the ISO 27002 guidance is invaluable—but the certificate itself is awarded for conforming to ISO 27001.

ISO 27001 vs ISO 27002 At a Glance

To put it all in one place, here’s a quick summary that highlights the different roles these two standards play.

Attribute	ISO 27001 (The ‘What’)	ISO 27002 (The ‘How’)
Primary Purpose	Defines the mandatory requirements for an Information Security Management System (ISMS).	Provides detailed, best-practice guidance for implementing information security controls.
Nature	A management standard. It’s prescriptive about the framework and processes you must have in place.	A code of practice. It’s descriptive and offers guidance, not a set of compulsory rules.
Outcome	Leads to a formal, recognised certification from an accredited body, which demonstrates compliance.	Provides the practical knowledge needed to implement effective controls. It is not a certifiable standard.
Audience	Management, compliance officers, and auditors who need to build or verify the ISMS structure.	Security managers, IT teams, and engineers responsible for putting security measures into practice.

Ultimately, you can’t really have one without the other. These two standards are designed to work hand-in-hand. ISO 27001 sets the destination—a compliant and certified ISMS—while ISO 27002 provides the detailed roadmap to get you there without getting lost.

Comparing The Purpose and Scope of Each Standard

While ISO 27001 and ISO 27002 are designed to work together, they serve very different functions. Grasping this distinction is fundamental to building a successful information security programme. Think of it this way: one standard tells you what you need to build, while the other gives you the detailed instructions on how to build it.

ISO 27001 operates at a broad, strategic level. Its purpose is to lay out the requirements for establishing, implementing, maintaining, and continually improving an entire Information Security Management System (ISMS). It’s a management standard, focused on the big picture of how your organisation approaches information security.

The standard is built on a risk-based approach. It forces you to identify your critical information assets, evaluate the threats and vulnerabilities they face, and then select appropriate controls to manage those risks. The scope covers the entire ISMS lifecycle, from securing leadership commitment to running internal audits and management reviews.

The Strategic Framework of ISO 27001

The scope here is holistic, concentrating on the overarching framework that governs your security posture. It won’t get into the weeds of how to configure a firewall or encrypt a specific database. Instead, it poses strategic questions an auditor will ask:

Do you have a formal, repeatable process for risk assessment?
Is there clear leadership buy-in and a documented information security policy?
Are information security roles and responsibilities clearly defined and assigned?
Do you have a mechanism for continuously improving the ISMS?

ISO 27001 is the blueprint an auditor uses to verify that your ISMS is properly structured, managed, and effective. Its scope is about defining the essential components of a security programme, not the technical minutiae of each one.

The Tactical Guidance of ISO 27002

In sharp contrast, ISO 27002 is purely tactical, and its scope is granular. It exists to provide detailed, best-practice guidance for implementing the specific security controls listed in ISO 27001’s Annex A. It’s a code of practice, not a list of mandatory requirements.

ISO 27002 doesn’t define a management system at all. It functions more like a comprehensive reference library for security professionals. For every control, it explains the objective, its attributes, and offers practical advice on implementation. For instance, where ISO 27001 simply requires “access control,” ISO 27002 dives into different approaches for user registration, privilege management, and password policies.

An organisation implements an ISMS based on ISO 27001 and uses ISO 27002 as a practical guide to meet control objectives. You can’t build a compliant ISMS using ISO 27002 alone because it completely lacks the required management system framework.

This relationship is the crux of the matter. Your team first uses the ISO 27001 risk assessment to decide which controls from Annex A are relevant. Only then do you turn to ISO 27002 to figure out the best way to implement them. The core difference in the ISO 27002 vs ISO 27001 debate is just that: one is a certifiable framework, the other is an implementation handbook.

Certification vs Guidance: Why Only One is Auditable

Diagram comparing ISO 27001 certification (certifiable) with ISO 27002 guidance (auditable, not certifiable).

When people ask me about the difference between ISO 27002 vs ISO 27001, I always start here, because this is the single most critical distinction for any UK business: certifiability. Only one of these standards results in a formal, recognised certificate that unlocks enterprise deals and satisfies regulatory scrutiny.

That standard is ISO 27001.

An organisation can be formally audited and certified against ISO 27001 by an accredited certification body. This is a rigorous process. An external auditor comes in and assesses whether your Information Security Management System (ISMS) truly meets the specific, mandatory requirements laid out in the standard.

Achieving this certification is powerful, independent proof of your company’s commitment to information security. For SaaS and tech firms today, it’s often not just a nice-to-have; it’s a non-negotiable prerequisite for doing business with larger corporations.

Why You Can’t Get ‘ISO 27002 Certified’

Here’s where a lot of teams get tripped up: no organisation can ever become “ISO 27002 certified.” It simply isn’t a thing. ISO 27002 is strictly a code of practice—think of it as a comprehensive reference manual that gives you best-practice advice on how to implement the security controls.

It contains no mandatory “shall” statements or auditable requirements for a management system. It’s an expert advisory document. You consult it for detailed implementation guidance, but you are not audited directly against its suggestions. An auditor’s checklist is built from the requirements in ISO 27001, not the guidance in ISO 27002.

Crucial Distinction: An auditor will absolutely assess the effectiveness of your chosen security controls, and your implementation might align perfectly with ISO 27002’s guidance. However, the certificate itself is awarded based on your adherence to the management system requirements defined in ISO 27001’s clauses 4 through 10.

The UK Market Demands Certification

Looking at the UK market, the importance of this distinction becomes even clearer. Adoption rates show ISO 27001’s dominance for compliance, with projections showing 4,200 active certificates by the end of 2025—an 18% increase from 2024.

A recent survey of 800 UK enterprises found that 72% prioritise ISO 27001 for stakeholder assurance, as it directly satisfies regulators like the Financial Conduct Authority (FCA). You can learn more about these UK compliance trends and see just how much certification impacts business.

This data tells a simple story: when it comes to demonstrating compliance and building trust, the market demands the verifiable proof that only ISO 27001 certification can provide. ISO 27002 remains an essential internal tool for the teams doing the groundwork, but it holds no external weight as a standalone credential.

So, while both documents are vital for a successful security programme, their roles in an audit couldn’t be more different. Your ISMS is audited against the framework of ISO 27001. Your controls—ideally implemented using the wisdom from ISO 27002—are the evidence that your framework is effective. The certificate, however, is exclusively for ISO 27001.

Unpacking the Structure of Controls and Guidance

Handwritten diagram illustrating Annex A and ISO 27022 controls, attributes, and detailed concepts.

To really get to the heart of the ISO 27002 vs ISO 27001 relationship, you have to look at how each standard is built. ISO 27001 is a remarkably concise document. Its core is made up of clauses 4 through 10, which lay out the mandatory, high-level framework for building and running an Information Security Management System (ISMS).

These clauses cover the big picture: understanding your organisation’s context, getting leadership buy-in, and establishing processes for planning, support, operations, performance reviews, and continuous improvement. Tacked onto the end is the well-known Annex A—essentially a catalogue of security controls. The 2022 version lists 93 of them.

This is where ISO 27002 steps in. It takes that list from Annex A and breathes life into it, providing the depth and practical detail needed for implementation. The 2022 update also gave the controls a much-needed reorganisation, shifting from 14 domains to four intuitive themes.

The Four Themes of ISO 27002

This new structure is a massive help for teams, allowing them to group their security efforts logically.

Organisational Controls: Think of these as the foundational, top-down controls. They cover policies, asset management, and defining roles and responsibilities.
People Controls: This theme zeroes in on the human side of security. It includes everything from onboarding and security awareness training to remote working policies.
Physical Controls: Here, we’re talking about protecting tangible assets. This covers secure areas, equipment maintenance, and even clear desk policies.
Technological Controls: As the largest group, this gets into the technical weeds: access control, cryptography, network security, and secure development practices.

If your team is building out its security programme, our collection of information security policy examples can be a great place to find inspiration for documents that align with these themes.

From Control List to Implementation Guidance

The synergy between the two standards becomes crystal clear when you map a control from ISO 27001’s Annex A to its matching section in ISO 27002. Annex A just gives you the name of the control. ISO 27002 gives you the full story—the purpose, the attributes, and a detailed “how-to” guide for implementation.

This is by design. Your risk assessment in ISO 27001 tells you which controls from Annex A you need. ISO 27002 then shows you how to put them in place effectively. It’s a powerful combination; UK statistics show that organisations certified to ISO 27001 have 30% fewer breaches than those without certification. It’s the risk-based framework of ISO 27001, brought to life by the guidance in ISO 27002, that makes it so effective.

Think of it this way: ISO 27001’s Annex A is the “what”—a list of ingredients. ISO 27002 is the “how”—the detailed recipe that explains how to combine those ingredients to create a robust security dish. You need both for a successful outcome.

As you dive into the practical side of ISO 27002’s guidance, it’s worth looking at guides for mitigating cloud computing security risks, since so many modern controls are applied directly within cloud environments.

To make this truly concrete, the table below shows how a single, brief control requirement in ISO 27001 expands into comprehensive, actionable advice in ISO 27002.

Mapping an Annex A Control to ISO 27002 Guidance

Aspect	ISO 27001 Annex A (Control A.5.23)	ISO 27002 (Guidance for A.5.23)
Control Title	Information security for use of cloud services.	Information security for use of cloud services.
Requirement	A brief, one-sentence statement requiring that processes for acquiring, using, managing, and exiting cloud services be established in accordance with the organisation’s information security requirements.	Expands into extensive guidance covering the entire cloud service lifecycle. This includes advice on defining security requirements for cloud providers, establishing shared responsibility models, configuring services securely, monitoring usage, and ensuring data is securely handled upon contract termination.
Level of Detail	Minimal. It tells you that you need a process.	High. It provides a roadmap for how to build, implement, and maintain that process effectively, offering considerations that teams might otherwise overlook.

This side-by-side view really highlights why security teams must use both documents together. One tells you the destination, and the other gives you the map to get there.

How UK Technology Companies Use Both Standards

Sketch showing ISO 2702 and Certificate A leading to a secured document, with 'INTERAL TEAM' on a tablet.

It’s one thing to understand the textbook differences between ISO 27001 and ISO 27002, but it’s in the real world where their partnership really shines. For UK tech and SaaS companies, these aren’t competing standards. They’re two sides of the same coin, working together every day to build trust and win new business.

Think of them as having two distinct jobs: one faces outwards towards the market, while the other looks inwards, guiding the technical teams.

Let’s take a typical scaling UK SaaS company as an example. They’ve just spent months of hard work getting their ISO 27001 certification. That certificate is now a crucial asset for their sales and compliance teams.

Proving Compliance Externally with ISO 27001

When a massive enterprise prospect sends over a hefty security questionnaire, the first thing the sales team presents is their ISO 27001 certificate. It’s their most powerful piece of evidence. In one fell swoop, that single document answers dozens of questions about whether they have a formal, audited Information Security Management System (ISMS).

It’s a clear, internationally recognised signal of security maturity. It proves the company has a structured approach to managing risk, is committed to continuous improvement, and has strong security governance in place. For a sales team, this is gold. It helps them get past initial security hurdles, speed up the sales cycle, and avoid debating every single policy from the ground up.

The ISO 27001 certificate is the “what” you show the world. It’s the verifiable proof that your organisation has a functioning ISMS, ticking the box for procurement teams and building instant credibility.

In a commercial setting, this is the primary job of ISO 27001. It’s the key that opens the door to enterprise-level conversations and makes vendor risk assessments far less painful.

Guiding Implementation Internally with ISO 27002

Now, let’s pivot to another scene inside the same company. The prospect’s questionnaire has a very specific technical question: “Describe your process for ensuring information security in supplier relationships, including monitoring and offboarding.” The sales team is stumped; they don’t have that kind of detail.

The question gets passed to the internal security team. The security manager doesn’t just make something up. They pull up their copy of ISO 27002 and go straight to the guidance for control A.15 from Annex A, which is all about supplier relationships.

There, they find a treasure trove of best practices for a solid process:

How to define security requirements in supplier contracts.
Ways to monitor a supplier’s service delivery against agreed terms.
How to manage changes while keeping security tight.
The right way to handle the end of a supplier relationship, including data return or destruction.

Using this detailed guidance, the team writes a clear, thorough, and accurate response for the questionnaire. But more importantly, they use ISO 27002 as a checklist to double-check and strengthen their own supplier management procedures, ensuring their day-to-day practices genuinely align with global best practices.

Dealing with these detailed questions is a constant challenge, which is why many UK firms are now using security questionnaire automation to make the process smoother.

This whole workflow shows the symbiotic relationship perfectly. ISO 27001 gets your foot in the door with a certificate, while ISO 27002 gives you the detailed knowledge to walk through it confidently, answering tricky technical questions and building a genuinely secure operation from the inside out.

Which Standard Should Your Business Prioritise?

When you’re weighing up ISO 27001 against ISO 27002, the decision of where to start is actually quite simple. It really just boils down to one question: what is your business trying to achieve? Your answer will point you in the right direction.

If your objective is to prove your security maturity to the market, satisfy enterprise customer contracts, or meet strict regulatory demands, then your focus has to be on achieving ISO 27001 certification. It’s not really a choice; this is the standard that customers, partners, and regulators recognise and expect to see.

Think of ISO 27002 as its essential companion guide. This is the detailed manual your technical teams will have open as they work. It’s packed with the practical, ‘how-to’ advice needed to correctly build and implement the specific controls you’ve chosen from your ISO 27001 risk assessment.

A Clear Decision Framework

Let’s make this even clearer by looking at a few common business scenarios. This should help you see how each standard fits into your company’s security journey.

You need to win a major contract that demands proof of a formal Information Security Management System (ISMS). In this case, you must prioritise ISO 27001. The certificate is the non-negotiable evidence they need.
Your engineering team needs to configure network security controls or map out a secure development lifecycle. They should turn to ISO 27002 for best-practice guidance on how to do it properly.
You’re answering a security questionnaire and need to show you have an audited ISMS. You’ll lead with your ISO 27001 certification as the definitive proof.
Your security manager needs the nitty-gritty details for implementing an access control policy. They will consult ISO 27002 for the specific steps.

This back-and-forth shows the standards aren’t competing—they work in perfect harmony. One sets the strategic “what” (the ISMS), while the other provides the tactical “how” (the control implementation). For businesses in the UK or handling EU data, this also ties into regulations like GDPR. ISO 27001 provides a strong framework for this, as outlined in this handy GDPR compliance checklist.

The simplest way to remember it is this: ISO 27001 is the destination—a certified ISMS that proves your commitment to security. ISO 27002 is the detailed map that helps your team navigate the journey and build everything correctly to get there.

So, at the end of the day, a business doesn’t really choose one over the other. You prioritise ISO 27001 for certification and lean on ISO 27002 for implementation. A key part of this is documenting your processes, and our guide on finding a data protection policy template is a great place to start. A truly effective security programme needs both the overarching framework and the detailed guidance to succeed.

Frequently Asked Questions

When you start digging into the ISO 27000 series, a few common questions always seem to pop up. Let’s tackle them head-on to clear up any confusion and help you map out your next steps.

Can I Get Certified for ISO 27002?

This is a big one, and the answer is a straightforward no. You cannot get certified for ISO 27002. It’s crucial to understand that it’s purely a guidance document—a detailed code of practice full of best-practice advice for putting security controls into action.

Certification is reserved exclusively for ISO 27001. This is the standard that lays out the formal, auditable requirements for building and running an Information Security Management System (ISMS). When an auditor comes knocking, they’ll be assessing your organisation against the requirements in ISO 27001, not the helpful hints in ISO 27002.

Do I Need to Buy Both ISO 27001 and ISO 27002?

While you’re not technically forced to buy both, it would be a huge mistake not to. In practice, you absolutely need both for a successful certification journey.

Think of it this way: ISO 27001 tells you what you need to do—it gives you the framework and the list of controls in Annex A. But it’s intentionally brief. ISO 27002 provides the critical how—the detailed, practical implementation advice your teams need to actually build those controls properly. Trying to implement Annex A without the corresponding guidance from ISO 27002 is like trying to build flat-pack furniture with only a picture of the finished product. You might get there, but you’ll probably have gaps.

How Did the 2022 Updates Affect Their Relationship?

The 2022 updates were a welcome change, designed to make the two standards work together more smoothly. The fundamental relationship hasn’t changed at all: ISO 27001 is still for certification, and ISO 27002 is for guidance.

What did change was the structure. ISO 27002:2022 was updated first, reorganising its controls into four much more logical themes:

Organisational
People
Physical
Technological

Then, the ISO 27001:2022 update followed suit, mirroring this new structure perfectly in its Annex A. This alignment is a massive practical benefit. Now, when you see a required control in Annex A, you can flip to the exact same section in ISO 27002 to find all the implementation details. It has made moving from requirement to action far more straightforward for any UK business.