ISO 27001 vs ISO 27002: the standard vs the control guidance
ISO 27001 is the certifiable management-system standard — what to do. ISO 27002 is the implementation guidance — how to do it. You certify against 27001. You reference 27002 when building and operating. They're complementary parts of the same family. Most organizations buy both.
Side-by-side
| Dimension | ISO 27001 | ISO 27002 |
|---|---|---|
| Purpose | Management-system standard — defines ISMS requirements | Implementation guidance — details for each Annex A control |
| Certifiable | Yes | No — implementation guidance only |
| Structure | 10 clauses + Annex A (93 controls) | 93 controls explained in detail with purpose, implementation, and other information |
| Who reads it | ISMS owners, compliance officers, auditors | Implementers, security engineers, control owners |
| Length | ~40 pages | ~150+ pages |
| Price | ~CHF 150 (or bundled with 27002) | ~CHF 200 |
| Update cadence | Periodic (2005, 2013, 2022) | Aligned with 27001 major revisions |
| Used in audit | Auditor certifies against 27001 clauses + Annex A | Auditor references 27002 for implementation depth but doesn't certify against it |
When to choose which
ISO 27001
You need the certifiable ISMS standard. You're building an ISMS for certification. You're training on what to do at the management-system level.
ISO 27002
You need implementation depth for specific Annex A controls. You're training on how to implement a control. You're operating controls and want reference depth.
Both
Almost always both. ISO 27001 is the 'what'; ISO 27002 is the 'how'. No mature ISMS program uses only one.
The overlap
Total — ISO 27002:2022 is a direct companion to ISO 27001:2022. Every Annex A control in 27001 has a corresponding detailed section in 27002. ISO 27002 doesn't add controls; it explains how to implement them. Think of 27002 as the expanded user manual for 27001's Annex A.
Key differences
- ISO 27001 is certifiable. ISO 27002 is not.
- ISO 27001 defines the ISMS management system. ISO 27002 explains the controls.
- ISO 27001 is shorter and higher-level. ISO 27002 is comprehensive implementation guidance.
- You certify to ISO 27001. You reference ISO 27002 when operating.
- ISO 27001 scopes are organization-defined. ISO 27002 is the reference universe of control detail.
- Auditors care more about ISO 27001 outcome evidence than ISO 27002 fidelity — as long as controls work, the exact implementation approach has flexibility.
Frequently asked questions
Do I need to buy both ISO 27001 and ISO 27002?
For serious ISMS programs: yes. ISO 27001 tells you what management-system elements are required and what the 93 controls are. ISO 27002 tells you how to implement them. Skipping 27002 forces you to invent implementation from each control's one-line title. Matproof's platform includes ISO 27002-aligned implementation guidance per control.
Can I certify ISO 27002?
No — ISO 27002 is not certifiable. It's implementation guidance. You certify ISO 27001. Some organizations informally reference 'ISO 27002 compliance' as a sign they follow 27002's guidance, but there's no certification body that audits ISO 27002 directly.
Did the 27001:2022 update change 27002 too?
Yes — ISO 27002:2022 was revised alongside ISO 27001:2022. The 93 controls (reorganized from 114 in the 2013 version) are explained in 27002:2022. 27001's Annex A is a one-line summary per control; 27002 is the expanded detailed version.