ISO 27001 & ISO 27002: How they work together

In any organisation, threats to data security should be taken seriously. Whilst you cannot prepare for all eventualities, implementing an Information Security Management System (ISMS) is a good way of ensuring you are on top of your game when it comes to protecting confidential or sensitive data.

If you’ve come across ISO 27001 and ISO 27002 in your research, you might be wondering what the difference between the two are, and whether they work in conjunction with each other. In this blog we outline what each standard is and how they work together to help you implement a security system that you can trust.

What is ISO 27001?

ISO 27001 offers a comprehensive set of controls that outlines the requirements of ISMS. The process of becoming certified concentrates on improving your information (including cyber) security standards so that you can be sure you have an ultra-safe and validated data security management system.

Have more questions about ISO 27001? Learn everything you need to know here.

What is ISO 27002?

ISO 27002 is more of a code of practice for security controls. It outlines the best practices for those implementing the ISMS, providing guidelines on the selection, implementation, and management of controls taking into consideration the risk environments of the organisation.

You cannot get certified to it as it is not a management standard, instead it is required for use by companies who are in the process of implementing ISO 27001. The ISO 27002 can also be used by organisations who are planning to implement their own, or other commonly accepted information security management guidelines.

How do they work together?

If you think of ISO 27001 as the ‘what’ to do, the ISO 27002 acts as the ‘how’ do I achieve this. The ISO 27001 can be audited and certified against, you follow certain steps to make sure you become compliant with the standard. The ISO 27002 outlines and offers guidance on how to apply controls that are included in Annex A of ISO 27001.

Having the ISO 27001 certification will convey to your customers that you are keeping their data safe and secure, making you a business they can trust. If you are considering implementing an ISMS you should consider using both the ISO 27001 & ISO 27002 as a reference framework.