The International Organization of Standardization (ISO) has created thousands of standards to help organizations meet universally recognized standards across various sectors. ISO 27001 and ISO 27002 are two standards that were created by ISO that relate to information security. 

‍

In this article, we’ll explain what ISO 27001 and ISO 27002 are, how these two documents are related, and how to use them to strengthen your organization’s data security.

‍

What is ISO 27001?

ISO 27001 is a globally recognized security framework that assesses how an organization protects its customer’s data. It’s a set of guidelines for establishing, enhancing, and managing a secure information security management system (ISMS).

‍

ISO 27001 is recognized worldwide across numerous industries. The document includes a list of requirements that a strong ISMS must meet, along with an appendix called Annex A which lists specific security controls to implement when applicable to meet those requirements.

{{cta_withimage1}}

What is ISO 27002?

ISO 27002 is a complementary document to the ISO 27001 standard, serving as an implementation guide for ISO 27001. ISO 27002 provides a thorough explanation for each of the controls listed in Annex A, when it should be implemented, and instructions on how to best implement it. 

‍

‍

What’s the difference between ISO 27001 and ISO 27002?

Both ISO 27001 and ISO 27002 can help you create a powerful and thorough ISMS, but serve different purposes in the process of getting compliant. Instead of choosing between these two documents, you’d want to use the ISO 27001 framework and the ISO 27002 guide together.

‍

We’ll cover some of the differences between these two documents and how to use them together: 

‍

Certification vs. guidance

The biggest difference between ISO 27001 and ISO 27002 is the purpose of each document. The goal of ISO 27001 is certification — it provides criteria your ISMS needs to meet to get compliant and pass your audit. The goal of ISO 27002 is to guide your implementation of ISO 27001. There is no ISO 27002 certification. 

‍

Scope of content

ISO 27001 and ISO 27002 each cover different topics and details. ISO 27001 covers the core requirements for your ISMS and includes Annex A that lists the security controls you can implement to meet those requirements. It covers each control briefly, with only a sentence or two explaining each one. ISO 27002 doesn’t include the core requirements for your ISMS but goes into extensive detail about each of the controls listed in Annex A and how to implement them.

‍

When to use ISO 27001 vs. ISO 27002

In the process of building and maintaining a strong ISMS, you won’t need to choose between ISO 27001 and ISO 27002 as you’ll use both of these documents at different times in the process.

‍

It’s best to start with ISO 27001 to understand the standard, its requirements, and which of the Annex A controls you should implement. You’ll then use ISO 27002 for guidance on implementing those controls.

‍

Simplify your ISO 27001 certification

With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 can look like: 

‍

• Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
• Assess your risk holistically from one unified view.
• Identify areas of non-compliance with in-platform notifications.
• Get a checklist of actions to help you make the needed changes. 
• Automate evidence collection and centralize all your documents in one place.
• Find a Vanta-vetted auditor within the platform. 
• Complete your ISO 27001 certification in half the time. 

‍

By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo. 

{{cta_simple2}}