5 Critical Differences Between ISO 27001:2022 and ISO 27002:2022

Compliance almost always feels like one of those alphabet soups that you ate when you were sick. You needed to eat, but it wasn’t exactly what you wanted to eat regularly. If you’re a business that needs to comply with the International Organization for Standardization (ISO) 27000 series, the different numbers and acronyms feels like that nourishing yet unexciting alphabet soup.

Understanding the critical differences between ISO 27001:2022 and ISO 27002:2022 helps you align your business objectives to your compliance goals so keep reading for a breakdown. 

What is ISO 27001:2022?

ISO 27001:2022 is the framework specifying the requirements an organization should use when establishing, implementing, maintaining, and continually improving an information security management system (ISMS). 

Intended to be applicable to companies of all sizes and across all industry verticals, the generic requirements include the information security risk assessment and treatment.

What is ISO 27002:2022?

ISO 27002:2022 provides a set of generic information security controls that organizations use when establishing and maintaining an ISMS. Since the information security controls are based on internationally recognized best practices, organizations can implement them as listed or use them to develop organization-specific information security management controls. 

Similarly, organizations can choose to use a completely different control set when implementing ISO 27001:2022 rather than using or customizing the controls listed in ISO 27002:2022.

5 Critical Differences Between ISO 27001:2022 and ISO 27002:2022

Although the two documents work together, they have several significant differences.

Purpose

ISO 27001 outlines the foundational qualities that start by:

• Understanding your organization and its context.

• Understanding the needs and expectations of different internal and external stakeholders.

• Determining the ISMS’s scope.

ISO 27002 supplements by outlining and detailing the controls that you will implement to support the way your ISMS addresses your information security risk. Additionally, it provides guidance around how to implement these controls. 

Contents

As the purpose of each document drives the content, the information each one contains differs. 

ISO 27001 defines seven clauses, which are broken into subclauses. The first three sections of the ISO 27001 are administrative information such as scope, definitions, and similar items and are not actionable by an organization implementing ISO 27001. 

The remaining clauses and their subclauses focus on how to establish, implement, and maintain an internal program based on processes, including:

• Leadership

• Planning

• Support

• Operation

• Performance evaluation

• Improvement

Meanwhile, ISO 27002 contains the controls that support the processes outlined in ISO 27001. The document details the 93 controls that it separates according to four themes:

• Organizational

• People

• Physical

• Technological

Level of Detail About Controls

Although both documents discuss the information security controls, ISO 27001 only provides a very high-level list in its Appendix A. 

ISO 27002 goes into far more detail, providing the following for each control:

• Short name for the control

• A table outlining the control’s attributes

• What the control is

• Why you should implement the control

• How you should implement the control

• Additional explanations or references to other related documents

Applicability

When establishing an ISMS, every organization needs to incorporate ISO 27001’s requirements. The document specifically explains under Scope:

Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document. 

However, the fundamental basis of your ISO 27001 implementation is your organization’s risk assessment and treatment. 

Based on how your organization defines risk and chooses to treat risk, you may not need to implement every single ISO 27002 control. ISO 27002:2022’s Annex A exists to show organizations how they can use attributes so that they can create different views of controls. In section Annex A, section A.2, ISO notes:

Organizations can discard the examples of attributes proposed in this document and create their own attributes with different values to address specific needs in the organization. In addition, the values assigned to each attribute can differ between organizations. 

While organizations need to have all the components of an ISMS listed in ISO 27001, they can implement controls based on ISO 27002:2022 in a way that makes sense for their unique business and security needs. 

Certification

ISO certifications only apply to an organization’s ability to conform to ISO 27001. 

To achieve an ISO 27001 certification, you need to:

1. Create a project plan that defines responsibilities, oversight, and milestone management.

2. Define the ISMS’s scope by determining whether it will encompass the entire organization or focus on a single department/system.

3. Perform a risk assessment that focuses on identifying risks applicable to the scope you defined in step two and how to mitigate those risks.

4. Engage in a gap assessment that identifies current controls and determines additional controls needed to fully mitigate risk.

5. Design, implement, and document policies, and controls. 

6. Document and collect evidence proving that policies and controls function as intended.

ISO 27002 doesn’t have a certification because it’s just a list of optional controls. However, most organizations will use ISO 27002 for steps four through six of the certification process. 

How Do ISO 27002:2022 Controls Support ISO 27001 Compliance?

Understanding how the documents work together is easier when you have a concrete example. 

ISO 27001 ISMS Requirement

Within Clause 6 Planning, Subsection 6.2 states:

When planning how to achieve its security objectives, the organization shall determine:

• What will be done. 

• What resources will be required.

• Who will be responsible.

• When it will be completed.

• How the results will be evaluated.

This section is about planning the control implementations that mitigate risk as determined within the risk assessment. To determine the controls, you look at ISO 27001’s Annex A. 

Within Annex A, you’ll find the following control,

5.9 Inventory of information and other associated assets: An inventory of information and other associated assets, including owners, shall be developed and maintained.

ISO 27002:2022

All the details about control 5.9 are outlined in ISO 27002. 

27002 defines the purpose as:

To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. 

The Guidance section provides additional information including:

• Identifying assets

• Categorizing them by importance based on the type of data associated with them

• Keeping the inventory accurate and updated

• Conducting regular reviews 

• Automatically enforcing updates when installing, changing, or removing an asset

• Detailing the asset owner duties

Control Implementation

An example of the control implementation would be an asset inventory that contains a list of all assets listed as high, medium, and low risk based on the data they process, manage, or store. It would also list the person responsible for managing and updating it, the date of the most recent entry, and the operating system/software/firmware version. 

Automation and Continuous Monitoring for ISO Certification

Using Drata’s platform, you can assess risk and engage in a gap assessment to accelerate your audit readiness. 

Our automated asset inventory, pre-built risk self-assessments, pre-mapped controls, endpoint monitoring tool, and built-in security training save you money by automating manual tasks associated with implementing and documenting ISO compliance activities.  

With our platform continuously monitoring your environment, you gain real-time visibility into your compliance posture. Our in-platform documentation ensures that you have the evidence collection, asset and personnel tracking, and access control workflow automation needed to achieve your ISO certification goals. 

If you’re struggling to determine what controls you should implement, book a demo with our team of compliance experts who will answer the questions that get you compliant and help you stay compliant.