ISO27001 vs ISO27002

So, you have started your journey into the world of ISO27000 and the first stumbling block is the number of standards. Why so many? What do they do? Where do I start? It is all a little confusing but don’t worry, I am here to help!

First of all, congratulations! The fact that you are this far means you are serious and doing research into the 27000 series. So, let’s look at the standards overall. The ISO27000 series of standards is all about “Information Security”: the protection of the confidentiality, integrity and availability of your information assets. No, it’s not just about cyber security! There are lots of standards in the 27000 series, but here are the highlights:

ISO27001: This is the standard to which companies certify. It lays out the clauses of the international standard that you MUST implement and maintain (clauses 4-10). Annex A of this standard contains 114 “optional” controls that help you control risks to your information security.

ISO27002: This is a guidance document for implementing ISO27001. The controls within Annex A of 27001 are brief and contain statements that can seem a little vague. 27002 will help you implement these controls. If you are implementing 27001 for the first time, or perhaps without consultant help, this ISO can be useful!

ISO27005: This document is about information risk management. Clause 6 of ISO27001 talks about risk, threat, vulnerability and treating these risks. 27005 is a good document if you are unfamiliar with these terms or if you need help doing your risk assessments. If you have a good consultant helping you, then you probably won’t need this standard.

There are lots of standards within the 27000 family, but you can ONLY certify to 27001. The rest are just “support” documents. All of the standards can be purchased from the ISO web site or from your friendly consultant.

If you need help or have any questions why not contact us for a free, informal chat.

Thanks for reading!