Articles & Blogs

ISO 27001 AND ISO 27002 Correlation & Differences in the updated versions of 2022

September 2, 2022 | By Accorian
Difference between ISO 27001 & ISO 27002

(ISO/IEC 27001:2022 and ISO/IEC 27002:2022)

Written by Kiran Murthy & Tathagat Katiyar II 

ISO 27001 – A Framework for Information Security Management Systems

ISO 27001 is an ISMS (Information security management system) standard that emphasizes a risk-based approach to the management of people, processes, and technological controls. The standard’s structured nature to auditing people and technology interdependence enables the measurement, comparison, and improvement of multiple operational benchmarks if security breaches are detected.

The current standard, ISO/IEC 27001:2013, will shortly be replaced by ISO/IEC 27001:2022, the new international standard for information security management and will be renamed from “Information technology – Security techniques – Code of conduct for information security controls” to “Information security, cybersecurity, and privacy protection – Information security controls.”

Why should organizations implement ISO 27001

Businesses of all sizes face an imminent threat due to complex attacks, driven attackers and lack of current . Securing an organization’s information framework requires ensuring that security measures, controls, and policy guidelines fit the specific demands of an organization.

Adopting a proven security management system can fill gaps utilizing accurate and tried best practices. ISO 27001 is much more than a security standard. When implemented, the standard includes all stakeholders across the organization and has a scalable design that allows individuals, business units, or the whole organization to take responsibility for security in their environment.

This method aids management in strengthening security and increasing danger awareness at all levels of the organization. The ISO 27001 audit is frequently part of a more extensive organizational assessment that looks at all aspects of processes, technologies, and supply chains.

ISO 27001 a risk-based framework

Understanding that ISO 27001 is not a compliance tool but rather a risk-based framework and approach is critical. A risk-based strategy means that resources, cost, and time can be invested in minimizing threats based on the weightage of each threat and severity of the business risk. Thus making it possible to devote resources to initiatives that provide the greatest return on investment, rather than wasting time and money on “ticks in the compliance box” that have no real value.

What is the difference between ISO 27001 and 27002?

The distinguishing factor between ISO 27001 and ISO 27002 is that although an organization may achieve ISO 27001 certification, it cannot get ISO 27002 certification.

ISO 27001 is the primary standard, whereas ISO 27002 is a set of support controls that serves as a guideline and assists organizations in implementing best security practices to get ISO 27001 certification. They are following the same ISO 27000 Family.

How will the new ISO 27002 standard affect existing ISO 27001 certification or the current "first-time" implementation of the standard ?

If the 2022 revision of ISO 27001 is broadly identical to the 2013 revision, a recent version of Annex A will be applicable once the standard is published. This will be consistent with the controls specified in the new ISO 27002.

At the very least, organizations are expected to evaluate their risk assessment, identify appropriate new controls, and modify the ‘Statement of Applicability’ considering the revised ‘Annex A’. Organizations should evaluate the controls for any implementation modifications, as there are some new controls and revised guidelines for the remaining controls.


As previously stated, organizations are reminded that controls listed in ISO/IEC 27001 Annex A are not mandatory. ISO/IEC 27001 contains only two requirements: the use of Annex A’s control set as a reference for the comparison process (6.1.3 c)) and the development of a ‘Statement of Applicability’ (6.1.3 d)). These standards remain unaltered in ISO/IEC 27001:2022 and are essential to prevent accidental omissions.

Control themes of ISO 27001:2022

Control themes of ISO 27001:2022

Market assurance and governance

The advantages of deploying an information security management system (ISMS) is classified into these two key categories: Market Assurance and Governance.

Market Assurance refers to an information security management system’s (ISMS) ability to build market confidence in an organization’s ability to protect sensitive data. It demonstrates to external parties – clients, partners & investors that the organization will safeguard and maintain the security posture (including confidentiality, integrity, availability, and privacy of the customer’s information).

Governance is a collection of executive management responsibilities and processes to provide strategic direction, ensure objectives are being met, verify that risks are effectively managed, and validate that the enterprise’s resources are used effectively and responsibly.

To Summarize

The advantage of implementing the new controls is that because they are attribute-based, it is easier to focus on organization selections, which may reduce their compliance burden or help them see how to integrate the organization’s security processes better, thereby simplifying the implementation and management of the organization ISMS (information security management system).

Recent Blog

Ready to Start?

Ready to Start?

Drop your CVs to

Interested Position

Download Case study

Download SOC2 Guide