There’s a lot of confusion in the industry between ISO 27001 and ISO 27002. First, let’s talk about ISO 27001. ISO 27001 is the core document of the ISO 27001 Information Security Management System (ISMS) program. ISO 27001 outlines all of the mandatory and non-mandatory documentation you need to provide in order to construct your ISMS. Additionally, ISO 27001 also includes all of the Annex A controls, which represent the core and foundational controls that should be in place within any ISO 27001 ISMS.
Next is ISO 27002. We most often see companies trying to use ISO 27002 as a substitute for, or a point of comparison with, other industry frameworks such as PCI, HIPAA, and NIST. This is actually a misapplication of how ISO 27002 is intended to be used. ISO 27002 is intended to complement the ISO 27001 ISMS. Controls should be selected purposefully and carefully from ISO 27002 to mitigate the risks identified while building out your information security management system. In other words, an organization should use both documents. ISO 27001 is the core document and outlines how to build your ISMS, whereas ISO 27002 is meant to provide a catalog of controls that can be selected from in order to mitigate the risks identified as part of your ISO 27001 process. While the ISO 27002 document is a great resource and catalog of controls, the intent of that document is not for you to implement all of the controls.