ISO 27001 vs ISO 27002: Understanding the Difference and How They Work Together
Understand the critical difference between ISO 27001 (certification framework) and ISO 27002 (control guidance). Learn which audiences they serve, whether companies can be certified, and training options at reconn.
ISO 27001 is the certification framework for information security management systems (ISMS); ISO 27002 is the guidance library providing 93 detailed security controls for implementation.
ISO 27001 and ISO 27002 are often mentioned together in information security conversations, but they serve different purposes and apply to different audiences. Many organisations and professionals confuse these two standards — some assume they are one-and-the-same, while others struggle to understand how they complement each other. This guide explains what each standard is, how they differ, which audiences they serve, and how you can get certified or trained in both. Whether you're implementing information security at your organisation or developing practitioner expertise, understanding this distinction is foundational.
Key Takeaways
ISO 27001 is the certification standard that defines the requirements for establishing, implementing, and maintaining an information security management system (ISMS) across an organisation.
ISO 27002 is the control library providing 93 detailed security controls and implementation guidance that organisations reference when designing their ISMS.
They are complementary, not interchangeable — ISO 27001 sets the framework; ISO 27002 provides the control toolkit to fill it.
Only organisations can be ISO 27001 certified; individuals instead pursue ISO 27001 Lead Auditor or Lead Implementer credentials. ISO 27002 has no organisational certification; only individuals can be certified against it, as ISO 27002 Lead Manager.
What is ISO 27001?
ISO/IEC 27001:2022 is the international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It is a certification standard — meaning organisations can be audited against it and earn formal certification. The standard does not dictate which controls you must use; instead, it requires you to follow a structured process: identify your information security risks, select controls to treat those risks, document your choices, and prove you're managing them effectively.
ISO 27001 has 10 clauses; clauses 4–10 carry the mandatory requirements, and Annex A lists the controls:

| Clause | What It Covers |
|---|---|
| Clause 4 | Context: understanding your organisation and what information matters to it |
| Clause 5 | Leadership: top-management commitment and governance |
| Clause 6 | Planning: risk assessment and treatment strategy |
| Clause 7 | Support: resources, competence, awareness, and communication |
| Clause 8 | Operation: executing the security controls you've chosen |
| Clause 9 | Performance Evaluation: monitoring, measurement, and audit |
| Clause 10 | Improvement: handling non-conformities and driving continual improvement |
| Annex A | The Statement of Applicability: risk-based selection of 93 controls from ISO 27002 |
Organisations pursuing ISO 27001 certification must follow this structured approach and pass an independent audit. The audit covers both the management system clauses (4–10) and your implementation of selected controls from Annex A.
What is ISO 27002?
ISO/IEC 27002:2022 is the international standard that provides a comprehensive reference set of 93 information security controls, implementation guidance, and best practices for organisations establishing or improving their information security posture. It is a guidance standard — not a certification standard. You cannot be certified to ISO 27002 as an organisation. Instead, organisations reference it as a toolkit when selecting controls for their ISMS.
The 93 controls in ISO 27002 span five categories: organisational, people, physical, technical, and communication/operations.
Each control includes implementation guidance specific to different organisational contexts — startups, SMEs, enterprises, and sector-specific environments. ISO 27002 also serves as the reference for other standards: it's cited by ISO 27001, aligned with NIST frameworks, and used as a benchmark in regulatory assessments.
Key Differences Between ISO 27001 and ISO 27002
The clearest distinction is purpose: ISO 27001 is a certification framework; ISO 27002 is a guidance library. Here are the core differences:
| Aspect | ISO 27001 | ISO 27002 |
|---|---|---|
| Standard Type | Certification / Requirement | Guidance / Best Practice |
| Auditable? | Yes — independent audits lead to formal certification | No — used as reference only |
| Mandatory Controls | Clauses 4–10 are mandatory; Annex A controls are risk-driven (SoA-based) | No mandatory controls — all are selectable based on context |
| Who Uses It? | Organisations seeking certification and compliance | |
| | Sets the framework and process; doesn't prescribe control specifics | Provides detailed control descriptions, objectives, implementation notes, and context-specific examples |
| Control Count | References 93 controls (from Annex A and external sources) | Defines 93 controls with full guidance |
| Lifecycle Stage | Ongoing — requires continuous monitoring, audit, and improvement | Reference — consulted during planning and implementation phases |
How They Work Together
ISO 27002 is the control library that organisations consult when implementing ISO 27001. The relationship is hierarchical: ISO 27001 tells you how to build an ISMS; ISO 27002 tells you which controls exist and how to implement them.
Here's the workflow:
1. Risk Assessment (ISO 27001, Clause 6): You identify information assets and the risks they face based on your organisation's context.
2. Control Selection (ISO 27001, Annex A + ISO 27002): You review the 93 controls in ISO 27002 and select those that align with your identified risks. You document this selection in a Statement of Applicability (SoA).
3. Implementation (ISO 27002 guidance): You use ISO 27002's implementation notes, context-specific examples, and best practices to deploy each selected control.
4. Audit (ISO 27001, Clauses 9–10): An independent auditor verifies that your ISMS meets Clauses 4–10 and that your controls from the SoA are effectively implemented.
5. Certification: If you pass, you receive ISO 27001 certification — not ISO 27002 certification.
In summary: ISO 27001 is the "what and how" of building an ISMS; ISO 27002 is the "which controls and implementation details."
💡 Key Point: You do not "implement ISO 27002" — you implement controls referenced in ISO 27002 as part of your ISO 27001 ISMS. Many organisations mistakenly believe they need a separate "ISO 27002 implementation project" — they don't. ISO 27002 is the reference guide; ISO 27001 is the management system you're building.
Certification Options: Company vs. Individual
Organisational Certification (ISO 27001)
Only organisations — not individuals — can be ISO 27001 certified. Your company undergoes an independent audit by a PECB-accredited certification body. If you pass, your organisation receives an ISO 27001 certificate valid for three years, with annual surveillance audits required.
Who pursues this?
Companies handling sensitive customer data (e.g., financial, healthcare, government contractors)
Organisations required by regulation (e.g., GDPR, NCA ECC in Saudi Arabia, DPA requirements)
Service providers needing to demonstrate security to clients
Any organisation building trust and competitive advantage through formal security commitment
Individual Certifications (ISO 27001 Pathway Recommended)
For individuals, we recommend the ISO 27001 pathway as the primary route. ISO 27001 Lead Implementer and Lead Auditor certifications provide comprehensive expertise that inherently covers ISO 27002 principles — you learn the controls as part of mastering the full ISMS framework. This is the most valuable and widely recognized professional credential.
ISO 27001 Lead Implementer
For professionals responsible for designing, implementing, or overseeing the day-to-day operation of an ISMS. You learn to translate ISO 27001 requirements into practical controls, manage implementation projects, and prepare organisations for certification. The curriculum covers Annex A controls in depth — effectively teaching ISO 27002 within the 27001 context. After training and passing an exam, you earn the PECB Certified ISO 27001 Lead Implementer credential.
ISO 27001 Lead Auditor
For professionals auditing ISMS implementations. You learn how to assess organisations against ISO 27001 requirements, conduct certification audits, and identify non-conformities. Many Lead Auditors work for certification bodies or as independent consultants. After training and passing an exam, you earn the PECB Certified ISO 27001 Lead Auditor credential.
ISO 27002 Lead Manager (Optional Specialist Path)
For professionals focused specifically on information security control design and implementation. This credential demonstrates expertise in interpreting the 93 ISO 27002 controls in your organisational context. However, we recommend completing ISO 27001 Lead Implementer or Lead Auditor first — it provides a stronger, more comprehensive foundation. ISO 27002 Lead Manager is ideal as a secondary certification for control specialists.
🎯 Professional Pathway Recommendation: Start with ISO 27001 Lead Implementer or Lead Auditor. The 27001 curriculum extensively covers the 93 controls from ISO 27002 in practical context. You will master control design, selection, and implementation as part of the ISMS framework — making you equally capable of working with ISO 27002 controls independently. This path offers broader career opportunities and deeper expertise than specializing in ISO 27002 alone.
ISO 27001 & 27002 Training at reconn
reconn is a top-rated, most affordable PECB-authorized training provider for both ISO 27001 and ISO 27002 certifications, with expert implementation services to back up your learning. We offer flexible training formats designed for working professionals. All classes run in the evening to accommodate full-time work schedules.
ISO 27001 Lead Implementer & Lead Auditor — 4 Training Formats
Format 1: Self-Study (Most Affordable)
Self-study lets you learn at your own pace with structured curriculum and exam access. You get the full PECB training materials, lifetime access to course content, and two exam attempts included. Most learners complete self-study in 4–6 weeks, dedicating 8–10 hours per week. It's ideal for professionals with strong self-discipline or those needing maximum cost savings.
Price: Starting from $799 (includes materials and 2 exam vouchers)
Format 2: eLearning (On-Demand, Self-Paced)
Pre-recorded eLearning modules with structured curriculum, allowing you to study whenever you want. Unlike live classes, you control the pace entirely. All materials are provided, and you can revisit videos and notes as needed. Ideal for professionals with unpredictable schedules or those who prefer to learn independently but with professionally produced content.
Price: Starting from $899 (includes materials, on-demand video access, and 2 exam vouchers)
Format 3: Live Online (Small Cohort, Evening Classes)
Live online instructor-led classes held in the evening over 4–5 days, with a small cohort (max 12 participants). You interact with your cohort, ask questions live, and get clarification on the toughest concepts. Classes run in the evening (typically 6:00–9:00 PM your local time) to accommodate full-time work schedules. Each session is recorded, so you have replay access if you miss a day.
Price: Starting from $1,199 (includes all materials, live instruction, recorded sessions, and 2 exam vouchers)
Format 4: Private Mentoring (1-on-1 Expert Guidance)
If you need deep, personalised guidance — whether you're struggling with exam prep, implementing ISO 27001 at your organisation, or transitioning from another certification — we offer 1-on-1 private sessions with Shenoy Sandeep, founder of reconn and a CAIP-certified expert with 20+ years in cybersecurity and enterprise AI governance.
Private mentoring covers:
In-depth knowledge of information security and cybersecurity in your role
Real-world ISO 27001 implementation challenges and how to solve them
Exam coaching tailored to your learning style and pace
Integration of ISO 27001 with other governance frameworks (ISO 27002, ISO 42001, NIST, etc.)
Career planning in information security and governance
Get in touch directly: WhatsApp +971-585-726-270 or email hello@reconn.io to schedule your first session and discuss pricing. Sessions are live, online, and can be scheduled around your availability.
ISO 27002 Lead Manager — Self-Study Only
The PECB ISO/IEC 27002 Lead Manager certification is available exclusively in self-study format at reconn. This course enables you to acquire comprehensive knowledge and understanding of the implementation and management of information security controls based on ISO/IEC 27002. However, as mentioned above, we recommend completing ISO 27001 Lead Implementer or Lead Auditor first for a broader foundation.
ISO 27002 Lead Manager includes:
Comprehensive knowledge of the 93 controls across 5 categories
Understanding of how to determine, implement, and manage controls in your organisational context
Interpretation of ISO 27002 controls specific to different organisation types and risk profiles
Two exam attempts included
Price: $799 for self-study (includes materials and 2 exam vouchers). For live online or private mentoring formats of ISO 27002, contact us directly on WhatsApp +971-585-726-270 or email hello@reconn.io.
🎯 Why reconn? We are PECB-authorized trainers with 20+ years of practitioner expertise. Every course includes live support, personalised attention, and real-world insights from professionals who've implemented ISO 27001 and ISO 27002 in organisations across the Middle East, Africa, Europe, and globally. We also offer implementation services — if you need hands-on help building your ISMS after certification, we can guide you through the entire process. All classes are designed for working professionals — evening schedules, flexible formats, expert instructors.
Ready to start your ISO 27001 journey?
Choose your training format and get certified. Whether you prefer self-study, on-demand eLearning, live cohort classes in the evening, or personalised 1-on-1 mentoring — we have a path for you. Prices start as low as $799. Explore ISO 27001 Lead Implementer options →
ISO 27001 Lead Auditor
Learn to audit ISMS implementations and advance to professional auditor credentials. This course teaches you to conduct certification audits, assess organisational compliance, and identify gaps — critical skills for auditors, consultants, and internal audit teams. Perfect if you want to move into a third-party or internal audit role. Enroll in ISO 27001 Lead Auditor →
Frequently Asked Questions
What is the core difference between ISO 27001 and ISO 27002?
ISO 27001 is a certification standard that defines the requirements for building and managing an information security management system (ISMS). ISO 27002 is a guidance standard that provides 93 detailed security controls and implementation best practices. ISO 27001 tells you the framework and process; ISO 27002 tells you which controls exist and how to implement them. You can be certified to ISO 27001 as an organisation; you cannot be certified to ISO 27002, though individuals can be certified as ISO 27002 Lead Managers.
Do companies need both ISO 27001 and ISO 27002?
Your organisation needs ISO 27001 certification if you want formal, third-party recognition of your information security governance and management system. ISO 27002 is not something you "need" separately — it's automatically referenced as part of your ISO 27001 implementation. When you build your ISMS under ISO 27001, you select and implement controls from ISO 27002 (and potentially other sources) based on your risk assessment. Think of 27001 as the framework; 27002 is the toolkit you consult to fill it.
Can individuals get certified in ISO 27002?
Yes — individuals can earn the PECB Certified ISO 27002 Lead Manager credential by completing the PECB ISO/IEC 27002 Lead Manager training and passing an exam. However, we recommend starting with ISO 27001 Lead Implementer or Lead Auditor first, as these certifications comprehensively cover ISO 27002 controls within the full ISMS framework. ISO 27001 credentials provide broader career opportunities and deeper expertise. Contact us on WhatsApp +971-585-726-270 or email hello@reconn.io to enrol in ISO 27002 Lead Manager self-study.
Can a company be certified to ISO 27002?
No — only organisations can be certified to ISO 27001. ISO 27002 is not a certification standard; it's a guidance and best practice standard. When an organisation pursues ISO 27001 certification, the auditor checks that your selected controls (many of which come from ISO 27002) are implemented and effective. The certificate you receive is "ISO 27001 certified," not "ISO 27002 certified."
Is ISO 27001 certification mandatory for companies?
ISO 27001 certification is not legally mandatory for most companies in most jurisdictions, but it is required or strongly expected by: government contractors (many countries require supplier security audits), financial institutions (banking regulators often mandate ISMS frameworks), healthcare organisations (HIPAA and similar regulations expect formal information security), and data processors under GDPR (data protection authorities increasingly expect ISO 27001 or equivalent controls). Beyond compliance, many organisations pursue certification voluntarily to build customer trust, meet vendor requirements, and reduce risk. If you handle sensitive data or serve regulated sectors, check with your regulator or customers — certification may be de facto mandatory even if not formally required by law.
What's the relationship between ISO 27001:2022 and ISO 27002:2022?
Both standards were updated in 2022. ISO 27001:2022 maintains the same 10-clause structure and Annex A (which lists 93 controls), but clarifies management system requirements and governance expectations. ISO 27002:2022 reorganised the 93 controls into five categories (organisational, people, physical, technical, communication/operations) and added context-specific implementation guidance for different organisation sizes and sectors. The relationship is unchanged: 27001 is the certification framework, 27002 is the guidance library for control implementation. If you're currently operating under ISO 27001:2013, updating to the 2022 version is highly recommended — the newer version addresses modern risks (cloud, AI, remote work) more explicitly.
What training formats does reconn offer for ISO 27001?
reconn delivers ISO 27001 Lead Implementer and Lead Auditor training in four flexible formats designed for working professionals: (1) Self-Study — most affordable, learn at your own pace, starting from $799; (2) eLearning — on-demand pre-recorded modules, starting from $899; (3) Live Online (Small Cohort) — structured evening classes (6–9 PM) over 4–5 days with a small group, starting from $1,199; (4) Private Mentoring with Shenoy Sandeep — 1-on-1 expert guidance for in-depth knowledge, exam coaching, and real-world implementation support. All formats include course materials, exam vouchers, and support. Contact us on WhatsApp +971-585-726-270 or email hello@reconn.io to discuss which format works best for you.
Are evening classes really available for working professionals?
Yes — all live online cohort classes at reconn are scheduled in the evening (typically 6:00–9:00 PM your local time) specifically to accommodate working professionals. We understand you have a day job, and we've designed our schedule around that reality. Live online classes run over 4–5 days, and each session is recorded, so you have replay access if you miss a day. Self-study and eLearning are fully flexible — learn whenever you want. For 1-on-1 private mentoring, we work with your schedule. Contact us to check upcoming class dates and enrol.
Can reconn help with ISO 27001 implementation at my organisation?
Yes — reconn is an expert ISO 27001 implementation and certification services provider, not just a training company. Beyond certification courses, we work with organisations to design, implement, and audit ISMS across all industries in the Middle East, Africa, Europe, and globally. Our implementation services include: risk assessment and control design; ISMS policy and documentation; control implementation guidance; internal audit preparation; and certification readiness. If you're pursuing ISO 27001 certification and want hands-on expert support beyond training, we can guide you through the entire journey. Contact us on WhatsApp +971-585-726-270 or email hello@reconn.io for a consultation.
Ready to Get Certified?
Start Your ISO 27001 Journey Today
Choose your certification path and training format. Whether you're seeking personal certification, leading your organisation's ISMS, or specialising in control management — reconn has a programme for you. All formats include expert instruction, comprehensive materials, and exam support.
ISO 27001 Lead Implementer + Lead Auditor Bundle — Get both certifications at a combined discount. View Bundle Offer →
ISO 27002 Lead Manager Certification — Specialise in control design and lifecycle management. Available in self-study ($799). For other formats, contact us directly.
Shenoy Sandeep is the Founder of reconn, an AI-first cybersecurity firm based in Dubai, UAE, which helps startups and enterprises scale across the Middle East and African region. With 20+ years across offensive security, threat intelligence, and enterprise risk, and over 10 years in Enterprise AI, AI governance, and Business Continuity, he brings a practical, execution-driven approach to information security and AI governance.
He is a PECB-certified trainer and one of the world's early PECB-certified AI professionals, specialising in ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 42001, ISO 22301, and ISO 9001. He has personally implemented and certified organisations across the Middle East, Africa, Europe, USA, and APAC regions.