What is the difference between ISO 27001 and ISO 27002?

ISO 27002 is a supporting document that provides guidance on 93 best practice information security controls that can be implemented to help mitigate the risks identified by your ISO 27001 risk assessment. The ISO/IEC 27002:2022 Standard restructured and rationalised the previous 114 controls, and added a further 11 controls to the structure, reflecting the evolving IS technologies and the emergence of new threats.

In fact, these 93 controls are replicated in Annex A of ISO 27001 and you are required to consider all of them when determining the most appropriate actions to mitigate your risks.

The controls are separated into 4 main themes: organisational, people, technological and physical. The Standard also introduced 5 ‘attributes’, where you can assign hashtags to controls to enable you to filter, sort, or present controls in different ways. More information can be found here.
