What Are ISO/IEC 27001:2022 and ISO/IEC 27002:2022? Purpose, Relationship, and How to Use Them Together
| Fact | Detail |
|---|---|
| Publishing body | International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) [1] |
| Current versions | ISO/IEC 27001:2022 (published October 2022) and ISO/IEC 27002:2022 (published February 2022) [1] |
| ISO 27001 certificates worldwide | Over 70,000 across 150+ countries [2] |
| ISO 27001 Annex A controls | 93 controls across 4 themes [3] |
| Previous version (2013) | 114 controls across 14 domains [3] |
| New controls added in 2022 | 11 new controls (including threat intelligence, cloud security, data masking, secure coding) [4] |
| Transition deadline | Organizations certified to the 2013 version must transition to the 2022 version by October 31, 2025 [5] |
If you are researching information security standards, you will quickly encounter two documents that are referenced constantly — often interchangeably, and often incorrectly: ISO/IEC 27001 and ISO/IEC 27002.
They are closely related but fundamentally different. Confusing their roles leads to wasted effort, misaligned implementation, and audit preparation that misses the mark. One is the standard you certify against. The other is the guide that tells you how to implement the controls.
This post explains both standards clearly — what each one is, what it is for, how they relate, how they changed in the 2022 revisions, and how organizations use them together in practice. If you are building an ISMS and need expert support, nank.ai provides Compliance-As-A-Service that encodes both standards into guided, actionable workflows.
What Is ISO/IEC 27001?
Definition
ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The current version is ISO/IEC 27001:2022, which replaced the previous ISO/IEC 27001:2013.
ISO 27001 is the requirements standard. It defines what an organization must do. It is the standard against which an organization is audited and certified by an accredited certification body.
What Does ISO 27001 Contain?
ISO 27001 is organized into two major sections:
Clauses 4–10: The Management System Requirements
These seven clause groups define the mandatory structure and governance of the ISMS:
| Clause | Title | What It Requires |
|---|---|---|
| Clause 4 | Context of the Organization | Understand internal/external issues, identify interested parties and their requirements, define the ISMS scope |
| Clause 5 | Leadership | Top management commitment, information security policy, organizational roles and responsibilities |
| Clause 6 | Planning | Risk assessment, risk treatment, Statement of Applicability, security objectives |
| Clause 7 | Support | Resources, competence, awareness, communication, documented information (document control) |
| Clause 8 | Operation | Operational planning and control, performing risk assessments and implementing risk treatment |
| Clause 9 | Performance Evaluation | Monitoring, measurement, analysis, evaluation; internal audit; management review |
| Clause 10 | Improvement | Nonconformity, corrective action, continual improvement |
Every clause is mandatory. There is no option to exclude any management system requirement.
Annex A: The Control Reference
Annex A provides a reference list of 93 information security controls organized into four themes. These controls are not automatically required. The organization determines the controls it needs from its risk treatment, compares that set against Annex A (Clause 6.1.3 c) to verify that no necessary control has been overlooked, and records every inclusion and exclusion, with a justification, in the Statement of Applicability (SoA).
Annex A in ISO 27001 provides only a brief title and description for each control. For detailed implementation guidance, organizations must refer to ISO/IEC 27002.
What Is the Purpose of ISO 27001?
- Define what a compliant ISMS looks like. The standard provides a universally accepted specification for an information security management system.
- Provide the basis for independent certification. ISO 27001 is an auditable requirements standard.
- Establish a common language for security assurance. When an organization says “we are ISO 27001 certified,” it communicates a verified, internationally understood meaning.
How Is ISO 27001 Used?
| Use Case | Description |
|---|---|
| Certification | Pursuing formal certification to demonstrate compliance to customers, regulators, and partners |
| Framework for ISMS design | Using the clause structure and Annex A as the blueprint for building an information security program |
| Customer assurance | Sharing the certificate and audit results with customers as evidence of security maturity |
| Regulatory alignment | Using ISO 27001 as a foundation for meeting regulatory requirements (GDPR, NIS2, DORA, HIPAA) |
| Supply chain security | Requiring ISO 27001 certification from vendors and third-party service providers |
What Is ISO/IEC 27002?
Definition
ISO/IEC 27002 is an international standard that provides guidance for implementing the information security controls referenced in ISO 27001 Annex A. It is a companion document — not a replacement and not a standalone framework.
The current version is ISO/IEC 27002:2022, titled Information security, cybersecurity and privacy protection — Information security controls.
ISO 27002 is the guidance standard. It explains how to implement each control. It is not auditable for certification purposes.
What Does ISO 27002 Contain?
For each of the 93 controls referenced in ISO 27001 Annex A, ISO 27002 provides:
- Control title: The name of the control.
- Attribute table: Metadata categorizing the control by five attributes: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains.
- Control description: A concise statement of what the control requires.
- Purpose: Why the control exists — what risk or objective it addresses.
- Guidance: Detailed implementation guidance — how to design and operate the control.
- Other information: Additional references, related standards, or supplementary context.
Consider control A.8.9 — Configuration Management:
In ISO 27001 Annex A:
“Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.”
That is the entire description: one sentence. Enough to define the requirement, but not enough to implement it.
In ISO 27002 Clause 8.9:
The standard provides approximately two full pages covering the Purpose (ensuring that hardware, software, services and networks function correctly with the required security settings and are not altered by unauthorized or incorrect changes), Guidance (defining and documenting baselines, using configuration management databases, restricting who may change a configuration, monitoring running systems for drift from the baseline, and reviewing configurations periodically), and Other information (CIS benchmark references).
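The "define a baseline" and "monitor for drift" parts of that guidance are the ones that turn into running code. The following is an added example written for this post; it is not text from either standard and not code from nank.ai. It takes a documented baseline for an OpenSSH server, parses a captured sshd_config, and reports every deviation. Both the baseline and the captured file are constructed sample data; a real implementation would pull the baseline from version control and the captured file from the host.

```python
"""Baseline-versus-actual configuration drift check (ISO/IEC 27002:2022, 8.9).

Added example for this post. The baseline below and the captured file are
constructed samples, not real host data.
"""
from dataclasses import dataclass, field

# Constructed baseline: the settings the organisation has decided on and
# documented ("established, documented" in the control text). Every value
# is explicit so that "directive absent" is itself reportable; silently
# falling back to the sshd default is exactly the drift we want to catch.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed capture of /etc/ssh/sshd_config from a host where someone has
# re-enabled password logins, loosened MaxAuthTries and dropped LogLevel.
CAPTURED_SSHD_CONFIG = """\
# sshd_config captured from host web-01 (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 6
# LogLevel left at the daemon default, so the directive is absent
"""


@dataclass
class DriftReport:
    changed: dict = field(default_factory=dict)  # key -> (expected, actual)
    missing: list = field(default_factory=list)  # baseline keys not set at all
    extra: list = field(default_factory=list)    # keys the baseline says nothing about

    @property
    def compliant(self) -> bool:
        # Extra keys are flagged for review but do not fail the check on their own.
        return not (self.changed or self.missing)


def parse_keyword_config(text: str) -> dict:
    """Parse 'Keyword value' lines (sshd_config style), ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def check_drift(baseline: dict, captured: dict) -> DriftReport:
    """Compare captured settings against the baseline; sshd keywords are
    case-insensitive, so matching is done on lower-cased names."""
    report = DriftReport()
    actual_by_lc = {k.lower(): (k, v) for k, v in captured.items()}
    for key, expected in baseline.items():
        hit = actual_by_lc.get(key.lower())
        if hit is None:
            report.missing.append(key)
        elif hit[1] != expected:
            report.changed[key] = (expected, hit[1])
    baseline_lc = {k.lower() for k in baseline}
    report.extra = [k for k in captured if k.lower() not in baseline_lc]
    return report


def audit(text: str = CAPTURED_SSHD_CONFIG, baseline: dict = BASELINE) -> DriftReport:
    """Parse a captured config and return its drift report against the baseline."""
    return check_drift(baseline, parse_keyword_config(text))


if __name__ == "__main__":
    report = audit()
    for key, (expected, actual) in report.changed.items():
        print(f"DRIFT   {key}: expected {expected!r}, found {actual!r}")
    for key in report.missing:
        print(f"MISSING {key}: baseline requires {BASELINE[key]!r}, directive absent")
    for key in report.extra:
        print(f"EXTRA   {key}: not covered by baseline, review")
    print("compliant" if report.compliant else "NOT compliant")
```

Run on a schedule, this is the "monitored" half of the control; the "reviewed" half is a human periodically re-approving BASELINE itself. Treating an absent directive as a finding rather than assuming the default is deliberate: the evidence an auditor wants is that the documented setting is in force, not that the vendor default happens to be acceptable today.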
What Is the Purpose of ISO 27002?
- Provide implementation guidance for ISO 27001 controls. This is the primary purpose.
- Serve as a reference for control selection. Helps teams understand what each control does during risk treatment.
- Establish a common vocabulary for security controls. Shared understanding between auditors and practitioners.
How Do ISO 27001 and ISO 27002 Relate to Each Other?
ISO 27001 tells you what your ISMS must include; ISO 27002 tells you how to implement the security controls.
Think of ISO 27001 as the building code — it specifies the structural, safety, and compliance requirements that a building must meet to receive occupancy approval. ISO 27002 is the architect’s handbook — it provides detailed design guidance, material recommendations, and construction techniques for meeting each requirement.
You are inspected (audited) against the building code (ISO 27001). You use the handbook (ISO 27002) to build correctly.
| Dimension | ISO/IEC 27001:2022 | ISO/IEC 27002:2022 |
|---|---|---|
| Document type | Requirements standard | Guidance standard |
| Certifiable | Yes — organizations are certified against it | No — there is no certification |
| Mandatory for certification | Yes | No (but strongly recommended) |
| Controls | Annex A lists 93 controls with brief descriptions | Provides detailed guidance for all 93 controls |
| Management system requirements | Clauses 4–10 define the full ISMS framework | Not covered |
| Risk assessment & SoA | Requires formal risk assessment and SoA | Not addressed directly |
Three Common Mistakes
- Mistake 1: Treating ISO 27002 as the certification standard. Implementing all 93 controls per ISO 27002 while neglecting the management system requirements (risk assessment, internal audit, management review) will fail the certification audit.
- Mistake 2: Ignoring ISO 27002 entirely. Reading the one-sentence descriptions in ISO 27001 Annex A and guessing at the implementation produces weak controls and avoidable audit findings.
- Mistake 3: Implementing all 93 controls without risk-based selection. Reading ISO 27002 as a mandatory checklist and implementing every control regardless of relevance wastes resources and leaves the SoA without the risk-based justifications the auditor expects to see.
How Do Organizations Use ISO 27001 and ISO 27002 Together in Practice?
In a typical implementation, the two standards are used together across the entire ISMS lifecycle:
Step 1 Define the ISMS Scope
Use ISO 27001 (Clause 4) to define what is in scope. ISO 27002 is not directly involved here.
Step 2 Conduct the Risk Assessment
Use ISO 27001 (Clause 6.1.2) to structure the risk assessment. ISO 27002 begins to be relevant as you consider which controls could address identified risks.
Step 3 Select Controls and Build the SoA
For each risk requiring treatment, select controls from Annex A. Refer to ISO 27002 to understand what the control achieves and how to implement it. Document applicability in the Statement of Applicability (SoA) per ISO 27001 (Clause 6.1.3).
Step 4 Design and Implement Controls
This is where ISO 27002 is used most heavily. For each applicable control, read the ISO 27002 guidance, design your implementation, write the policy, and deploy the technical or organizational control.
Step 5 Internal Audit and Management Review
Evaluate whether controls are operating as ISO 27001 requires. Internal auditors commonly use the ISO 27002 guidance as the yardstick for whether an implementation is reasonable.
Step 6 Certification Audit
The external audit is conducted against ISO 27001 only. The auditor verifies the management system and the documented controls.
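The hand-off between Steps 2 and 3 is where SoAs most often go wrong: a control is selected to treat a risk but marked "not applicable" in the SoA, an Annex A control is never given a decision at all, or a control number is mistyped. The following is an added example written for this post (not code from nank.ai and not from the standards) that encodes those checks. Only the control numbering comes from the standard: ISO/IEC 27002:2022 numbers its controls 5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14 and 8.1 to 8.34, which is where the figure of 93 comes from. The risk register and SoA entries are constructed sample data, and the control titles in comments are the 2022 titles.

```python
"""Statement of Applicability consistency check (ISO/IEC 27001:2022, 6.1.2 and 6.1.3).

Added example for this post. Risk register and SoA entries are constructed
samples; only the Annex A numbering scheme is taken from the standard.
"""
from dataclasses import dataclass

# ISO/IEC 27002:2022 themes and the number of controls in each.
ANNEX_A_THEMES = {"5": 37, "6": 8, "7": 14, "8": 34}  # 37 + 8 + 14 + 34 = 93


def annex_a_control_ids() -> list:
    """All 93 Annex A control identifiers, in standard order."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items() for n in range(1, count + 1)]


ANNEX_A = annex_a_control_ids()


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment_controls: list  # Annex A identifiers chosen to treat this risk


@dataclass
class SoAEntry:
    control_id: str
    applicable: bool
    justification: str


# Constructed risk register output of Step 2.
RISKS = [
    Risk("R-01", "Unauthorised changes to production hosts go unnoticed", ["8.9", "8.15", "8.16"]),
    Risk("R-02", "Credential compromise via password reuse", ["5.17", "8.5"]),
    Risk("R-03", "Vulnerable dependency shipped in a release", ["8.8", "8.28"]),
    Risk("R-04", "Typo in the register: there is no control 8.35", ["8.35"]),
]

# Constructed, deliberately incomplete SoA (Step 3). Titles in comments are
# the ISO/IEC 27002:2022 control titles.
SOA = {
    "8.9": SoAEntry("8.9", True, "Treats R-01; baselines enforced by config management"),   # Configuration management
    "8.15": SoAEntry("8.15", True, "Treats R-01; central log collection"),                 # Logging
    "8.16": SoAEntry("8.16", False, "Deferred to next budget cycle"),                       # Monitoring activities (conflicts with R-01)
    "5.17": SoAEntry("5.17", True, "Treats R-02; password manager and MFA rollout"),       # Authentication information
    "8.5": SoAEntry("8.5", True, ""),                                                       # Secure authentication (no justification)
    "8.8": SoAEntry("8.8", True, "Treats R-03; dependency scanning in CI"),                # Management of technical vulnerabilities
    "8.28": SoAEntry("8.28", True, "Treats R-03; secure coding standard adopted"),         # Secure coding
    "7.4": SoAEntry("7.4", False, "Fully remote organisation, no premises in scope"),      # Physical security monitoring
}


def check_soa(risks: list, soa: dict, annex_a: list = ANNEX_A) -> dict:
    """Return the findings an internal auditor would raise against this SoA."""
    valid = set(annex_a)
    findings = {
        # Every Annex A control needs an explicit include/exclude decision.
        "undecided": [c for c in annex_a if c not in soa],
        # Identifiers that do not exist in Annex A, in the SoA or in the register.
        "unknown_control": sorted(c for c in soa if c not in valid),
        # A control chosen to treat a risk but absent or excluded in the SoA.
        "treatment_conflict": [],
        # Applicable/not-applicable without a reason is a routine audit finding.
        "no_justification": [c for c, e in soa.items() if not e.justification.strip()],
    }
    for risk in risks:
        for control in risk.treatment_controls:
            if control not in valid:
                findings["unknown_control"].append(f"{risk.risk_id}:{control}")
                continue
            entry = soa.get(control)
            if entry is None or not entry.applicable:
                findings["treatment_conflict"].append((risk.risk_id, control))
    return findings


if __name__ == "__main__":
    result = check_soa(RISKS, SOA)
    print(f"{len(ANNEX_A)} Annex A controls, {len(SOA)} decided, {len(result['undecided'])} undecided")
    for name in ("unknown_control", "treatment_conflict", "no_justification"):
        for item in result[name]:
            print(f"{name}: {item}")
```

The check is deliberately strict about undecided controls: Clause 6.1.3 d requires the SoA to cover necessary controls and justified exclusions, so an auditor reading a SoA with 85 silent rows has no way to tell "excluded on purpose" from "forgotten".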
Frequently Asked Questions
What is the difference between ISO 27001 and ISO 27002?
ISO/IEC 27001 is the requirements standard — it defines what an organization must do to establish an ISMS and is the standard against which organizations are certified. ISO/IEC 27002 is the guidance standard — it provides detailed implementation guidance for the security controls referenced in ISO 27001 Annex A.
Can you get certified against ISO 27002?
No. ISO 27002 is a guidance document, not a requirements standard. Organizations are certified against ISO/IEC 27001 only.
How do organizations use ISO 27001 and ISO 27002 together in practice?
Organizations use ISO 27001 as the ISMS framework — defining scope, conducting risk assessments, and managing the system. When they select a control from Annex A, they refer to the corresponding ISO 27002 clause for detailed implementation guidance. The risk assessment determines which controls are applicable; ISO 27002 guides how to implement them. The Statement of Applicability documents decisions; the certification audit verifies implementation against ISO 27001 requirements.
Do I need to buy both ISO 27001 and ISO 27002?
ISO 27001 is mandatory for certification. ISO 27002 is strongly recommended but technically optional. Most organizations use ISO 27002 for guidance on control design options because Annex A provides only brief descriptions. Platforms like nank.ai provide practical guidance and sample templates to assist with the design, implementation, and operation of the controls, reducing the need to interpret raw standard text.
Source References
- International Organization for Standardization (ISO). ISO/IEC 27001 and ISO/IEC 27002 Standards Overview. https://www.iso.org/standard/27001
- International Organization for Standardization (ISO). The ISO Survey of Management System Standard Certifications — 2023. https://www.iso.org/the-iso-survey.html
- International Organization for Standardization (ISO). ISO/IEC 27001:2022. https://www.iso.org/standard/27001
- International Organization for Standardization (ISO). ISO/IEC 27002:2022. https://www.iso.org/standard/75652.html
- International Accreditation Forum (IAF). IAF MD 26:2022 — Transition Requirements for ISO/IEC 27001:2022. https://iaf.nu/en/iaf-documents/
- International Organization for Standardization (ISO). ISO/IEC 27005:2022. https://www.iso.org/standard/80585.html