ISO 27001 / ISO 27002

Name: ISO/IEC 27001 and ISO/IEC 27002

Type: Framework

Authoritative Source: ISO.org

Certification Available: Yes. ISO maintains a conformity assessment program under which a certified auditor may issue an ISO 27001 certification.

Too Long / Didn’t Read (TL/DR): ISO/IEC 27001 and ISO/IEC 27002 offer more than a security checklist: together they build an Information Security Management System (ISMS). An ISMS is a way for organizations to demonstrate that cybersecurity is not a one-time project but a structured, ongoing and accountable enterprise function.

GRC-Focused Overview of ISO 27001 / ISO 27002

The ISO/IEC 27000 series of standards has become a cornerstone of global information security governance. Within the series, ISO/IEC 27001 and ISO/IEC 27002 are the most widely recognized and implemented. Together, these standards offer a practical framework for establishing, implementing, maintaining and continually improving an ISMS: ISO/IEC 27001 defines the requirements for a certifiable ISMS, while ISO/IEC 27002 provides implementation guidance for the security controls.

This page provides a cybersecurity-focused summary of ISO 27001 and ISO 27002 from a GRC practitioner's perspective, including:

  • The history of these frameworks;
  • Practical compliance strategies; and
  • The role of high-quality documentation in being secure, compliant and resilient.

ISO 27001 / ISO 27002 - Origins and Purpose

The origins of ISO/IEC 27001 and ISO/IEC 27002 can be traced back to the British Standard BS 7799, first published in 1995 by the British Standards Institution (BSI). BS 7799 was one of the first formalized attempts to create a structured, policy-driven approach to information security.

Recognizing the value of a universal framework, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) adopted and expanded the standard:

  • 2005: ISO/IEC 27001 was first published, replacing BS 7799-2. It became the formal specification for an ISMS.
  • ISO/IEC 17799 (the code of practice) was renamed and published as ISO/IEC 27002, providing implementation guidance.
  • 2013: Major revisions were introduced to align with ISO’s Annex SL structure, promoting compatibility with other management system standards such as ISO 9001 (quality) and ISO 14001 (environment).
  • 2022: The most recent versions of ISO/IEC 27001 and ISO/IEC 27002 introduced updated terminology, control categories and a more agile approach to risk-based control implementation.

The ISO/IEC 27000 series is now maintained as a globally accepted framework for managing the Confidentiality, Integrity and Availability (CIA) of information assets in line with international best practices.

ISO/IEC 27001 and ISO/IEC 27002 are industry-agnostic, but their adoption is especially prominent in sectors where:

  • Data sensitivity is high;
  • Regulatory scrutiny is intense; and
  • Client trust is essential for business continuity.

Common Sectors Include:

  • Financial Services. Banks, credit card processors, fintech companies and insurers often use ISO 27001 to reinforce internal governance and meet regulatory obligations such as GLBA, PCI DSS, or SOX.
  • Healthcare. Providers and service vendors adopt ISO 27001 to demonstrate compliance with privacy and security regulations such as HIPAA, GDPR and country-specific health data laws.
  • Technology and Cloud Services. SaaS, IaaS and PaaS providers use ISO/IEC 27001 as a contractual differentiator and compliance benchmark for customers in regulated sectors.
  • Government and Defense Contractors. Though frameworks like NIST SP 800-171 are often mandated, ISO/IEC 27001 certification is frequently accepted as an international standard of due care, particularly for non-US-based defense and aerospace firms.
  • Legal, Consulting and Professional Services. Entities handling sensitive client data (legal records, intellectual property, merger and acquisition documentation) use ISO 27001 to reduce liability and align with clients’ security expectations.

ISO/IEC 27001: Framework Overview

ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an ISMS. It is organized around a Plan-Do-Check-Act (PDCA) lifecycle and contains the following core elements:

  • Context of the Organization. Organizations must define internal and external issues, identify interested parties (e.g., customers, regulators) and understand legal and contractual obligations. This contextual understanding drives the design of the ISMS.
  • Leadership and Governance. Top management must:
    • Demonstrate leadership and commitment to information security;
    • Assign roles and responsibilities (e.g., CISO, ISMS lead); and
    • Integrate ISMS goals with business strategies.
  • Risk Assessment and Risk Treatment. A formalized information security risk assessment methodology is required. Based on risk findings, organizations select appropriate controls from Annex A, supported by an up-to-date Statement of Applicability (SoA).
  • Support and Awareness. ISO/IEC 27001 requires robust documentation practices, competency programs, internal awareness training and communication strategies to ensure effective implementation.
  • Operational Controls. This includes:
    • Change management;
    • Supplier security management;
    • Incident response;
    • Access controls; and
    • Business continuity.
  • Performance Evaluation. Ongoing monitoring, measurement, internal auditing and management reviews are required to verify effectiveness and track non-conformities.
  • Continuous Improvement. Organizations must respond to incidents, internal audit findings, or shifts in risk with corrective actions and continuous improvement strategies.

ISO/IEC 27002: Control Implementation Guidance

While ISO/IEC 27001 contains high-level requirements, ISO/IEC 27002 provides specific guidance for implementing the controls listed in Annex A of ISO/IEC 27001. The 2022 revision of ISO 27002 reorganized the previous 14 control categories into four core themes:

  • Organizational Controls (37 controls)
    • Information security roles and responsibilities;
    • Policies, procedures and third-party risk management;
    • Asset classification and data handling rules; and
    • Secure development lifecycle (SDLC).
  • People Controls (8 controls)
    • Background checks;
    • Security awareness and training; and
    • Disciplinary processes for policy violations.
  • Physical Controls (14 controls)
    • Facility access controls;
    • Environmental protections; and
    • Equipment security.
  • Technological Controls (34 controls)
    • Cryptographic controls;
    • Logging and monitoring;
    • Secure configuration;
    • Network segmentation and endpoint protection; and
    • Threat intelligence and information sharing.

ISO/IEC 27002 also introduces attributes for each control, which help organizations tailor controls based on maturity, business objectives and regulatory obligations.

Common Methods to Achieve and Maintain Conformity With ISO 27001 / ISO 27002

Implementing ISO/IEC 27001 and ISO/IEC 27002 involves the following steps:

  • Conduct a Gap Analysis. Organizations typically begin with a gap assessment comparing their existing security program to the ISO/IEC 27001:2022 requirements and ISO/IEC 27002 implementation guidance. This identifies deficiencies and establishes a roadmap for ISMS development.
  • Define the ISMS Scope. Clearly delineating the boundaries of the ISMS (geographies, departments, technologies) ensures controls are contextually appropriate and avoids overextension.
  • Develop Required Documentation. Essential documents include:
    • ISMS Policy and Objectives;
    • Risk Assessment and Risk Treatment Methodology;
    • Statement of Applicability (SoA);
    • Risk Register and Treatment Plans;
    • Control Procedures and Technical Guidelines;
    • Audit Reports and Management Reviews; and
    • Evidence of Competence and Awareness.
  • Select and Implement Controls. From the 93 controls in ISO/IEC 27002:2022, organizations must:
    • Determine which are applicable based on risk;
    • Implement them in operational systems and processes; and
    • Document their selection rationale and effectiveness.
  • Train and Build Awareness. Regular training and organizational awareness are required under ISO/IEC 27001. Training must be role-based, measurable and repeated periodically.
  • Perform Internal Audits and Management Reviews. Senior leadership must review ISMS performance and drive decisions from audit results. Annual internal audits are essential to:
    • Assess ISMS conformity;
    • Identify systemic weaknesses; and
    • Provide input for corrective action and continual improvement.
  • Undergo Certification (Optional but Common). Accredited certification bodies audit the ISMS against the requirements of ISO/IEC 27001; surveillance audits are typically conducted annually, with recertification every three years. Organizations seeking certification should demonstrate:
    • Compliance with each requirement;
    • Control effectiveness; and
    • Operational evidence (e.g., logs, reports, artifacts).

Understanding The Value of Quality Cybersecurity Documentation To Conform With ISO 27001 / ISO 27002

ISO/IEC 27001 and ISO/IEC 27002 are documentation-intensive standards. Unlike some frameworks that allow for implied controls, ISO requires explicit, maintained and auditable evidence of conformity.

Documentation Is Required for:

  • Defining the ISMS framework (scope, policies, risk methodology)
  • Articulating how each Annex A control is applied or excluded (via the Statement of Applicability)
  • Demonstrating control implementation (procedures, logs, records)
  • Tracking audit findings and management responses
  • Recording security events, training and asset management

Benefits of High-Quality Documentation Include:

  • Audit Readiness: Well-maintained documentation accelerates certification and reduces audit fatigue.
  • Legal Defense: In breach scenarios, documentation can demonstrate due diligence and mitigate liability.
  • Operational Maturity: Policies and procedures create consistency in security operations across teams and geographies.
  • Client Assurance: ISO 27001-aligned documentation often serves as the foundation for responding to customer security questionnaires, RFPs and vendor assessments.

Weak or templated documentation is a common source of non-conformity findings during ISO audits. Organizations that treat documentation as a living asset, regularly reviewing, updating and integrating it into security operations, are better positioned to sustain compliance and reduce enterprise risk.
