Standards Logic | Intermediate
14 minutes

ISO 27002 and how it differs from ISO 27001


Understand the difference between certifiable requirements and implementation guidance.

Lesson overview

ISO 27001 tells you what the management system must do. ISO 27002 helps you interpret and implement controls more effectively.

Professional explanation

ISO/IEC 27001 contains the certifiable ISMS requirements and the Annex A list of controls. ISO/IEC 27002 provides implementation guidance, interpretation detail, and examples for that control set.

Practical example

Teams often read a short control title in ISO 27001 and then use ISO 27002 to understand what good implementation might look like for their size and context.

Content blocks

Requirement versus guidance

A requirement tells you what must exist. Guidance helps you decide how to make it real and what good practice could look like.

27002 supports implementation choices

It becomes especially useful when a control title is short but the organization needs examples, interpretation, and implementation depth.

Examples and callouts

A logging control title is short; ISO 27002 can help teams think through retention, review, and operational use.

Supplier security control guidance becomes more actionable when interpretation examples are available.

Use 27002 to enrich implementation workshops

It is especially valuable when translating a control title into process, ownership, and evidence expectations.

27002 is not the certification target

Certification still sits on the ISO 27001 requirements even when 27002 strongly informs implementation.

Interactive prompt

Take one control title such as vulnerability management and write what ISO 27001 gives you versus what ISO 27002 adds.

Interactive exercise

Module checkpoint

Answer in either language. The quiz uses the same underlying concept, not literal duplicated wording.

Q1. What is ISO 27002 mainly used for?

Q2. Which standard remains the certification basis?