What is ISO/IEC 27002?

ISO/IEC 27002 is the companion guidance standard that explains how to implement the information security controls referenced in ISO/IEC 27001 Annex A. The 2022 edition details the same 93 controls across four themes, giving purpose and implementation advice for each. It is guidance only -- you cannot be certified against ISO 27002.

ISO/IEC 27001 tells you what controls exist and that you must justify which apply; ISO/IEC 27002 tells you how to actually implement each one. The 2022 edition aligns control-for-control with Annex A's 93 controls grouped into four themes (Organizational, People, Physical, Technological) and, for each control, provides the control statement, its purpose, and detailed implementation guidance. The older "code of practice" label was dropped in 2022, but the role is unchanged: practical how-to advice.

For example, when your risk treatment selects the Annex A access-related controls (in the 2022 numbering, 5.15 Access control, 5.16 Identity management and 5.18 Access rights; the 2013 "control objectives" no longer exist), ISO 27002 walks you through what good access provisioning, periodic access review, and timely revocation on role change or departure look like in practice -- the substance your written access control policy should reflect.

This is exactly where well-built templates save time: a policy pack drafted to ISO/IEC 27001:2022 and informed by ISO 27002 guidance gives you control text that already reflects accepted practice, so you tailor rather than research from scratch. The documents accelerate readiness, but certification still comes only from an accredited body auditing your live ISMS against ISO 27001 -- never against ISO 27002.

Related terms: Annex A Controls · Statement of Applicability (SoA) · Security Control · Information Security Management System (ISMS)

Frequently asked questions

Can I get certified to ISO 27002?

No. ISO/IEC 27002 is a guidance document, not a management-system standard, so there is no certification against it. Organizations certify to ISO/IEC 27001 and use ISO 27002 to help implement the controls.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the auditable requirements standard for an ISMS and lists the 93 Annex A controls; ISO 27002 is the detailed implementation guidance that explains how to put each of those controls into practice.

Do I need to buy ISO 27002 to do ISO 27001?

It is not strictly mandatory, but it is highly useful. Many teams use it (or templates informed by it) as a reference for designing controls, since ISO 27001 Annex A states controls only briefly without implementation detail.

Toolkits that cover ISO/IEC 27002

ISO/IEC 27001:2022

ISO 27001 Policy Pack — Core

16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.

$59 (30% off with code)

ISO/IEC 27001:2022

ISO 27001 Complete Toolkit

All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.

$99 (30% off with code)

ISO 27001:2022 + SOC 2

ISO 27001 + SOC 2 Dual Toolkit

47 documents covering both frameworks plus a control crosswalk, risk register, Statement of Applicability and TSC mapping — run one security program, pass two audits.

$149 (30% off with code)

Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.