What is the difference between ISO/IEC 27001 and ISO/IEC 27002?

ISO/IEC 27001 specifies the requirements for organizations that want to establish, implement, maintain and continually improve an information security management system (ISMS).

ISO/IEC 27002 is an international standard that serves as a supporting guide for introducing information security. It is an implementation standard based on recommendations and best practices: it contains a list of controls that are considered "best practice" in the field of information security, together with guidance on implementing them in the organization.

In this regard, the main difference is that organizations can obtain certification according to ISO/IEC 27001, while they cannot obtain certification according to ISO/IEC 27002.

ISO/IEC 27002 serves as supporting material in the implementation of ISO/IEC 27001 requirements and controls.