LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is ISO 27002, and why can you not get certified against it?

27002 = Code of Practice ("CoP") for information security management — a catalogue of 93 controls in 4 themes (was 114 controls in 14 domains in older versions). It uses "should" not "shall", so there's nothing hard to certify against.

The pivotal idea is the split between what and how. ISO 27001 is the certifiable standard, but it is deliberately abstract — its Annex A just names the controls. ISO 27002 is the companion that describes each one: a Control statement, its Purpose, and several paragraphs of implementation Guidance. So 27001 tells an auditor a control must exist; 27002 tells the engineer what implementing it actually looks like. You implement against 27002 every day, but you get certified against 27001.

The reason you cannot certify against 27002 alone is purely linguistic: it is written entirely in "sollte" (should), never "muss" (shall). A "should" has no pass/fail line, so an auditor has nothing objective to test. 27002 is therefore informative; only 27001, which makes the same controls mandatory by referencing them in Annex A, is normative.

  • 93 controls (also called Massnahmen, Prüfpunkte, or Controls), grouped since the 2022 revision into 4 themes: Organisational, People, Physical, Technological. The older 27002:2013 had 114 controls in 14 domains.
  • Two everyday uses: building a Grundschutz (minimum baseline — the 93 controls cover the standard expectations), and mapping 27001 to other frameworks (NIST CSF, BSI, COBIT), for which 27002 is the lingua franca.

Tip: "ISO 27002 certified" is a marketing lie; the only certifications are 27001 (organisation) and 27006 (certification bodies themselves).

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026