ISO/IEC 27001 and ISO/IEC 27002 are international standards for information security. Together, they form the foundation for establishing, implementing, and improving an Information Security Management System (ISMS). ISO 27001 defines the requirements for the ISMS, while ISO 27002 provides practical security controls to meet those requirements. These standards are widely applicable across all sectors and organization sizes — including those with complex supply chains.
ISO 27001: the information security framework
ISO/IEC 27001 outlines how to set up a formal ISMS, including:
- Context and stakeholder analysis;
- Risk assessment and treatment;
- Security policy and planning;
- Operational security controls;
- Continuous improvement and auditing.
It is a certifiable standard, meaning an organization can be formally audited by an accredited certification body and certified as conforming to it.
ISO 27002: the actionable controls
ISO/IEC 27002 complements 27001 with a catalogue of 93 detailed controls, grouped into four domains:
- Organizational controls;
- People and culture;
- Physical controls;
- Technological controls.
Each control includes guidance, applicability, and examples — covering areas like access control, encryption, backup, logging, and supplier security. ISO 27002 acts as the practical handbook for implementing ISO 27001.
Why are ISO 27001 and 27002 important?
These standards help organizations:
- Secure information in a structured and risk-based way;
- Demonstrate compliance with regulations like GDPR or NIS2;
- Build trust with customers and stakeholders;
- Manage internal and third-party risks effectively.
Compliance with ISO standards is increasingly required in public tenders and industry partnerships, especially in sectors like finance, healthcare, and government.
ISO 27001/27002 and RiskStudio
RiskStudio helps organizations apply ISO 27001 and 27002 within third-party and supply chain contexts. You can group vendors by critical process, assess risks per ISO control, and monitor compliance over time. Whether it’s encryption, access management, or incident response — RiskStudio links ISO-based security to real-world supplier data. This makes your information security program visible, scalable, and actionable — fully aligned with ISO principles.