ISO 27001 vs ISO 27002
Answer: If you want to implement only ISO 27002, which is a code of best practices for information security, you don't need ISO 27001. But remember that you cannot certify against ISO 27002; only ISO 27001 is certifiable, because this standard (I mean ISO 27001) defines an Information Security Management System.
The core of ISO 27001 is risk management: basically, you will need to identify and treat risks, and for the treatment you can use ISO 27002, because it gives you specific information about how to implement security controls. So, the logic is to implement ISO 27001, using the code of best practices in ISO 27002 to know how to implement the security controls for the treatment of the risks identified.
For more information about ISO 27001 and ISO 27002, please see this article, "Diferencias y similitudes entre ISO 27001 e ISO 27002": https://advisera.com/27001academy/es/knowledgebase/diferencias-y-similitudes-entre-iso-27001-e-iso-27002/
And also this one, "The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Sep 08, 2018