First of all, you cannot get certified against ISO 27002 because it is not a management standard. What does a management standard mean? It means that such a standard defines how to run a system, and in the case of ISO 27001 it defines the information security management system (ISMS); therefore, certification against ISO 27001 is possible. This management system means that information security must be planned, implemented, monitored, reviewed, and improved. It means that management has its distinct responsibilities, that objectives must be set, measured and reviewed, that internal audits must be carried out, and so on. All of those elements are defined in ISO 27001, but not in ISO 27002.
The controls in ISO 27002 are named the same as in Annex A of ISO 27001; for example, in ISO 27002 control 6.1.6 is named Contact with authorities, while in ISO 27001 it is A.6.1.6 Contact with authorities. However, the difference is in the level of detail: on average, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control. Finally, the difference is that ISO 27002 does not make a distinction between controls applicable to a particular organization and those which are not. On the other hand, ISO 27001 prescribes a risk assessment to be performed in order to identify, for each control, whether it is required to reduce the risks and, if it is, to what extent it should be applied.
The question is: why do those two standards exist separately, and why have they not been merged, bringing together the positive sides of both standards? The answer is usability: if it were a single standard, it would be too complex and too large for practical use. Each standard from the ISO 27000 series is designed with a certain focus: if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001; if you want to implement controls, you should use ISO 27002; if you want to carry out risk assessment and risk treatment, you should use ISO 27005; and so on.
To conclude, one could say that without the details provided in ISO 27002, the controls defined in Annex A of ISO 27001 could not be implemented; however, without the management framework from ISO 27001, ISO 27002 would remain just an isolated effort of a few information security enthusiasts, with no acceptance from top management and therefore with no real impact on the organization.