ISO 27000 Series Reference

Information security management system (ISMS) standards at a glance.

Reference table of the ISO/IEC 27000-family standards — 27001, 27002, 27017, 27018, 27701 and more — with each standard's scope, status and a quick filter to find the right one.

Which ISO 27000 standard can you actually be certified against?

ISO/IEC 27001 is the certifiable standard — it specifies the requirements for an Information Security Management System (ISMS). Most other 27000-family documents (like 27002) are guidance or code-of-practice supplements that support 27001 but are not certified on their own. ISO 27701 extends 27001 and can be certified as a privacy add-on.

The ISO/IEC 27000 family of information security standards

The ISO/IEC 27000 series is a set of international standards for managing information security. At its centre is ISO/IEC 27001, the certifiable standard for an Information Security Management System (ISMS); the surrounding documents provide controls guidance, sector extensions and measurement methods. This reference lists the most widely used members of the family with each one’s scope, whether it is certifiable, and a filter to find the right standard fast.

How it works

Each standard in the family plays a defined role. 27000 is the free vocabulary and overview document. 27001 states the ISMS requirements and is the one organisations get audited and certified against. 27002 is the implementation code of practice for the controls. Sector and topic extensions — 27017 (cloud), 27018 (PII in public clouds), 27701 (privacy) — layer specialised guidance on top. Measurement (27004), risk management (27005) and incident response (27035) round out the operational practice. Only 27001 (and 27701 as an extension of it) is certifiable; the rest is guidance that supports a certified ISMS.

Tips and notes

  • Start with 27001 + 27002: requirements plus the how-to for controls.
  • Add 27017/27018 only if you operate or consume cloud services.
  • Reach for 27701 when you need a privacy management layer mapped to GDPR.
  • A certificate names 27001 (or 27701) — guidance standards are never “certified” on their own.