What is the difference between ISO 27001 and ISO 27002?

The ISO 27000 series of standards are a compilation of international standards all related to information security. The difference is that the ISO 27001 standard has an organizational focus and details requirements against which an organization’s Information Security Management System (ISMS) can be audited. ISO 27002 on the other hand is more focused on the individual and provides a code of practice for use by individuals within an organization. If you compare them you will see that they're structured similarly and that they map to eachother.

The the difference is in the level of detail, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control.ISO 27002 provides best practice recommendations on information security management for use by those who are responsible for implementing or maintaining the Information Security Management Systems (ISMS). Whereas ISO 27001 defines the audit requirements.

ISO 27001 establishes requirements. If an organization wants to certify its Information Security Management System (ISMS) it needs to comply with all requirements in ISO 27001.

On the other hand, ISO 27002 are best practices that are not mandatory. That means that an organization does not need to comply with ISO 27002 but can use it as inspiration to implement requirements in ISO 27001.

For example, in ISO 27001 you have a control that requires the organization to do backups and in ISO 27002 you have the same control but more developed, saying that the backups should be done at planned intervals, that should be tested, that you should backup data and software, etc.

ISO 27002 is more complex and difficult to comply with but it is not mandatory because depending on the context and the business of the organization it could implement the control in another way. ISO 27001 establishes what you have to do but not how. ISO 27002 describes how.