Can an organization be certified to ISO 27002?

No. An organization cannot be certified to ISO 27002.

ISO 27002 is a guidance and reference standard that describes information security controls and good practices. Certification bodies do not issue certificates to ISO 27002. Formal, accredited certification is issued only against ISO 27001, usually for a defined scope (sites, processes, and systems) within the organization.

How ISO 27002 is used in practice

In most environments, including regulated manufacturing, ISO 27002 is used to:

• Provide a catalog of information security controls and implementation guidance.
• Support the selection and justification of controls in an ISO 27001 information security management system (ISMS).
• Benchmark internal security policies and procedures, including those that apply to MES, ERP, PLM, QMS, and OT networks.

ISO 27001 requires organizations to define a risk-based control set. ISO 27002 is often used as the primary reference for that control set, but this does not change the fact that the certifiable requirement is ISO 27001, not ISO 27002.

What you can claim

Accurate, defensible statements typically look like:

• “Our organization is certified to ISO/IEC 27001 for the following scope: …”
• “Our information security controls are based on ISO/IEC 27002.”
• “Our OT cybersecurity program aligns with ISO/IEC 27001 and uses ISO/IEC 27002 and IEC 62443 as control references.”

Statements such as “ISO 27002 certified” or “ISO 27002 compliant” are usually misleading. At best, they should be rephrased as “controls aligned with ISO 27002”, and even then the underlying evidence (policies, procedures, technical configurations, and records) must actually support that claim.

Implications for regulated manufacturing environments

For plants operating in aerospace, defense, medical, or other regulated sectors, this distinction has several practical consequences:

• Audit and customer assurance: External auditors and customers will generally recognize ISO 27001 certificates, not ISO 27002 “certificates.” For ISO 27002, they will expect to see alignment and objective evidence, not a formal certificate.
• Brownfield IT/OT stacks: Applying ISO 27002 in a mixed environment (legacy MES, ERP, OT controllers, vendor-managed equipment) typically means mapping recommended controls to what is realistically achievable on each platform, then documenting compensating controls where full implementation is not feasible.
• Change control and validation: Strengthening controls per ISO 27002, especially around access control, logging, and network segregation, often triggers change control, revalidation, and downtime planning. These activities belong in your ISO 27001-aligned ISMS, with clear traceability from risk assessment to implemented controls.
• Long lifecycle assets: Many OT assets cannot fully meet modern ISO 27002 control expectations without significant retrofit or replacement. In practice, organizations use ISO 27002 as a target, then document risk acceptance and compensating safeguards where legacy constraints exist.

In summary, you can be certified to ISO 27001, and you can design and operate your controls in line with ISO 27002, but you cannot obtain formal certification to ISO 27002 itself.