FAQ

Is ISO 27002 required to get ISO 27001 certified?

No. ISO 27002 is not formally required to obtain ISO 27001 certification. Certification bodies audit and certify only against ISO 27001. However, in practice ISO 27002 is very important, because it provides the reference controls and implementation guidance that most organizations use to design and justify their ISO 27001 control set.

What ISO 27001 actually requires

ISO 27001 requires you to:

  • Define the scope of your Information Security Management System (ISMS).
  • Perform an information security risk assessment and decide how to treat those risks.
  • Select applicable controls and document them in a Statement of Applicability (SoA).
  • Implement and operate those controls, and maintain evidence that they work.

ISO 27001 Annex A includes a set of control objectives and controls. For modern editions of the standard, those Annex A controls are aligned with ISO 27002, but ISO 27001 does not force you to implement every Annex A control, and it does not force you to own or buy ISO 27002.

How ISO 27002 fits in

ISO 27002 is a guidance standard. It:

  • Describes each Annex A control in more detail.
  • Provides implementation guidance and examples.
  • Helps you justify why a control is applicable, tailored, or not applicable.

Most organizations in regulated or high-risk environments use ISO 27002 as their primary reference when building their SoA, procedures, and technical standards. Auditors typically expect your controls to be traceable either to ISO 27002 or to an equivalent control framework, unless you can clearly justify an alternative.

When ISO 27002 becomes effectively “expected”

ISO 27002 is not mandatory, but it becomes hard to avoid in practice when:

  • You need a structured control catalog. For example, when aligning plant network controls with both Annex A and IEC 62443, ISO 27002 provides a consistent reference.
  • Your customers or regulators reference it explicitly. Some contracts and industry schemes ask for alignment with ISO 27002, even though certification is only against ISO 27001.
  • You operate across multiple sites and vendors. ISO 27002 helps normalize expectations for access control, logging, backup, and OT security across heterogeneous MES, ERP, and legacy control systems.

You can, in principle, build your own control framework or rely on others (such as NIST SP 800-53 or CIS Controls) and map them to Annex A. That is acceptable for ISO 27001 if:

  • Your SoA clearly explains the mapping and rationale.
  • Risk treatment decisions are well documented.
  • Controls are implemented, monitored, and maintained with evidence.

Implications for industrial and regulated environments

In brownfield manufacturing environments with mixed OT/IT, legacy systems, and tight downtime constraints, ISO 27002 is often useful because:

  • It supports traceability from risks to controls, which is important for audits, change control, and system validation.
  • It helps define minimum security baselines for aging equipment that cannot be fully modernized without major requalification.
  • It provides a consistent language for integrators, vendors, and internal teams when hardening MES, historians, and plant networks.

However, strict one-to-one implementation of every ISO 27002 recommendation is rarely realistic in OT-heavy plants. Controls typically need tailoring and compensating measures, and these choices must be documented in the SoA and in your risk treatment records. Auditors generally focus on whether your controls are effective and justified, not whether you implemented every ISO 27002 example as written.
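The mapping, traceability and tailoring requirements described above (a documented mapping and rationale in the SoA, risk treatment records that link to controls, evidence that controls operate, and documented compensating measures where a control is tailored) can be checked mechanically before an audit. The following is an added example, not part of the original FAQ and not any standard's or tool's official code; the data model, the Annex A identifiers in the sample (verify them against your edition of ISO 27001), the external framework references and the risk IDs are constructed for illustration.

```python
"""Checks that a Statement of Applicability (SoA) carries the traceability an
ISO 27001 audit looks for: every Annex A control in scope has a decision,
every decision has a rationale, applicable or tailored controls have evidence
and are linked to a risk treatment, and tailored controls name compensating
measures. Illustrative code; all identifiers and sample records are constructed."""
from dataclasses import dataclass

VALID_STATUSES = {"applicable", "tailored", "not_applicable"}


@dataclass
class RiskTreatment:
    risk_id: str
    description: str
    treatment: str              # e.g. "mitigate", "accept", "transfer", "avoid"
    controls: tuple = ()        # Annex A control IDs that treat this risk


@dataclass
class SoAEntry:
    control_id: str             # Annex A identifier, e.g. "A.8.15"
    status: str                 # applicable | tailored | not_applicable
    justification: str = ""     # why the control is (not) applicable or tailored
    external_mapping: tuple = ()  # e.g. NIST SP 800-53 / CIS / IEC 62443 references
    evidence: tuple = ()        # records that show the control actually operates
    compensating_measures: tuple = ()


def validate_soa(annex_a_ids, entries, treatments):
    """Return a list of (control_id, finding) tuples; an empty list means the
    SoA is internally consistent for the controls given."""
    findings = []
    by_id = {e.control_id: e for e in entries}
    treated = {c for t in treatments for c in t.controls}

    # Every in-scope Annex A control needs an explicit decision, even if it is exclusion.
    for cid in annex_a_ids:
        if cid not in by_id:
            findings.append((cid, "no SoA decision recorded"))

    for e in entries:
        if e.status not in VALID_STATUSES:
            findings.append((e.control_id, f"unknown status '{e.status}'"))
            continue
        if not e.justification.strip():
            findings.append((e.control_id, "missing justification"))
        if e.status == "not_applicable":
            continue  # for exclusions the documented rationale is what the auditor needs
        if not e.evidence:
            findings.append((e.control_id, "no evidence of operation"))
        if e.control_id not in treated:
            findings.append((e.control_id, "not linked to any risk treatment"))
        if e.status == "tailored" and not e.compensating_measures:
            findings.append((e.control_id, "tailored control lacks compensating measures"))
    return findings


# Constructed sample: a small subset of Annex A identifiers (check them against
# your edition of ISO 27001) for a plant with a legacy historian and PLCs.
ANNEX_A_SUBSET = ("A.5.15", "A.8.13", "A.8.15", "A.8.16")

SAMPLE_TREATMENTS = [
    RiskTreatment("R-01", "unauthorised access to MES from office LAN", "mitigate", ("A.5.15", "A.8.16")),
    RiskTreatment("R-02", "loss of historian data", "mitigate", ("A.8.13",)),
]

SAMPLE_ENTRIES = [
    SoAEntry("A.5.15", "applicable", "Access to MES restricted per role",
             ("NIST SP 800-53 AC-3",), ("ACL-review-2024Q1",)),
    SoAEntry("A.8.13", "applicable", "Nightly historian backups with restore test",
             ("CIS Controls v8 11.2",), ("backup-log-sample",)),
    # Tailored, but no compensating measure named and not linked to a risk: two findings.
    SoAEntry("A.8.15", "tailored", "Legacy PLC cannot forward syslog; logs collected at the firewall",
             ("IEC 62443-3-3 SR 6.1",), ("fw-log-export",)),
    # A.8.16 is deliberately absent from the SoA -> "no SoA decision recorded".
]


def sample_findings():
    """Run the validator over the constructed sample SoA."""
    return validate_soa(ANNEX_A_SUBSET, SAMPLE_ENTRIES, SAMPLE_TREATMENTS)


if __name__ == "__main__":
    for control_id, finding in sample_findings():
        print(f"{control_id}: {finding}")
```

The sample deliberately leaves one control undecided and one tailored control without a named compensating measure or risk link, which are exactly the gaps the text says auditors probe. In practice the input would come from your SoA register and risk treatment plan rather than from literals, and the external mapping field is where a NIST SP 800-53 or CIS Controls based framework would record its Annex A correspondence.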

Bottom line

  • ISO 27001 certification does not require ISO 27002.
  • ISO 27002 is the main, widely accepted source of detailed control guidance aligned with Annex A.
  • You may use other frameworks, but you must maintain clear mappings, risk-based justifications, and evidence that controls work in your actual plant and system landscape.
Get Started

Built for Speed, Trusted by Experts

Whether you're managing 1 site or 100, Connect 981 adapts to your environment and scales with your needs—without the complexity of traditional systems.