ISO 27001: Information security management systems – Requirements
ISO 27002: Code of practice for information security controls

ISO 27001 is a set of requirements for an information security management system (ISMS). An organization must meet ISO 27001 requirements to be certified.

Risk management is required to meet clause 6.1, actions to address risks and opportunities. Clause 6.1.3, information security risk treatment, further specifies a list of security controls as Annex A that must be implemented.

ISO 27001 Annex A is directly derived from ISO 27002 that provides guidelines to implement them.