ISO 27002, officially named “ISO/IEC 27002 Information Security, Cybersecurity and Privacy Protection – Information Security Controls,” is a widely used and well-known information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides detailed guidelines for the implementation of the controls listed in ISO 27001 Annex A, because ISO 27001 provides only a high-level description of each control. ISO 27002 has become an internationally recognized set of industry best practices that support the implementation of ISO 27001.
The main purpose of ISO 27002 is to help organizations implement the Annex A controls from ISO 27001, because ISO 27001 does not provide explanations for how these controls should be implemented. ISO 27002 is designed to work in conjunction with ISO 27001, as ISO 27001 describes how to manage security by implementing an Information Security Management System (ISMS).
ISO 27002 is important because it is the only standard in the ISO 27k series that provides implementation guidance on all 93 controls defined in Annex A of ISO 27001. By using the detailed guidance in ISO 27002, companies can have a much better understanding of the best practices for controls.
Certification against ISO 27002 is not possible. ISO 27002 is non-certifiable because, unlike ISO 27001, it is not a management standard. Instead, ISO 27002 is a code of practice (or best practices) for the implementation of security controls that support the ISMS defined in ISO 27001.
ISO 27002 supports the ISMS by providing detailed guidance on how to implement the controls necessary to establish and operate an ISMS within a company. For example, ISO 27002 takes a whole page to explain one control, while ISO 27001 dedicates only one sentence to each control. This ensures that organizations have a comprehensive set of guidelines to use as a framework to deploy an effective ISMS in a structured manner.
As of the publication date of this article, the current version of ISO 27002 is ISO/IEC 27002:2022. The new 2022 revision of ISO 27002 was published on February 15, 2022.
As already explained in brief, ISO 27001 is the main standard, and companies can get certified against it; companies cannot certify against ISO 27002:2022 because it is only a supporting standard.
In its Annex A, ISO 27001 provides a list of security controls and what must be achieved with those controls, but it does not explain how they can be implemented. ISO 27002 lists those very same controls and provides guidance on how they could be implemented; however, this guidance in ISO 27002 is not mandatory, i.e., companies can decide whether to use those guidelines or not.
ISO 27002 does not contain explicit requirements for companies to follow — for requirements, you should see ISO 27001. However, ISO 27002 does provide guidance on information security controls that can be applied in an organization.
The structure of ISO 27002 is listed and briefly explained below:
ISO 27002 defines a control as "a measure that modifies and/or maintains risk." Put simply, a control (or a safeguard) is a practice that can be implemented to reduce a risk to an acceptable level. Some examples of security controls include an Access control policy (5.15), Configuration management (8.9), and Secure coding (8.28).
The 2022 revision of ISO 27002 has reduced the number of controls from 114 to 93. Some of the reasons for this reduction in the number of controls include technological advancements and an improvement in the understanding of how to apply security practices.
Control attributes provide a standardized way to sort and filter controls against different views to address the needs of different groups.
The attribute options for each control are as follows:
These attributes ease the integration of ISO 27002:2022 controls with other similar security frameworks, such as the NIST Risk Management Framework. You can read more about the differences between the 2013 and 2022 versions of ISO 27002 in the last section of this article.
The layout for each ISO control in ISO 27002 consists of the following elements:
The layout is designed to provide comprehensive information and guidance for each control, helping organizations understand and implement the necessary security measures.
To effectively implement ISO 27002 controls, follow a process that assesses the organization's needs; identifies the appropriate controls, and customizes them if necessary; implements them using a structured approach; and then monitors, measures, and continuously improves them. Once completed, the implemented control should address needs at a combined technological, organizational/process, people, and documentation level.
For example, the implementation of control 8.9 Configuration management will address the following aspects:
Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.
Organization/processes. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.
People. Make employees aware of why strict control of security configurations is needed, and train them to define and implement security configurations.
Documentation. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your security operating procedures. Larger companies will typically have a separate procedure that defines the configuration process.
It took nine years for the last revision of ISO/IEC 27002 (published in 2013) to be replaced with the latest 2022 revision. The most important changes are as follows:
Here are the 11 controls that are new in ISO 27002:2022:
To learn more about these new controls and their requirements, read the article Detailed explanation of 11 new security controls in ISO 27001:2022.
In the current version of ISO 27002, 23 controls were renamed to make them easier to understand. For example:
These changes help keep the focus on the information security aspects of business processes and activities, reducing the effort of implementing and maintaining the Information Security Management System.
To see a full list of controls in the new ISO 27002, and to learn which controls were renamed and merged when compared to ISO 27002:2013, download this free white paper: Overview of new security controls in ISO 27002:2022.
Although the number of controls has been reduced, no controls were removed in this new version; they were only merged for the sake of better understanding.
A total of 57 controls have been merged into 24 controls. For example:
These consolidations were decided either because multiple related controls were natural steps of a bigger process, or because more efficient security could be achieved by considering them in a single control.
There is only one control that was split: 18.2.3 Technical compliance review was split into 5.36 Conformance with policies, rules, and standards for information security and 8.8 Management of technical vulnerabilities.
In the new ISO 27002, 35 controls remained the same, only changing their control numbers.
ISO 27002 is almost as popular as ISO 27001 for a very good reason — it provides tips and tricks for the implementation and the everyday operation of controls. This helps companies save lots of time with implementing an ISMS and going for the certification.
To automate your compliance with ISO 27001/ISO 27002 security controls, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.