What is ISO 27002?

ISO 27002, officially named “ISO/IEC 27002 Information Security, Cybersecurity and Privacy Protection – Information Security Controls,” is a widely used and well-known information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides detailed guidelines for the implementation of the controls listed in ISO 27001 Annex A, because ISO 27001 provides only a high-level description of each control. ISO 27002 has become an internationally recognized set of industry best practices that support the implementation of ISO 27001.

What is ISO 27002? - 27001Academy
ISO 27001 compliance software
What is ISO 27002? - 27001Academy
ISO 27001 Templates
What is ISO 27002? - 27001Academy
ISO 27001 Courses

The basics

What is the purpose of ISO 27002?

The main purpose of ISO 27002 is to help organizations implement the Annex A controls from ISO 27001, because ISO 27001 does not provide explanations for how these controls should be implemented. ISO 27002 is designed to work in conjunction with ISO 27001, as ISO 27001 describes how to manage security by implementing an Information Security Management System (ISMS).

Why is ISO 27002 important?

ISO 27002 is important because it is the only standard in the ISO 27k series that provides implementation guidance on all 93 controls defined in Annex A of ISO 27001. By using the detailed guidance in ISO 27002, companies can have a much better understanding of the best practices for controls.

ISO 27002 certification – Is it possible?

Certification against ISO 27002 is not possible. ISO 27002 is non-certifiable because, unlike ISO 27001, it is not a management standard. Instead, ISO 27002 is a code of practice (or best practices) for the implementation of security controls that support the ISMS defined in ISO 27001.

Key facts about ISO 27002

How does ISO 27002 support the ISMS?

ISO 27002 supports the ISMS by providing detailed guidance on how to implement the controls necessary to establish and operate an ISMS within a company. For example, ISO 27002 takes a whole page to explain one control, while ISO 27001 dedicates only one sentence to each control. This ensures that organizations have a comprehensive set of guidelines to use as a framework to deploy an effective ISMS in a structured manner.

What is the current version of ISO 27002?

As of the publication date of this article, the current version of ISO 27002 is ISO/IEC 27002:2022. The new 2022 revision of ISO 27002 was published on February 15, 2022.

What is the difference between ISO 27001 and 27002?

As already explained in brief, ISO 27001 is the main standard, and companies can get certified against it; companies cannot certify against ISO 27002:2022 because it is only a supporting standard.

In its Annex A, ISO 27001 provides a list of security controls and what must be achieved with those controls, but it does not explain how they can be implemented. ISO 27002 lists those very same controls and provides guidance on how they could be implemented; however, this guidance in ISO 27002 is not mandatory, i.e., companies can decide whether to use those guidelines or not.

Requirements & security controls

What are the requirements for ISO 27002?

ISO 27002 does not contain explicit requirements for companies to follow — for requirements, you should see ISO 27001. However, ISO 27002 does provide guidance on information security controls that can be applied in an organization.

What are the sections of ISO 27002?

The structure of ISO 27002 is listed and briefly explained below:

  • Clause 5: Organizational controls – This section contains all controls related to various organizational issues, comprising 37 controls.
  • Clause 6: People controls – This section focuses on controls related to human resources security, comprising 8 controls.
  • Clause 7: Physical controls — This section focuses on controls related to the physical environment and equipment, comprising 14 controls.
  • Clause 8: Technological controls — This section focuses on controls related to technological solutions, comprising 34 controls.
  • Annex A: Using attributes — This annex provides a matrix of all the new controls, it compares their attributes, and provides suggestions on how to use the controls according to their attributes.
  • Annex B: Correspondence with ISO/IEC 27002:2013 — This annex provides a mapping between controls from the 2022 revision and the controls from the previous 2013 version.

What is a security control?

ISO 27002 defines a control as "a measure that modifies and/or maintains risk." Put simply, a control (or a safeguard) is a practice that can be implemented to reduce a risk to an acceptable level. Some examples of security controls include an Access control policy (5.15), Configuration management (8.9), and Secure coding (8.28).

How many controls are there in ISO 27002?

The 2022 revision of ISO 27002 has reduced the number of controls from 114 to 93. Some of the reasons for this reduction in the number of controls include technological advancements and an improvement in the understanding of how to apply security practices.

What are control attributes?

Control attributes provide a standardized way to sort and filter controls against different views to address the needs of different groups.

Attributes options for each control are as follows:

  • Control types: Preventive, Detective, and Corrective
  • Information security properties: Confidentiality, Integrity, and Availability
  • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
  • Operational capabilities: Governance, Asset management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance
  • Security domains: Governance and Ecosystem, Protection, Defense, and Resilience

These attributes will ease the integration of ISO 27002:2022 controls with other similar security frameworks, like NIST Risk Management Framework. You can read more about the differences between the 2013 and 2022 versions of ISO 27002 in the last section of this article.

How are the controls structured?

The layout for each ISO control in ISO 27002 consists of the following elements:

  • Control title: The short name of the control
  • Attribute table: A table that shows the value(s) of each attribute for the given control
  • Control: A brief description of the control
  • Purpose: An explanation of why the control should be implemented
  • Guidance: Instructions for how the control should be implemented
  • Other information: Additional explanatory text, or references to related documents

The layout is designed to provide comprehensive information and guidance for each control, helping organizations understand and implement the necessary security measures.

How to implement ISO 27002 controls

To effectively implement ISO 27002 controls, follow a process that assesses the organization's needs; identifies the appropriate controls, and customizes them if necessary; implements them using a structured approach; and then monitors, measures, and continuously improves them. Once completed, the implemented control should address needs at a combined technological, organizational/process, people, and documentation level.

For example, the implementation of control 8.9 Configuration management will address the following aspects:

Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.

Organization/processes. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.

People. Make employees aware of why strict control of security configurations is needed, and train them to define and implement security configurations.

Documentation. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your security operating procedures. Larger companies will typically have a separate procedure that defines the configuration process.

What’s new in ISO 27002:2022?

It took nine years for the last revision of ISO/IEC 27002 (published in 2013) to be replaced with the latest 2022 revision. The most important changes are as follows:

  • There are 11 new controls.
  • 23 controls have changed their names.
  • 57 controls have been merged into 24 controls.
  • 1 control was split into 2 controls.
  • Even though 35 controls remained the same, their control IDs have changed.

New controls

Here are the 11 controls that are new in ISO 27002:2022:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

To learn more about these new controls and their requirements, read the article Detailed explanation of 11 new security controls in ISO 27001:2022.

Renamed controls

In the current version of ISO 27002, 23 controls had their names changed for the sake of making them easier to understand. For example:

  • Control 12.7.1 Information systems audit controls was changed to 8.34 Protection of information systems during audit testing.
  • Control 15.1.3 Information and communication technology supply chain was changed to 5.21 Managing information security in the ICT supply chain.

These changes help keep the focus on the information security aspects of business processes and activities, reducing the effort of implementing and maintaining the Information Security Management System.

To see a full list of controls in the new ISO 27002, and to learn which controls were renamed and merged when compared to ISO 27002:2013, download this free white paper: Overview of new security controls in ISO 27002:2022.

No excluded controls

Although the number of controls has been reduced, no controls were excluded in this new version, only merged for the sake of better understanding.

Merged controls

A total of 57 controls have been merged into 24 controls. For example:

  • Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security were merged into 5.1 Policies for information security.
  • Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.

These consolidations were decided either because multiple related controls were natural steps of a bigger process, or because more efficient security could be achieved by considering them in a single control.

Split controls

There is only one control that was split: 18.2.3 Technical compliance review was split into 5.36 Conformance with policies, rules, and standards for information security and 8.8 Management of technical vulnerabilities.

Controls that have stayed the same

In the new ISO 27002, 35 controls remained the same, only changing their control numbers.

Why ISO 27002?

ISO 27002 is almost as popular as ISO 27001 for a very good reason — it provides tips and tricks for the implementation and the everyday operation of controls. This helps companies save lots of time with implementing an ISMS and going for the certification.

To automate your compliance with ISO 27001/ISO 27002 security controls, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Connect with Dejan:
Advisera Hugh Shepherd
Hugh Shepherd
Hugh Shepherd is a freelance consultant currently living in Bangkok, Thailand. He has over 20 years of professional experience spanning the military, telecommunications, information technology, cable television, and management consulting industries. He holds a master’s degree in technology management and an MBA. Over the course of his career, he has earned certifications and/or gained expertise in IT service management (ITIL, ISO 20000), telecom business processes (TM Forum), enterprise architecture (TOGAF), and cybersecurity (CISSP, CEH, Security+, ISO 27001). Previously, Hugh worked on various ICT projects in Washington, DC; New York City; Chicago, IL; Dallas, TX; and numerous other cities across the United States. While living overseas, he has done pro bono advisory work in cybersecurity and business strategy for several small businesses.