- Implement & Learn
Implementation Products - Resources
- For Consultants
- About Us
ISO 27001 Expert - Contact Us
ISO 27002, officially named “ISO/IEC 27002 Information Security, Cybersecurity and Privacy Protection – Information Security Controls,” is a widely used and well-known information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides detailed guidelines for the implementation of the controls listed in ISO 27001 Annex A, because ISO 27001 provides only a high-level description of each control. ISO 27002 has become an internationally recognized set of industry best practices that support the implementation of ISO 27001.
The main purpose of ISO 27002 is to help organizations implement the Annex A controls from ISO 27001, because ISO 27001 does not provide explanations for how these controls should be implemented. ISO 27002 is designed to work in conjunction with ISO 27001, as ISO 27001 describes how to manage security by implementing an Information Security Management System (ISMS).
ISO 27002 is important because it is the only standard in the ISO 27k series that provides implementation guidance on all 93 controls defined in Annex A of ISO 27001. By using the detailed guidance in ISO 27002, companies can have a much better understanding of the best practices for controls.
Certification against ISO 27002 is not possible. ISO 27002 is non-certifiable because, unlike ISO 27001, it is not a management standard. Instead, ISO 27002 is a code of practice (or best practices) for the implementation of security controls that support the ISMS defined in ISO 27001.
ISO 27002 supports the ISMS by providing detailed guidance on how to implement the controls necessary to establish and operate an ISMS within a company. For example, ISO 27002 takes a whole page to explain one control, while ISO 27001 dedicates only one sentence to each control. This ensures that organizations have a comprehensive set of guidelines to use as a framework to deploy an effective ISMS in a structured manner.
As of the publication date of this article, the current version of ISO 27002 is ISO/IEC 27002:2022. The new 2022 revision of ISO 27002 was published on February 15, 2022.
As already explained in brief, ISO 27001 is the main standard, and companies can get certified against it; companies cannot certify against ISO 27002:2022 because it is only a supporting standard.
In its Annex A, ISO 27001 provides a list of security controls and what must be achieved with those controls, but it does not explain how they can be implemented. ISO 27002 lists those very same controls and provides guidance on how they could be implemented; however, this guidance in ISO 27002 is not mandatory, i.e., companies can decide whether to use those guidelines or not.
ISO 27002 does not contain explicit requirements for companies to follow — for requirements, you should see ISO 27001. However, ISO 27002 does provide guidance on information security controls that can be applied in an organization.
The structure of ISO 27002 is listed and briefly explained below:
ISO 27002 defines a control as "a measure that modifies and/or maintains risk." Put simply, a control (or a safeguard) is a practice that can be implemented to reduce a risk to an acceptable level. Some examples of security controls include an Access control policy (5.15), Configuration management (8.9), and Secure coding (8.28).
The 2022 revision of ISO 27002 has reduced the number of controls from 114 to 93. Some of the reasons for this reduction in the number of controls include technological advancements and an improvement in the understanding of how to apply security practices.
Control attributes provide a standardized way to sort and filter controls against different views to address the needs of different groups.
Attributes options for each control are as follows:
These attributes will ease the integration of ISO 27002:2022 controls with other similar security frameworks, like NIST Risk Management Framework. You can read more about the differences between the 2013 and 2022 versions of ISO 27002 in the last section of this article.
The layout for each ISO control in ISO 27002 consists of the following elements:
The layout is designed to provide comprehensive information and guidance for each control, helping organizations understand and implement the necessary security measures.
To effectively implement ISO 27002 controls, follow a process that assesses the organization's needs; identifies the appropriate controls, and customizes them if necessary; implements them using a structured approach; and then monitors, measures, and continuously improves them. Once completed, the implemented control should address needs at a combined technological, organizational/process, people, and documentation level.
For example, the implementation of control 8.9 Configuration management will address the following aspects:
Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.
Organization/processes. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.
People. Make employees aware of why strict control of security configurations is needed, and train them to define and implement security configurations.
Documentation. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your security operating procedures. Larger companies will typically have a separate procedure that defines the configuration process.
It took nine years for the last revision of ISO/IEC 27002 (published in 2013) to be replaced with the latest 2022 revision. The most important changes are as follows:
Here are the 11 controls that are new in ISO 27002:2022:
To learn more about these new controls and their requirements, read the article Detailed explanation of 11 new security controls in ISO 27001:2022.
In the current version of ISO 27002, 23 controls had their names changed for the sake of making them easier to understand. For example:
These changes help keep the focus on the information security aspects of business processes and activities, reducing the effort of implementing and maintaining the Information Security Management System.
To see a full list of controls in the new ISO 27002, and to learn which controls were renamed and merged when compared to ISO 27002:2013, download this free white paper: Overview of new security controls in ISO 27002:2022.
Although the number of controls has been reduced, no controls were excluded in this new version, only merged for the sake of better understanding.
A total of 57 controls have been merged into 24 controls. For example:
These consolidations were decided either because multiple related controls were natural steps of a bigger process, or because more efficient security could be achieved by considering them in a single control.
There is only one control that was split: 18.2.3 Technical compliance review was split into 5.36 Conformance with policies, rules, and standards for information security and 8.8 Management of technical vulnerabilities.
In the new ISO 27002, 35 controls remained the same, only changing their control numbers.
ISO 27002 is almost as popular as ISO 27001 for a very good reason — it provides tips and tricks for the implementation and the everyday operation of controls. This helps companies save lots of time with implementing an ISMS and going for the certification.
To automate your compliance with ISO 27001/ISO 27002 security controls, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.
Dejan Kosutic 