ISO 27002 Explained: A Complete Guide to Security Controls
ISO 27002 provides detailed implementation guidance for the security controls referenced in ISO 27001 Annex A. While ISO 27001 tells you what to implement, ISO 27002 tells you how to implement it. This guide explains the relationship between these standards and how to use ISO 27002 effectively.
Key Takeaways
| Point | Summary |
|---|---|
| Purpose | Implementation guidance for ISO 27001 Annex A controls |
| 93 controls | Same controls as ISO 27001:2022 Annex A, with detailed guidance |
| 4 themes | Organizational (37), People (8), Physical (14), Technological (34) |
| Not certifiable | ISO 27002 is guidance only; certification is to ISO 27001 |
| 2022 update | Restructured from 14 domains to 4 themes, 11 new controls added |
Quick Answer: ISO 27002 is the implementation companion to ISO 27001. It provides detailed guidance on how to implement each of the 93 security controls in Annex A. You don't get certified to ISO 27002; you use it to help implement ISO 27001.
Understanding ISO 27002
What Is ISO 27002?
ISO 27002 is formally titled "Information security, cybersecurity and privacy protection — Information security controls." It serves as a reference guide that provides:
- Control objectives for each security control
- Implementation guidance with practical recommendations
- Other information including examples and additional context
Think of ISO 27001 and ISO 27002 as complementary documents:
| Standard | Purpose | Status |
|---|---|---|
| ISO 27001 | Management system requirements and control list | Certifiable |
| ISO 27002 | Detailed control implementation guidance | Reference/guidance only |
The ISO 27001 and ISO 27002 Relationship
ISO 27001 Annex A lists 93 security controls that organizations must consider. For each control, it provides:
- A brief title
- A short description of the control objective
ISO 27002 expands on each control with:
- Detailed control description
- Implementation guidance (typically several paragraphs)
- Other information and considerations
Example comparison:
| Element | ISO 27001 Annex A | ISO 27002 |
|---|---|---|
| Control 5.17 | "Authentication information shall be controlled by a management process" | Multiple paragraphs on password policies, MFA implementation, password managers, initial credential distribution, etc. |
When to Use ISO 27002
| Use Case | How ISO 27002 Helps |
|---|---|
| Implementing ISO 27001 | Provides practical guidance for each control |
| Writing security policies | Offers baseline requirements to adapt |
| Gap assessment | Benchmark current controls against guidance |
| Security awareness | Resource for understanding control purposes |
| Statement of Applicability | Context for justifying control selections |
ISO 27002:2022 Structure
The Four Themes
The 2022 revision reorganized controls from 14 domains into 4 themes:
| Theme | Controls | Focus Area |
|---|---|---|
| 5. Organizational | 37 | Policies, governance, roles, asset management, access, vendors, incidents |
| 6. People | 8 | HR security, awareness, training, responsibilities |
| 7. Physical | 14 | Facilities, equipment, perimeters, environmental controls |
| 8. Technological | 34 | Endpoints, authentication, network, applications, cryptography, development |
Control Attributes (New in 2022)
ISO 27002:2022 introduced attributes to help organizations categorize and filter controls:
| Attribute | Values | Purpose |
|---|---|---|
| Control type | Preventive, Detective, Corrective | When the control acts |
| Security properties | Confidentiality, Integrity, Availability | What the control protects |
| Cybersecurity concepts | Identify, Protect, Detect, Respond, Recover | NIST CSF alignment |
| Operational capabilities | 15 categories (e.g., Governance, Asset management) | Functional grouping |
| Security domains | Governance, Protection, Defence, Resilience | Strategic focus area |
These attributes help when:
- Mapping controls to other frameworks (e.g., NIST CSF)
- Filtering controls by type or function
- Creating targeted control subsets for specific roles
Organizational Controls (Theme 5)
Policies and Governance (5.1-5.8)
| Control | Title | Implementation Highlights |
|---|---|---|
| 5.1 | Policies for information security | Topic-specific policies, management approval, regular review |
| 5.2 | Information security roles | Clear responsibilities, documented accountabilities |
| 5.3 | Segregation of duties | Separation of conflicting duties, compensating controls |
| 5.4 | Management responsibilities | Active management engagement, resource provision |
| 5.5 | Contact with authorities | Relationships with regulators, law enforcement |
| 5.6 | Contact with special interest groups | Security communities, threat intelligence sharing |
| 5.7 | Threat intelligence | Collection, analysis, use of threat information |
| 5.8 | Information security in project management | Security integrated into all project types |
Key implementation guidance for policies (5.1):
- Define an overall information security policy approved by management
- Create topic-specific policies for areas like access control, classification, cryptography
- Review policies at planned intervals and when significant changes occur
- Communicate policies to relevant personnel and interested parties
Asset Management (5.9-5.14)
| Control | Title | Implementation Highlights |
|---|---|---|
| 5.9 | Inventory of information and assets | Complete inventory with owners assigned |
| 5.10 | Acceptable use of assets | Rules for proper use of information and systems |
| 5.11 | Return of assets | Process for returning assets on termination |
| 5.12 | Classification of information | Classification scheme (e.g., Public, Internal, Confidential) |
| 5.13 | Labelling of information | Marking classified information appropriately |
| 5.14 | Information transfer | Secure transfer procedures, agreements |
Key implementation guidance for classification (5.12):
- Establish a classification scheme based on confidentiality, integrity, availability
- Assign information owners responsible for classification
- Consider legal requirements, business value, criticality
- Apply consistent classification across the organization
Access Control (5.15-5.18)
| Control | Title | Implementation Highlights |
|---|---|---|
| 5.15 | Access control | Policy-based access, default deny, need-to-know |
| 5.16 | Identity management | Unique user identification, lifecycle management |
| 5.17 | Authentication information | Password policies, MFA, secure distribution |
| 5.18 | Access rights | Provisioning, review, removal processes |
Supplier Relationships (5.19-5.23)
| Control | Title | Implementation Highlights |
|---|---|---|
| 5.19 | Information security in supplier relationships | Risk assessment, contractual requirements |
| 5.20 | Addressing security in supplier agreements | Security requirements in contracts |
| 5.21 | Managing ICT supply chain security | Sub-supplier oversight, supply chain risks |
| 5.22 | Monitoring and review of supplier services | Ongoing assessment, audit rights |
| 5.23 | Information security for cloud services | Cloud-specific considerations, shared responsibility |
Key implementation guidance for cloud services (5.23):
- Define cloud service acquisition, use, and exit processes
- Clarify shared responsibility with cloud providers
- Maintain visibility into cloud security posture
- Address data location, jurisdictional considerations
Incident Management (5.24-5.28)
| Control | Title | Implementation Highlights |
|---|---|---|
| 5.24 | Incident management planning | Procedures, roles, communication plans |
| 5.25 | Assessment and decision on events | Event triage, incident determination |
| 5.26 | Response to incidents | Containment, eradication, recovery |
| 5.27 | Learning from incidents | Post-incident review, improvement |
| 5.28 | Collection of evidence | Forensic procedures, chain of custody |
Compliance and Continuity (5.29-5.37)
| Control | Title | Implementation Highlights |
|---|---|---|
| 5.29 | Information security during disruption | Security maintained in crisis situations |
| 5.30 | ICT readiness for business continuity | Recovery capabilities, testing |
| 5.31 | Legal and regulatory requirements | Identify and document applicable requirements |
| 5.32 | Intellectual property rights | License compliance, IP protection |
| 5.33 | Protection of records | Retention, integrity, disposal |
| 5.34 | Privacy and PII protection | Personal data handling |
| 5.35 | Independent review | Security audits, assessments |
| 5.36 | Compliance with policies | Internal compliance verification |
| 5.37 | Documented operating procedures | Procedures for operational activities |
People Controls (Theme 6)
Human Resource Security
| Control | Title | Implementation Highlights |
|---|---|---|
| 6.1 | Screening | Background verification appropriate to role |
| 6.2 | Terms of employment | Security responsibilities in contracts |
| 6.3 | Awareness, education, training | Security awareness program, role-based training |
| 6.4 | Disciplinary process | Consequences for security violations |
| 6.5 | Responsibilities after termination | Ongoing confidentiality obligations |
| 6.6 | Confidentiality agreements | NDAs for employees and contractors |
| 6.7 | Remote working | Secure remote work policies and controls |
| 6.8 | Security event reporting | Mechanism for reporting suspicious events |
Key implementation guidance for awareness training (6.3):
- Initial security training for all new employees
- Regular refresher training (at least annually)
- Role-specific training for privileged users, developers, etc.
- Track completion, measure effectiveness
- Update content based on emerging threats
Physical Controls (Theme 7)
Physical Security
| Control | Title | Implementation Highlights |
|---|---|---|
| 7.1 | Physical security perimeters | Defined boundaries, barriers |
| 7.2 | Physical entry | Access control mechanisms, visitor management |
| 7.3 | Securing offices and facilities | Protection of work areas |
| 7.4 | Physical security monitoring | Surveillance, intrusion detection |
| 7.5 | Physical and environmental threats | Fire, flood, environmental controls |
| 7.6 | Working in secure areas | Procedures for sensitive areas |
| 7.7 | Clear desk and clear screen | Preventing unauthorized access to information |
| 7.8 | Equipment siting | Secure placement of equipment |
| 7.9 | Security of assets off-premises | Protecting mobile equipment |
| 7.10 | Storage media | Handling, transport, disposal |
| 7.11 | Supporting utilities | Power, cooling, connectivity |
| 7.12 | Cabling security | Protection of network and power cables |
| 7.13 | Equipment maintenance | Secure maintenance procedures |
| 7.14 | Secure disposal | Data sanitization before disposal |
Note for cloud-native organizations: Physical controls are often addressed through cloud provider certifications. Document reliance on provider controls in your Statement of Applicability.
Technological Controls (Theme 8)
Endpoint and Access (8.1-8.8)
| Control | Title | Implementation Highlights |
|---|---|---|
| 8.1 | User endpoint devices | MDM, endpoint security, BYOD policies |
| 8.2 | Privileged access rights | Limited privileged accounts, just-in-time access |
| 8.3 | Information access restriction | Technical enforcement of access policies |
| 8.4 | Access to source code | Protection of source code repositories |
| 8.5 | Secure authentication | MFA, strong authentication mechanisms |
| 8.6 | Capacity management | Monitoring, planning for capacity |
| 8.7 | Protection against malware | Anti-malware, endpoint protection |
| 8.8 | Technical vulnerability management | Scanning, patching, remediation |
Key implementation guidance for MFA (8.5):
- Implement MFA for all users, especially remote access
- Use phishing-resistant methods where possible (hardware keys, passkeys)
- Consider risk-based authentication
- Maintain backup authentication methods
Configuration and Data Protection (8.9-8.14)
| Control | Title | Implementation Highlights |
|---|---|---|
| 8.9 | Configuration management | Secure baselines, hardening standards |
| 8.10 | Information deletion | Secure deletion when no longer needed |
| 8.11 | Data masking | Protection of sensitive data in non-production |
| 8.12 | Data leakage prevention | DLP tools, controls on data egress |
| 8.13 | Information backup | Backup strategy, testing, protection |
| 8.14 | Redundancy | High availability, failover capabilities |
Key implementation guidance for configuration management (8.9):
- Define secure configuration baselines for all systems
- Use automated configuration management tools
- Monitor for configuration drift
- Document standard configurations
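The drift-monitoring step above, as an added example (not from the standard or from any vendor): a baseline of required settings is compared against a configuration pulled from a host, and every directive that is unset or differs is reported. The baseline, the config text and the directive names are constructed sample data in an sshd_config-like "Directive value" format.

```python
"""Baseline-vs-current configuration drift check (ISO 27002 control 8.9).

Added illustration, not from the standard. Baseline, config text and
directive names are constructed sample data; substitute your own
hardening standard and the configuration exported from each system.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed secure baseline: directive -> required value (lower-cased).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "verbose",
}

# Constructed "current" configuration as collected from a host.
CURRENT_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""

@dataclass(frozen=True)
class Drift:
    directive: str
    expected: str
    actual: Optional[str]   # None = not set, so the daemon default applies

def parse_config(text: str) -> dict:
    """Parse 'Directive value' lines; keys are case-insensitive, last wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    return settings

def check_drift(baseline: dict, current: dict) -> list:
    """Return every baseline directive that is unset or differs from the baseline."""
    findings = []
    for directive, expected in baseline.items():
        actual = current.get(directive)
        if actual != expected:
            findings.append(Drift(directive, expected, actual))
    return findings

def drift_report(config_text: str = CURRENT_CONFIG) -> list:
    return check_drift(BASELINE, parse_config(config_text))

if __name__ == "__main__":
    for d in drift_report():
        state = "not set" if d.actual is None else f"is {d.actual!r}"
        print(f"DRIFT {d.directive}: expected {d.expected!r}, {state}")
```

An unset directive is reported separately from a wrong value, because a baseline that relies on daemon defaults silently changes when the software is upgraded.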
Logging and Monitoring (8.15-8.17)
| Control | Title | Implementation Highlights |
|---|---|---|
| 8.15 | Logging | Comprehensive logging, log protection, retention |
| 8.16 | Monitoring activities | SIEM, alerting, analysis |
| 8.17 | Clock synchronization | NTP, accurate timestamps |
Network and Communications (8.18-8.22)
| Control | Title | Implementation Highlights |
|---|---|---|
| 8.18 | Privileged utility programs | Control of powerful system utilities |
| 8.19 | Software installation | Controlled software installation |
| 8.20 | Networks security | Network segmentation, protection |
| 8.21 | Network services security | Secure configuration of network services |
| 8.22 | Segregation of networks | Network segmentation, zones |
Application and Development Security (8.23-8.34)
| Control | Title | Implementation Highlights |
|---|---|---|
| 8.23 | Web filtering | URL filtering, content control |
| 8.24 | Cryptography | Encryption at rest and in transit, key management |
| 8.25 | Secure development lifecycle | Security in SDLC |
| 8.26 | Application security requirements | Security requirements definition |
| 8.27 | Secure system architecture | Security by design principles |
| 8.28 | Secure coding | Secure coding practices, code review |
| 8.29 | Security testing | SAST, DAST, penetration testing |
| 8.30 | Outsourced development | Third-party development security |
| 8.31 | Separation of environments | Dev, test, prod separation |
| 8.32 | Change management | Controlled change processes |
| 8.33 | Test information | Protection of test data |
| 8.34 | Audit testing protection | Security of audit activities |
Using ISO 27002 Effectively
For ISO 27001 Implementation
When implementing ISO 27001, use ISO 27002 to:
| Step | How ISO 27002 Helps |
|---|---|
| Risk assessment | Understand control options available |
| Control selection | See full scope of what each control covers |
| Implementation | Follow detailed implementation guidance |
| Statement of Applicability | Justify control inclusions/exclusions |
| Policy development | Base policies on control guidance |
| Evidence collection | Understand what demonstrates compliance |
Gap Assessment Using ISO 27002
Compare your current controls against ISO 27002 guidance:
| Assessment Step | Action |
|---|---|
| 1. List current controls | Document existing security measures |
| 2. Map to ISO 27002 | Align with the 93 controls |
| 3. Evaluate implementation | Compare against ISO 27002 guidance |
| 4. Identify gaps | Note missing or incomplete implementations |
| 5. Prioritize remediation | Based on risk assessment results |
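The five assessment steps above, together with the attribute-based filtering described under "Control Attributes", as an added example (not from the standard or from any vendor): each control in a small catalogue is tagged with its control type and cybersecurity concept, assessed maturity is compared against a target, and the resulting gaps are ordered by a risk-weighted priority. The six-control catalogue, the attribute tags, the maturity scores and the risk weights are constructed sample data.

```python
"""Gap assessment with attribute filtering (ISO 27002:2022).

Added illustration, not from the standard. The catalogue, its attribute
tags, the maturity scores and the risk weights are constructed sample
data; take authoritative tags from the standard and scores from your own
assessment and risk register.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Control:
    cid: str
    title: str
    control_type: frozenset   # attribute: Preventive / Detective / Corrective
    concepts: frozenset       # attribute: Identify / Protect / Detect / Respond / Recover

# Constructed sample catalogue (six of the 93 controls; tags illustrative).
CATALOGUE = [
    Control("5.7", "Threat intelligence", frozenset({"Preventive", "Detective", "Corrective"}), frozenset({"Identify", "Detect", "Respond"})),
    Control("8.5", "Secure authentication", frozenset({"Preventive"}), frozenset({"Protect"})),
    Control("8.9", "Configuration management", frozenset({"Preventive"}), frozenset({"Protect"})),
    Control("8.13", "Information backup", frozenset({"Corrective"}), frozenset({"Recover"})),
    Control("8.15", "Logging", frozenset({"Detective"}), frozenset({"Detect"})),
    Control("8.16", "Monitoring activities", frozenset({"Detective"}), frozenset({"Detect", "Respond"})),
]
# Constructed assessment results: maturity 0 (absent) .. 3 (fully implemented).
CURRENT = {"5.7": 0, "8.5": 3, "8.9": 1, "8.13": 2, "8.15": 2, "8.16": 0}
# Constructed risk weights (1..5) taken from the risk assessment.
RISK = {"5.7": 3, "8.5": 5, "8.9": 4, "8.13": 4, "8.15": 5, "8.16": 5}
TARGET = 3

@dataclass(frozen=True)
class Gap:
    cid: str
    title: str
    current: int
    priority: int   # (target - current) * risk weight

def select(controls, control_type: Optional[str] = None, concept: Optional[str] = None) -> list:
    """Attribute filter, e.g. the Detect subset as a targeted list for a SOC role."""
    return [c for c in controls
            if (control_type is None or control_type in c.control_type)
            and (concept is None or concept in c.concepts)]

def assess_gaps(controls, current, risk, target=TARGET) -> list:
    """Steps 3-5: evaluate each control, keep the gaps, order by risk-weighted priority."""
    gaps = []
    for c in controls:
        level = current.get(c.cid, 0)          # a control never mapped counts as absent
        shortfall = target - level
        if shortfall > 0:
            gaps.append(Gap(c.cid, c.title, level, shortfall * risk.get(c.cid, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.cid))

if __name__ == "__main__":
    for g in assess_gaps(CATALOGUE, CURRENT, RISK):
        print(f"{g.cid:<5} {g.title:<26} maturity {g.current}/{TARGET}  priority {g.priority}")
    print("Detection subset:", [c.cid for c in select(CATALOGUE, concept="Detect")])
```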
Tailoring Controls to Your Organization
ISO 27002 provides guidance, not mandates. Tailor implementation to your context:
| Factor | Consideration |
|---|---|
| Organization size | Smaller organizations may need simpler implementations |
| Industry | Regulated industries may need stricter controls |
| Risk appetite | Higher risk tolerance may justify fewer controls |
| Technology environment | Cloud-native vs. on-premises affects physical controls |
| Resources | Available budget and personnel |
New Controls in ISO 27002:2022
The 2022 revision added 11 new controls:
| Control | Theme | Purpose |
|---|---|---|
| 5.7 | Organizational | Threat intelligence |
| 5.23 | Organizational | Cloud services security |
| 5.30 | Organizational | ICT readiness for business continuity |
| 7.4 | Physical | Physical security monitoring |
| 8.9 | Technological | Configuration management |
| 8.10 | Technological | Information deletion |
| 8.11 | Technological | Data masking |
| 8.12 | Technological | Data leakage prevention |
| 8.16 | Technological | Monitoring activities |
| 8.23 | Technological | Web filtering |
| 8.28 | Technological | Secure coding |
These additions reflect evolving security practices including cloud adoption, threat intelligence, and secure development.
Common Questions
Do I need to buy ISO 27002?
Yes, ISO 27002 is a copyrighted document that must be purchased from ISO or your national standards body. While summaries and interpretations are available, the full implementation guidance requires the official document.
Can I be certified to ISO 27002?
No. ISO 27002 is a guidance document, not a certification standard. Certification is to ISO 27001. However, auditors may reference ISO 27002 when assessing control implementation.
Is ISO 27002 mandatory for ISO 27001?
ISO 27002 is not mandatory, but it's highly recommended. ISO 27001 requires you to implement controls from Annex A, and ISO 27002 provides the detailed guidance for doing so effectively.
How often is ISO 27002 updated?
ISO 27002 was significantly revised in 2022 (previous version was 2013). The standard is reviewed every five years, though not every review results in changes.
The Bastion Approach
Simplified Control Implementation
Bastion streamlines ISO 27002 control implementation:
| Challenge | Bastion Solution |
|---|---|
| Understanding 93 controls | Expert guidance on what applies |
| Translating guidance to action | Pre-built control implementations |
| Evidence requirements | Automated evidence collection |
| Gap assessment | Control mapping against your environment |
| Ongoing compliance | Continuous control monitoring |
Need help implementing ISO 27002 controls? Talk to our team
Sources
- ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection — Information security controls
- ISO/IEC 27001:2022 - Information security management systems — Requirements
