What is ISO 27002?
ISO/IEC 27002 is an international standard that provides an extensive set of best practices and guidelines for information security controls. The standard supports the establishment and maintenance of an Information Security Management System (ISMS) based on ISO 27001.
🧱 What does ISO 27002 do?
ISO 27002 describes how to implement the controls from ISO 27001. Whereas ISO 27001 sets out the requirements, ISO 27002 provides the detail of the controls.
The standard contains:
- Practical guidance per control
- Implementation examples
- Objectives per control
- Linkage to risks and threats
🔢 Structure (2022 version)
The updated version of ISO 27002 (2022) contains 93 controls (previously 114), divided across 4 themes:
| Theme | Number of controls |
|---|---|
| Organisational controls | 37 |
| People controls | 8 |
| Physical controls | 14 |
| Technological controls | 34 |
Each control includes:
- The objective
- Guidance
- Optionally: attributes (such as threat type, area of application)
🔄 Relation to other standards
| Standard | Function |
|---|---|
| ISO 27001 | Sets requirements for an ISMS (management system) |
| ISO 27002 | Provides guidance and explanation for the controls |
| BIO | Dutch government implementation of ISO 27001/27002 |
| CSIR | Practical application for OT/SCADA using BIO/IEC 62443 |
🛡️ Examples of ISO 27002 controls
- A.5.7: Threat Intelligence
- A.8.3: Backup
- A.9.4: Access rights
- A.11.1: Physical Security perimeter
- A.12.6: Technical Vulnerability Management
📌 In summary
ISO 27002 is a practical guide to information security, based on risks and aimed at the correct implementation of the controls from ISO 27001. It is a critical tool for any organisation that wants to professionally structure its information security.