What is ISO/IEC 27002?

ISO/IEC 27002:2022 Information technology — Security techniques — Code of practice for information security controls

ISO/IEC 27002:2022 serves as a guidance document, providing best-practice guidance on applying the controls listed in Annex A of ISO 27001. This includes the selection, implementation and management of controls taking into consideration the organization’s information security risk. This document should be read and used alongside ISO 27001. The suggested controls listed in the standard are intended to address specific issues identified during a formal risk assessment. The standard is also intended to provide a guide for the development of security standards and effective security management practices.

ISO 27002:2022 was created to be used by organizations that intend to:

• select controls within the process of implementing an ISMS based on ISO 27001
• implement accepted information security controls
• develop their own information security management guidelines

What is the difference between ISO/IEC 27002 and ISO 27001?

ISO/IEC 27001 provides the specifications for an ISMS. This includes requirements for the risk management process that your organization will choose depending on what is appropriate for the risks your organization faces.

ISO 27002 serves as a guidance document, providing best-practice guidance on applying the controls listed in Annex A of ISO 27001. It is a supporting document of ISO 27001 and should be used alongside it.

ISO 27001 is the only standard within the ISO 27000 series of information security standards for which organizations can achieve certification.

ISO/IEC 27002 Details

ISO 27002 is broken down into 18 clauses. In Annex A of ISO 27001 there is a list of 114 security controls. These are broken down into 14 control sets, each of which is expanded upon in Clauses 5-18 of ISO 27002:

Clause 5: Information security policies
The organization must provide management direction and support for the ISMS in accordance with any business requirements and relevant laws and regulations.

Clause 6: Organization of information security
A management framework should support the organization’s information security operations, including on and off-site

Clause 7: Human resource security
Employees and contractors should be aware of their role in safeguarding the organization’s information and are suitable for the roles of which they are considered. 

Clause 8: Asset management
Organizations should identify their assets and determine the appropriate level of protection necessary for each.

Clause 9: Access control
Access to information, and information processing facilities, should be limited to prevent unauthorized access. 

Clause 10: Cryptography
Policies on cryptography and that use cryptographic keys should be developed and implemented to protect the confidentiality, integrity, and/or availability of information.

Clause 11: Physical and environmental security
Controls should be introduced to prevent unauthorized physical access, damage, and interference to the organization’s information processing facilities.

Clause 12: Operations security
Information and information processing facilities should be protected from malware, data loss, and the exploitation of technical vulnerabilities.  

Clause 13: Communications security
Information must be protected in networks and to its supporting information processing facilities. 

Clause 14: System acquisition, development and maintenance
Ensure information security is designed and implemented throughout information systems’ lifecycle. This also includes requirements for information systems which provide services over networks. 

Clause 15: Supplier relationships
Ensure that the organization’s information assets that are accessible by suppliers are appropriately protected. 

Clause 16: Information security incident management
Ensure that information security incidents are handled consistently and effectively.

Clause 17: Information security aspects of business continuity management
Ensure information security continuity is embedded in the organization’s business continuity management practices.

Clause 18: Compliance
Ensure information is protected to meet legal, statutory, regulatory, and contractual obligations, and in accordance with the organization’s policies and procedures.