The ISO 27002 standard is a collection of information security management guidelines that are intended to help an organization implement, maintain and improve its information security management system (ISMS). The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO 27002 is designed to work with ISO 27001, which provides the requirements for establishing, implementing, maintaining and improving an ISMS. ISO 27002 provides guidelines, general principles and control mechanisms for implementing, maintaining and improving information security management in an organization.
Any information technology (IT) group using ISO 27001 to build or enhance an ISMS will want to also follow ISO 27002 guidance. All types and sizes of organizations can benefit from basing their ISMS on the two standards. They can help establish an effective IT security risk assessment and risk management process and an ISMS implementation that adapts to the organization's size and specific needs.
ISO 27001 and 27002 are intended to be used together and complement one another. ISO 27001 is an acknowledged compliance and audit standard. ISO 27002 supplements ISO 27001, providing information that helps organizations prepare for potential ISO 27001 compliance audits and assessments.
ISO 27002 is used as a reference for implementing the controls required by ISO 27001. ISO 27001 doesn't provide detailed guidelines on how to implement the controls but relies on the information provided by ISO 27002 as a source of information security best practices. ISO 27002 provides guidance on the selection, implementation and management of controls required to achieve the objectives of ISO 27001.
Together, the two standards provide a comprehensive starting point for an organization to establish risk-awareness and identify potential threats and vulnerabilities. Using them to implement an ISMS can help organizations improve their security risk management capabilities, cybersecurity and resilience. It also establishes a security management process that's globally recognized and accepted.
The benefits of using ISO 27002 along with ISO 27001 include the following:
ISO 27002 was originally named ISO/IEC 17799 when it was first released in 2000. It was updated in 2005 as ISO 17799, when it was accompanied by the newly published ISO 27001.
The two standards are updated regularly to incorporate references to other ISO/IEC-issued security standards in new versions of the ISO/IEC 27000 series. Each update adds information security guidance and best practices that emerged since previous versions were published. They include the selection, implementation and management of information security controls based on an organization's unique information security risk environment. Controls focus on areas such as information security policies, human resources security, asset management, access control, cryptography, communications security, information systems acquisition, development and maintenance, supplier relationships, information security incident management and business continuity management.
The 2022 version was released in December 2022, and builds on previous editions of the standards, specifically the 2013 version. ISO/IEC 27002:2022 decreased the number of controls addressed to 93 from 114 in the ISO/IEC 27002:2013.
Controls in the 2022 version of the ISO 27002 standard are organized into four categories:
Controls in each category have five attributes assigned to them that fine-tune how the controls are applied to specific requirements. Attributes provide maximum flexibility when users apply them to specific information security activities. They include the following:
Each control is structured according to the following configuration:
The following table lists the four categories of controls, with examples of in each category.
Control category | Control name |
Organizational | Information security policies |
Management responsibilities | |
Access control | |
Identity management | |
Information security during a disruption | |
People | Employee screening |
Information security awareness, education and training | |
Confidentiality of nondisclosure agreements | |
Remote working | |
Event reporting | |
Physical | Physical security perimeters |
Working in secure areas | |
Clear desk and clear display screen | |
Storage media | |
Equipment maintenance | |
Technological | Information access restrictions |
Protection against malware | |
Configuration management | |
Network security | |
Change management |
Source: ISO 27002:2022
The ISO 27000 family of standards includes dozens of information security standards. These are the eight standards following ISO 27002:
Learn what you need to know about 10 common information security threats.
30 Oct 2023