Security.com

ISO 27002 (International Organization for Standardization 27002)

By Paul Kirvan

What is ISO 27002?

The ISO 27002 standard is a collection of information security management guidelines that are intended to help an organization implement, maintain and improve its information security management system (ISMS). The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO 27002 is designed to work with ISO 27001, which provides the requirements for establishing, implementing, maintaining and improving an ISMS. ISO 27002 provides guidelines, general principles and control mechanisms for implementing, maintaining and improving information security management in an organization.

Any information technology (IT) group using ISO 27001 to build or enhance an ISMS will want to also follow ISO 27002 guidance. All types and sizes of organizations can benefit from basing their ISMS on the two standards. They can help establish an effective IT security risk assessment and risk management process and an ISMS implementation that adapts to the organization's size and specific needs.

How ISO 27001 and 27002 work together

ISO 27001 and 27002 are intended to be used together and complement one another. ISO 27001 is an acknowledged compliance and audit standard. ISO 27002 supplements ISO 27001, providing information that helps organizations prepare for potential ISO 27001 compliance audits and assessments.

ISO 27002 is used as a reference for implementing the controls required by ISO 27001. ISO 27001 doesn't provide detailed guidelines on how to implement the controls but relies on the information provided by ISO 27002 as a source of information security best practices. ISO 27002 provides guidance on the selection, implementation and management of controls required to achieve the objectives of ISO 27001.

Together, the two standards provide a comprehensive starting point for an organization to establish risk-awareness and identify potential threats and vulnerabilities. Using them to implement an ISMS can help organizations improve their security risk management capabilities, cybersecurity and resilience. It also establishes a security management process that's globally recognized and accepted.

Benefits of ISO 27002

The benefits of using ISO 27002 along with ISO 27001 include the following:

History of ISO 27002

ISO 27002 was originally named ISO/IEC 17799 when it was first released in 2000. It was updated in 2005 as ISO 17799, when it was accompanied by the newly published ISO 27001.

The two standards are updated regularly to incorporate references to other ISO/IEC-issued security standards in new versions of the ISO/IEC 27000 series. Each update adds information security guidance and best practices that emerged since previous versions were published. They include the selection, implementation and management of information security controls based on an organization's unique information security risk environment. Controls focus on areas such as information security policies, human resources security, asset management, access control, cryptography, communications security, information systems acquisition, development and maintenance, supplier relationships, information security incident management and business continuity management.

The 2022 version was released in December 2022, and builds on previous editions of the standards, specifically the 2013 version. ISO/IEC 27002:2022 decreased the number of controls addressed to 93 from 114 in the ISO/IEC 27002:2013.

What's included in 2022 version of ISO 27002

Controls in the 2022 version of the ISO 27002 standard are organized into four categories:

  1. Controls that affect people.
  2. Controls that affect physical objects, such as computing devices and buildings.
  3. Controls that affect technology.
  4. Controls that are linked with activities associated with organizations.

Controls in each category have five attributes assigned to them that fine-tune how the controls are applied to specific requirements. Attributes provide maximum flexibility when users apply them to specific information security activities. They include the following:

Each control is structured according to the following configuration:

The following table lists the four categories of controls, with examples of in each category.

Control category Control name
Organizational Information security policies
Management responsibilities
Access control
Identity management
Information security during a disruption
People Employee screening
Information security awareness, education and training
Confidentiality of nondisclosure agreements
Remote working
Event reporting
Physical Physical security perimeters
Working in secure areas
Clear desk and clear display screen
Storage media
Equipment maintenance
Technological Information access restrictions
Protection against malware
Configuration management
Network security
Change management

Source: ISO 27002:2022

Additional ISO 27000 series standards

The ISO 27000 family of standards includes dozens of information security standards. These are the eight standards following ISO 27002:

Learn what you need to know about 10 common information security threats.

30 Oct 2023

All Rights Reserved, Copyright 2000 - 2024, TechTarget | Read our Privacy Statement