What Is ISO 27002 for Information Security Controls?

The modern business landscape depends on the confidentiality, integrity, and availability of information, making robust security management a top organizational priority. As digital threats evolve, organizations require a structured, internationally recognized framework to guide their defense strategy. ISO/IEC 27002 is that global standard, providing a comprehensive code of practice for implementing information security controls to protect sensitive assets. This document offers practical, detailed guidance for establishing a systematic approach to managing information security risks.

Defining ISO/IEC 27002

ISO/IEC 27002:2022 is the international standard that functions as a detailed reference set of generic information security controls. It is a guidance document, or code of practice, offering practical advice on implementing security measures rather than a mandatory list of requirements. The standard provides best-practice recommendations for selecting, implementing, and managing controls that help preserve the confidentiality, integrity, and availability of information assets. This standard is not certifiable on its own; an organization cannot undergo an audit to become officially ISO 27002 compliant. Instead, it serves as an authoritative source of detailed security controls and implementation advice for those building or enhancing their security environment.

Understanding the Relationship Between ISO 27002 and ISO 27001

The standards ISO/IEC 27001 and ISO/IEC 27002 work together, but they serve distinctly different functions. ISO/IEC 27001 is the core, auditable management system standard that defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). This standard is what an organization certifies against to demonstrate compliance. By contrast, ISO/IEC 27002 is the supporting document that details how to implement the security measures referenced in ISO 27001.

ISO 27001 includes a foundational list of controls in its Annex A, which are the security measures an organization must consider for risk treatment. ISO 27002 expands on each of those controls, providing extensive guidance on the purpose, design, and implementation of each measure. One standard presents the “what”—the requirement for a formal ISMS—while the other provides the “how”—the detailed advice for making the controls operational. Organizations rely on ISO 27002 guidance to effectively meet the requirements outlined in the auditable ISO 27001 standard.

The Structure of the 2022 Standard

The 2022 revision of ISO/IEC 27002 introduced a significant structural change, reorganizing the security controls into four thematic groupings, or domains. This update streamlined the total number of controls from 114 to 93, with 11 new controls added to address current threats like cloud services security and threat intelligence. The new structure simplifies navigation and better aligns security practices with modern enterprise operations. The four categories organize the 93 controls based on the area of the business they affect, ensuring security is managed across people, processes, and technology.

Organizational Controls

This category contains the largest number of controls, with 37 measures focusing on the establishment of the information security framework and its governance. Controls address high-level policies, roles and responsibilities, segregation of duties, intellectual property protection, and information security continuity. They ensure security is managed from the top down and integrated into the organization’s business processes. These controls formalize the necessary documentation and compliance requirements for the security program.

People Controls

The People domain includes eight specific controls related to human resources security and the behaviors of staff, contractors, and other users. These measures cover pre-employment screening, terms and conditions of employment, security awareness training, and disciplinary processes. The focus is on ensuring personnel understand their information security responsibilities before, during, and after their employment. This domain recognizes that human factors are a frequent element in security incidents.

Physical Controls

Physical controls consist of 14 measures designed to prevent unauthorized physical access to, and damage or interference with, the organization’s premises and information assets. This domain addresses the protection of secure areas, physical entry controls, securing offices and facilities, and protecting equipment from environmental hazards and theft. These controls extend the security perimeter beyond the digital realm to include buildings, server rooms, and physical hardware. They establish protocols for managing visitors and for securing assets taken off-site.

Technological Controls

This category includes 34 controls that focus on the technical implementation of security within IT systems and networks. These measures cover network security, secure authentication, data masking, cryptography, configuration management, and the use of anti-malware software. They represent the technical solutions deployed to protect information throughout its lifecycle, including data at rest and data in transit.

How Organizations Apply ISO 27002

The application of ISO 27002 begins only after an organization has conducted a comprehensive information security risk assessment, a mandatory step under the ISO 27001 standard. This assessment identifies specific threats, vulnerabilities, and potential impacts to information assets. The organization then uses the detailed controls in ISO 27002 as a catalogue of options for treating those identified risks. Since not every control is relevant to every organization, a formal selection process is necessary to map the appropriate measures to the identified risks.

This selection process culminates in the creation of the Statement of Applicability (SoA), a mandatory document for ISO 27001 certification. The SoA lists all 93 controls from the ISO 27002 guidance and records, for each one, whether the control is applicable to the organization’s ISMS, whether it has been implemented, and the justification for its inclusion or exclusion. For any control deemed non-applicable, the organization must provide a clear, risk-based rationale for its exclusion from the scope of the ISMS. The SoA links the risk assessment, the selection of controls, and the final implementation decisions.
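As an added illustration (not part of the original article), the following Python models one SoA row per control and checks the rules described above: every one of the 93 controls is listed, each row carries a justification, and nothing excluded from scope is marked as implemented. The theme counts come from this page; the clause-based control numbering (5.x, 6.x, 7.x, 8.x) is the standard's own; the sample SoA, its excluded control and its risk reference are constructed.

```python
from dataclasses import dataclass

# Four themes of ISO/IEC 27002:2022 with the control counts stated on this page.
# The standard numbers controls by clause: 5.x organizational, 6.x people,
# 7.x physical, 8.x technological.
THEMES = {5: ("Organizational", 37), 6: ("People", 8),
          7: ("Physical", 14), 8: ("Technological", 34)}

def all_control_ids():
    """Every control identifier an SoA must account for (93 in total)."""
    return [f"{clause}.{n}" for clause, (_, count) in THEMES.items()
            for n in range(1, count + 1)]

@dataclass
class SoaEntry:
    control_id: str
    applicable: bool           # in scope of the ISMS?
    implemented: bool          # already in place?
    justification: str = ""    # risk-based rationale for inclusion or exclusion

def validate_soa(entries):
    """Return a list of findings; an empty list means the SoA is complete and consistent."""
    findings = []
    expected = set(all_control_ids())
    listed = {e.control_id for e in entries}
    for cid in sorted(expected - listed, key=lambda c: tuple(map(int, c.split(".")))):
        findings.append(f"{cid}: missing; all 93 controls must be listed")
    for e in entries:
        if e.control_id not in expected:
            findings.append(f"{e.control_id}: not an ISO/IEC 27002:2022 control")
        elif not e.justification.strip():
            # Inclusion and exclusion both need a documented, risk-based rationale.
            findings.append(f"{e.control_id}: justification is required")
        if e.implemented and not e.applicable:
            findings.append(f"{e.control_id}: implemented but excluded from ISMS scope")
    return findings

def theme_summary(entries):
    """Count applicable controls per theme (call only on a validated SoA)."""
    summary = {name: 0 for name, _ in THEMES.values()}
    for e in entries:
        if e.applicable:
            summary[THEMES[int(e.control_id.split(".", 1)[0])][0]] += 1
    return summary

def sample_soa(rationale):
    """Constructed SoA: everything in scope except control 7.14, excluded with `rationale`."""
    return [SoaEntry(cid, False, False, rationale) if cid == "7.14"
            else SoaEntry(cid, True, True, "Treats risk R-01 (constructed)")
            for cid in all_control_ids()]
```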

Key Benefits of Adoption

Implementing controls based on the ISO 27002 guidance delivers multiple strategic benefits. A primary outcome is improved information security risk management, which enhances the organization’s overall security posture against evolving threats. Following the guidance helps organizations establish resilience, reducing the likelihood and impact of security incidents and data breaches. This systematic approach also leads to better operational efficiency through standardized security practices and clearer internal processes.

Adoption of these internationally recognized controls helps organizations meet various regulatory and legal compliance obligations, such as GDPR or HIPAA. Demonstrating adherence to this global standard builds trust and confidence among clients, partners, and other stakeholders. Providing assurance of a mature security environment offers a competitive advantage in contract negotiations and market reputation.