ISO/IEC 27002:2022 is an international standard that provides a detailed set of information security controls to help organisations implement and manage their Information Security Management System (ISMS). It is a guidance document that supports ISO 27001, which is the certification standard. While ISO 27001 specifies what an organisation must do, ISO 27002 provides the practical guidance on how to do it by offering a comprehensive list of security controls.
Key Changes from Previous Versions
- New Structure: The standard has been restructured from 14 clauses to 4 themes: Organisational, People, Physical, and Technological controls. This makes the controls easier to organise and manage.
- Streamlined Controls: The number of controls has been reduced and consolidated from 114 to 93, with 11 new controls added to address emerging threats, such as cloud services and data masking.
- Attribute-based Tags: Each control now has five attributes (Control Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities, and Security Domains) to make them more searchable and easier to map to other frameworks.
ISO 27001 Context
ISO 27002 is not a certifiable standard itself. An organisation is certified against ISO 27001, but they use the guidance in ISO 27002 to select and implement the security controls necessary to meet the requirements of ISO 27001, particularly in Annex A. Organisations should view it as a detailed reference guide for building a strong ISMS.
