Definition

ISO 27002

ISO 27002 is the international standard providing guidelines for the selection, implementation and management of information security controls.

ISO/IEC 27002:2022 is an implementation guide for controls referenced in ISO 27001 Annex A. The 2022 version reorganized controls from 114 (in 14 domains) to 93 controls in 4 categories: organizational, people, physical and technological. Each control includes attributes such as type, security property and cybersecurity concept.

Key aspects

93 controls in 4 categories

Organizational (37), people (8), physical (14) and technological (34). Includes 11 new controls compared to the 2013 version.

Attribute system

Each control has attributes such as type (preventive, detective, corrective), CIA property and mapping to NIST cybersecurity concepts.

Implementation guidance

It is not certifiable on its own; it serves as a guide for implementing ISO 27001 Annex A controls and preparing the statement of applicability.

Frequently asked questions

No. ISO 27002 is a best practices guide. Certification is obtained against ISO 27001, which references ISO 27002 controls in its Annex A.

Reduced from 114 to 93 controls, reorganized from 14 domains to 4 categories, added 11 new controls and introduced an attribute system for classifying each control.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

ISO 27002

Key aspects

93 controls in 4 categories

Attribute system

Implementation guidance

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

ISO 27002

Key aspects

93 controls in 4 categories

Attribute system

Implementation guidance

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

ISO 27002

Key aspects

93 controls in 4 categories

Attribute system

Implementation guidance

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

ISO 27002

Key aspects

93 controls in 4 categories

Attribute system

Implementation guidance

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?