ISO 27002: A Comprehensive Guide to Information Security Controls


With data breaches becoming increasingly prevalent, organizations must prioritize information security to safeguard their sensitive information and protect their stakeholders. One internationally recognized standard that assists organizations in establishing robust information security practices is ISO 27002. In this comprehensive guide, we will delve into the intricacies of ISO 27002, its purpose, its importance, and how it supports the Information Security Management System (ISMS) established by ISO 27001.

ISO 27002 is an integral part of the ISO 27k series, which includes several standards related to information security. While ISO 27001 focuses on establishing an ISMS, ISO 27002 provides detailed guidance on implementing the controls outlined in Annex A of ISO 27001. Think of ISO 27002 as a companion document to ISO 27001, offering practical instructions on how to implement effective security measures.

The primary purpose of ISO 27002 is to bridge the gap left by ISO 27001 by providing organizations with clear guidelines on how to implement the controls specified in Annex A. ISO 27001 outlines the requirements for an effective ISMS, but it does not elaborate on the practical implementation of these controls. ISO 27002 steps in to fill this void, providing organizations with implementation guidance to ensure the controls are effectively deployed.

ISO 27002 holds significant importance for organizations aiming to establish robust information security practices. It is the only standard in the ISO 27k series that offers comprehensive implementation guidance on all 93 controls defined in Annex A of ISO 27001. By leveraging the detailed guidance provided, organizations gain a deeper understanding of best practices for implementing these controls, ultimately enhancing their overall security posture.

Unlike ISO 27001, ISO 27002 is not certifiable. It is a code of practice, or best-practice guide, for implementing the security controls that support the ISMS defined in ISO 27001. While organizations can obtain certification against ISO 27001, ISO 27002 acts as a practical resource to guide the implementation of controls.


ISO 27002 plays a crucial role in supporting the ISMS established by ISO 27001. It offers detailed guidance on how to implement the controls required to establish and operate an effective ISMS within an organization. While ISO 27001 provides a brief sentence for each control, ISO 27002 takes a more comprehensive approach, devoting an entire page to explaining each control. The guidelines provided by ISO 27002 enable organizations to implement an ISMS in a structured manner and ensure a comprehensive approach to information security.

ISO 27002 is structured into several sections, each focusing on specific aspects of information security controls. Understanding the structure of ISO 27002 is essential for organizations seeking to implement effective security practices. Let’s explore the different sections of ISO 27002:

Organizational Controls

The organizational controls section, found in Clause 5, addresses various organizational issues related to information security. This section comprises 37 controls, covering areas such as information security policies, risk assessment and treatment, asset management, human resources security, and more. These controls provide guidance on how organizations can establish a solid foundation for their information security practices.

People Controls

Clause 6 of ISO 27002 is dedicated to people controls, focusing on the security measures related to human resources. It encompasses eight controls that aim to ensure that employees understand their roles and responsibilities in maintaining information security. These controls cover areas such as employment agreements, awareness training, disciplinary process, and termination procedures.

Physical Controls

Physical controls, as outlined in Clause 7, are essential for protecting an organization’s physical assets and the environment in which they operate. This section includes 14 controls that address areas such as secure areas, equipment protection, media handling, and disposal. By implementing these controls, organizations can mitigate physical security risks and safeguard their resources.

Technological Controls

Clause 8 of ISO 27002 focuses on technological controls, providing guidance on security measures related to technology solutions. This section comprises 34 controls, covering areas such as secure system configuration, access control, cryptography, malware protection, and more. Implementing these controls helps organizations establish a robust technological infrastructure that is resilient against cyber threats.

ISO 27002 encompasses a total of 93 controls that organizations can implement to enhance their information security practices. These controls are categorized into various sections, as outlined in the previous section. Some key controls worth highlighting include:

Access control policy (5.15)

Ensures that access to sensitive information is granted only to authorized individuals, minimizing the risk of unauthorized access.

Configuration management (8.9)

Focuses on managing and maintaining the configuration of technology assets, ensuring that they adhere to security requirements.

Secure coding (8.28)

This control emphasizes the importance of following secure coding practices during software development to prevent vulnerabilities and protect against attacks.

Data masking (8.12)

Data masking is a technique used to protect sensitive data by replacing it with fictional data that retains the original data’s format and structure.

Physical entry controls (7.2)

This control ensures that physical access to sensitive areas is restricted to authorized personnel, preventing unauthorized entry and physical security breaches.

These are just a few examples of the controls outlined in ISO 27002. Each control plays a crucial role in establishing a comprehensive information security framework.
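The data masking control (8.12) above describes replacing sensitive values with fictional ones that keep the original format and structure. The following is an added example, not code from the page or from the standard, showing one way to do that: each digit is swapped for a digit and each letter for a letter of the same case, punctuation and length are preserved, and the replacement is derived from an HMAC so the same input always masks to the same output (which keeps joins between masked tables working). The key, the field names and the sample records are constructed for the demonstration.

```python
import hashlib
import hmac
import string

# Constructed demonstration key. In a real deployment the key lives in a
# secrets manager and is rotated; anyone holding it can reproduce the mapping,
# so it must be protected like the data it masks.
MASKING_KEY = b"demo-masking-key-not-for-production"

# Fields that the (assumed) data classification marks as sensitive.
SENSITIVE_FIELDS = {"name", "email", "phone", "national_id"}


def _keystream(field: str, value: str, length: int) -> bytes:
    """Derive `length` pseudo-random bytes with HMAC-SHA256 over the field
    name, a counter and the original value, so masking is deterministic."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = f"{field}:{counter}:{value}".encode()
        out += hmac.new(MASKING_KEY, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mask_value(value: str, field: str) -> str:
    """Replace digits with digits and letters with same-case letters; keep
    punctuation, spacing and length so format validators still pass."""
    stream = _keystream(field, value, len(value))
    masked = []
    for ch, b in zip(value, stream):
        if ch in string.digits:
            masked.append(string.digits[b % 10])
        elif ch in string.ascii_uppercase:
            masked.append(string.ascii_uppercase[b % 26])
        elif ch in string.ascii_lowercase:
            masked.append(string.ascii_lowercase[b % 26])
        else:
            masked.append(ch)
    return "".join(masked)


def mask_email(value: str) -> str:
    """Mask only the local part so the domain survives for routing tests;
    fall back to masking the whole string if there is no '@'."""
    if "@" not in value:
        return mask_value(value, "email")
    local, domain = value.rsplit("@", 1)
    return mask_value(local, "email") + "@" + domain


def mask_record(record: dict) -> dict:
    """Return a copy of `record` with sensitive string fields masked."""
    out = {}
    for key, val in record.items():
        if key not in SENSITIVE_FIELDS or not isinstance(val, str):
            out[key] = val
        elif key == "email":
            out[key] = mask_email(val)
        else:
            out[key] = mask_value(val, key)
    return out


def same_shape(original: str, masked: str) -> bool:
    """Verify that masking preserved character classes position by position."""
    def cls(c: str) -> str:
        if c in string.digits:
            return "d"
        if c in string.ascii_uppercase:
            return "U"
        if c in string.ascii_lowercase:
            return "l"
        return c
    return len(original) == len(masked) and all(
        cls(a) == cls(b) for a, b in zip(original, masked)
    )


# Constructed test data; these are not real people.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "555-0100-4567", "national_id": "AB-123456-Z", "plan": "gold"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.com",
     "phone": "555-0100-4567", "national_id": "CD-654321-Y", "plan": "basic"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(mask_record(rec))
```

Because the mapping is keyed and deterministic, two records that share a phone number still share one after masking, which is what keeps test databases usable; the flip side is that the key must be treated as sensitive, since it allows the mapping to be reproduced.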

As of February 15, 2022, the current version is ISO/IEC 27002:2022. This revision introduces several changes compared to the previous version, including the addition of 11 new controls, changes to control names, merging of controls, and splitting of one control. The updated version aligns with technological advancements and incorporates improved understanding of security practices.

ISO 27001 | ISO 27002
--------- | ---------
Management standard that outlines the requirements for establishing an ISMS and provides a framework for managing information security | Code of practice that offers implementation guidance for the controls specified in ISO 27001’s Annex A
Provides a high-level overview of controls and what must be achieved | Delves into the practical implementation of these controls
Mandatory | Not mandatory

The framework does not contain explicit requirements for organizations to follow. Instead, it offers guidance on information security controls that can be applied within an organization. For specific requirements, organizations should refer to ISO 27001. By following the guidance provided in ISO 27002, organizations can effectively implement the necessary security controls to protect their sensitive information.

The latest revision of ISO 27002, released in 2022, introduces several new features. Notable changes include the addition of 11 new controls, renaming of 23 controls for better clarity, merging of 57 controls into 24 controls, and splitting one control into two. These changes reflect the evolving landscape of information security and aim to provide organizations with more precise and practical guidance for implementing effective security measures.

To effectively implement the ISO 27002 controls, organizations should follow a systematic process that assesses their specific needs, identifies the appropriate controls, customizes them if necessary, implements them using a structured approach, and continuously monitors and improves them. The implementation process should address technological, organizational, people, and documentation aspects to ensure comprehensive coverage.

For example, the implementation of control 8.9 on configuration management requires attention to various aspects. Organizations must consider the technology involved, such as software, hardware, services, or networks. Smaller companies may handle configuration management without additional tools, while larger companies may require software solutions. Establishing processes for proposing, reviewing, and approving security configurations, as well as managing and monitoring configurations, is also crucial. Employee awareness and training regarding the importance of strict control over security configurations should be prioritized. Finally, documentation of configuration rules and procedures is essential for compliance with ISO 27001.
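The configuration management process described above includes approving security configurations and then managing and monitoring them. The following is an added example, not code from the page or from the standard, of the monitoring half: an approved baseline is compared with a configuration captured from a host, and every setting that is missing or differs is reported as a finding for review. The baseline values and the captured configuration are constructed for this example; the key/value format mirrors an SSH daemon configuration file but the parser is generic.

```python
from typing import Dict, List, Optional

# Approved security baseline (constructed values). In practice this is the
# reviewed and approved configuration standard kept under change control.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Configuration captured from a host by a monitoring job (constructed sample).
# PermitRootLogin and MaxAuthTries have drifted; X11Forwarding is absent.
CAPTURED_CONFIG = """\
# sshd_config as collected from the host
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
"""


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, ignoring blank lines and '#' comment lines."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_drift(baseline: Dict[str, str], actual: Dict[str, str]) -> List[dict]:
    """Compare each baseline setting with the captured value.

    Returns one finding per setting that is missing or differs, in baseline
    order; an empty list means the host matches its approved baseline.
    """
    findings: List[dict] = []
    for key, expected in baseline.items():
        observed: Optional[str] = actual.get(key)
        if observed is None:
            findings.append({"setting": key, "expected": expected,
                             "observed": None, "status": "missing"})
        elif observed.lower() != expected.lower():
            findings.append({"setting": key, "expected": expected,
                             "observed": observed, "status": "drift"})
    return findings


def drift_report(baseline: Dict[str, str], config_text: str) -> List[dict]:
    """Convenience wrapper: parse the captured text and check it for drift."""
    return check_drift(baseline, parse_kv_config(config_text))


if __name__ == "__main__":
    for f in drift_report(BASELINE, CAPTURED_CONFIG):
        print(f"{f['status']:8} {f['setting']}: "
              f"expected {f['expected']!r}, observed {f['observed']!r}")
```

A finding of "missing" is reported separately from "drift" because a setting that is absent may be taking an implicit default the baseline never approved; both kinds feed the review-and-approve step rather than being corrected silently, so the documented configuration rules stay the single source of truth.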

ISO 27002 serves as a vital resource for organizations looking to establish robust information security practices. By providing detailed implementation guidance on the controls outlined in ISO 27001’s Annex A, it enables organizations to enhance their security posture and protect their valuable information assets. While it is not certifiable, it offers practical guidance to support organizations in their journey towards ISO 27001 certification. By leveraging the guidance provided by ISO 27002, organizations can ensure compliance with industry best practices and effectively mitigate information security risks.