ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls


Role of ISO/IEC 27002 in the 27000 Family

ISO/IEC 27002:2022 is the reference catalogue of information security controls for the 27000 family, providing detailed implementation guidance for the controls listed in ISO/IEC 27001:2022 Annex A. While ISO/IEC 27001 specifies the mandatory requirements for an ISMS, including the requirement to select and implement controls, ISO/IEC 27002 explains how those controls can be implemented, offering practical guidance, design considerations and implementation examples for each of the 93 controls organized across 4 themes.

The relationship between 27001 and 27002 is complementary. Think of 27001 as the “what” (requirements and control selection) and 27002 as the “how” (implementation guidance). Together, they form a complete framework for managing information security.

The 2022 edition is a major revision of the 2013 edition, and was retitled from "Code of practice for information security controls" to "Information security controls". The controls have been restructured from 14 domains and 114 controls to 4 themes and 93 controls, with 11 newly added controls and significant revisions to existing ones. The standard now tags each control with five attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains), enabling the catalogue to be filtered and reported from different perspectives.

Theme          | Controls | Focus area                                    | Example controls
Organizational | 37       | Policies, roles, responsibilities, governance | Information security policies, threat intelligence, use of cloud services, supplier relationships, incident management, ICT readiness for business continuity
People         | 8        | Human resource security, awareness, training  | Screening, awareness education and training, disciplinary process, responsibilities after termination or change of employment, remote working
Physical       | 14       | Physical and environmental security           | Physical security perimeters, physical entry, physical security monitoring, equipment protection, clear desk and clear screen
Technological  | 34       | Technical security measures                   | Access control, cryptography, network security, secure coding, protection against malware, data leakage prevention
The thematic restructuring reflects the reality that security controls naturally cut across organizational boundaries. For example, remote working (People control 6.7) involves not only people policies but also technological controls (VPN, endpoint protection, user endpoint devices under 8.1) and organizational controls (security policy, risk assessment). The attribute system makes these cross-cutting relationships visible.

Structure of Security Controls and Implementation Guidance

Each control in ISO/IEC 27002:2022 is presented in a standardized format designed to facilitate consistent interpretation and implementation. For each control the standard provides: (1) the attribute table; (2) the control statement, a concise description of what the control achieves; (3) the purpose, explaining why the control is important; (4) guidance, the core content, providing step-by-step or scenario-based advice on how to implement the control; and (5) other information, such as cross-references to related controls, standards or legal frameworks.

The new attribute system deserves particular attention. Each control is tagged with attributes across five dimensions: Control type (preventive, detective, corrective), Information security properties (confidentiality, integrity, availability), Cybersecurity concepts (Identify, Protect, Detect, Respond, Recover, the same five functions used by NIST CSF 1.1 and ISO/IEC TS 27110), Operational capabilities (governance, asset management, identity and access management, and so on), and Security domains (governance and ecosystem, protection, defence, resilience). These attributes let organizations generate tailored views for different audiences: a board-level cybersecurity report might focus on the governance and defence domains, while a technical team report might focus on protection and detection.

Attribute dimension             | Attribute values                                                                                                  | Use case
Control type                    | #Preventive, #Detective, #Corrective                                                                              | Identify gaps in control coverage by type
Information security properties | #Confidentiality, #Integrity, #Availability                                                                       | Map controls to the CIA triad
Cybersecurity concepts          | #Identify, #Protect, #Detect, #Respond, #Recover                                                                  | Align with NIST CSF or similar frameworks
Operational capabilities        | #Governance, #Asset_management, #Identity_and_access_management, #Threat_and_vulnerability_management, etc. (15 values) | Identify capability gaps in security operations
Security domains                | #Governance_and_Ecosystem, #Protection, #Defence, #Resilience                                                      | Strategic security program planning
The attribute system is descriptive, not prescriptive — it helps organizations analyze and communicate about their control posture but does not create additional requirements. Organizations certified to ISO/IEC 27001:2022 are not required to use the attribute system; it is an optional tool for enhanced management and reporting.
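The views and gap checks described above are easy to automate once the attribute tags are held as data. The following Python script is an added example, not text or code from the standard or from this page: it holds a seven-control subset of the 2022 catalogue, validates each control's tags against the standard's vocabulary, and derives three views (a filter, a cross-tabulation, and a list of attribute values no in-scope control carries). The control numbers and titles are those of the 2022 edition; the tags on each control are reproduced from memory of the standard's attribute tables and should be checked against the published text before being relied on.

```python
"""Attribute-based views over a subset of the ISO/IEC 27002:2022 catalogue.

Added example. Tags per control are transcribed from memory of the
standard's attribute tables; verify against the published text.
"""
from collections import defaultdict
from dataclasses import dataclass

# Vocabularies from the standard (operational capabilities are only
# checked for hashtag shape here, to keep the example short).
CONTROL_TYPES = {"#Preventive", "#Detective", "#Corrective"}
PROPERTIES = {"#Confidentiality", "#Integrity", "#Availability"}
CONCEPTS = {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"}
DOMAINS = {"#Governance_and_Ecosystem", "#Protection", "#Defence", "#Resilience"}


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    types: frozenset
    properties: frozenset
    concepts: frozenset
    capabilities: frozenset
    domains: frozenset


def validate(c: Control) -> None:
    """Reject tags outside the standard's vocabulary or empty dimensions."""
    unknown = ((c.types - CONTROL_TYPES) | (c.properties - PROPERTIES)
               | (c.concepts - CONCEPTS) | (c.domains - DOMAINS)
               | {t for t in c.capabilities if not t.startswith("#")})
    if unknown:
        raise ValueError(f"{c.ident}: unknown attribute values {sorted(unknown)}")
    for dim in ("types", "properties", "concepts", "capabilities", "domains"):
        if not getattr(c, dim):
            raise ValueError(f"{c.ident}: no values for {dim}")


def control(ident, title, types, properties, concepts, capabilities, domains):
    c = Control(ident, title, frozenset(types), frozenset(properties),
                frozenset(concepts), frozenset(capabilities), frozenset(domains))
    validate(c)
    return c


# Seven of the eleven controls new in 2022 (tags from memory; see docstring).
CATALOG = [
    control("5.7", "Threat intelligence", ["#Preventive", "#Detective", "#Corrective"],
            PROPERTIES, ["#Identify", "#Detect", "#Respond"],
            ["#Threat_and_vulnerability_management"], ["#Defence", "#Resilience"]),
    control("5.23", "Information security for use of cloud services", ["#Preventive"],
            PROPERTIES, ["#Protect"], ["#Supplier_relationships_security"],
            ["#Governance_and_Ecosystem", "#Protection"]),
    control("5.30", "ICT readiness for business continuity", ["#Corrective"],
            ["#Availability"], ["#Respond"], ["#Continuity"], ["#Resilience"]),
    control("8.10", "Information deletion", ["#Preventive"], ["#Confidentiality"],
            ["#Protect"], ["#Information_protection", "#Legal_and_compliance"], ["#Protection"]),
    control("8.11", "Data masking", ["#Preventive"], ["#Confidentiality"],
            ["#Protect"], ["#Information_protection"], ["#Protection"]),
    control("8.16", "Monitoring activities", ["#Detective", "#Corrective"], PROPERTIES,
            ["#Detect", "#Respond"], ["#Information_security_event_management"], ["#Defence"]),
    control("8.28", "Secure coding", ["#Preventive"], PROPERTIES, ["#Protect"],
            ["#Application_security", "#System_and_network_security"], ["#Protection"]),
]


def select(catalog, **criteria):
    """Controls carrying every requested tag, e.g. select(CATALOG, concepts="#Detect")."""
    return [c for c in catalog
            if all(value in getattr(c, dim) for dim, value in criteria.items())]


def coverage_matrix(catalog, rows, cols):
    """Cross-tabulate two dimensions: matrix[row_tag][col_tag] = number of controls."""
    matrix = defaultdict(lambda: defaultdict(int))
    for c in catalog:
        for r in getattr(c, rows):
            for k in getattr(c, cols):
                matrix[r][k] += 1
    return matrix


def uncovered(catalog, dim, vocabulary):
    """Attribute values that no in-scope control carries: the gap-analysis view."""
    present = set().union(*(getattr(c, dim) for c in catalog))
    return set(vocabulary) - present


if __name__ == "__main__":
    print("Detective controls:", [c.ident for c in select(CATALOG, types="#Detective")])
    print("Concept x type:", {k: dict(v) for k, v in coverage_matrix(CATALOG, "concepts", "types").items()})
    print("Concepts with no control in scope:", uncovered(CATALOG, "concepts", CONCEPTS))
```

Run on this subset, the gap view reports that nothing in scope is tagged #Recover, which is exactly the kind of finding a scoped control selection is meant to surface before an auditor does; the real catalogue of course contains #Recover controls.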

Key Controls in Depth

Among the eleven new controls introduced in the 2022 edition, several warrant detailed discussion due to their contemporary relevance. Control 5.7 (Threat intelligence) addresses the need for organizations to systematically collect and analyze information about current and emerging threats, converting raw threat data into actionable intelligence. This control reflects the maturation of threat intelligence from a specialized function in large enterprises to a baseline capability expected of all security-conscious organizations. Implementation typically involves establishing sources (ISACs, industry groups, commercial feeds), defining analysis processes, and integrating intelligence outputs into risk assessment and incident response workflows.

Control 5.23 (Information security for use of cloud services) provides guidance on managing the security implications of cloud adoption. This control recognizes that cloud services introduce different risk profiles compared to on-premises solutions, including shared responsibility models, multi-tenancy considerations, data residency requirements, and vendor lock-in risks. The implementation guidance covers cloud service selection, supplier due diligence, contract security requirements, and ongoing monitoring of cloud service security posture.

Control 5.30 (ICT readiness for business continuity) links information security with business continuity management. It calls for ICT systems to be prepared to maintain or rapidly recover business operations during disruptions, based on the organization's business impact analysis and continuity requirements. The guidance covers capacity planning, redundancy architecture, backup strategies, disaster recovery testing, and the integration of ICT readiness with organizational business continuity plans.

The addition of Control 8.10 (Information deletion) and Control 8.11 (Data masking) addresses the growing importance of data lifecycle management. Information deletion ensures data is securely disposed of when no longer needed, reducing the risk of breaches involving obsolete data. Data masking enables the use of realistic data for testing and development without exposing sensitive information; the guidance lists techniques such as encryption, nulling or deleting characters, varying numbers and dates, substitution, and replacing values with their hash. This is an increasingly critical capability as privacy regulations such as GDPR and CCPA impose strict requirements on personal data handling.
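A concrete masking pipeline for a test copy of customer records, as an added example (not code from the standard or from this page): it combines three of the techniques 8.11 names, keyed substitution (HMAC-SHA256 pseudonyms, so the same customer maps to the same token in every table and joins still work, while nobody without the key can recompute or reverse the mapping), partial nulling of card numbers, and per-subject date shifting that preserves intervals. The record layout, field names, the sample records and the masking key are constructed for the example; in practice the key comes from a secrets manager and never leaves the masking job.

```python
"""Deterministic data masking for a test/dev extract.

Added example. Field names, sample records and the key are constructed;
the masking key must come from a secrets manager in real use.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed for the example only; never hard-code a real masking key.
MASK_KEY = b"example-masking-key-rotate-me"


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Keyed substitution: HMAC-SHA256 of the value, truncated to hex.

    Same value + same key -> same token (referential integrity across tables);
    a different key, or no key, gives no way back to the original value.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_email(email: str, key: bytes) -> str:
    """Replace the local part with a pseudonym; keep the domain so mail-routing
    logic in tests still behaves. Drop the domain too if it is identifying."""
    local, _, domain = email.partition("@")
    return f"user_{pseudonym(local.lower(), key)}@{domain}"


def mask_pan(pan: str) -> str:
    """Nulling: keep only the last four digits, preserving separators/format."""
    n_digits = sum(ch.isdigit() for ch in pan)
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if seen >= n_digits - 4 else "X")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def shift_date(d: date, key: bytes, subject: str, max_days: int = 30) -> date:
    """Varying dates: shift by a per-subject offset in [-max_days, +max_days].

    The offset is derived from the key and the subject id, so all dates of one
    subject move together and intervals between them are preserved.
    """
    offset = int(pseudonym(subject, key, 8), 16) % (2 * max_days + 1) - max_days
    return d + timedelta(days=offset)


def mask_record(rec: dict, key: bytes) -> dict:
    """Apply the field-level rules; non-personal fields pass through unchanged."""
    subject = rec["customer_id"]
    return {
        "customer_id": pseudonym(subject, key),
        "email": mask_email(rec["email"], key),
        "card": mask_pan(rec["card"]),
        "dob": shift_date(rec["dob"], key, subject),
        "plan": rec["plan"],
    }


# Constructed sample extract: two records for the same customer, one for another.
RECORDS = [
    {"customer_id": "C-1001", "email": "Alice.Smith@example.com",
     "card": "4111 1111 1111 1111", "dob": date(1988, 3, 14), "plan": "gold"},
    {"customer_id": "C-1001", "email": "Alice.Smith@example.com",
     "card": "4111 1111 1111 1111", "dob": date(1988, 3, 14), "plan": "gold"},
    {"customer_id": "C-2002", "email": "bob@example.org",
     "card": "5500-0000-0000-0004", "dob": date(1975, 11, 2), "plan": "basic"},
]


def mask_all(records, key=MASK_KEY):
    return [mask_record(r, key) for r in records]


if __name__ == "__main__":
    for row in mask_all(RECORDS):
        print(row)
```

Note that pseudonyms derived from low-entropy fields (names, small integer ids) are only as strong as the key: an attacker who obtains the key can enumerate candidate inputs and rebuild the mapping, which is why 8.11 treats the masked extract as still sensitive until the key is destroyed or held under the same protection as production data.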

Control 8.28 (Secure coding) formalizes the principles of secure software development. It requires organizations to establish rules for secure coding, conduct code reviews, perform security testing, and manage vulnerabilities discovered in developed software. This control aligns with established secure development lifecycle (SDL) frameworks such as OWASP SAMM and BSIMM, providing a management system-compatible wrapper around these technical practices. For organizations developing software, this control has become a cornerstone of their security program, bridging the gap between development operations and information security management.

Control 8.16 (Monitoring activities) addresses the need for systematic monitoring of networks, systems and applications to detect anomalous behaviour and potential security incidents. The guidance covers monitoring scope (network traffic, system events, user activities), log collection and retention (itself the subject of control 8.15), analysis techniques (correlation across sources, baselining of normal behaviour, anomaly detection), and alerting and escalation into the incident management process. This control is particularly relevant given the increasing sophistication of attacks and the need for early detection to limit incident impact.
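To make the baselining and correlation steps concrete, here is an added example (not code from the standard or this page) that runs over constructed sshd-style log lines: it learns a per-source failed-login baseline from a quiet window, flags sources in a later window that exceed mean plus three standard deviations, and correlates a burst of failures with a subsequent successful login from the same source, the classic "brute force that worked" pattern. The log format follows OpenSSH's wording; the host names, addresses, users and thresholds are all constructed for the example.

```python
"""Baseline-and-correlate detection over sshd authentication lines.

Added example; the log lines below are constructed, not captured.
"""
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# OpenSSH-style auth messages with an ISO timestamp prefix (constructed format).
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Keep only lines in the monitoring scope (sshd auth events)."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "outcome": m["outcome"], "user": m["user"], "src": m["src"]})
    return events


def failures_per_source(events):
    return Counter(e["src"] for e in events if e["outcome"] == "Failed")


def compute_threshold(baseline_events, sigmas=3.0, floor=3.0):
    """Baselining: mean + k*sigma of failed logins per source in the quiet window,
    with a floor so a very quiet baseline does not make every failure an alert."""
    counts = list(failures_per_source(baseline_events).values()) or [0]
    mean, sd = statistics.mean(counts), statistics.pstdev(counts)
    return max(mean + sigmas * sd, floor)


def flag_sources(events, threshold):
    """Anomaly detection: sources whose failure count exceeds the baseline threshold."""
    return {src for src, n in failures_per_source(events).items() if n > threshold}


def correlate(events, window=timedelta(minutes=10), min_failures=5):
    """Correlation: an Accepted login preceded by >= min_failures Failed attempts
    from the same source within `window`."""
    failed = [e for e in events if e["outcome"] == "Failed"]
    alerts = []
    for ok in (e for e in events if e["outcome"] == "Accepted"):
        prior = [f for f in failed
                 if f["src"] == ok["src"] and ok["ts"] - window <= f["ts"] < ok["ts"]]
        if len(prior) >= min_failures:
            alerts.append({"src": ok["src"], "user": ok["user"], "ts": ok["ts"],
                           "failures": len(prior)})
    return alerts


# Constructed quiet window: a few typos, every one followed by success.
BASELINE_LOG = """\
2024-05-01T09:00:01 bastion sshd[1201]: Failed password for alice from 192.0.2.10 port 50100 ssh2
2024-05-01T09:00:05 bastion sshd[1201]: Accepted password for alice from 192.0.2.10 port 50100 ssh2
2024-05-01T11:12:40 bastion sshd[1322]: Failed password for bob from 198.51.100.7 port 50200 ssh2
2024-05-01T11:12:47 bastion sshd[1322]: Failed password for bob from 198.51.100.7 port 50200 ssh2
2024-05-01T11:12:55 bastion sshd[1322]: Accepted password for bob from 198.51.100.7 port 50200 ssh2
2024-05-01T15:30:02 bastion sshd[1410]: Failed password for carol from 203.0.113.5 port 50300 ssh2
2024-05-01T15:30:09 bastion sshd[1410]: Accepted password for carol from 203.0.113.5 port 50300 ssh2
""".splitlines()

# Constructed observed window: normal noise plus a burst from 10.0.0.9 that succeeds.
OBSERVED_LOG = ["2024-05-02T09:39:00 bastion CRON[1500]: (root) CMD (run-parts /etc/cron.hourly)",
                "2024-05-02T09:39:30 bastion sshd[1601]: Failed password for alice from 192.0.2.10 port 50400 ssh2",
                "2024-05-02T09:39:36 bastion sshd[1601]: Accepted password for alice from 192.0.2.10 port 50400 ssh2"]
OBSERVED_LOG += [f"2024-05-02T09:40:{5 * i:02d} bastion sshd[17{i:02d}]: Failed password for invalid user "
                 f"{u} from 10.0.0.9 port 5{i:04d} ssh2"
                 for i, u in enumerate(["admin", "root", "test", "oracle", "deploy", "deploy", "deploy", "deploy"])]
OBSERVED_LOG.append("2024-05-02T09:40:41 bastion sshd[1799]: Accepted password for deploy from 10.0.0.9 port 50099 ssh2")


def run():
    threshold = compute_threshold(parse(BASELINE_LOG))
    observed = parse(OBSERVED_LOG)
    return threshold, flag_sources(observed, threshold), correlate(observed)


if __name__ == "__main__":
    print(run())
```

The floor in compute_threshold and the window in correlate are the knobs 8.16 expects you to tune per environment and to record: a baseline learned from a single quiet day will under-estimate legitimate noise, and an alert whose threshold nobody can explain will not survive an incident review.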

Frequently Asked Questions

Q1: Can ISO/IEC 27002 be used independently of ISO/IEC 27001?
Yes. While 27001 and 27002 are designed to be complementary, 27002 can be used independently as a reference guide for implementing information security controls. Many organizations use 27002 as a best-practice framework even if they are not pursuing 27001 certification. The standard explicitly supports this use case by providing standalone implementation guidance for each control.
Q2: How does the 2022 edition handle controls that were merged or removed from the 2013 edition?
Every 2013 control has a successor in the 2022 catalogue: most were carried over (often revised), 57 of them were merged into 24 broader controls, and one was split. For example, the three 2013 logging controls (12.4.1 event logging, 12.4.2 protection of log information, 12.4.3 administrator and operator logs) became the single control 8.15 (Logging). Annex B of the standard tabulates the correspondence in both directions, so an organization transitioning between editions can identify the successor of each control it had implemented and update its Statement of Applicability and supporting documentation accordingly.
Q3: What are the documentation requirements for implementing controls according to ISO/IEC 27002?
ISO/IEC 27002 itself does not impose documentation requirements — those come from ISO/IEC 27001. However, the implementation guidance in 27002 frequently recommends documentation as a best practice, including policies, procedures, records, and reports. The level of documentation should be proportionate to the organization’s size, complexity, and risk profile. The standard emphasizes that the value of documentation lies in its practical utility for guiding and evidencing security operations, not in creating bureaucratic overhead.
Q4: How do the 27002 controls relate to the NIST Cybersecurity Framework?
The 2022 edition aligns its cybersecurity concepts attribute with the five functions of NIST CSF 1.1 (Identify, Protect, Detect, Respond, Recover); CSF 2.0 adds a sixth, Govern, which maps most naturally onto the #Governance_and_Ecosystem security domain and the organizational controls. This alignment means that organizations using NIST CSF can map their existing security capabilities to corresponding 27002 controls and vice versa. Many organizations use both frameworks together: NIST CSF for strategic risk communication and board-level reporting, and 27002 for detailed control implementation guidance and certification.
