What is ISO/IEC 27002?
ISO/IEC 27002 is part of the ISO 27000 family of standards that were created to keep companies and organizations safe. ISO 27002 provides organizational guidance on a wide range of information security controls that are commonly implemented across many organizations.
This standard is considered a supplemental standard by many and often goes hand in hand with ISO/IEC 27001, an international standard that outlines the requirements for an information security management system (ISMS). ISO 27002 provides additional guidance on how to implement and adhere to the requirements of ISO 27001 and must be used as a reference when developing and maintaining an ISMS.
Having said that, it can also be used for other purposes. According to ISO, it was designed with three purposes in mind:
- To determine and implement controls in an ISMS based on ISO 27001
- To implement information security controls based on best practices
- For developing organization-specific information security management guidelines
ISO 27002 is applicable to organizations of all types and sizes, including public and private sectors, commercial and non-profit organizations.
While this standard offers recommendations on commonly implemented information security controls, other ISO 27000 standards provide complementary advice or requirements on other elements of managing information security, such as ISO 22301, a business continuity management standard, and ISO/IEC 27701, a privacy extension to ISO 27001.
Changes from ISO/IEC 27002:2013 to ISO/IEC 27002:2022
ISO 27002 was updated on February 15, 2022. The 2022 version is titled, “Information security, cybersecurity and privacy protection — Information security controls.” This third edition cancels and succeeds the second version (ISO/IEC 27002:2013 +Cor 1:2014 +Cor 2:2015), which has been technically updated. The controls have been reordered and revised. Various controls have been removed or merged, and several new controls have been added.
Organizations will need to review their policies, processes and procedures and determine what they are required to adjust or update according to the new 27002 guidelines. Nevertheless, there is no reason to panic, as a period of three years was given for organizations to adopt the new version.
What are the requirements for ISO 27002?
The ISO 27002 standard does not provide any specific requirements for organizations. Instead, it offers suggestions that can be applied per the nature of each organization’s specific information security risks. Additionally, it is not mandatory to implement every control and recommendation listed in ISO 27002, unlike ISO 27001 which has formal specifications.
With its new update, ISO 27002:2022 has decreased from 114 controls in 14 clauses to 93 controls in 4 clauses. The controls are divided into four categories, which are referred to as themes. They are as follows:
Clause 5: Organizational
Clause 6: People
Clause 7: Physical
Clause 8: Technological
ISO 27002 is not a certification standard, meaning that organizations cannot be certified as compliant with it. However, it is often used as a reference when working towards ISO 27001 certification. Implementing ISO 27002 without ISO 27001 is possible, but this doesn’t work the other way around. To get ISO 27001 certification, you will be audited against the whole of 27001 including its Annex A section which is directly derived from ISO 27002.
Annex A is a section in ISO 27001 providing a list of possible information security controls, which are directly derived and aligned with those listed in ISO 27002. The complete ISO 27002 standard contains those very same controls, as well as detailed guidance and information on how they can be implemented. These can be considered as guiding principles for information security management. Although the guidance in ISO 27002 is optional, meaning organizations can choose whether or not to follow those guidelines, organizations using this standard within the context of ISO 27001 compliance, must create a Statement of Applicability explaining why they’ve excluded any of the ISO 27002 controls.
Why should you implement the ISO 27002 framework?
ISO 27002, first and foremost, was created to assist organizations in achieving ISO 27001 compliance. As a result, although ISO 27002 is not a certifiable standard in and of itself, implementation of its information security controls and guidelines brings your organization that much closer to obtaining the coveted ISO 27001 certification.
Adopting ISO 27002 provides additional benefits. It enables you to:
- Implement an established ISO/IEC process for information security controls
- Prove information security assurance to third parties
- Gain increased awareness of information security
- Identify and control your sensitive assets and information
- Implement control policies with a straightforward approach
- Identify risks and mitigate weaknesses
- Demonstrate compliance with ISO 27001
- Gain a competitive advantage over other companies
- Improve your organization with well-designed and managed processes and mechanisms
- Reduce costs with prevention of information security incidents
- Advance compliance with legislation and other regulations
How to achieve ISO 27002 compliance?
As mentioned, there is no certification or compliance factor with ISO 27002. However, to achieve ISO 27001 compliance, organizations are required to use ISO 27002 / Annex A to ensure that no necessary controls have been omitted when they choose their risk treatment.
Centraleyes has integrated the latest ISO 27002 standard in its comprehensive and centralized platform, with specific guidance for organizations in selecting controls within the process of achieving ISO/IEC 27001 certification.
The pre-loaded ISO 27002 framework can also be applied as a guide for implementing commonly accepted information security controls, as well as for organizations looking to develop industry and organizational information security management guidelines, factoring in their particular risk environment(s).
The Centraleyes platform offers fast and easy data collection, automated scoring and tiering and control crosswalking for significant time and resources savings, enhancing the accuracy of your ISO compliance activities.