ISO 27002

What is ISO/IEC 27002?

ISO/IEC 27002:2013, titled “Information technology — Security techniques — Code of practice for information security controls,” is an international standard that provides organizations with guidance for implementing information security standards and information security management practices, including control selection, implementation and management.

ISO 27002 was created for organizations that wish to: 

  1. Implement controls within the development of an Information Security Management System (ISMS) based on ISO/IEC 27001
  2. Adopt commonly accepted information security controls
  3. Establish their own information security management guidelines

Information security is achieved by selecting a set of appropriate controls, including policies, procedures, processes, software and hardware functions, and organizational structures. To ensure that the specific security, business and compliance objectives of the company are met, these controls need to be implemented, maintained, monitored, reviewed and adjusted where relevant. An ISMS such as the one required by ISO/IEC 27001 offers a comprehensive, synchronized view of an organization’s information security risks, which is used to establish a suitable set of information security controls within the context of an integrated management system.

ISO 27001 provides a list of control objectives and controls in its Annex A, but does not describe how they can be applied. This is where ISO 27002 comes in: it contains those very same controls, together with detailed guidance and information on how they can be implemented. These can be considered guiding principles for information security management. However, the guidance in ISO 27002 is optional, meaning organizations can choose whether or not to follow it.

While this standard serves as a guide on a broad range of information security controls that are commonly implemented across many organizations, the remaining standards in the ISO/IEC 27000 family offer complementary recommendations or requirements on other elements of managing information security, such as ISO/IEC 27701, a privacy extension to ISO 27001.

ISO 27002:2013 was the latest version until mid-February 2022, when ISO 27002:2022 was released.

Changes from ISO/IEC 27002:2013 to ISO/IEC 27002:2022

ISO 27002 was updated on February 15, 2022. The 2022 version is titled, “Information security, cybersecurity and privacy protection — Information security controls.” The controls have been reordered and revised. Various controls have been removed or merged, and several new controls have been added. 

However, Annex A of ISO 27001 is expected to be updated no sooner than May or June 2022 to align with those changes. Only once the amendment is released will it be possible to (re)certify against the updated version. Organizations will need to realign their policies and procedures according to the new 27002 guidelines. Nevertheless, there is no reason to panic, as organizations will be given a period of time to adopt the new version.

Until the amendment of Annex A, if your existing or potential clients expect you to get certified, you will be implementing ISO 27001 along with its Annex A aligned to the 2013 version of ISO/IEC 27002.

What are the requirements for ISO 27002?

The ISO 27002 standard does not impose any specific requirements on organizations. Instead, it offers suggestions that can be applied according to each organization’s specific information security risks. Additionally, it is not mandatory to implement every control and recommendation listed in ISO 27002, unlike ISO/IEC 27001, which has formal specifications.

ISO 27001 is the main standard, and companies can get certified against it, while ISO 27002 was created as a supporting standard; ISO 27002 certification does not exist.

ISO 27002 provides the security controls of ISO 27001, Annex A, along with implementation guidance. The 2013 version has 14 security control clauses, which collectively contain a total of 35 main security categories and 114 controls. The restructured 2022 version contains 93 controls, divided over 4 chapters.

Why should you implement the ISO 27002 framework?

ISO 27002, first and foremost, was created to assist organizations in achieving ISO 27001 compliance. Consequently, while ISO 27002 is not a certifiable standard in and of itself, compliance with its information security management guidelines brings your company that much closer to achieving the coveted ISO 27001 certification.

Adopting ISO 27002 provides additional benefits. It enables you to:

  • Implement an established ISO/IEC process for information security controls
  • Prove information security assurance to third parties
  • Gain increased awareness of information security
  • Identify and control your sensitive assets and information
  • Implement control policies with a straightforward approach
  • Identify risks and mitigate weaknesses
  • Demonstrate compliance with ISO 27001
  • Gain a competitive advantage over other companies
  • Improve your organization with well-designed and managed processes and mechanisms
  • Reduce costs with prevention of information security incidents
  • Advance compliance with legislation and other regulations

How to achieve ISO 27002 compliance?

Although organizations can achieve ISO 27001 certification, it doesn’t work that way with ISO 27002. There is no certification or compliance factor with ISO 27002.

Essentially, ISO 27001 lays out the compliance requirements that must be met to become certified, while ISO 27002 is designed to guide you in implementing the ISO 27001 ISMS best practices. It is not a certifiable standard.

Centraleyes has integrated the ISO 27002 standard in its comprehensive and centralized platform, with specific guidance for organizations in selecting controls within the process of achieving ISO/IEC 27001 certification. 

Our pre-loaded ISO 27002 framework can also be applied as a guide for implementing commonly accepted information security controls, as well as for organizations looking to develop industry and organizational information security management guidelines, factoring in their particular risk environment(s).

The Centraleyes platform offers fast and easy data collection, automated scoring and tiering, and control crosswalking for significant time and resource savings, enhancing the accuracy of your ISO compliance activities.

We are continuously monitoring for the updated ISO 27001 release, and when that happens, the platform will promptly be updated with the latest versions of ISO 27001 and ISO 27002.

Read more:
ISO/IEC 27002:2013
ISO/IEC 27002:2022
