
ISO 27002: Security Controls

What is ISO 27002?

ISO/IEC 27002 is the international standard that outlines best practices for implementing information security controls.

This standard covers the information security controls that form an important part of information security management for any organization. Any organization that stores and manages information should have controls in place to address its information risks and vulnerabilities. Although the specific requirements for handling information security differ between organizations, many common controls can be applied to secure data and comply with legal requirements.

Purchase a copy of ISO/IEC 27002:2013 here.


ISO/IEC 27002 is a code of practice for information security controls. The Standard recommends controls that address security objectives involved in the confidentiality, integrity, and availability of information.

Organizations can use this standard for guidance to assess their own information risks, identify goals, and apply controls.

What are the ISO 27002 controls?

ISO 27002 contains 114 controls, broken down into 14 control categories in chapters 5 to 18.

The list below shows the control categories and their corresponding chapters.

- Structure (chapters 0–4)
- Security Policy (chapter 5)
- Organization of Information Security (chapter 6)
- Human Resources Security (chapter 7)
- Asset Management (chapter 8)
- Access Control (chapter 9)
- Cryptography (chapter 10)
- Physical and Environmental Security (chapter 11)
- Operations Security (chapter 12)
- Communications Security (chapter 13)
- Information Systems Acquisition, Development and Maintenance (chapter 14)
- Supplier Relationships (chapter 15)
- Information Security Incident Management (chapter 16)
- Information Security Aspects of Business Continuity (chapter 17)
- Compliance (chapter 18)

Protect your organization

Here are some tools that can help you implement ISO 27002:2013 security controls.

Our self-assessment tool quickly and clearly identifies the extent to which your organization has implemented the controls and addressed the control objectives in ISO 27002.

Purchase our ISO27002:2013 ISMS Controls Gap Analysis Tool here.


Our pocket guide provides you with a useful overview of the ISO 27002 security controls as well as how you can implement ISO 27001, the only accredited international framework for an information security management system (ISMS).


Purchase ISO27001/ISO27002 A Pocket Guide here.