What is ISO 27002?
ISO/IEC 27002 is the international standard that outlines best practices for implementing information security controls. ISO/IEC 27002 is the companion standard for ISO/IEC 27001, the international standard that outlines the specifications for an information security management system (ISMS).
This standard covers the controls that are an important part of information security management for all organizations. Any organization that stores and manages information should have controls in place to address information security risks.
Although the specific requirements for handling information security may be different, there are a lot of similar controls organizations can put in place to secure their data and comply with legal standards.
ISO/IEC 27002:2013 has been updated to reflect the many changes that have taken effect in ISO/IEC 27001, and is fully aligned with the 2013 version of ISO 27001.
- The number of controls in ISO/IEC 27002 has been changed to match the number in ISO/IEC 27001. ISO 27002 now specifies 35 control objectives, each supported by at least one control, giving a total of 114 controls.
- As the structure of Annex A in ISO 27001 has been updated, ISO 27002 has been updated to reflect the new structure.
- The terminology used in the standard has been revised to align with that in ISO 27001.
What is the difference between ISO 27002 and ISO 27001?
ISO 27001 is the international standard that describes the requirements for an ISMS (information security management system). It is the only standard in the ISO/IEC 27000 family that provides an independently audited certification.
Achieving accredited certification to ISO 27001 provides an independent, expert assessment that information security is managed in line with international best practice and business objectives.
Although an organization cannot certify to ISO 27002, the standard serves as a guidance document, aiding ISO 27001 implementation by providing best practice guidance on applying the controls listed in Annex A of ISO 27001.
We offer fully accredited training courses that can supplement your ISO 27002 training.
Developed by Alan Calder and Steve Watkins, joint authors of IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, this fully accredited, three-day live online course equips you to lead an ISO/IEC 27001 ISMS project and help your organization mitigate cyber crime risks while winning new business and delivering information assurance.
By attending this course, you will achieve the ISO 27001 Certified ISMS Lead Implementer (CIS LI) qualification (ISO 17024-certificated) when completing and passing the online exam (online exam included in course).
Build your career as a lead auditor and ensure your organization achieves ISO 27001 certification. This fully certificated, practitioner-led course equips you to execute an ISO/IEC 27001:2013-compliant ISMS audit. Learn from experts with real-world expertise and insights.
By attending this course, you will achieve the ISO 27001 Certified ISMS Lead Auditor (CIS LA) qualification (ISO 17024-certificated) when completing and passing the online exam (online exam included in course).
ISO 27002 controls
ISO/IEC 27002 recommends controls that address security objectives involved in managing the confidentiality, integrity, and availability of information. Organizations can use this standard for guidance to assess their own information risks, identify goals, and apply controls.
The 114 controls in ISO 27002 are grouped into 14 control categories, covered in chapters 5 to 18.
The list below shows the control categories and their corresponding chapters:
- Structure (chapters 0–4)
- Security Policy (chapter 5)
- Organization of Information Security (chapter 6)
- Human Resources Security (chapter 7)
- Asset Management (chapter 8)
- Access Control (chapter 9)
- Cryptography (chapter 10)
- Physical and Environmental Security (chapter 11)
- Operations Security (chapter 12)
- Communications Security (chapter 13)
- Information Systems Acquisition, Development, Maintenance (chapter 14)
- Supplier Relationships (chapter 15)
- Information Security Incident Management (chapter 16)
- Information Security Aspects of Business Continuity (chapter 17)
- Compliance (chapter 18)
ISO 27001 controls – A guide to implementing and auditing
Ideal for information security managers, auditors, consultants and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001.
The book covers:
- Implementation guidance – what needs to be considered to fulfil the requirements of the controls from ISO/IEC 27001, Annex A. This guidance is aligned with ISO/IEC 27002, which gives advice on implementing the controls.
- Auditing guidance – what should be checked, and how, when examining the ISO/IEC 27001 controls to ensure that the implementation covers the ISMS control requirements.
Protect your organization with ISO 27002
Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. We have a variety of products, tools, and services to support your ISO 27001 and 27002 projects.