
The ISO 27002 Standard

Code of practice for information security controls

What is the ISO 27002 standard?


Part of the ISO 27000 family of information security standards, ISO/IEC 27002:2013 (ISO27002) is a reference for implementing security controls as part of an ISMS (information security management system) that complies with ISO/IEC 27001:2013.


What is the difference between ISO 27002 and ISO 27001?

ISO 27001 provides the specification for an ISMS, including requirements for the risk management process that you should use to choose the security measures appropriate to the risks your organization faces.

ISO 27002 serves as a guidance document, providing best-practice guidance on applying the controls listed in Annex A of ISO 27001. It supports, and should be read alongside, ISO 27001.

ISO 27001 is the only standard in the ISO 27000 family against which an organization can achieve independently audited certification; ISO 27002 is guidance and cannot be certified against.
Certification provides independent, expert assurance that information security is managed in line with international best practice.

How to select and implement ISO 27001 security controls

Security controls are an important part of information security management for all organizations that store and manage confidential information.

Although the specific requirements for handling information security will vary from organization to organization, there are many common controls that organizations can implement to secure their data and meet their legal and contractual obligations.

Clause 6.1.2 of ISO 27001 sets out the information security risk assessment process that organizations must define and apply when selecting security controls (Clause 6.1.3 then covers risk treatment, including producing the Statement of Applicability against Annex A).

It states that the risk assessment process must:

  • Establish and maintain information security risk criteria, including risk acceptance criteria and the criteria for performing risk assessments
  • Ensure that repeated risk assessments “produce consistent, valid and comparable results”
  • “identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”
  • Identify the owners of those risks
  • Analyze the risks (assessing the potential consequences and the realistic likelihood of each) and evaluate them against the established risk criteria, prioritizing them for treatment
  • Be recorded as documented information, so that the process and its results are retained


What are the ISO 27001/ISO 27002 controls?

Annex A of ISO/IEC 27001:2013 lists 114 security controls divided into 14 control sets, each of which is expanded upon in Clauses 5–18 of ISO/IEC 27002:2013. (These figures apply to the 2013 editions; the 2022 revisions of both standards reorganize Annex A into 93 controls grouped under four themes: organizational, people, physical and technological.)

A.5 Information security policies

Information security should be directed from the top of the organization and policies should be communicated clearly to all employees.

A.6 Organization of information security

A management framework should support the organization’s information security operations, both on- and off-site.

A.7 Human resource security

Employees and contractors should understand their responsibilities for safeguarding the organization’s information before employment (screening and contractual terms), during employment (awareness, training and a disciplinary process), and on termination or change of employment, when access and responsibilities must be withdrawn or transferred.

A.8 Asset management

Organizations should inventory their information and associated assets, assign an owner to each, classify and label them, and determine the level of protection required, including controls for handling and disposing of removable media.

A.9 Access control

Access to information and information processing facilities should be limited to prevent unauthorized user access. Users should be responsible for safeguarding their authentication information, such as passwords.

A.10 Cryptography

A policy on the use of cryptographic controls, together with a key management process covering the whole key lifecycle (generation, distribution, storage, rotation, revocation and destruction), should be developed and implemented to protect the confidentiality, authenticity, and/or integrity of information.

A.11 Physical and environmental security

Controls should be introduced to prevent unauthorized physical access, damage, and interference to information processing facilities.

A.12 Operations security

Operating procedures should be documented and changes controlled; information and information processing facilities should be protected from malware, data loss (including through regular, tested backups), and the exploitation of technical vulnerabilities, and events should be logged and monitored.

A.13 Communications security

Information should be protected in networks and as it is transferred, both within the organization and externally.

A.14 System acquisition, development and maintenance

Information security should be designed and implemented throughout information systems’ lifecycle. Test data should also be protected.

A.15 Supplier relationships

Any of the organization’s information assets that are accessible by suppliers should be appropriately protected.

A.16 Information security incident management

Information security events and weaknesses should be reported promptly, and incidents handled consistently and effectively, with evidence collected and lessons learned fed back into the ISMS.

A.17 Information security aspects of business continuity management

Information security continuity should be embedded in the organization’s business continuity management practices.

A.18 Compliance

Information should be protected to meet legal, statutory, regulatory, and contractual obligations, and in accordance with the organization’s policies and procedures.


ISO 27001 controls – A guide to implementing and auditing 

Ideal for information security managers, auditors, consultants, and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS based on ISO 27001. 

The book covers:

  • Implementation guidance – what needs to be considered to fulfill the requirements of the controls from Annex A of ISO/IEC 27001. This guidance is aligned with ISO 27002.
  • Auditing guidance – what should be checked, and how, when examining the ISO 27001 controls to ensure that the implementation covers the ISMS control requirements. 


Accredited ISO 27001 and ISO 27002 training courses


Certified ISO 27001 ISMS Lead Implementer Training Course

Developed by Alan Calder and Steve Watkins, this fully accredited, three-day online course will help you lead an ISO/IEC 27001 ISMS project, allowing your business to achieve and demonstrate compliance with key legislation and regulatory frameworks where data security is essential, including 23 NYCRR 500 (the New York Department of Financial Services (NYDFS) Cybersecurity Requirements), HIPAA (the Health Insurance Portability and Accountability Act), FedRAMP (the Federal Risk and Authorization Management Program), and SOX (the Sarbanes–Oxley Act).

Pass the online exam to gain the Certified ISMS Lead Implementer (CIS LI) qualification (online exam included in course). 



Certified ISO 27001 ISMS Lead Auditor Training Course

Build your career as a lead auditor and ensure your organization achieves ISO 27001 certification. This certificated, practitioner-led course teaches you how to execute an ISO/IEC 27001:2013-compliant ISMS audit. Learn from experts with real-world expertise and insights. 

Pass the online exam to gain the ISO 27001 Certified ISMS Lead Auditor (CIS LA) qualification (online exam included in course).  


Protect your organization with ISO 27002

Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. We have a variety of products, tools, and services to support your ISO 27001 and ISO 27002 projects. 
