Select regional store:

The ISO 27002 Standard

Code of practice for information security controls

What is the ISO 27002 standard?

Official ISO/IEC 27001 2013 Standard

ISO/IEC 27002:2013 is an information security standard published by the ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission). It is part of the ISO/IEC 27000 family of standards.

The Standard provides guidance and recommendations for organizational ISMSs (information security management systems). It is designed to help organizations identify and manage the risks to their information security and provides a comprehensive set of controls to address those risks.

Buy your copy of ISO 27002 here

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

Download your copy of ISO 27001:2022 here

Download your copy of ISO 27002:2022 here

What is the purpose of ISO 27002?

The purpose of ISO 27002 is to provide guidance on how to develop and implement an ISMS.

It supports the ISO/IEC 27001 standard and contains a set of security controls that organizations can implement to protect their information assets.

ISO 27002 is not a mandatory standard, but it can be used as a basis for developing a security program that meets the needs of an organization.

What is the difference between ISO 27002 and ISO 27001?

ISO 27001 provides the specification for an ISMS, including requirements for the risk management process that you should use to choose the security measures appropriate to the risks your organization faces.

The ISO 27002 framework provides best-practice guidance on applying the controls listed in Annex A of ISO 27001. It supports and should be read alongside ISO 27001.

ISO 27001 is the only information security standard against which organizations can achieve independently audited certification. This provides independent, expert assurance that information security is managed in line with international best practices.

How to select and implement ISO 27001 security controls

Security controls are an essential part of information security management for all organizations that store and manage confidential information.

Although the specific requirements for handling information security will vary from business to business, organizations can implement common controls to secure their data and meet their legal and contractual obligations.

Clause 6.1.2 of ISO 27001 sets out a risk management process that organizations should follow when selecting and implementing security controls.

It states that the risk assessment process must:

  • Establish and maintain certain information security risk criteria
  • Ensure that repeated risk assessments “produce consistent, valid and comparable results”
  • “Identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system”
  • Identify the owners of those risks
  • Analyze and evaluate information security risks according to specific criteria
  • Be documented

Learn more about ISO 27001 risk assessments

ISO 27002 controls list

Annex A of ISO 27001 lists 114 security controls divided into 14 control sets, each of which is expanded upon in Clauses 5–18 of ISO 27002:

A.5 Information security policies

Information security should be directed from the top of the organization, and policies should be communicated clearly to all employees.

A.6. Organization of information security

A management framework should support the organization’s information security operations, both on- and off-site.

A.7 Human resource security

Employees and contractors should be aware of their role in safeguarding the organization’s information before and during employment. The organization’s information should also be protected.

A.8 Asset management

Organizations should identify their physical and information assets and determine the appropriate level of protection necessary for each.

A.9 Access control

Access to information and information processing facilities should be limited to prevent unauthorized user access. Users should be responsible for safeguarding their authentication information, such as passwords.

A.10 Cryptography

Policies on cryptography and the use of cryptographic keys should be developed and implemented to protect the confidentiality, integrity, and/or availability of information.

A.11 Physical and environmental security

Controls should be introduced to prevent unauthorized physical access, damage, and interference to information processing facilities.

A.12 Operations security

Information and information processing facilities should be protected from malware, data loss, and the exploitation of technical vulnerabilities.

A.13 Communications security

Information should be protected in networks and as it is transferred, both within the organization and externally.


A.14 System acquisition, development and maintenance

Information security should be designed and implemented throughout the lifecycle of information systems’. Test data should also be protected.

A.15 Supplier relationships

Any of the organization’s information assets that are accessible by suppliers should be appropriately protected.

A.16 Information security incident management

Information security incidents should be handled consistently and effectively.

A.17 Information security aspects of business continuity management

Information security continuity should be embedded in the organization’s business continuity management practices.

A.18 Compliance

Information should be protected to meet legal, statutory, regulatory, and contractual obligations and comply with the organization’s policies and procedures.

ISO 27001 controls - A guide to implementing and auditing book

ISO 27001 controls – A guide to implementing and auditing 

Ideal for information security managers, auditors, consultants, and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS based on ISO 27001. 

The book covers:

  • Implementation guidance – what needs to be considered to fulfill the requirements of the controls from Annex A of ISO/IEC 27001. This guidance is aligned with ISO 27002.
  • Auditing guidance – what should be checked, and how, when examining the ISO 27001 controls to ensure that the implementation covers the ISMS control requirements. 

Find out more

Accredited ISO 27001 and ISO 27002 training courses

Certified ISO 27001 ISMS Lead Implementer Training Course

Certified ISO 27001 ISMS Lead Implementer Training Course

Developed by Alan Calder and Steve Watkins, this fully accredited, three-day online course will help you lead an ISO/IEC 27001 ISMS project, allowing your business to achieve and demonstrate compliance with key legislation where data security is essential.

Pass the online exam to gain the Certified ISMS Lead Implementer (CIS LI) qualification (online exam included in course). 

Book your place

Certified ISO 27001 ISMS Lead Auditor Training Course

Certified ISO 27001 ISMS Lead Auditor Training Course

Build your career as a lead auditor and ensure your organization achieves ISO 27001 certification. This certificated, practitioner-led course teaches you how to execute an ISO/IEC 27001:2013-compliant ISMS audit. Learn from experts with real-world expertise and insights. 

Pass the online exam to gain the ISO 27001 Certified ISMS Lead Auditor (CIS LA) qualification (online exam included in course).  

Book your place

Protect your organization with ISO 27002

Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. We have a variety of products, tools, and services to help you meet the ISO 27002 requirements.

This website uses cookies. View our cookie policy