What is ISO 27002?
ISO/IEC 27002 is the international standard that outlines best practices for implementing information security controls. ISO/IEC 27002 is the companion standard to ISO/IEC 27001, the international standard that outlines the specifications for an information security management system (ISMS).
This standard covers the controls that are an important part of information security management for all organizations. Any organization that stores and manages information should have controls in place to address information security risks.
Although the specific requirements for handling information security may be different, there are a lot of similar controls organizations can put in place to secure their data and comply with legal standards.
ISO/IEC 27002:2013 has been updated to reflect the many changes made in ISO/IEC 27001, and is fully aligned with the 2013 version of ISO 27001.
- The number of controls in ISO/IEC 27002 has been changed to match the number in ISO/IEC 27001: ISO 27002 now specifies 35 control objectives, each supported by at least one control, giving a total of 114 controls
- As the structure of Annex A in ISO 27001 has been updated, ISO 27002 has been updated to reflect the new structure
- The terminology used in the standard has been revised to align with that in ISO 27001
What is the difference between ISO 27002 and ISO 27001?
ISO 27001 is the international standard that describes the requirements for an ISMS (information security management system). It is the only standard in the ISO/IEC 27000 family that provides an independently audited certification.
Achieving accredited certification to ISO 27001 provides an independent, expert assessment that information security is managed in line with international best practice and business objectives.
Although an organization cannot certify to ISO 27002, the standard serves as a guidance document, aiding ISO 27001 implementation by providing best practice guidance on applying the controls listed in Annex A of ISO 27001.
ISO 27002 controls
ISO/IEC 27002 recommends controls that address security objectives involved in managing the confidentiality, integrity, and availability of information. Organizations can use this standard for guidance to assess their own information risks, identify goals, and apply controls.
The 114 controls of ISO 27002 are grouped into 14 control categories, covered in chapters 5 to 18.
The list below shows the control categories and their corresponding chapters:
- Structure (chapters 0–4)
- Security Policy (chapter 5)
- Organization of Information Security (chapter 6)
- Human Resources Security (chapter 7)
- Asset Management (chapter 8)
- Access Control (chapter 9)
- Cryptography (chapter 10)
- Physical and Environmental Security (chapter 11)
- Operations Security (chapter 12)
- Communications Security (chapter 13)
- Information Systems Acquisition, Development and Maintenance (chapter 14)
- Supplier Relationships (chapter 15)
- Information Security Incident Management (chapter 16)
- Information Security Aspects of Business Continuity (chapter 17)
- Compliance (chapter 18)
Protect your organization
Here are some tools that can help you implement ISO 27002:2013 security controls.
Our self-assessment tool quickly and clearly identifies the extent to which your organization has implemented the controls and addressed the control objectives in ISO 27002.
This tool has been designed to support organizations in initial project planning of the ISMS security controls. It provides those organizations with direction, helping project managers to identify the possible extent of activity required.
Our pocket guide provides you with a useful overview of the ISO 27002 security controls as well as how you can implement ISO 27001, the only accredited international framework for an information security management system (ISMS).
Speak to an expert
For more information on ISO 27002, or on our products and services, please get in touch.