What is ISO 27002?
ISO/IEC 27002:2022 is the companion standard to ISO 27001 — while ISO 27001 defines the requirements for an Information Security Management System (ISMS), ISO 27002 provides detailed guidance on the implementation of the Annex A controls. Think of ISO 27001 as the what and ISO 27002 as the how.
ISO 27002 is a reference document — it is not certifiable on its own. Organisations use it to understand how to implement each of the 93 controls listed in ISO 27001 Annex A. It provides context, guidance, implementation advice and additional information for each control.
| Attribute | Detail |
|---|---|
| Standard Body | ISO/IEC — International Organization for Standardization |
| Current Version | ISO/IEC 27002:2022 |
| Certifiable | No — guidance only. Certification is through ISO 27001. |
| Geography | Global |
| Official Resource | iso.org/standard/75652 |
ISO 27001 vs ISO 27002
| Standard | Purpose | Certifiable? |
|---|---|---|
| ISO 27001:2022 | Specifies requirements for an ISMS — what you must do | Yes |
| ISO 27002:2022 | Provides guidance on implementing Annex A controls — how to do it | No |
The Four Control Themes
ISO 27002:2022 organises its guidance across the same four themes as ISO 27001:2022 Annex A.
| Theme | Controls | Guidance focus |
|---|---|---|
| Organisational (A.5) | 37 controls | Policy development, supplier management, incident management, cloud security governance |
| People (A.6) | 8 controls | Screening procedures, security awareness training design, remote working security |
| Physical (A.7) | 14 controls | Physical security zone design, monitoring systems, equipment protection and disposal |
| Technological (A.8) | 34 controls | Access control implementation, cryptography key management, secure development practices, vulnerability management |
New Controls in 2022
ISO 27002:2022 introduced 11 new controls not present in the 2013 version, reflecting modern threats and technologies.
| Control | Name | Theme |
|---|---|---|
| A.5.7 | Threat intelligence | Organisational |
| A.5.23 | Information security for use of cloud services | Organisational |
| A.5.30 | ICT readiness for business continuity | Organisational |
| A.6.7 | Remote working | People |
| A.7.4 | Physical security monitoring | Physical |
| A.8.9 | Configuration management | Technological |
| A.8.10 | Information deletion | Technological |
| A.8.11 | Data masking | Technological |
| A.8.12 | Data leakage prevention | Technological |
| A.8.16 | Monitoring activities | Technological |
| A.8.23 | Web filtering | Technological |
| A.8.28 | Secure coding | Technological |
Securitora Assessment
ISO 27002:2022 is essential reading for any organisation implementing ISO 27001. While ISO 27001 tells you what controls to have, ISO 27002 tells you how to implement them effectively. Security practitioners find it particularly valuable for the new controls covering threat intelligence, cloud security, data masking and secure coding — areas where many organisations lack clear internal guidance.
| Attribute | Detail |
|---|---|
| Recommended for | Any organisation implementing ISO 27001 — use alongside 27001, not instead of it |
| Difficulty to implement | Medium — guidance document, not prescriptive requirements |
| Best used with | ISO 27001:2022 · ISO 27005 · NIST CSF 2.0 |
| Official resource | iso.org/standard/75652 |