{"id":88193,"date":"2023-10-27T16:28:25","date_gmt":"2023-10-27T16:28:25","guid":{"rendered":"https:\/\/staging.advisera.com\/27001academy\/?page_id=88193"},"modified":"2025-07-08T15:09:44","modified_gmt":"2025-07-08T15:09:44","slug":"what-is-iso-27002","status":"publish","type":"page","link":"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27002\/","title":{"rendered":"What is ISO 27002?"},"content":{"rendered":"<div id=\"pl-88193\"  class=\"panel-layout\" ><div id=\"pg-88193-0\"  class=\"panel-grid panel-no-style\" ><div id=\"pgc-88193-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-88193-0-0-0\" class=\"so-panel widget widget_hero-with-buttons-widget panel-first-child\" data-index=\"0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-hero-with-buttons-widget so-widget-hero-with-buttons-widget-default-d75171398898-88193\"\n\t\t\t\n\t\t><section class=\"iso-hero sans\" style=\"background: #03284d;\">\n    <div class=\"container\">\n        <h1 class=\"iso-hero_title  \">\n            What is ISO 27002?\n        <\/h1>\n        <p class=\"iso-hero_subtitle \">\n                ISO 27002, officially named \u201cISO\/IEC 27002 Information Security, Cybersecurity and Privacy Protection \u2013 Information Security Controls,\u201d is a widely used and well-known information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides detailed guidelines for the implementation of the controls listed in ISO 27001 Annex A, because ISO 27001 provides only a high-level description of each control. 
ISO 27002 has become an internationally recognized set of industry best practices that support the implementation of ISO 27001.\n        <\/p>\n        <div class=\"iso-hero_buttons\">\n                            <div class=\"iso-hero_button\">\n                    <div class=\"button-image\">\n                        <img decoding=\"async\" width=\"92\" height=\"92\" src=\"\/wp-content\/uploads\/sites\/5\/2021\/10\/ISO_27001-Compliance-software.png\" class=\"attachment-full size-full\" alt=\"-\">\n                    <\/div>\n                    <div class=\"button-content\">\n                        <span>ISO 27001 compliance software<\/span>\n                    <\/div>\n                    <a href=\"https:\/\/staging.advisera.com\/conformio\/\"><\/a>\n                <\/div>\n                            <div class=\"iso-hero_button\">\n                    <div class=\"button-image\">\n                        <img decoding=\"async\" width=\"92\" height=\"91\" src=\"\/wp-content\/uploads\/sites\/5\/2021\/10\/ISO-27001-Templates.png\" class=\"attachment-full size-full\" alt=\"-\">\n                    <\/div>\n                    <div class=\"button-content\">\n                        <span>ISO 27001 Templates<\/span>\n                    <\/div>\n                    <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/\"><\/a>\n                <\/div>\n                            <div class=\"iso-hero_button\">\n                    <div class=\"button-image\">\n                        <img decoding=\"async\" width=\"93\" height=\"93\" src=\"\/wp-content\/uploads\/sites\/5\/2021\/10\/ISO-27001-Online-training.png\" class=\"attachment-full size-full\" alt=\"-\">\n                    <\/div>\n                    <div class=\"button-content\">\n                        <span>ISO 27001 Courses<\/span>\n                    <\/div>\n                    <a href=\"https:\/\/staging.advisera.com\/training\/iso-27001-courses\/\"><\/a>\n   
             <\/div>\n                    <\/div>\n    <\/div>\n<\/section><\/div><\/div><div id=\"panel-88193-0-0-1\" class=\"so-panel widget widget_content-with-sidebar-widget panel-last-child\" data-index=\"1\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-content-with-sidebar-widget so-widget-content-with-sidebar-widget-default-d75171398898-88193\"\n\t\t\t\n\t\t><section class=\"content-with-sidebar\">\n<div class=\"container\">\n\n    <div class=\"sidebar-area\">\n        <div class=\"sidebar-bg\"><\/div>\n        <div class=\"sidebar-wrapper\">\n            <div class=\"sidebar\">\n\n                                    <div class=\"single-post--meta mobile\" style=\"display:none\">\n                        <div class=\"post--meta meta-bigger-space\">\n                            <a href=\"https:\/\/staging.advisera.com\/27001academy\/author\/dejankosutic\/\"\n                            class=\"post--meta__item author link link-blue decoration-none\">\n                                <img decoding=\"async\" class=\"author--avatar\" src=\"\/wp-content\/uploads\/blog_authors\/dejankosutic.jpg\"\n                                    alt=\"Advisera Dejan Kosutic\">\n                                Dejan Kosutic                            <\/a>\n                            <a href=\"https:\/\/www.linkedin.com\/in\/dejankosutic\/\" target=\"_blank\" rel=\"noopener\"><i class=\"icon-linkedin\"><\/i><\/a>                             <a href=\"https:\/\/www.youtube.com\/@DejanKosutic\" target=\"_blank\" rel=\"noopener\"><svg width=\"21\" id=\"youtube-svg-icon\" style=\"enable-background:new 0 0 1000 1000;\" version=\"1.1\" viewBox=\"0 0 1000 1000\" xml:space=\"preserve\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\"><style type=\"text\/css\">.st0{fill:#FF0000;}.st1{fill:#FFFFFF;}<\/style><title\/><g><path class=\"st0\" fill=\"#FF0000\" 
d=\"M500,1000L500,1000C223.9,1000,0,776.1,0,500v0C0,223.9,223.9,0,500,0h0c276.1,0,500,223.9,500,500v0   C1000,776.1,776.1,1000,500,1000z\"\/><path class=\"st1\" fill=\"#FFFFFF\" d=\"M818.2,339.1c-7.6-28.8-30.1-51.4-58.7-59.1c-51.8-14-259.4-14-259.4-14s-207.7,0-259.4,14   c-28.6,7.7-51.1,30.3-58.7,59.1C168,391.2,168,500,168,500s0,108.8,13.9,160.9c7.6,28.8,30.1,51.4,58.7,59.1   c51.8,14,259.4,14,259.4,14s207.7,0,259.4-14c28.6-7.7,51.1-30.3,58.7-59.1C832,608.8,832,500,832,500S832,391.2,818.2,339.1z    M432.1,598.7V401.3L605.6,500L432.1,598.7z\"\/><\/g><\/svg><\/a> \n                                                    <\/div>\n\n                                                <div class=\"social-share\">\n                            <a href=\"mailto:?subject=What is ISO 27002?&body= https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27002\/\"\n                            target=\"_blank\"\n                            class=\"social-share--icon ripple\">\n                                <i class=\"icon-mail\"><\/i>\n                            <\/a>\n                            <a href=\"javascript:void(0);\" class=\"social-share--icon ripple facebook\"\n                            onclick=\"window.open('https:\/\/www.facebook.com\/sharer.php?u=https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27002\/','popup','width=800,height=600'); return false;\"\n                            target=\"_blank\">\n                                <i class=\"icon-fb\"><\/i>\n                            <\/a>\n                            <a href=\"javascript:void(0);\"\n                            onclick=\"window.open('https:\/\/twitter.com\/intent\/tweet?text=What is ISO 27002?&url=https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27002\/','popup','width=800,height=600'); return false;\"\n                            class=\"social-share--icon ripple twitter\" target=\"_blank\">\n                                <i class=\"icon-twit\"><\/i>\n                         
   <\/a>\n                            <a href=\"javascript:void(0);\"\n                            target=\"_blank\"\n                            onclick=\"window.open('https:\/\/www.linkedin.com\/shareArticle?mini=true&url=https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27002\/&title=What is ISO 27002?','popup','width=800,height=600'); return false;\"\n                            class=\"social-share--icon ripple linkedin\">\n                                <i class=\"icon-linkedin\"><\/i>\n                            <\/a>\n                            <a href=\"\/rss-feeds\/\"\n                                class=\"social-share--icon ripple rss\">\n                                <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 64 380 420\" width=\"22\" height=\"22\" aria-hidden=\"true\"><path d=\"M96 272 A144 144 0 0 1 240 416\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"64\" stroke-linecap=\"round\"\/><path d=\"M96 160 A256 256 0 0 1 352 416\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"64\" stroke-linecap=\"round\"\/><circle cx=\"96\" cy=\"416\" r=\"48\" fill=\"currentColor\"\/><\/svg>\n                            <\/a>\n                        <\/div>\n\n                    <\/div>\n                \n                <h2 class=\"sidebar-title\">\n                    Table of contents\n                <\/h2>\n\n                                                    <div class=\"sidebar-item sidebar-accordion-item \">\n                        <div class=\"sidebar-item-title \" data-id=\"\">\n                    <span>\n                        The basics\n                    <\/span>\n                            <div class=\"sidebar-item-arrow\"><\/div>\n                        <\/div>\n                        <div class=\"sidebar-item-links\" >\n                            <p><a href=\"#section1\">What is the purpose of ISO 27002?<\/a><br \/>\n<a href=\"#section2\">Why is ISO 27002 important?<\/a><br \/>\n<a 
href=\"#section3\">ISO 27002 certification \u2013 Is it possible?<\/a><br \/>\n<a href=\"#section4\">How does ISO 27002 support an ISMS?<\/a><br \/>\n<a href=\"#section5\">What is the current version of ISO 27002?<\/a><br \/>\n<a href=\"#section6\">What is the difference between ISO 27001 and 27002?<\/a><\/p>\n\n                        <\/div>\n                    <\/div>\n                                    <div class=\"sidebar-item sidebar-accordion-item \">\n                        <div class=\"sidebar-item-title \" data-id=\"\">\n                    <span>\n                        Requirements &amp; security controls\n                    <\/span>\n                            <div class=\"sidebar-item-arrow\"><\/div>\n                        <\/div>\n                        <div class=\"sidebar-item-links\" >\n                            <p><a href=\"#section7\">What are the requirements for ISO 27002?<\/a><br \/>\n<a href=\"#section8\">What are the sections of ISO 27002?<\/a><br \/>\n<a href=\"#section9\">What is a security control?<\/a><br \/>\n<a href=\"#section10\">How many controls are there in ISO 27002?<\/a><br \/>\n<a href=\"#section11\">What are control attributes?<\/a><br \/>\n<a href=\"#section12\">How are controls structured?<\/a><br \/>\n<a href=\"#section13\">How do you implement ISO 27002 controls?<\/a><\/p>\n\n                        <\/div>\n                    <\/div>\n                                    <div class=\"sidebar-item sidebar-accordion-item \">\n                        <div class=\"sidebar-item-title \" data-id=\"\">\n                    <span>\n                        What\u2019s new in ISO 27002:2022? 
\n                    <\/span>\n                            <div class=\"sidebar-item-arrow\"><\/div>\n                        <\/div>\n                        <div class=\"sidebar-item-links\" >\n                            <p><a href=\"#section14\">New controls<\/a><br \/>\n<a href=\"#section15\">Renamed controls<\/a><br \/>\n<a href=\"#section16\">No excluded controls<\/a><br \/>\n<a href=\"#section17\">Merged controls<\/a><br \/>\n<a href=\"#section18\">Split controls<\/a><br \/>\n<a href=\"#section19\">Controls that have stayed the same<\/a><\/p>\n\n                        <\/div>\n                    <\/div>\n                \n                            <\/div>\n        <\/div>\n    <\/div>\n    <div class=\"content-area\">\n        <div class=\"what-is-groups\">\n\n            <h2>The basics<\/h2>\n<h3 id=\"section1\"><strong>What is the purpose of ISO 27002?<\/strong><\/h3>\n<p>The main purpose of ISO 27002 is to help organizations implement the Annex A controls from ISO 27001, because ISO 27001 does not provide explanations for how these controls should be implemented. 
ISO 27002 is designed to work in conjunction with ISO 27001, as ISO 27001 describes how to manage security by implementing an Information Security Management System (ISMS).<\/p>\n<h3 id=\"section2\">Why is ISO 27002 important?<\/h3>\n<p>ISO 27002 is important because it is the only standard in the ISO 27k series that provides implementation guidance on all 93 controls defined in Annex A of ISO 27001. By using the detailed guidance in ISO 27002, companies can have a much better understanding of the best practices for controls.<\/p>\n<h3 id=\"section3\">ISO 27002 certification \u2013 Is it possible?<\/h3>\n<p>Certification against ISO 27002 is not possible. ISO 27002 is non-certifiable because, unlike ISO 27001, it is not a management standard. Instead, ISO 27002 is a code of practice (or best practices) for the implementation of security controls that support the ISMS defined in ISO 27001.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-88208\" src=\"\/wp-content\/uploads\/\/sites\/5\/2023\/10\/key-facts-about-iso-27002-1.png\" alt=\"Key facts about ISO 27002\" width=\"2500\" height=\"1309\" srcset=\"\/wp-content\/uploads\/sites\/5\/2023\/10\/key-facts-about-iso-27002-1.png 2500w, \/wp-content\/uploads\/sites\/5\/2023\/10\/key-facts-about-iso-27002-1-300x157.png 300w, \/wp-content\/uploads\/sites\/5\/2023\/10\/key-facts-about-iso-27002-1-768x402.png 768w, \/wp-content\/uploads\/sites\/5\/2023\/10\/key-facts-about-iso-27002-1-1024x536.png 1024w, \/wp-content\/uploads\/sites\/5\/2023\/10\/key-facts-about-iso-27002-1-1536x804.png 1536w, \/wp-content\/uploads\/sites\/5\/2023\/10\/key-facts-about-iso-27002-1-2048x1072.png 2048w\" sizes=\"(max-width: 2500px) 100vw, 2500px\" \/><\/p>\n<h3 id=\"section4\">How does ISO 27002 support the ISMS?<\/h3>\n<p>ISO 27002 supports the ISMS by providing detailed guidance on how to implement the controls necessary to establish and operate an ISMS within a company. 
For example, ISO 27002 takes a whole page to explain one control, while ISO 27001 dedicates only one sentence to each control. This ensures that organizations have a comprehensive set of guidelines to use as a framework to deploy an effective ISMS in a structured manner.<\/p>\n<h3 id=\"section5\">What is the current version of ISO 27002?<\/h3>\n<p>As of the publication date of this article, the current version of ISO 27002 is ISO\/IEC 27002:2022. The new 2022 revision of ISO 27002 was published on February 15, 2022.<\/p>\n<h3 id=\"section6\">What is the difference between ISO 27001 and 27002?<\/h3>\n<p>As already explained in brief, ISO 27001 is the main standard, and companies can get certified against it; companies cannot certify against ISO 27002:2022 because it is only a supporting standard.<\/p>\n<p>In its Annex A, ISO 27001 provides a list of security controls and what must be achieved with those controls, but it does not explain how they can be implemented. ISO 27002 lists those very same controls and provides guidance on how they could be implemented; however, this guidance in ISO 27002 is not mandatory, i.e., companies can decide whether to use those guidelines or not.<\/p>\n<h2>Requirements &amp; security controls<\/h2>\n<h3 id=\"section7\">What are the requirements for ISO 27002?<\/h3>\n<p>ISO 27002 does not contain explicit requirements for companies to follow \u2014 for requirements, you should see ISO 27001. 
However, ISO 27002 does provide guidance on information security controls that can be applied in an organization.<\/p>\n<h3 id=\"section8\">What are the sections of ISO 27002?<\/h3>\n<p>The structure of ISO 27002 is listed and briefly explained below:<\/p>\n<ul>\n<li>Clause 5: Organizational controls \u2013 This section contains all controls related to various organizational issues, comprising 37 controls.<\/li>\n<li>Clause 6: People controls \u2013 This section focuses on controls related to human resources security, comprising 8 controls.<\/li>\n<li>Clause 7: Physical controls \u2013 This section focuses on controls related to the physical environment and equipment, comprising 14 controls.<\/li>\n<li>Clause 8: Technological controls \u2013 This section focuses on controls related to technological solutions, comprising 34 controls.<\/li>\n<li>Annex A: Using attributes \u2013 This annex provides a matrix of all the new controls, compares their attributes, and provides suggestions on how to use the controls according to their attributes.<\/li>\n<li>Annex B: Correspondence with ISO\/IEC 27002:2013 \u2013 This annex provides a mapping between the controls from the 2022 revision and the controls from the previous 2013 version.<\/li>\n<\/ul>\n<h3 id=\"section9\">What is a security control?<\/h3>\n<p>ISO 27002 defines a control as \"a measure that modifies and\/or maintains risk.\" Put simply, a control (or a safeguard) is a practice that can be implemented to reduce a risk to an acceptable level. 
Some examples of security controls include an <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=access-control-policy\" target=\"_blank\" rel=\"noopener\">Access control policy<\/a> (5.15), <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=security-procedures-for-it-department\" target=\"_blank\" rel=\"noopener\">Configuration management<\/a> (8.9), and <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=secure-development-policy\" target=\"_blank\" rel=\"noopener\">Secure coding<\/a> (8.28).<\/p>\n<h3 id=\"section10\">How many controls are there in ISO 27002?<\/h3>\n<p>The 2022 revision of ISO 27002 has reduced the number of controls from 114 to 93. Some of the reasons for this reduction in the number of controls include technological advancements and an improvement in the understanding of how to apply security practices.<\/p>\n<h3 id=\"section11\">What are control attributes?<\/h3>\n<p>Control attributes provide a standardized way to sort and filter controls against different views to address the needs of different groups.<\/p>\n<p>The attribute options for each control are as follows:<\/p>\n<ul>\n<li><strong>Control types:<\/strong> Preventive, Detective, and Corrective<\/li>\n<li><strong>Information security properties:<\/strong> Confidentiality, Integrity, and Availability<\/li>\n<li><strong>Cybersecurity concepts:<\/strong> Identify, Protect, Detect, Respond, and Recover<\/li>\n<li><strong>Operational capabilities:<\/strong> Governance, Asset management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and 
Compliance, Information Security Event Management, and Information Security Assurance<\/li>\n<li><strong>Security domains:<\/strong> Governance and Ecosystem, Protection, Defense, and Resilience<\/li>\n<\/ul>\n<p>These attributes will ease the integration of ISO 27002:2022 controls with other similar security frameworks, like the NIST Risk Management Framework. You can read more about the differences between the 2013 and 2022 versions of ISO 27002 in the last section of this article.<\/p>\n<h3 id=\"section12\">How are the controls structured?<\/h3>\n<p>The layout for each control in ISO 27002 consists of the following elements:<\/p>\n<ul>\n<li>Control title: The short name of the control<\/li>\n<li>Attribute table: A table that shows the value(s) of each attribute for the given control<\/li>\n<li>Control: A brief description of the control<\/li>\n<li>Purpose: An explanation of why the control should be implemented<\/li>\n<li>Guidance: Instructions for how the control should be implemented<\/li>\n<li>Other information: Additional explanatory text, or references to related documents<\/li>\n<\/ul>\n<p>The layout is designed to provide comprehensive information and guidance for each control, helping organizations understand and implement the necessary security measures.<\/p>\n<h3 id=\"section13\">How to implement ISO 27002 controls<\/h3>\n<p>To effectively implement ISO 27002 controls, follow a process that assesses the organization's needs; identifies the appropriate controls, and customizes them if necessary; implements them using a structured approach; and then monitors, measures, and continuously improves them. Once completed, the implemented control should address needs at a combined technological, organizational\/process, people, and documentation level.<\/p>\n<p>For example, the implementation of control 8.9 Configuration management will address the following aspects:<\/p>\n<p><strong>Technology<\/strong>. 
The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.<\/p>\n<p><strong>Organization\/processes<\/strong>. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.<\/p>\n<p><strong>People<\/strong>. Make employees aware of why strict control of security configurations is needed, and train them to define and implement security configurations.<\/p>\n<p><strong>Documentation<\/strong>. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your security operating procedures. Larger companies will typically have a separate procedure that defines the configuration process.<\/p>\n<h2>What\u2019s new in ISO 27002:2022?<\/h2>\n<p>It took nine years for the last revision of ISO\/IEC 27002 (published in 2013) to be replaced with the latest 2022 revision. 
The most important changes are as follows:<\/p>\n<ul>\n<li>There are 11 new controls.<\/li>\n<li>23 controls have changed their names.<\/li>\n<li>57 controls have been merged into 24 controls.<\/li>\n<li>1 control was split into 2 controls.<\/li>\n<li>Even though 35 controls remained the same, their control IDs have changed.<\/li>\n<\/ul>\n<h3 id=\"section14\">New controls<\/h3>\n<p>Here are the 11 controls that are new in ISO 27002:2022:<\/p>\n<ul>\n<li>5.7 Threat intelligence<\/li>\n<li>5.23 Information security for use of cloud services<\/li>\n<li>5.30 ICT readiness for business continuity<\/li>\n<li>7.4 Physical security monitoring<\/li>\n<li>8.9 Configuration management<\/li>\n<li>8.10 Information deletion<\/li>\n<li>8.11 Data masking<\/li>\n<li>8.12 Data leakage prevention<\/li>\n<li>8.16 Monitoring activities<\/li>\n<li>8.23 Web filtering<\/li>\n<li>8.28 Secure coding<\/li>\n<\/ul>\n<p>To learn more about these new controls and their requirements, read the article <a href=\"https:\/\/staging.advisera.com\/27001academy\/explanation-of-11-new-iso-27001-2022-controls\/\" target=\"_blank\" rel=\"noopener\">Detailed explanation of 11 new security controls in ISO 27001:2022<\/a>.<\/p>\n<h3 id=\"section15\">Renamed controls<\/h3>\n<p>In the current version of ISO 27002, 23 controls had their names changed for the sake of making them easier to understand. 
For example:<\/p>\n<ul>\n<li>Control 12.7.1 Information systems audit controls was changed to 8.34 Protection of information systems during audit testing.<\/li>\n<li>Control 15.1.3 Information and communication technology supply chain was changed to 5.21 Managing information security in the ICT supply chain.<\/li>\n<\/ul>\n<p>These changes help keep the focus on the information security aspects of business processes and activities, reducing the effort of implementing and maintaining the Information Security Management System.<\/p>\n<p>To see a full list of controls in the new ISO 27002, and to learn which controls were renamed and merged when compared to ISO 27002:2013, download this free white paper: <a href=\"https:\/\/info.staging.advisera.com\/27001academy\/free-download\/overview-of-new-security-controls-in-iso-27002\/\" target=\"_blank\" rel=\"noopener\">Overview of new security controls in ISO 27002:2022<\/a>.<\/p>\n<h3 id=\"section16\">No excluded controls<\/h3>\n<p>Although the number of controls has been reduced, no controls were excluded in this new version, only merged for the sake of better understanding.<\/p>\n<h3 id=\"section17\">Merged controls<\/h3>\n<p>A total of 57 controls have been merged into 24 controls. 
For example:<\/p>\n<ul>\n<li>Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security were merged into 5.1 Policies for information security.<\/li>\n<li>Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.<\/li>\n<\/ul>\n<p>These consolidations were decided either because multiple related controls were natural steps of a bigger process, or because more efficient security could be achieved by considering them in a single control.<\/p>\n<h3 id=\"section18\">Split controls<\/h3>\n<p>There is only one control that was split: 18.2.3 Technical compliance review was split into 5.36 Conformance with policies, rules, and standards for information security and 8.8 Management of technical vulnerabilities.<\/p>\n<h3 id=\"section19\">Controls that have stayed the same<\/h3>\n<p>In the new ISO 27002, 35 controls remained the same, only changing their control numbers.<\/p>\n<h2>Why ISO 27002?<\/h2>\n<p>ISO 27002 is almost as popular as ISO 27001 for a very good reason \u2014 it provides tips and tricks for the implementation and the everyday operation of controls. 
This helps companies save a lot of time when implementing an ISMS and going for certification.<\/p>\n<p><em>To automate your compliance with ISO 27001\/ISO 27002 security controls, <\/em><a href=\"https:\/\/staging.advisera.com\/conformio\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a><em>\u00a0of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n\n\n                            <div class=\"author-resume\">\n                    <img decoding=\"async\" class=\"author--avatar\" src=\"\/wp-content\/uploads\/blog_authors\/dejankosutic.jpg\"\n                        alt=\"Advisera Dejan Kosutic\">\n                    <div class=\"author--role\">\n                        Author                    <\/div>\n                    <a href=\"https:\/\/staging.advisera.com\/27001academy\/author\/dejankosutic\/\" class=\"author--name\">\n                    Dejan Kosutic                    <\/a>\n                    <div class=\"author--bio\">\n                        <p>CEO &amp; Lead Expert for ISO 27001, NIS 2, and DORA<\/p><br \/>\n<p>Leading expert on cybersecurity &amp; information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. 
He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera&#8217;s clients, and that AI technology is crucial for achieving this.<\/p><br \/>\n<p>As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.<\/p><br \/>\n                    <\/div>\n                                            <div class=\"author--connect\">\n                            <div class=\"author--connect_connect\">\n                                                                    Connect with Dejan:                                   \n                            <\/div>\n                            <div class=\"author--connect_social\">\n                                <a href=\"https:\/\/www.linkedin.com\/in\/dejankosutic\/\" target=\"_blank\" rel=\"noopener\"><i class=\"icon-linkedin\"><\/i><\/a>\n                                <a href=\"https:\/\/www.youtube.com\/@DejanKosutic\" target=\"_blank\" rel=\"noopener\"><svg width=\"32\" id=\"youtube-svg-icon\" style=\"enable-background:new 0 0 1000 1000;\" version=\"1.1\" viewBox=\"0 0 1000 1000\" xml:space=\"preserve\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\"><style type=\"text\/css\">.st0{fill:#FF0000;}.st1{fill:#FFFFFF;}<\/style><title\/><g><path class=\"st0\" fill=\"#FF0000\" d=\"M500,1000L500,1000C223.9,1000,0,776.1,0,500v0C0,223.9,223.9,0,500,0h0c276.1,0,500,223.9,500,500v0   C1000,776.1,776.1,1000,500,1000z\"\/><path class=\"st1\" fill=\"#FFFFFF\" d=\"M818.2,339.1c-7.6-28.8-30.1-51.4-58.7-59.1c-51.8-14-259.4-14-259.4-14s-207.7,0-259.4,14   c-28.6,7.7-51.1,30.3-58.7,59.1C168,391.2,168,500,168,500s0,108.8,13.9,160.9c7.6,28.8,30.1,51.4,58.7,59.1   c51.8,14,259.4,14,259.4,14s207.7,0,259.4-14c28.6-7.7,51.1-30.3,58.7-59.1C832,608.8,832,500,832,500S832,391.2,818.2,339.1z    
M432.1,598.7V401.3L605.6,500L432.1,598.7z\"\/><\/g><\/svg><\/a> \n                                                            \n                            <\/div>\n                        <\/div>\n                    \n                                        <div class=\"contributor-resume\">\n                        <div class=\"contributor--avatar\">\n                            <img decoding=\"async\" class=\"author--avatar\" src=\"\/wp-content\/uploads\/blog_authors\/hughshepherd.jpg\"\n                            alt=\"Advisera Hugh Shepherd\">\n                        <\/div>\n                        <div class=\"author--role\">\n                            Contributor                        <\/div>\n                        <a href=\"https:\/\/staging.advisera.com\/27001academy\/author\/hughshepherd\/\" class=\"author--name\">\n                            Hugh Shepherd                        <\/a>\n                        <div class=\"author--bio\">\n                            Hugh Shepherd is a freelance consultant currently living in Bangkok, Thailand. He has over 20 years of professional experience spanning the military, telecommunications, information technology, cable television, and management consulting industries. He holds a master\u2019s degree in technology management and an MBA. Over the course of his career, he has earned certifications and\/or gained expertise in IT service management (ITIL, ISO 20000), telecom business processes (TM Forum), enterprise architecture (TOGAF), and cybersecurity (CISSP, CEH, Security+, ISO 27001). Previously, Hugh worked on various ICT projects in Washington, DC; New York City; Chicago, IL; Dallas, TX; and numerous other cities across the United States. While living overseas, he has done pro bono advisory work in cybersecurity and business strategy for several small businesses.                        
<\/div>\n                    <\/div>\n                                <\/div>\n            \n        <\/div>\n    <\/div>\n<\/div>\n<\/section>\n<\/div><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>What is ISO 27002? ISO 27002, officially named \u201cISO\/IEC 27002 Information Security, Cybersecurity and Privacy Protection \u2013 Information Security Controls,\u201d is a widely used and well-known information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides detailed guidelines for the implementation of the controls listed in ISO 27001 Annex A, because &#8230;<\/p>\n","protected":false},"author":6,"featured_media":88194,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-what-is-iso.php","meta":{"_acf_changed":false,"footnotes":""},"toolkit-document-types":[],"class_list":["post-88193","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/pages\/88193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=88193"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/pages\/88193\/revisions"}],"predecessor-version":[{"id":104292,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/pages\/88193\/revisions\/104292"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/88194"}],"wp:attachment":[{"href":"https:\/\/sta
ging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=88193"}],"wp:term":[{"taxonomy":"toolkit-document-types","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/toolkit-document-types?post=88193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}