In the field of information security, organisations often hear about ISO/IEC 27001 and ISO/IEC 27002. While ISO27001 sets out the requirements for an Information Security Management System (ISMS), ISO27002 provides detailed guidance on implementing and improving information security controls. Understanding ISO27002 is essential for organisations that want to effectively manage risks and ensure compliance with both industry standards and regulatory requirements.
This article offers a comprehensive overview of ISO27002, highlighting what you need to know about its purpose, structure, key changes in the latest version, and how it complements ISO27001.
1. What is ISO/IEC 27002?
ISO/IEC 27002 is a best-practice guideline that supports the implementation of information security controls defined in Annex A of ISO/IEC 27001. It provides detailed explanations of each control, including their objectives, application, and how they can be tailored to an organisation’s needs.
The standard is not mandatory but serves as a reference for organisations implementing security measures to:
Mitigate risks.
Comply with regulatory and contractual requirements.
Protect sensitive data and critical systems.
Unlike ISO27001, which is designed for certification, ISO27002 is not certifiable. Instead, it acts as a practical companion, offering actionable advice for managing information security.
2. Purpose of ISO27002
The primary objective of ISO27002 is to help organisations:
Understand Security Controls:
The standard explains the purpose and application of various security controls, enabling organisations to choose the most appropriate measures for their risk environment.Implement and Maintain Controls:
ISO27002 provides guidance on implementing security controls effectively, including monitoring, maintenance, and continuous improvement.Customise Controls:
Organisations can adapt controls to their specific needs based on risk assessments, regulatory requirements, and operational constraints.Align with ISO27001:
The standard complements ISO27001 by providing detailed implementation advice for the controls listed in Annex A of ISO27001.
3. Key Differences Between ISO27001 and ISO27002
It’s important to understand how ISO27001 and ISO27002 work together but serve different purposes:
ISO27001 | ISO27002 |
|---|---|
Sets out the requirements for an ISMS | Provides guidelines for implementing security controls |
Designed for certification | Not certifiable – serves as a best-practice guide |
Focuses on risk management and governance | Focuses on control implementation and operations |
Contains Annex A, a list of 93 security controls | Expands on the controls in Annex A with detailed guidance |
By combining the requirements of ISO27001 with the recommendations of ISO27002, organisations can build a robust and well-documented security programme.
4. Structure of ISO27002
ISO27002 is structured around security controls grouped into key domains. The latest version of the standard, published in 2022, introduces 93 security controls organised into 4 themes:
Organisational Controls (37 controls)
These address governance, policies, risk management, and security awareness at the organisational level.People Controls (8 controls)
These focus on human resources and personnel security, including background checks, training, and user access management.Physical Controls (14 controls)
These deal with the physical protection of assets, such as access control to facilities, secure areas, and protection against environmental threats.Technological Controls (34 controls)
These focus on technical security measures, including encryption, network security, and application security.
The reorganisation of controls under these themes is intended to make the standard easier to navigate and apply.
5. Key Changes in the Latest Version of ISO27002 (2022)
The 2022 version of ISO27002 introduced several significant updates:
5.1. Control Reorganisation
The previous version of ISO27002 had 114 controls grouped into 14 categories. The 2022 update reorganised these into 93 controls across 4 themes. This change simplifies the structure and aligns with modern security practices.
5.2. Introduction of Control Attributes
Each control is now accompanied by attributes that provide additional context. These attributes include:
Control Type: Preventive, detective, or corrective.
Information Security Properties: Confidentiality, integrity, availability.
Cybersecurity Concepts: Identify, protect, detect, respond, recover (based on the NIST Cybersecurity Framework).
Operational Capabilities: Governance, risk management, and monitoring.
These attributes help organisations understand the purpose of each control and how it fits within their security strategy.
5.3. New and Updated Controls
Several new controls have been added to address emerging security risks. Examples include:
Threat Intelligence: Guidance on collecting and using threat intelligence to improve security posture.
Data Masking: Techniques to protect sensitive data by obscuring or anonymising it.
Secure Software Development: Best practices for integrating security into the software development lifecycle.
Configuration Management: Ensuring that systems are securely configured and maintained.
Existing controls have also been updated to reflect advancements in technology and evolving security threats.
6. Key Control Areas in ISO27002
The standard provides detailed guidance on implementing controls across various areas of information security. Below are some of the key control areas:
6.1. Access Control
Implement role-based access control (RBAC) to limit access to sensitive data and systems.
Enforce multi-factor authentication (MFA) for critical systems.
Regularly review and update access permissions.
6.2. Risk Assessment and Treatment
Conduct regular risk assessments to identify threats, vulnerabilities, and business impacts.
Apply a risk-based approach to selecting and implementing security controls.
Maintain a risk register and monitor changes to the threat landscape.
6.3. Incident Management
Develop and maintain an incident response plan (IRP).
Implement monitoring tools to detect and respond to security events in real time.
Conduct post-incident reviews to improve response processes.
6.4. Data Protection
Encrypt sensitive data both in transit and at rest.
Implement data masking and anonymisation techniques to protect personally identifiable information (PII).
Ensure data protection measures comply with regulatory requirements (e.g., GDPR).
6.5. Supply Chain Security
Assess the security posture of third-party vendors and suppliers.
Include security and audit requirements in vendor contracts.
Monitor third-party compliance with information security policies.
7. Benefits of ISO27002
Implementing ISO27002 offers several benefits for organisations:
Improved Security Posture:
By following best practices, organisations can reduce the likelihood and impact of cyber incidents.Regulatory Compliance:
ISO27002 helps organisations meet the security requirements of regulations such as GDPR, NIS2, and DORA.Enhanced Risk Management:
The standard’s risk-based approach enables organisations to prioritise security measures based on business impact.Operational Efficiency:
Clear guidelines on control implementation reduce ambiguity and ensure consistent application of security measures across the organisation.Audit Readiness:
Documentation of controls, risk assessments, and incident response activities provides evidence for audits and regulatory inspections.
8. Best Practices for Implementing ISO27002
To maximise the value of ISO27002, organisations should follow these best practices:
Align with Business Objectives:
Ensure that security controls support the organisation’s strategic goals and risk appetite.Conduct a Gap Analysis:
Identify gaps between current security practices and the recommendations in ISO27002. Use the results to develop a compliance roadmap.Tailor Controls to Your Environment:
Not all controls will be relevant to every organisation. Customise controls based on your risk assessment and regulatory obligations.Monitor and Review Regularly:
Continuously monitor the effectiveness of security controls and update them as needed to address new threats.Integrate with ISO27001:
Use ISO27002 to support the implementation and maintenance of your ISMS, ensuring alignment with ISO27001 requirements.
9. Conclusion
ISO/IEC 27002 is an essential guide for organisations seeking to implement effective information security controls. By providing detailed guidance on control selection, implementation, and maintenance, the standard helps organisations strengthen their security posture, manage risks, and achieve compliance with regulatory requirements. When integrated with ISO27001, ISO27002 forms a powerful framework for building a resilient and secure information security programme.
For more information on implementing ISO27002, conducting risk assessments, or achieving ISO27001 certification, contact our cybersecurity experts today.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article