You’re probably already familiar with ISO 27001, which establishes a framework for how organizations should manage the security of their data via an Information Security Management System, or ISMS.
But what is ISO 27002?
Put simply, ISO 27002 provides guidance on the implementation of controls from ISO 27001 Annex A. Most recently, on February 15, 2022, ISO 27002:2013 was updated to ISO 27002:2022.
The biggest differences include changes made to Annex A, the grouping of domains, and the introduction of new controls.
Let’s take a look at each of those now.
Changes made to ISO 27001 Annex A
ISO 27002:2013
In the 2013 release, there were 114 ISO 27001 Annex A controls divided into 14 categories:
- Annex A.5 – Information security policies (2 controls): Describes how to handle information security policies.
- Annex A.6 – Organization of information security (7 controls): Provides a framework for information security by defining the internal organization and other information security aspects.
- Annex A.7 – Human resource security (6 controls): Outlines the information security aspects of HR.
- Annex A.8 – Asset management (6 controls): Ensures information security assets are identified and responsibilities for their security are designated.
- Annex A.9 – Access control (14 controls): Limits access to information assets based on real business needs.
- Annex A.10 – Cryptography (2 controls): Provides the basis for proper use of encryption solutions to protect the authenticity, confidentiality, and integrity of information.
- Annex A.11 – Physical and environmental security (15 controls): Prevents unauthorized access to physical areas, equipment, and facilities from human or natural intervention.
- Annex A.12 – Operations security (14 controls): Ensures the organization’s IT systems are secure and protected against data loss.
- Annex A.13 – Communications security (7 controls): Protects the network (infrastructure and services) and the information that travels through it.
- Annex A.14 – Systems acquisition, development, and maintenance (13 controls): Ensures that information security is prioritized when purchasing new information systems or upgrading existing ones.
- Annex A.15 – Supplier relationships (5 controls): Ensures that activities outsourced to suppliers/partners use the appropriate information security controls and describes how to monitor third-party security performance.
- Annex A.16 – Information security incident management (7 controls): Provides a framework to ensure the proper management and communication of security incidents.
- Annex A.17 – Information security aspects of business continuity management (4 controls): Ensures the continuity of information security management during disruptions as well as information system availability.
- Annex A.18 – Compliance (8 controls): Provides a framework to prevent legal, regulatory, statutory, and contractual breaches and audits whether your implemented information security meets the requirements of the ISO 27001 standard.
ISO 27002:2022
In the 2022 release, however, the number of controls was reduced from 114 to 93, and the controls are now grouped into 4 main domains:
- People (8 controls): This includes screening, education, training, disciplinary processes, responsibility, confidentiality, etc.
- Organizational (37 controls): This includes policies, management, inventory, classification, labeling, authentication, etc.
- Technological (34 controls): This includes information access, secure authentication, malware protection, data masking, network security, etc.
- Physical (14 controls): This includes security perimeters, offices, rooms, facilities, equipment, storage, cabling, monitoring, protection against environmental threats, and more.
New controls
The new controls released with ISO 27002:2022 include:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Distinguishing ISO 27002 from ISO 27001
Whereas ISO 27001 only provides a brief description of each control in one or two sentences, ISO 27002 gives more detailed guidance, dedicating an average of one page per control. However, ISO 27002 does not distinguish which controls actually apply to a particular business, which is why ISO 27001 and ISO 27002 must be used in concert.
And ISO 27002 isn’t ISO 27001’s only supplementary standard:
- ISO 27002: Covers the information security controls that organizations might choose to implement.
- ISO 27003: Covers ISMS implementation guidance.
- ISO 27004: Covers the monitoring, measurement, analysis, and evaluation of the ISMS.
When to use ISO 27002
Refer to ISO 27002 once you’ve planned your ISO 27001 and ISMS implementation and have identified the exact controls that you’ll be implementing. This way, you can leverage ISO 27002 to learn more about how each control works.
Remember, each control protects your organization’s valuable information, which is why it’s important to review ISO 27002 to learn how to best select the appropriate measures for your business based on the vulnerability, risk, and threat domain. By using ISO 27002 as a guide for identifying appropriate security controls within the process of implementing an ISMS, you’ll help ensure your organization’s selection, implementation, and management of controls is sound.
Last but not least, it’s important to note that ISO 27002 is a reference for selecting security controls rather than a certification process in and of itself; ISO 27001 is the standard against which organizations are certified, and ISO 27002 supports it.