ISO/IEC 27002 Explained Simply: How It Supports ISO 27001 Certification

  • iso 27002
  • Published by: André Hammer on Apr 04, 2024
Group classes

ISO/IEC 27002 supports information security control implementation, while certification applies to ISO/IEC 27001. Organisations use ISO/IEC 27002 as guidance to choose, interpret, and implement controls, not as a certifiable standard.

That distinction matters because ISO/IEC 27002 is often where the practical work becomes clearer. ISO/IEC 27001 sets the requirements for an information security management system, while ISO/IEC 27002 explains how security controls can be applied in a risk-based way. A team preparing for certification would use ISO/IEC 27002 to support control selection, update policies, and justify decisions in the Statement of Applicability, but the audit itself is against ISO/IEC 27001.

What ISO/IEC 27002 is for

ISO/IEC 27002 is an international code of practice for information security controls. It gives implementation guidance for controls that can help protect confidentiality, integrity, and availability across people, processes, technology, and physical environments. It is part of the ISO/IEC 27000 family and is designed to support organisations that need a structured approach to information security.

The standard is useful because it turns broad security objectives into practical control guidance. For example, a risk assessment might show that a business depends heavily on cloud services and remote working. ISO/IEC 27002 helps that business think through access management, supplier relationships, logging, endpoint protection, acceptable use, and incident handling without treating every control as equally important.

It should not be used as a simple checklist. A small software company, a healthcare provider, and a manufacturer may all rely on ISO/IEC 27002, but their risks, regulatory pressures, and control priorities will differ. The better approach is to select controls because they treat identified risks, then document why those controls are applicable or not applicable.

What changed in ISO/IEC 27002:2022

The 2022 edition reorganised the control set into 4 themes and 93 controls. This replaced the older structure that many organisations knew from the 2013 edition and made the guidance easier to navigate alongside ISO/IEC 27001:2022 Annex A. The four themes are organisational, people, physical, and technological controls.

ISO/IEC 27002:2022 control themes and practical meaning
Theme What it covers Practical example
Organisational Governance, risk, supplier management, policies, incident management, and business continuity. A company defines who owns cloud security decisions and how supplier risks are reviewed before renewal.
People Employment lifecycle, awareness, responsibilities, confidentiality, and disciplinary processes. Joiners, movers, and leavers are handled through a repeatable process so access changes follow role changes.
Physical Secure areas, equipment protection, storage media, utilities, and environmental threats. A regional office restricts access to network cabinets and records visitors in areas where sensitive work is performed.
Technological Access control, authentication, logging, malware protection, secure coding, network security, and configuration. An application team adopts a secure coding standard and uses logging to detect suspicious behaviour in production systems.

The 2022 update also introduced 11 new controls. They reflect security realities that have become more prominent, including cloud use, threat intelligence, secure development, data leakage, monitoring, and configuration management.

Threat intelligence.

Information security for use of cloud services.

ICT readiness for business continuity.

Physical security monitoring.

Configuration management.

Information deletion.

Data masking.

Data leakage prevention.

Monitoring activities.

Web filtering.

Secure coding.

These controls are easiest to understand through everyday examples. Threat intelligence might mean using credible sources to understand which attack techniques are relevant to the organisation’s sector. Cloud service security may require documented shared-responsibility decisions, not merely a supplier contract. Secure coding may start with a development standard, code review expectations, and a way to handle known vulnerabilities before release.

The newer controls also create ownership challenges. Several of them do not sit neatly inside a traditional compliance team. Secure coding often belongs with application security and engineering, data masking and leakage prevention involve data owners, and cloud service controls require input from procurement, architecture, operations, and legal. In practice, ISO/IEC 27002 works better when control ownership is documented through a cross-functional RACI rather than assigned vaguely to “IT security”.

The control attribute model in plain English

One of the more useful changes in ISO/IEC 27002:2022 is the control attribute model. Instead of viewing each control only by its theme, organisations can tag controls by characteristics such as whether they are preventive, detective, or corrective; which security property they support; and how they relate to broader cybersecurity concepts such as identify, protect, detect, respond, and recover.

This matters because attributes make control sets easier to tailor and measure. A risk treatment plan that contains many preventive controls but very few detective controls may leave the organisation unable to see when something has gone wrong. Likewise, a programme that invests in access restrictions but ignores monitoring may look strong on paper while remaining weak operationally.

Attributes also help with reporting. Senior leaders rarely need a line-by-line discussion of all 93 controls, but they do need to know whether the organisation is improving its ability to prevent incidents, detect suspicious activity, respond consistently, and recover critical services. The attribute model gives security teams a more practical way to group controls and explain coverage.

How ISO/IEC 27002 supports ISO/IEC 27001 certification

ISO/IEC 27001 defines the certifiable requirements for an information security management system. ISO/IEC 27002 provides supporting guidance for selecting and implementing the controls that may be used to treat risks. This is where many teams make an early mistake: they try to “comply with 27002” before they have clearly assessed risk and defined the scope of the ISMS.

The practical sequence is risk first, control selection second, documentation third. A risk assessment identifies what could go wrong, which assets and processes are affected, and how serious the exposure is. The organisation then decides which controls are appropriate, records those decisions in the Statement of Applicability, and aligns the selected controls with ISO/IEC 27001 Annex A. Readers who need the requirements side should use an ISO training path to distinguish the certifiable ISO/IEC 27001 standard from supporting guidance such as ISO/IEC 27002.

A simple workflow for connecting risk decisions to ISO/IEC 27002 guidance is:

  1. Define the business context and ISMS scope.
  2. Complete the information security risk assessment.
  3. Make and record risk treatment decisions.
  4. Update the Statement of Applicability.
  5. Align the selected controls with Annex A.
  6. Use ISO/IEC 27002 to guide practical implementation.

The learning point is that ISO/IEC 27002 comes after the organisation understands its risks and certification scope. Teams should verify that each selected control traces back to a risk, obligation, or operating need before using the guidance to shape implementation.

The Statement of Applicability is especially important. It should explain which Annex A controls are included, which are excluded, and why. ISO/IEC 27002 helps teams describe what implementation can look like, but the reasoning must still come from the organisation’s risks, obligations, and operating model.

Practical implementation examples across the four themes

For organisational controls, consider a business that depends on several cloud service providers. The relevant work is broader than reviewing a supplier once during procurement. The organisation needs ownership for cloud risk decisions, criteria for onboarding services, review points for contractual and security changes, and incident communication expectations. ISO/IEC 27002 helps structure those practices so cloud use is governed continuously.

For people controls, a common starting point is the joiners-movers-leavers process. When someone changes role, access should change with them; when someone leaves, access should be removed promptly and consistently. This is a practical control area because it links HR, line managers, identity administration, and application owners. Weaknesses often arise when those teams each assume another function has completed the task.

For physical controls, the work may be as simple as understanding where sensitive information can be viewed, copied, stored, or removed. A small office might need locked storage, visitor controls, and a clear-desk practice in specific areas. A larger organisation may need monitoring for secure areas, protection for equipment, and procedures for media handling. The correct level depends on risk rather than the existence of a control heading.

For technological controls, quick wins often come before heavy tooling. A secure coding standard, baseline hardening for servers and endpoints, multi-factor authentication for privileged access, and consistent logging can usually be sequenced before more complex initiatives such as data leakage prevention or enterprise-wide configuration governance. That sequencing helps teams build credibility while planning the controls that require deeper architecture and operational change.

Migrating from the 2013 edition to the 2022 edition

Organisations that built their ISMS around the 2013 structure do not need to reinvent everything. The sensible approach is to map existing controls to the 2022 themes, re-tag them using the new attribute model where useful, and then update the Statement of Applicability so it reflects the current Annex A structure. Policy documents can then be refreshed in priority order instead of rewritten all at once.

Migration should begin with what already exists. Many controls will remain valid, even if their numbering and grouping have changed. The work is to confirm whether the control still treats the intended risk, whether ownership is clear, whether evidence exists, and whether the wording in policies and procedures reflects the 2022 language well enough for internal use and audit discussion.

The 11 new controls deserve particular attention because they often reveal gaps in modern operating models. Logging and monitoring, for example, may exist technically but lack defined review responsibilities or escalation criteria. Configuration management may be performed by infrastructure teams but not consistently applied across cloud resources, applications, and endpoints. Data leakage prevention may require decisions from data owners before technology choices make sense.

A pragmatic migration plan usually prioritises the areas that affect certification evidence and risk treatment decisions first: the Statement of Applicability, risk treatment plan, control ownership, key policies, and audit evidence. Once those foundations are aligned, teams can schedule deeper improvements such as data masking, secure development maturity, supplier assurance, and configuration governance.

Common mistakes when using ISO/IEC 27002

The first mistake is treating ISO/IEC 27002 as a requirements standard. It is guidance, while ISO/IEC 27001 contains the requirements for certification. That difference affects how evidence is prepared, how auditors evaluate the ISMS, and how teams explain control choices.

The second mistake is assuming that every control must be implemented in the same way by every organisation. ISO/IEC 27002 gives structured guidance, but risk determines relevance. A control may be applicable for one organisation and not applicable for another, provided the decision is justified properly in the Statement of Applicability.

The third mistake is using external frameworks imprecisely. NIST guidance, for example, can be useful for comparison and security programme design, but it is a separate framework rather than a supplementary ISO standard. Mapping frameworks can help with communication, but it should not be treated as one-to-one equivalence.

The fourth mistake is underestimating monitoring depth. The 2022 controls make areas such as monitoring activities, threat intelligence, configuration management, and cloud service security more visible. Organisations that document these controls but fail to define ownership, review frequency, escalation paths, and evidence collection may struggle to show that the controls are operating in practice.

Where ISO/IEC 27002 fits next

ISO/IEC 27002 is most valuable when it helps an organisation make better security decisions. It gives structure to control implementation, but it does not replace risk assessment, governance, leadership commitment, or day-to-day operational discipline. The standard works best when teams use it to clarify responsibilities, close practical gaps, and explain why selected controls are appropriate.

Organisations building capability around ISO standards can explore broader ISO courses and certifications, and teams that need wider security skills development may consider Unlimited Security Training. A practical next step is to compare the current Statement of Applicability with the 2022 control themes, identify unclear ownership, and prioritise improvements that reduce real risk rather than simply updating document numbers.

If a team wants to discuss training options or how ISO learning can support certification preparation, it can contact Readynez for guidance.

FAQ

What is ISO/IEC 27002?

ISO/IEC 27002 is guidance for information security controls. It helps organisations understand how controls can be selected and implemented to protect information assets, but it is not the standard organisations certify against.

Can an organisation be certified to ISO/IEC 27002?

No. Organisations certify to ISO/IEC 27001. ISO/IEC 27002 supports that work by providing implementation guidance for controls that may be included in the Statement of Applicability.

How is ISO/IEC 27002 different from ISO/IEC 27001?

ISO/IEC 27001 contains requirements for establishing, maintaining, and improving an information security management system. ISO/IEC 27002 provides guidance on information security controls that can support risk treatment and Annex A alignment.

What are the four themes in ISO/IEC 27002:2022?

The four themes are organisational, people, physical, and technological controls. They provide a clearer structure for understanding how controls apply across governance, staff responsibilities, premises, equipment, systems, and technical security.

Does ISO/IEC 27002 help with compliance?

It can support compliance work by providing recognised information security control guidance. However, compliance depends on the specific law, regulation, contract, or certification requirement being addressed, so ISO/IEC 27002 should be used alongside a proper assessment of obligations and risks.

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}