ISO/IEC 27002: Relationship with ISO/IEC 27001

  • What does ISO 27002 stand for?
  • Published by: André Hammer on Apr 04, 2024
Blog Alt EN

ISO/IEC 27002 is the guidance standard for selecting and implementing the controls referenced by ISO/IEC 27001 Annex A. Organisations are certified against ISO/IEC 27001 rather than ISO/IEC 27002, despite the common misconception that ISO/IEC 27002 itself can be used for certification.

That distinction matters because ISO/IEC 27002 is often used at the most practical point in an information security management system: turning risk treatment decisions into controls that can be operated, evidenced, reviewed, and improved. It helps security and compliance teams interpret what a control is trying to achieve, how it may be implemented, and what evidence could show that it is working.

What ISO/IEC 27002 means in practice

ISO/IEC 27002 is a code of practice for information security controls. It sits within the ISO/IEC 27000 family and gives implementation guidance for controls that support confidentiality, integrity, and availability across people, process, technology, and physical environments.

Unlike ISO/IEC 27001, it does not define the requirements for running an information security management system, usually called an ISMS. ISO/IEC 27001 sets the management system requirements, including risk assessment, risk treatment, leadership, internal audit, continual improvement, and the Statement of Applicability. ISO/IEC 27002 explains the control guidance that organisations can use when those risk treatment decisions point to controls aligned with Annex A.

In practice, ISO/IEC 27002 is most useful when it is treated as guidance rather than a checklist. A control should be selected because it addresses a risk, a legal or contractual obligation, or a business requirement. Selecting controls without that risk basis can create a large control set that looks complete on paper but is difficult to justify during an audit.

How ISO/IEC 27002 relates to ISO/IEC 27001 Annex A

Annex A belongs to ISO/IEC 27001. It provides a reference set of information security controls that organisations consider when treating risk. ISO/IEC 27002 is aligned to that control set and gives more detailed implementation guidance for the same control topics.

This relationship becomes visible in the Statement of Applicability, often shortened to SoA. The SoA should show which Annex A controls are applicable, which are excluded, why those decisions were made, and whether each applicable control has been implemented. Auditors expect the SoA to connect logically to the risk assessment, the risk treatment plan, and the evidence that controls are operating.

A common weakness during transition projects is leaving the SoA with old control names from the 2013 version while claiming alignment with the 2022 standards. That creates avoidable confusion because evidence, policies, risk treatment actions, and audit references no longer point cleanly to the updated control structure. Readers updating their ISMS may find it useful to review Readynez training options for ISO standards through the ISO courses overview, especially when internal teams need a shared understanding of the 27001 and 27002 relationship.

What changed in ISO/IEC 27002:2022

ISO/IEC 27002:2022 reorganised the control guidance to make it easier to use with modern security programmes. The 2022 edition contains 93 controls grouped into four themes: organisational, people, physical, and technological. This replaced the older structure of many separate domains and made the standard easier to navigate alongside ISO/IEC 27001:2022 Annex A.

The update also introduced control attributes. These attributes help teams view controls through different lenses, such as whether a control is preventive, detective, or corrective; which security properties it supports; and how it relates to operational capabilities. From a practical perspective, this helps security leaders prioritise work, group controls for reporting, and explain why a control matters to different audiences.

For example, a security team may group controls by operational capability when assigning ownership to infrastructure, HR, legal, procurement, or application development teams. Meanwhile, a risk committee may prefer reporting by control type or by business risk. The attributes make the same control library more useful for planning, measurement, and governance.

The 11 new controls in ISO/IEC 27002:2022

The 2022 revision introduced 11 new controls that reflect how security work has changed since the previous edition. They do not replace the need for risk assessment, but they highlight areas that many organisations now need to consider explicitly.

Threat intelligence: using information about threat actors, attack techniques, and sector-specific risks to inform security decisions.

Information security for use of cloud services: defining security responsibilities, configuration expectations, and monitoring requirements for cloud adoption.

ICT readiness for business continuity: ensuring technology services can support continuity and recovery objectives during disruption.

Physical security monitoring: using appropriate monitoring to detect unauthorised physical access to sensitive areas.

Configuration management: maintaining secure and consistent configurations across systems, services, and devices.

Information deletion: removing information when it is no longer required, including from systems, storage media, and cloud services.

Data masking: reducing exposure of sensitive data in development, testing, analytics, or operational use cases.

Data leakage prevention: detecting and reducing unauthorised movement of sensitive information through email, endpoints, cloud platforms, or networks.

Monitoring activities: collecting and reviewing activity information to detect suspicious behaviour or policy violations.

Web filtering: restricting access to malicious or inappropriate web destinations based on organisational risk.

Secure coding: building security practices into software development to reduce vulnerabilities before deployment.

Several of these controls reflect ordinary implementation challenges rather than unusual security scenarios. Cloud services use is a good example. Many organisations have cloud contracts, tenant settings, identity integrations, backup arrangements, and shared responsibility assumptions spread across several teams. ISO/IEC 27002:2022 gives those teams a common control language, but the organisation still has to decide what level of control is proportionate to its risks.

Migrating from ISO/IEC 27002:2013 to 2022

A practical migration from the 2013 edition should start with mapping, not redesign. Most organisations already have policies, procedures, technical controls, supplier clauses, access rules, monitoring activities, and audit evidence that can be mapped to the 2022 control structure. Rebuilding the ISMS from the beginning is rarely necessary unless the original system was poorly defined.

The first task is to map existing controls to the updated Annex A structure and ISO/IEC 27002:2022 control names. After that, the organisation can identify gaps against the new controls, update the SoA, revise policy references, and check whether control ownership is still accurate. The strongest migration work usually focuses on traceability: each applicable control should connect back to a risk, a decision, an owner, and evidence of operation.

Tooling can help, but it can also create noise. Governance, risk, and compliance platforms often contain legacy control libraries, duplicated policy references, or inherited mappings from older frameworks. Before importing new mappings, teams should check whether the control names, evidence fields, ownership records, and reporting categories match the 2022 structure. Otherwise, the migration may appear complete in a dashboard while audit evidence remains fragmented.

Using ISO/IEC 27002 for audit-ready evidence

Auditors do not usually expect every ISO/IEC 27002 implementation suggestion to be followed literally. They look for a coherent ISMS where the organisation can explain why a control applies, how it was implemented, who owns it, and how its effectiveness is checked. ISO/IEC 27002 supports that conversation by giving a common interpretation of control intent.

Evidence should be proportionate to the control and the risk. For access control, evidence might include access review records, joiner and leaver workflows, privileged access approvals, and identity configuration screenshots. For secure coding, it may include development standards, code review records, vulnerability testing results, and remediation tracking. For threat intelligence, it may include defined sources, triage records, and examples of security decisions influenced by intelligence.

The important point is that evidence should show operation, not only design. A policy stating that access is reviewed is weaker than a completed review showing findings, exceptions, approvals, and follow-up actions. This is where many ISMS programmes become more mature: they move from documenting intent to proving that controls are active and managed.

Where ISO/IEC 27017, 27018, and 27701 fit

ISO/IEC 27002 should not be confused with related extensions in the ISO family. ISO/IEC 27001 defines the ISMS requirements, while ISO/IEC 27002 provides control guidance. If an organisation processes personally identifiable information and needs a privacy extension to its ISMS, ISO/IEC 27701 may be relevant. If the organisation is a cloud service provider or cloud service customer, ISO/IEC 27017 and ISO/IEC 27018 may help address cloud-specific roles and privacy expectations.

These standards should be added because the business context requires them, not because a larger standards library looks more mature. A cloud software provider handling customer personal data may have reason to consider several related standards. By contrast, a smaller organisation using a limited set of managed cloud services may first need to strengthen its ISO/IEC 27001 risk assessment, supplier management, identity controls, and cloud configuration governance before extending the framework.

FAQ

Can an organisation be certified to ISO/IEC 27002?

No. Organisations are certified against ISO/IEC 27001, not ISO/IEC 27002. ISO/IEC 27002 provides guidance for implementing information security controls, while ISO/IEC 27001 contains the certifiable ISMS requirements.

What is ISO/IEC 27002 and why is it important?

ISO/IEC 27002 is a code of practice for information security controls. It is important because it helps organisations turn risk treatment decisions into practical controls for areas such as access management, supplier security, cloud services, monitoring, secure development, and physical security.

How does ISO/IEC 27002 support ISO/IEC 27001?

ISO/IEC 27001 requires organisations to assess information security risks, select appropriate controls, and maintain a Statement of Applicability. ISO/IEC 27002 helps by explaining the intent and implementation considerations for controls aligned with ISO/IEC 27001 Annex A.

What are the main changes in ISO/IEC 27002:2022?

ISO/IEC 27002:2022 reorganised the control set into 93 controls across four themes and introduced 11 new controls. It also added control attributes that help organisations prioritise, group, measure, and report controls in a more risk-based way.

How should companies prepare for ISO/IEC 27002:2022?

Companies should map existing controls to the updated structure, refresh the Statement of Applicability, assess gaps against the new controls, update policies and evidence references, and confirm transition expectations with their certification body. The goal is to preserve what already works while making the ISMS traceable to the 2022 control structure.

Applying ISO/IEC 27002 without overcomplicating the ISMS

ISO/IEC 27002 is most valuable when it improves decisions, evidence, and accountability. The 2022 edition gives organisations a clearer structure for control guidance, but the work still depends on risk-based selection, realistic ownership, and evidence that controls operate in practice.

A practical next step is to review the current SoA, check whether control titles and evidence references align with the 2022 structure, and identify any gaps around the new controls. Teams that need broader security upskilling can explore Unlimited Security Training, or contact Readynez for a conversation about ISO certification preparation and related security learning paths.

Related resources

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}