In an environment where cyber threats to UK businesses are constantly evolving, having a robust defence strategy is no longer optional. While many organisations are familiar with ISO 27001 as the foundation for an Information Security Management System (ISMS), the real challenge lies in implementation. This is where ISO 27002 comes in, providing the detailed, practical guidance needed to build and maintain your security controls. Let's explore how this standard can fortify your organisation's defences.
It's essential to first clarify the distinct roles of ISO 27001 and ISO 27002, as they are designed to work in tandem. Think of it this way: ISO 27001 is the architect's blueprint for building a secure house. It outlines the mandatory requirements for your Information Security Management System (ISMS), defining what needs to be built and how to manage it through risk assessment and continual improvement. It’s the standard you get certified against.
ISO 27002, in contrast, is the detailed construction manual. It doesn't set requirements but provides a comprehensive code of practice for implementing the security controls listed in ISO 27001’s Annex A. For each control, it offers in-depth guidance, implementation advice, and best practice, explaining *how* to install the windows, wire the electrics, and fit the locks securely. One sets the framework for management; the other provides the practical toolkit for security techniques.
The 2022 revision of ISO 27002 streamlined the standard, making it more accessible and relevant to the modern threat landscape. The most significant change was the restructuring of controls from 14 clauses into four key themes: Organisational, People, Physical, and Technological.
This version also introduced 11 new controls to address emerging challenges, including threat intelligence, information security for cloud services, and web filtering. This ensures the guidance remains current and provides organisations with the tools to manage today’s cyber security risks effectively.
The true value of ISO 27002 lies in its applicability. Any organisation, regardless of size or whether it is pursuing ISO 27001 certification, can use this standard as a best-practice catalogue. It provides a structured approach to improving your security posture. You can assess your operations against its controls to identify gaps in areas like access control, data security, and physical security.
For businesses looking to enhance their cyber resilience, ISO 27002 serves as a foundational guide. It aids in protecting against data breaches, ensuring compliance with regulations like UK GDPR, and demonstrating a commitment to privacy protection. The standard’s principles on confidentiality, integrity, and availability offer a universal benchmark for robust security management systems.
A frequent question is whether an organisation can be certified against ISO 27002, and the answer is no. ISO 27002 is a supporting standard that provides guidance; it is not a management system standard with requirements to audit against. Organisations achieve certification for their ISMS based on the requirements outlined in ISO 27001. Auditors will, however, expect to see that a company has reviewed the controls in ISO 27002 (via ISO 27001 Annex A) and implemented them where applicable based on a thorough risk assessment.
Managing the array of controls detailed in ISO 27002 can be complex. This is where specialised platforms can streamline the process. A platform like ISMS.online helps organisations navigate the implementation of ISO 27002 controls in alignment with an ISO 27001 framework. It offers guidance on security management, privacy protection, and risk assessment, translating the standard’s advice into actionable tasks. Using such a tool can centralise efforts in asset management, access control, and governance, creating a cohesive and manageable security programme that aligns with international standards and UK-specific regulations.
Ultimately, ISO 27002 is an indispensable resource for any UK organisation committed to protecting its information. It translates the high-level requirements of ISO 27001 into a practical, actionable set of security controls. By leveraging its detailed guidance, businesses can build a resilient security posture, manage risks effectively, and safeguard their data against ever-present threats.
Readynez offers an extensive portfolio of ISO courses and certifications, providing you with all the learning and support you need to successfully prepare for the exams and certifications. All of our ISO courses are also included in our unique Unlimited Security Training offer, where you can attend the ISO courses and 60+ other security courses for just €249 per month, the most flexible and affordable way to get your security certifications.
Please reach out to us with any questions or if you would like a chat about your opportunity with the ISO certifications and how you best achieve it.
The main purpose of ISO 27002 is to provide a detailed set of best-practice guidelines for implementing information security controls. It acts as a practical manual to help organisations protect the confidentiality, integrity, and availability of their information.
No, you are not required to have ISO 27001 in place to use ISO 27002. Any organisation can use ISO 27002 as a standalone reference to improve its security measures. However, its controls are designed to directly support the implementation of an ISO 27001-compliant ISMS.
The key changes in ISO 27002:2022 include a new structure that groups controls into four themes (Organisational, People, Physical, Technological), the consolidation of some controls, and the introduction of 11 new controls to address modern risks like cloud security and threat intelligence.
No, organisations cannot get "certified" to ISO 27002. Certification is only available for ISO 27001, which is the management system standard. ISO 27002 is a code of practice that provides guidance to help implement the controls needed to achieve ISO 27001 certification.
Cyber Essentials is a UK government scheme that focuses on five core technical controls. ISO 27002 is far more comprehensive, covering a much broader range of organisational, people, physical, and technical controls. While there is overlap, achieving Cyber Essentials can be seen as a great first step towards the more holistic security approach detailed in ISO 27002.