    ISO 27002

    What Is ISO 27002

    ISO/IEC 27002 (often shortened to ISO 27002) is an international standard providing guidelines and best practices for information security controls. It is part of the ISO/IEC 27000 family of standards. While ISO 27001 defines requirements for establishing, managing, and maintaining an Information Security Management System (ISMS), ISO 27002 offers detailed guidance on choosing, implementing, and operating specific controls to protect information assets, reduce risks, and support legal, contractual, and regulatory obligations. 

    Why ISO 27002 Matters to Businesses

    What Businesses Are Expected To Do

    • Use ISO 27002 as a reference for selecting appropriate security controls, especially when aiming to meet ISO 27001 requirements.
    • Align internal security practices, policies, and procedures to the control guidance in ISO 27002 to improve risk management and information protection. 

    Implementation & Documentation Requirements

    • Identify information assets, systems, processes, people, and external parties relevant to your organization, then map risks to these. Use ISO 27002 as a control catalog to decide which controls are applicable.
    • For each control adopted, document:
      • the purpose and rationale (why this control),
      • how the control will be implemented (procedures, technical and administrative measures),
      • who is responsible,
      • how effectiveness will be measured or monitored.
    • Maintain policies, guidelines, etc., aligned with control categories (organizational, people, physical, technological) and keep them updated.

    Legal & Regulatory Context

    • Many legal, regulatory, and contractual obligations require that organizations “take appropriate security measures” or show “due care.” Using ISO 27002 demonstrates alignment with internationally accepted best practices, which helps in regulatory compliance (for example GDPR, HIPAA, and other data protection/privacy laws) and when contracts or clients demand robust security.
    • While ISO 27002 itself is not certifiable, its guidance is often called upon during audits or assessments (e.g. as evidence of best practices and control implementation) in contexts such as ISO 27001 certification.

    How ISO 27002 Works: Structure & Process

    Structure of ISO 27002

    • The version published in 2022 (ISO/IEC 27002:2022) features 93 controls grouped into four themes:
      • Organizational controls
      • People controls
      • Physical controls
      • Technological controls
    • Earlier versions (e.g. 2013) had 114 controls across more categories. The update cleaned up redundancies, merged or removed some controls, and added or updated others to better reflect current practices and risk environments.
    • Each control in ISO 27002 offers:
      • A title
      • Purpose (why the control)
      • Guidance (how to implement)
      • Often attributes or metadata to help organizations sort or filter controls (e.g. risk type, domain, control type).

    Process for Using ISO 27002 Controls

    Here is a typical process an organization might follow when using ISO 27002:

    1. Risk Assessment / Context Definition
      • Identify assets, threats, vulnerabilities.
      • Define impact, likelihood, risk appetite.
    2. Select Controls
      • Review ISO 27002 controls in light of risks found.
      • Determine which controls are relevant / feasible given business, technical and legal context.
    3. Customize or Tailor Controls
      • Adapt the implementation guidance to fit size, industry, regulatory obligations, etc.
      • If certain controls are inapplicable, document why.
    4. Document Deployment
      • Policies, procedures, responsibilities, scope.
      • Evidence of implementation: logs, settings, configuration, training records etc.
    5. Monitor & Measure
      • Monitor performance of deployed controls.
      • Internal audits, metrics, reviews.
    6. Update & Improve
      • As the threat environment, business model, or technology change, revisit controls.
      • Add or adjust controls; decommission obsolete ones.

    Real-World Examples & Use Cases

    • A tech startup moving into regulated sectors (e.g. handling sensitive customer data) uses ISO 27002 to identify which controls it needs to put in place quickly (access control, encryption, incident response) to satisfy both contract requirements and customers’ trust.
    • A manufacturing company integrating suppliers and third parties into its network uses ISO 27002 to define clear controls for supplier management, secure communication, audit logs, and physical security of facilities.
    • A cloud service provider designing a compliance program for clients leverages ISO 27002 guidance to shape its internal policies, technical configuration (e.g. encryption, network monitoring), workforce training, and incident reporting.
    • An organization seeking ISO 27001 certification uses ISO 27002 to build out its Annex A (the control set) implementations, and also as a reference when assessing whether controls are implemented effectively.

    How Apptega Supports ISO 27002 Guidance & Implementation

    • In the Apptega Framework Library, ISO 27002 is offered as one of the frameworks you can adopt to guide the selection and implementation of controls. It helps you map controls to your ISO 27001 assessment and manage evidence and documentation.
    • In the ISO 27001 Compliance Guide, Apptega discusses “Comparing ISO Control Categorization: ISO 27001, Annex A, and ISO 27002” which helps clarify how ISO 27002 relates to ISO 27001 controls.
    • Apptega supports control-crosswalking, evidence collection, task tracking, and audit readiness so that organizations implementing ISO 27002 guidance can keep documentation up to date and simplify reporting.

    FAQ

    Can an organization get certified to ISO 27002 by itself?

    No. ISO 27002 is not a certifiable standard. It provides guidance and best practices. Certification happens via ISO 27001. However, implementing ISO 27002 controls strongly supports ISO 27001 compliance and certification.

    How is ISO 27002 different from ISO 27001?

    • ISO 27001 is a requirements standard: it specifies what an Information Security Management System (ISMS) must have (policies, scope, risk processes, documentation, etc.).
    • ISO 27002 is a guidelines standard: it provides best practice guidance on how to implement specific security controls (from Annex A of ISO 27001) and how to operationalize them.
    • ISO 27001 is certifiable; ISO 27002 is not certifiable by itself.

    How many controls are there in ISO 27002:2022 and how are they grouped?

    • There are 93 controls in the 2022 edition of ISO 27002.
    • They are grouped into four themes: Organizational, People, Physical, and Technological.

    Do businesses have to implement all controls listed in ISO 27002?

    • No. Organizations should select controls based on their risk assessment and business context. Many controls may not be relevant, or may be too costly relative to risk; in those cases organizations document which ones they omit and why.
    • The goal is to apply controls that are reasonable, appropriate, and justifiable given your risk appetite, regulatory or contractual requirements, and operational environment.

    What legal or contractual obligations are served by using ISO 27002 guidance?

    • Helps with data protection and privacy laws (e.g. GDPR, HIPAA, etc.) by showing you are using internationally recognized best practices for information security.
    • Helps satisfy contractual requirements where clients, partners, or vendors ask for evidence of strong controls.
    • Serves as evidence in audits or investigations that you have taken due care or diligence in selecting and implementing controls.

    Additional Resources from Apptega