“This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organisations: (a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; (b) for implementing information security controls based on internationally recognized best practices; [and] (c) for developing organisation-specific information security management guidelines.”
ISO/IEC 27002 is a popular international standard describing a generic selection of ‘good practice’ information security controls, typically used to mitigate unacceptable risks to the confidentiality, integrity and availability of information.
Its lineage stretches back to BS 7799 in the mid-1990s.
ISO/IEC 27002 is an advisory document, a recommendation rather than a formal specification such as ISO/IEC 27001. Organisations are advised to identify and evaluate their own information risks, selecting and applying suitable information security controls to mitigate unacceptable risks using ISO/IEC 27002 and other relevant standards and sources for guidance.
Like governance and risk management, information security management is a broad topic with ramifications for all organisations. Information security, and hence ISO/IEC 27002, is relevant to all types of organisation including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies – in fact, any organisation that handles and depends on information. The specific information risks and hence control requirements differ in detail but there is a lot of common ground, for instance, most organisations need to address information risks relating to their employees plus contractors, consultants, and third party suppliers of various information and IT services such as cloud computing.
IMPORTANT! The standard is explicitly concerned with information security, meaning the security of all forms of information (e.g. computer data, documentation, knowledge, and intellectual property) and not just IT/systems/network/cyber security.
The standard lays out a ‘reference set’ of 93 generic information security controls and implementation guidance, categorized into 4 clauses based on these ‘themes’:
- Organisational controls – a large and misleadingly-named catch-all group of 37 controls that don’t fit neatly into the remaining themes;
- People controls – 8 controls involving or relating to people, e.g. individuals’ behaviours, activities, roles and responsibilities, terms and conditions of employment, etc.;
- Physical controls – 14 tangible controls to secure tangible [information] assets;
- Technological controls – 34 controls involving or relating to technologies, IT in particular.
The 93 controls are each tagged with one or more values from each of 5 ‘attributes’ so they can be grouped, selected or filtered in other ways too:
- Control type: preventive, detective and/or corrective;
- Information security properties: confidentiality, integrity and/or availability;
- Cybersecurity concepts: identify, protect, detect, respond and/or recover;
- Operational capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance;
- Security domains: governance and ecosystem, protection, defence and resilience.
This makes the standard even more complicated but reflects these complexities:
- A given control may have several applications (e.g. backups help protect against malware, hacks, bugs, accidents, mechanical breakdowns, fires etc., and can include deputies and multi-skilled replacements for critical people, and alternative suppliers/sources of necessary information services, as well as data backups);
- An unacceptable risk typically requires several controls (e.g. malware can be mitigated using backups, awareness, antivirus, network access controls plus IDS/IPS, authentication, patching, testing, system integrity controls etc., while avoiding infection can be a powerful approach if bolstered with controls such as policies and procedures, blacklisting etc.);
- Many of the ‘controls’ identified in the standard are not atomic, being composed of several smaller elements or pieces (e.g. backups involve strategies, policies and procedures, software, hardware, testing, incident recovery, physical protection of backup media etc.).
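To make the attribute scheme and the many-to-many relationship between risks and controls concrete, here is a small Python model. It is an added example, not code from the standard or from any project: the control names, the tags assigned to them and the risk register are constructed from the examples mentioned on this page (backups, awareness, antivirus, patching, a card access lock) and are hypothetical, while the theme and attribute vocabularies are the ones listed above. The model rejects tags outside that vocabulary, filters the catalogue by any combination of attributes, and checks whether a risk's chosen treatment spans all three control types.

```python
"""Toy model of ISO/IEC 27002:2022 themes and attributes (constructed example).

Not code from the standard or any project: the control names, their tags and
the risk-to-control mappings below are assumptions built from the examples on
the page (backups, awareness, antivirus, patching, a card access lock).
"""
from __future__ import annotations

from dataclasses import dataclass

THEMES = {"organisational", "people", "physical", "technological"}

# The five attributes and their permitted values, as listed in the standard.
ATTRIBUTES: dict[str, frozenset[str]] = {
    "control_type": frozenset({"preventive", "detective", "corrective"}),
    "properties": frozenset({"confidentiality", "integrity", "availability"}),
    "concepts": frozenset({"identify", "protect", "detect", "respond", "recover"}),
    "capabilities": frozenset({
        "governance", "asset management", "information protection",
        "human resource security", "physical security",
        "system and network security", "application security",
        "secure configuration", "identity and access management",
        "threat and vulnerability management", "continuity",
        "supplier relationships security", "legal and compliance",
        "information security event management", "information security assurance",
    }),
    "domains": frozenset({"governance and ecosystem", "protection", "defence", "resilience"}),
}


@dataclass
class Control:
    name: str
    theme: str                       # exactly one of the four themes
    tags: dict[str, frozenset[str]]  # one or more values per attribute

    def __post_init__(self) -> None:
        # Reject anything outside the standard's vocabulary so a catalogue
        # cannot silently drift into home-grown attribute values.
        if self.theme not in THEMES:
            raise ValueError(f"{self.name}: unknown theme {self.theme!r}")
        clean: dict[str, frozenset[str]] = {}
        for attr, allowed in ATTRIBUTES.items():
            values = frozenset(self.tags.get(attr, ()))
            if not values:
                raise ValueError(f"{self.name}: no value for attribute {attr!r}")
            if not values <= allowed:
                raise ValueError(f"{self.name}: invalid {attr} value(s) {sorted(values - allowed)}")
            clean[attr] = values
        self.tags = clean


CIA = ("confidentiality", "integrity", "availability")


def make(name, theme, *, ctype, concepts, caps, domains, props=CIA) -> Control:
    """Shorthand constructor; most controls serve all three properties."""
    return Control(name, theme, {
        "control_type": set(ctype), "properties": set(props),
        "concepts": set(concepts), "capabilities": set(caps), "domains": set(domains),
    })


# Constructed catalogue: hypothetical tags, not the standard's own.
CATALOGUE = [
    make("Backups", "technological", ctype=["corrective"], props=["integrity", "availability"],
         concepts=["recover"], caps=["continuity"], domains=["protection", "resilience"]),
    make("Anti-malware", "technological", ctype=["preventive", "detective", "corrective"],
         concepts=["protect", "detect"], caps=["system and network security"],
         domains=["protection", "defence"]),
    make("Awareness training", "people", ctype=["preventive"], concepts=["protect"],
         caps=["human resource security"], domains=["governance and ecosystem"]),
    make("Card access lock", "physical", ctype=["preventive"], concepts=["protect"],
         caps=["physical security"], domains=["protection"]),
    make("Patching", "technological", ctype=["preventive"], concepts=["identify", "protect"],
         caps=["threat and vulnerability management"], domains=["protection"]),
    make("Security monitoring", "technological", ctype=["detective"], concepts=["detect"],
         caps=["information security event management"], domains=["defence"]),
]

# Constructed risk register: one risk needs several controls, and one
# control (backups) serves several risks.
RISK_TREATMENTS = {
    "malware infection": ["Backups", "Awareness training", "Anti-malware", "Patching", "Security monitoring"],
    "fire": ["Backups"],
    "tailgating": ["Card access lock", "Awareness training", "Security monitoring"],
}


def select(controls, theme=None, **criteria) -> list[str]:
    """Names of controls matching a theme and/or one value per attribute,
    e.g. select(CATALOGUE, control_type="detective", properties="integrity")."""
    unknown = set(criteria) - set(ATTRIBUTES)
    if unknown:
        raise ValueError(f"unknown attribute(s) {sorted(unknown)}")
    return [c.name for c in controls
            if (theme is None or c.theme == theme)
            and all(value in c.tags[attr] for attr, value in criteria.items())]


def risks_addressed_by(control_name) -> list[str]:
    """Every risk whose treatment relies on the named control."""
    return sorted(r for r, names in RISK_TREATMENTS.items() if control_name in names)


def missing_control_types(risk) -> set[str]:
    """Control types (preventive/detective/corrective) that a risk's chosen
    treatment does not include: a quick defence-in-depth check."""
    by_name = {c.name: c for c in CATALOGUE}
    present = set()
    for name in RISK_TREATMENTS[risk]:
        present |= by_name[name].tags["control_type"]
    return set(ATTRIBUTES["control_type"]) - present


if __name__ == "__main__":
    print(select(CATALOGUE, control_type="detective"))
    print(risks_addressed_by("Backups"))
    for risk in RISK_TREATMENTS:
        print(risk, "lacks", sorted(missing_control_types(risk)) or "nothing")
```

Running the module shows the two filter styles the page describes (by theme, and by any mix of attribute values) and flags that, in this constructed register, the fire risk is treated only by a corrective control while malware is covered preventively, detectively and correctively. The same tagging would let an organisation add its own attributes by extending `ATTRIBUTES`.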
Some of the themes and attributes are arbitrarily assigned: for example, a commercial card access lock on a building entrance may fall into any, arguably all, of the four themes listed above, but if it and other such controls were covered several times, the standard would become unwieldy. More likely, it would be categorised as a physical control, possibly with references to other elements.
Organisations can define their own attributes as well.
An Information Security Management System as specified in ISO/IEC 27001 is a systematic approach to managing information risks, including the multitude of information security controls required to mitigate unacceptable risks plus other risk treatments: don’t forget that risks may be avoided, shared or accepted. The ISMS is a framework for managing them all, consistently.
ISO/IEC 27001 Annex A briefly summarises/outlines the information security controls from [the second edition of] ISO/IEC 27002 on the basis that they are generally applicable good practices, worth considering. However, organisations are free to implement whichever controls they feel are appropriate and necessary to mitigate their unacceptable information risks. Variants of the Annex A controls may well be better, and in some cases entirely different control suites (such as the new third edition of ISO/IEC 27002, or the NIST Cyber Security Framework) are more appropriate.
In practice, most organisations that adopt ISO/IEC 27001 also use Annex A and hence ISO/IEC 27002 as a general framework or structure for their controls, making various changes as necessary to suit their specific information risk treatment requirements.
Status of the standard
The first edition was published in 2005.
The second edition was published in 2013.
The completely restructured and updated third edition was published in February 2022.
There are officially 21 fewer controls in the third edition than the second despite adding 11 new controls. Several second edition controls have been updated or merged. The actual control count is far higher (a few hundred) if you distinguish all the ‘atomic controls’ mentioned in or implied by the details.
The next edition of ISO/IEC 27001 will replace Annex A with one that aligns with the 2022 version of ISO/IEC 27002, sometime this year (hopefully!). Other ISO27k standards based on ISO/IEC 27002 will also need to be updated in due course. Given the extensive changes in ‘27002, it will take SC 27 some time to work through them all.
ISO/IEC 27002 ISMS implementation guides
Note: these currently refer to the second edition and need to be updated.
A collection of ISMS implementation guidelines and sample documents is available to download in the free ISO27k Toolkit, and implementation tips are sprinkled liberally throughout our ISO27k FAQ.
ISO/IEC 27003 provides generic ISMS implementation guidance, focusing on the management system rather than the security controls.
There are also a few ‘sector-specific’ ISMS implementation guidelines i.e. ISO/IEC 27011 for the telecoms sector, ISO 27799 for healthcare, and ISO/IEC 27019 for the energy utility sector.
To purchase an official copy of this standard, visit www.iso.org