What is ISO 27002?
ISO 27002 is an international standard that provides implementation guidance for the information security controls referenced in ISO 27001 Annex A. While ISO 27001 specifies the requirements for an ISMS and lists controls in Annex A, ISO 27002 explains how to implement each control in practice. It is a guidance document, not a certification standard — organizations are certified against ISO 27001, not ISO 27002.
Relationship to ISO 27001
ISO 27001 and ISO 27002 work together as a pair:
- ISO 27001 defines the management system requirements and lists controls in Annex A with brief descriptions
- ISO 27002 expands on each Annex A control with detailed guidance, purpose statements, and implementation considerations
Think of ISO 27001 Annex A as the "what" (which controls to consider) and ISO 27002 as the "how" (practical guidance for implementation). When an organization is deciding how to implement a particular Annex A control, ISO 27002 is the primary reference.
Structure of ISO 27002:2022
The 2022 revision of ISO 27002 reorganized its structure to match the updated Annex A in ISO 27001:2022:
- Clause 5: Organizational controls (37 controls) — covering policies, asset management, access control, supplier relationships, and more
- Clause 6: People controls (8 controls) — covering hiring, training, awareness, and termination
- Clause 7: Physical controls (14 controls) — covering physical security, equipment, and environmental protection
- Clause 8: Technological controls (34 controls) — covering endpoint security, access management, cryptography, network security, and secure development
What each control entry includes
For each of the 93 controls, ISO 27002 provides:
- Control statement — what the control requires
- Purpose — why the control exists and what risk it addresses
- Guidance — detailed recommendations for implementation
- Other information — additional context, references, or considerations
This structure makes ISO 27002 a practical handbook for security teams tasked with designing and implementing controls.
Control attributes
ISO 27002:2022 introduced control attributes, a new concept that lets organizations filter and view the controls from different perspectives:
- Control type — preventive, detective, or corrective
- Information security properties — confidentiality, integrity, or availability
- Cybersecurity concepts — mapped to identify, protect, detect, respond, or recover (aligned with NIST CSF)
- Operational capabilities — such as governance, asset management, identity management, or threat management
- Security domains — governance and ecosystem, protection, defense, or resilience
These attributes help organizations map ISO 27002 controls to other frameworks and organize their control environment by operational function.
When to use ISO 27002
ISO 27002 is valuable in several scenarios:
- Implementing ISO 27001 — as the primary reference for how to implement Annex A controls
- Designing a security program — even without pursuing certification, ISO 27002 provides a comprehensive set of best practices
- Gap analysis — comparing current controls against ISO 27002 guidance to identify areas for improvement
- Cross-framework mapping — the control attributes facilitate mapping to SOC 2, NIST CSF, and other frameworks
How episki helps
episki incorporates ISO 27002 guidance directly into its control library, providing implementation recommendations alongside each Annex A control. This helps your team understand not just what controls are needed but how to implement them effectively. Learn more on our ISO 27001 compliance page.