ISO 27002: Information Security Controls Explained

In the race to execute digital transformation strategies, the rear-view mirror never fails to shake off the looming cyber threats that are a significant stumbling block to any organizational objectives.

Today, nearly 48% of organizations are experiencing more cyberattacks than the previous year. Considering that the impacts go beyond data unavailability — looking at you, reputation damage and regulatory penalties — the need to secure information and the related IT systems continues to be a critical endeavor.

Addressing risks to information security requires the right set of controls that are geared towards effectively preventing or mitigating the afore listed impacts.

The ISO 27002 standard is one of the world’s leading guidelines for determining and implementing commonly accepted information security controls (measures to modify or maintain risks) that have been selected in accordance to an organization’s information risk treatment strategy. These controls include policies, processes, technology systems and other measures — all designed to preserve the confidentiality, integrity and availability of an enterprise’s information assets.

In this article, we will look at the origin story of the ISO 27002 standard, as well as its structure, and how to apply the guidelines.

History of ISO 27002

ISO 27002 began its journey as a British standard BS 7799:1995 that outlined how to setup an information security management infrastructure. It comprised two parts:

• Part 1 that was a code of practice for information security management.
• Part 2 that was a specification for information security management systems (ISMS).

The code of practice described operational, technical and people centric controls ranging from policies, systems access, processes and compliance among others. This standard was updated in 1999, to cover developments in networks and communications, as well as provide greater emphasis on business involvement in and responsibility for information security.

Origin timeline of the ISO 27002 Standard

The following year, Part 1 of BS 7799 was then adopted under a special “fast-track procedure” as an ISO standard ISO/IEC 17799:20000, which established guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It included a generic chapter on information risk management, grouping the controls into 11 broad topics as shown below.

A list of controls groupings in ISO/IEC 17799

This standard was then updated in 2005, then a decision was made to change its reference number from 17779 to 27002 which created the ISO/IEC 27002:2005 whose technical content was identical.

The ISO 27002 standard was then updated in 2013, and subsequently in 2022, with greater emphasis on addressing risks related to information security, introducing modern controls while also guiding organizations seeking to comply with the requirements of the ISO 27001 standard for establishing and maintaining information security management systems.

(Read all about ISO 27001, the companion to this standard.)

Structure of ISO 27002

The ISO 27002 standard provides a practical blueprint for organizations aiming to effectively safeguard their information assets against cyber threats.

Its third edition introduced a fundamental change in the grouping of the information security controls, presenting them using a simple taxonomy and associated attributes. The 93 controls were grouped into four main themes:

ISO/IEC 27002:2022 Controls Themes

• Organizational controls. Clause 5 of the standard presents 37 controls that do not fall under the other three themes, such as policies, compliance, business processes, and dealing with third party providers and external stakeholders.
• People controls. Clause 6 of the standard presents 8 controls that concern individual people including screening, onboarding and offboarding, training and remote working.
• Physical controls. Clause 7 describes 14 controls that concern physical objects such as buildings, perimeters, offices and workstations.
• Technological controls. Clause 8 offers 34 controls that concern technology including data, networks, and applications development and support.

In addition to the themes, each ISO 27002 control is assigned attributes as a way of creating different views that can cater for the perspectives of different stakeholders. These attributes can be used to sort, filter or present controls for presentation to selected audiences. The five attributes are as follow:

The attributes are generic, and organizations are encouraged to adapt them to their own context and even create their own attributes and views.

An example of how the attributes apply to a security control is shown in the table below. The hashtags are used to facilitate easy search across the standard.

The ISO 27002 standard presents each control in the following layout:

• Control title: Short name of the control.
• Attribute table: A table shows the value(s) of each attribute for the given control (as seen in the example above).
• Control: A summary of what the control is.
• Purpose: The reason why the control should be implemented.
• Guidance: Details of how the control should be implemented.
• Other information: Explanatory text or references to other related documents.

Applying the ISO 27002 guidelines: 3 use cases

Applicable to any organizational size or industry, the ISO 27002 standard serves as a reference for three main use cases.

Implementing controls to meet ISO 27001

First, use ISO 27002 to better enable your ISO 27001 alignment. You can determine and implement controls for information security treatment in an ISMS based on the ISO 27001 standard. The statement of applicability that an organization creates to meet the ISO 27001 requirements can borrow heavily from the list of controls in the ISO 27002 standard.

Implementing controls for compliance requirements

It can also be used as guidance for implementing commonly accepted information security controls for any compliance need such as PCI-DSS, HIPAA or GDPR.

Supporting risk-contextualized InfoSec

Finally, you can use this standard to support the development of industry and organizational-specific information security management guidelines, by considering their risk context.

Getting started with ISO 27002: prioritize your risks

Importantly, one should note that the ISO 27002 standard does not give a start point for implementing the controls. Organizations should use their risk management framework to do two things:

1. Identify the priority risks that need to be addressed.
2. Pick the applicable controls that can address the said risks.

The decisions on implementing the listed controls also have to be informed by the resources and investment versus the business value. There is no point investing millions of dollars to buy the latest and greatest security technology, while the value of the business data being protected is nowhere near that worth.

As the old Chinese saying goes “Don’t use a cannon to kill a mosquito.” The selection of controls should be a balanced approach that considers cost effectiveness and business impact in the even a security incident materializes.