ISO 27002 provides detailed implementation guidance for the 93 security controls referenced by ISO 27001, organized into four themes (Organizational, People, Physical, Technological) with attribute-based tagging for flexible filtering.
# ISO 27002
Domain: Risk Governance & Assurance (RGA), Strategic Planning & Hierarchy (SPH), Data Protection & Security (DPS)
ISO/IEC 27002 is the implementation playbook for information security controls. While its companion standard ISO 27001 defines the requirements for an Information Security Management System (ISMS), ISO 27002 provides the practical guidance organizations need to actually implement each security control effectively. Think of ISO 27001 as the blueprint and ISO 27002 as the construction manual with detailed instructions, materials lists, and quality specifications.
The standard exists because organizational security teams consistently struggled with a fundamental gap: ISO 27001 would specify that organizations must implement access control, but provided no guidance on what effective access control looked like in practice. Security professionals were left to interpret broad control objectives without concrete implementation guidance. ISO 27002 fills this implementation void with specific guidance on how to deploy, configure, and maintain each control.
The 2022 revision represents the most significant restructuring of the standard since its inception. The previous 14 control domains were consolidated into four streamlined categories: Organizational (37 controls covering governance, risk management, and policies), People (8 controls addressing human resource security and awareness), Physical (14 controls for environmental and physical protection), and Technological (34 controls spanning technical safeguards). More importantly, the revision introduced an attribute-based classification system that allows organizations to filter and organize controls by cybersecurity function, security property, operational capability, and security domain.
This restructuring reflects how modern security organizations actually operate. Instead of working through controls in the arbitrary order of the previous 14 domains, security teams can now organize their implementation efforts around operational realities like incident response capabilities or regulatory compliance requirements. The attribute system enables custom views that align with existing security frameworks and organizational structures.
Each control in ISO 27002 follows a consistent four-part structure: control description, purpose statement, implementation guidance, and supplementary information. The control description defines what the control does in operational terms. The purpose statement explains why the control matters and what security outcome it achieves. The implementation guidance provides specific steps, considerations, and options for deploying the control effectively. The supplementary information offers additional context, references to related controls, and guidance on customization for different organizational contexts.
Consider Control 5.7, Threat Intelligence, one of the new controls added in the 2022 revision. The control description specifies that "information relating to security threats shall be collected and analyzed to produce threat intelligence." The purpose statement explains that threat intelligence enables proactive security by identifying relevant threats before they impact the organization. The implementation guidance details how to establish threat intelligence sources, validate intelligence quality, integrate intelligence into security operations, and share intelligence with relevant stakeholders. The supplementary information references related controls like incident management and vulnerability management.
The attribute system transforms how organizations work with the controls. Each control is tagged with multiple attributes across five categories. Control type attributes identify whether a control is preventive, detective, or corrective. Information security property attributes map to confidentiality, integrity, and availability. Cybersecurity concept attributes align with the NIST Cybersecurity Framework functions of identify, protect, detect, respond, and recover. Operational capability attributes organize controls by areas such as governance, asset management, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, cryptography, supplier security, and incident management. Security domain attributes place each control in a broader domain such as governance and ecosystem, protection, defence, or resilience.
Security teams use these attributes to create focused implementation roadmaps. An organization building incident response capabilities can filter controls by the "respond" cybersecurity concept to see all controls that contribute to incident response effectiveness. A team working on cloud security can combine multiple filters to identify controls relevant to their specific environment and compliance requirements. This approach eliminates the traditional linear progression through all 93 controls in favor of targeted implementation aligned with business priorities and operational capabilities.
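The filtering described above, as an added example that is not from the article: a small Python model of the five-category attribute tagging, populated with the six controls the article names. The attribute values assigned to each control are illustrative sample tags chosen for the example, not a copy of the standard's official tables, and `select` and `maturity_roadmap` are helper names assumed here.

```python
# Added example: attribute-based filtering of an ISO 27002:2022-style control
# catalog. Control numbers/names follow the article; attribute tags are
# ILLUSTRATIVE sample values, not the standard's official attribute tables.
CATEGORIES = ("control_type", "property", "concept", "capability", "domain")
CIA = ("confidentiality", "integrity", "availability")

def ctl(ident, name, **tags):
    """Build one control record; a category not mentioned gets an empty tag set."""
    return {"id": ident, "name": name,
            **{c: frozenset(tags.get(c, ())) for c in CATEGORIES}}

CATALOG = [  # constructed sample catalog (six of the eleven 2022 controls)
    ctl("5.7", "Threat intelligence", property=CIA,
        control_type=("preventive", "detective", "corrective"),
        concept=("identify", "detect", "respond"),
        capability=("threat_and_vulnerability_management",), domain=("defence", "resilience")),
    ctl("5.23", "Information security for use of cloud services", property=CIA,
        control_type=("preventive",), concept=("protect",),
        capability=("supplier_relationships_security",), domain=("governance_and_ecosystem",)),
    ctl("5.30", "ICT readiness for business continuity", property=("availability",),
        control_type=("corrective",), concept=("respond",),
        capability=("continuity",), domain=("resilience",)),
    ctl("8.11", "Data masking", property=("confidentiality",), control_type=("preventive",),
        concept=("protect",), capability=("information_protection",), domain=("protection",)),
    ctl("8.12", "Data leakage prevention", property=("confidentiality",),
        control_type=("preventive", "detective"), concept=("protect", "detect"),
        capability=("information_protection",), domain=("protection", "defence")),
    ctl("8.28", "Secure coding", property=CIA, control_type=("preventive",), concept=("protect",),
        capability=("application_security", "system_and_network_security"), domain=("protection",)),
]

def select(catalog, **criteria):
    """Filter the catalog: within one category any listed value matches (OR);
    every category supplied must match (AND). Unknown categories are rejected
    rather than silently matching nothing."""
    unknown = set(criteria) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown attribute category: {sorted(unknown)}")
    return [c["id"] for c in catalog
            if all(c[cat] & frozenset(vals) for cat, vals in criteria.items())]

def maturity_roadmap(catalog):
    """Stage controls as the article suggests: preventive first, then detective,
    then corrective. A control carrying several types lands at its earliest stage only."""
    placed, stages = set(), {}
    for stage in ("preventive", "detective", "corrective"):
        stages[stage] = [c["id"] for c in catalog
                         if stage in c["control_type"] and c["id"] not in placed]
        placed.update(stages[stage])
    return stages

if __name__ == "__main__":
    print("respond view:", select(CATALOG, concept=["respond"]))
    print("confidentiality + detect:", select(CATALOG, property=["confidentiality"], concept=["detect"]))
    print("roadmap:", maturity_roadmap(CATALOG))
```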
The 2022 revision added eleven new controls addressing modern security challenges. Control 5.7 (Threat Intelligence) formalizes threat intelligence as a core organizational capability. Control 5.23 (Information Security for Use of Cloud Services) provides specific guidance for securing cloud environments. Control 5.30 (ICT Readiness for Business Continuity) addresses the integration of information and communications technology into business continuity planning. Controls 8.11 (Data Masking) and 8.12 (Data Leakage Prevention) respond to growing data protection requirements. Control 8.28 (Secure Coding) acknowledges that application security begins in the development process.
Organizations building their Statement of Applicability (SoA) for ISO 27001 certification use ISO 27002 as their primary reference. The SoA requires organizations to justify the inclusion or exclusion of each control based on their risk assessment and business context. ISO 27002's implementation guidance helps organizations understand what effective implementation looks like and whether a particular control is appropriate for their environment. The attribute system supports this process by enabling organizations to map controls to their specific risk profile and operational model.
The standard also supports security maturity progression. Organizations can begin with foundational controls marked as preventive and gradually add detective and corrective controls as their capabilities mature. The operational capability attributes help organizations understand control dependencies and optimal implementation sequences. For example, organizations need strong identity and access management capabilities before implementing advanced cryptography controls that depend on key management and access control integration.
ISO 27002 solves the implementation gap that derails most security programs. Organizations invest significant resources in achieving ISO 27001 certification only to discover that their controls are ineffective in practice because they focused on compliance documentation rather than operational security. Without clear implementation guidance, security teams default to checkbox compliance: deploying controls that meet audit requirements but fail to provide meaningful protection against real threats.
The business impact extends beyond compliance. Effective implementation of ISO 27002 controls provides measurable risk reduction. Organizations that follow the standard's implementation guidance experience fewer security incidents, faster incident response times, and improved regulatory compliance outcomes. The 2022 revision's focus on modern threats like cloud security and data leakage prevention directly addresses the attack vectors that cause the most business damage in contemporary threat environments.
Poor implementation carries serious consequences. Organizations with ineffective access controls suffer privileged access abuse. Those with inadequate incident response capabilities experience extended dwell times that amplify breach damage. Companies that implement security awareness programs without following ISO 27002's people-focused controls continue to experience phishing and social engineering attacks. The standard's implementation guidance directly addresses these failure modes with specific countermeasures and deployment strategies.
The economic argument for proper implementation is compelling. Organizations that treat ISO 27002 as implementation guidance rather than compliance documentation report lower total cost of security ownership. Properly implemented controls reduce the need for expensive compensating controls and emergency response measures. The standard's emphasis on integration and automation leads to operational efficiencies that offset implementation costs within the first year of deployment.
Common misconceptions about ISO 27002 limit its effectiveness. Many organizations view it as prescriptive rather than adaptive, implementing controls exactly as described without customization for their environment. The standard explicitly encourages adaptation based on organizational context, risk profile, and business requirements. Another misconception treats ISO 27002 controls as independent rather than integrated. The attribute system and cross-references between controls emphasize that effective security comes from coordinated control implementation, not isolated control deployment.
The standard's global adoption creates network effects that benefit individual organizations. Suppliers, partners, and customers increasingly expect ISO 27002-aligned security controls as a baseline for business relationships. Organizations with mature ISO 27002 implementations can demonstrate security capabilities through standardized language and frameworks that accelerate vendor assessments, partnership negotiations, and customer acquisition processes.
CDA approaches ISO 27002 through the lens of Perpetual Compliance Assurance (PCA), which holds that "compliance is not an event, it is a state." Most organizations implement ISO 27002 controls in preparation for certification audits, creating a compliance event with a beginning and an end. Controls are implemented, documented, and demonstrated for the auditor. After certification, the controls begin to drift as operational pressures override compliance requirements. By the next audit cycle, the organization has recreated the same implementation challenges they solved the previous year.
PCA reframes ISO 27002 implementation as a continuous operational state rather than a project with a defined endpoint. Controls are designed for perpetual operation with built-in monitoring, automated compliance validation, and continuous improvement processes. The 2022 revision's attribute system aligns naturally with PCA principles by enabling dynamic control management based on changing threat landscapes, business requirements, and operational capabilities.
The Risk Governance & Assurance (RGA) domain owns ISO 27002 implementation strategy and oversight. RGA establishes the governance framework that determines which controls to implement, how to customize them for organizational context, and how to measure their ongoing effectiveness. The Strategic Planning & Hierarchy (SPH) domain manages the operational aspects of control implementation, including resource allocation, implementation sequencing, and integration with existing security capabilities. The Data Protection & Security (DPS) domain handles the technical implementation of controls that directly protect data assets and information systems.
This multi-domain approach reflects CDA's understanding that effective security controls require governance oversight, strategic coordination, and technical execution. Organizations that assign ISO 27002 implementation to a single team or domain typically struggle with either governance gaps, resource constraints, or technical implementation challenges. The CDA model distributes responsibilities according to domain expertise while maintaining coordination through the PDM framework.
CDA differs from conventional ISO 27002 implementation in several key ways. Traditional approaches implement controls in the order they appear in the standard or based on audit requirements. CDA prioritizes controls based on risk reduction impact and operational feasibility, using the attribute system to create implementation roadmaps aligned with business priorities. Conventional implementations often treat controls as isolated requirements. CDA emphasizes control integration and synergy, designing control sets that reinforce each other and provide defense in depth.
The CDA approach also emphasizes automation and continuous monitoring from the initial implementation phase. Instead of implementing manual controls that require periodic review, CDA designs controls with automated compliance validation and exception reporting. This approach transforms ISO 27002 from a compliance burden into an operational capability that provides continuous security assurance.
• ISO 27002 provides the practical implementation guidance that transforms ISO 27001's control objectives into operational security capabilities, with the 2022 revision introducing an attribute-based system that enables dynamic control management aligned with business priorities.
• The four-part control structure (description, purpose, guidance, supplementary information) combined with five attribute categories enables organizations to create customized implementation roadmaps based on cybersecurity function, operational capability, and organizational context rather than following the standard's sequential order.
• Effective implementation requires treating ISO 27002 as adaptive guidance rather than prescriptive requirements, with controls customized for organizational risk profile, business model, and operational environment while maintaining the standard's core security objectives.
• The standard's business value comes from operational security improvement rather than compliance achievement, with properly implemented controls providing measurable risk reduction, operational efficiency gains, and competitive advantages in security-conscious markets.
• Modern organizations should implement ISO 27002 as a continuous operational state rather than a periodic compliance project, using automation and continuous monitoring to maintain control effectiveness and adapt to evolving threats and business requirements.
• [Perpetual Compliance Assurance (PCA): Compliance Is a State]
• [ISO 27001 Implementation Framework]
• [Risk Assessment and Treatment Planning]
• [Security Control Testing and Validation]
• [Compliance Automation and Continuous Monitoring]
• ISO/IEC 27002:2022. Information security, cybersecurity and privacy protection — Information security controls. International Organization for Standardization.
• NIST Cybersecurity Framework Version 1.1. National Institute of Standards and Technology Special Publication 800-53.
• Information Security Forum. "ISO 27002:2022 Implementation Guide." ISF-22-001, 2022.
• ISACA. "Mapping of ISO/IEC 27002:2022 to COBIT 2019." ISACA Technical Brief, 2022.
Written by CDA Editorial