ISO/IEC 27002:2022 - Information security controls

<div class="standard-number ">ISO/IEC 27002:2022</div>
<div class="standard-title">Information security, cybersecurity and privacy protection — Information security controls</div>
<div class="standard-edition"> Edition&nbsp;3<br/>2022-02</div> </div> </div> <div class="col-12 col-xs-8 order-1 order-xs-2"> <div class="visually-hidden" itemprop="category"></div> <div class="visually-hidden" itemprop="name">ISO/IEC 27002:2022</div> <div class="visually-hidden" itemprop="productID">75652</div> <div class="visually-hidden" itemprop="brand" itemscope itemtype=""> <div itemprop="logo" itemscope itemtype=""> <meta itemprop="url" content="/modules/isoorg-template/img/iso/iso-logo-print.gif"/> <meta itemprop="width" content="350"> <meta itemprop="height" content="350"> </div> <meta itemprop="name" content="ISO - International Organization for Standardization"> </div> <nav role="navigation" aria-label="Children Navigation" class="heading-condensed nav-relatives"> <div class="row"> <div class="col-md-7"> <h2>What is ISO/IEC 27002?</h2> <p>ISO/IEC 27002 is an international standard that provides guidance for organizations looking to <strong>establish, implement, and improve an Information Security Management System</strong> (ISMS) focused on <strong>cybersecurity</strong>. While ISO/IEC 27001 outlines the requirements for an ISMS, ISO/IEC 27002 offers best practices and control objectives related to key cybersecurity aspects including <strong>access control, cryptography, human resource security, and incident response</strong>. The standard serves as a <strong>practical blueprint</strong> for organizations aiming to effectively safeguard their information assets against cyber threats. By following ISO/IEC 27002 guidelines, companies can take a proactive approach to cybersecurity risk management and protect critical information from unauthorized access and loss.</p> <h2>Why is ISO/IEC 27002 important?</h2> <p>The rapidly evolving digital landscape has ushered in unprecedented opportunities for businesses, but it has also introduced a myriad of vulnerabilities and threats. ISO/IEC 27002 emerges as a <strong>crucial tool</strong> in this context, <strong>assisting organizations in navigating the intricate web of information security challenges</strong>. It equips businesses with a tried and tested <strong>framework of best practices</strong>, ensuring they not only protect their sensitive data but also foster trust among stakeholders, clients, and partners. 
</p><h2>Benefits</h2> <ul class="list-unstyled" id="benefits" role="list"> <li><i class="bi bi-check-circle-fill text-success"></i>&nbsp;<strong>Comprehensive Security Framework</strong>: Provides a detailed set of guidelines and best practices covering various dimensions of information security.</li> <li><strong><i class="bi bi-check-circle-fill text-success"></i> Risk Management</strong>: Enables organizations to identify, assess, and effectively manage information security risks.</li> <li><strong><i class="bi bi-check-circle-fill text-success"></i> Enhanced Stakeholder Trust</strong>: Demonstrates a commitment to safeguarding sensitive data, bolstering the organization&#39;s credibility.</li> <li><strong><i class="bi bi-check-circle-fill text-success"></i></strong> <strong>Regulatory Compliance</strong>: Assists in adhering to various legal, contractual, and regulatory data protection mandates.</li> <li><strong><i class="bi bi-check-circle-fill text-success"></i> Operational Resilience</strong>: Reduces the likelihood of security incidents that can disrupt business operations.</li> <li><strong><i class="bi bi-check-circle-fill text-success"></i> Competitive Advantage</strong>: In a data-driven marketplace, having a robust information security posture can differentiate an organization from its competitors.</li> </ul><h3>FAQ</h3><div class="accordion faqs" id="id-e542296c-0e62-4902-9272-7e588416b15c"> <div class="accordion-item"> <h3 class="accordion-header" id="heading-0c2bfded-8fb5-46a3-b825-667a540b44e3"><button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#id-0c2bfded-8fb5-46a3-b825-667a540b44e3" aria-expanded="true" aria-controls="id-0c2bfded-8fb5-46a3-b825-667a540b44e3"> Who should adopt ISO/IEC 27002?</button> </h3><div id="id-0c2bfded-8fb5-46a3-b825-667a540b44e3" 
class="accordion-collapse collapse " aria-labelledby="heading-0c2bfded-8fb5-46a3-b825-667a540b44e3" data-bs-parent="#id-e542296c-0e62-4902-9272-7e588416b15c"> <div class="accordion-body"> <p><strong>Any organization</strong>, irrespective of size or industry, that aims to bolster its information security framework, particularly those that have or are pursuing ISO/IEC 27001 certification.</p> </div> </div> </div><div class="accordion-item"> <h3 class="accordion-header" id="heading-df628438-129f-4975-862d-a9efd7ba4ed8"><button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#id-df628438-129f-4975-862d-a9efd7ba4ed8" aria-expanded="true" aria-controls="id-df628438-129f-4975-862d-a9efd7ba4ed8"> How does ISO/IEC 27002 relate to ISO/IEC 27001?</button> </h3><div id="id-df628438-129f-4975-862d-a9efd7ba4ed8" class="accordion-collapse collapse " aria-labelledby="heading-df628438-129f-4975-862d-a9efd7ba4ed8" data-bs-parent="#id-e542296c-0e62-4902-9272-7e588416b15c"> <div class="accordion-body"> <p>While ISO/IEC 27001 specifies the <strong>requirements</strong> for establishing an ISMS, ISO/IEC 27002 provides the <strong>detailed best practices and controls</strong> that can be applied within the ISMS.</p> </div> </div> </div><div class="accordion-item"> <h3 class="accordion-header" id="heading-64f490ec-c36a-452f-a438-88b5368f87b9"><button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#id-64f490ec-c36a-452f-a438-88b5368f87b9" aria-expanded="true" aria-controls="id-64f490ec-c36a-452f-a438-88b5368f87b9"> Does ISO/IEC 27002 lead to certification?</button> </h3><div id="id-64f490ec-c36a-452f-a438-88b5368f87b9" class="accordion-collapse collapse " aria-labelledby="heading-64f490ec-c36a-452f-a438-88b5368f87b9" data-bs-parent="#id-e542296c-0e62-4902-9272-7e588416b15c"> <div class="accordion-body"> <p><strong>No</strong>, ISO/IEC 27002 provides best practice recommendations and cannot be certified 
to. But organizations <strong>can get certified to ISO/IEC 27001</strong> which references ISO/IEC 27002 guidance.</p> </div> </div> </div><div class="accordion-item"> <h3 class="accordion-header" id="heading-9596024c-c083-402f-a4cf-0baceff0225f"><button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#id-9596024c-c083-402f-a4cf-0baceff0225f" aria-expanded="true" aria-controls="id-9596024c-c083-402f-a4cf-0baceff0225f"> Does ISO/IEC 27002 cover cybersecurity threats?</button> </h3><div id="id-9596024c-c083-402f-a4cf-0baceff0225f" class="accordion-collapse collapse " aria-labelledby="heading-9596024c-c083-402f-a4cf-0baceff0225f" data-bs-parent="#id-e542296c-0e62-4902-9272-7e588416b15c"> <div class="accordion-body"> <p><strong>Yes</strong>, the standard encompasses a broad range of information security topics, including those related to <strong>cybersecurity threats and vulnerabilities</strong>.</p> </div> </div> </div></div></div> <div class="col-md-4 col-md-offset-1"> <div class="d-flex justify-content-between align-items-center"> <h3>General information</h3> </div> <ul class="refine"> <li> <div class="" id="publicationStatus"> <div class="entry-label">Status</div>&nbsp;:&nbsp;<span>Published</span> </div> <div class="" id="publicationDate"> <div class="entry-label">Publication date</div>&nbsp;:&nbsp;<span itemprop="releaseDate">2022-02</span> <br/> <div class="entry-label">Corrected version (en)</div>&nbsp;:&nbsp;<span itemprop="dateModified">2022-03</span> </div> <div class="" id="stageId"> <div class="entry-label">Stage</div> : International Standard published [<a class="page-scroll" href="#lifecycle">60.60</a>] </div> </li> <li> <div class=""> <div class="entry-label">Edition</div>&nbsp;:&nbsp;3</div> <div class=""> <div class="entry-label">Number of pages</div>&nbsp;:&nbsp;152</div> </li> <li> <div> <div class="entry-label">Technical Committee&nbsp;:</div> <span class="entry-name entry-block"> <a title="Information 
security, cybersecurity and privacy protection" href="/committee/45306.html">ISO/IEC JTC 1/SC 27</a></span> </div> <div> <div class="entry-label"><abbr class="popover-primary" tabindex="0" role="button" data-bs-toggle="popover" data-bs-custom-class="popover-light text-sm shadow-sm pt-2" data-bs-trigger="focus" data-bs-placement="bottom" data-bs-content="International Classification for Standards">ICS</abbr>&nbsp;:</div> <span class="entry-name entry-block"> <a title="IT Security" href="/ics/35.030.html"> 35.030</a>&nbsp; </span> </div> </li> <li class="text-xs"> <i class="bi-rss-fill me-1 align-baseline text-sm" style="color: #F99000;"></i><a href="/contents/data/standard/07/56/75652.detail.rss">RSS</a>&nbsp;updates</li> </ul> </div> </div> </div> </section> </div> <section id="lifecycle" class="z-2"> <div class="container"> <div class="row"> <div class="col-md-12"> <h3>Life cycle</h3> <div class="lifecycle"> <ul class="steps"> <li class="time-step"> <h4 class="ms-sm-3 text-muted">Previously</h4> <div class="step step-dark"> <div class="step-item"> <div class="section-head">Withdrawn</div> <h5><a href="/standard/54533.html">ISO/IEC 27002:2013</a></h5> </div> <div class="step-item"> <div class="section-head">Withdrawn</div> <h5><a href="/standard/66806.html">ISO/IEC 27002:2013/Cor 1:2014</a></h5> </div> <div class="step-item"> <div class="section-head">Withdrawn</div> <h5><a href="/standard/69379.html">ISO/IEC 27002:2013/Cor 2:2015</a></h5> </div> </div> </li> <li class="time-step"> <h4 class="ms-sm-3 text-muted">Now</h4> <div class="step step-success active"> <div class="section-head">Published</div> <h5>ISO/IEC 27002:2022</h5> <a data-bs-toggle="collapse" role="button" aria-expanded="false" href="#stages" class="dropdown-toggle current-stage text-sm collapsed">Stage: <strong>60.60</strong></a> </div> <ul class="stages collapse" id="stages"> <li class="dropdown alert-info"> <a href="javascript:void(0)" role="button" aria-haspopup="true" aria-expanded="false"> <span 
class="stage-code">00</span> <div class="stage-title">Preliminary</div> </a> </li> <li class="dropdown alert-info"> <a href="javascript:void(0)" class="dropdown-toggle" data-bs-display="static" data-bs-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"> <span class="stage-code">10</span> <div class="stage-title">Proposal</div> </a> <ul class="dropdown-menu"> <li > <a href="/stage-codes.html#10_99"> <span class="stage-code">10.99</span> <span class="stage-date">2018-03-26</span> <div class="stage-title"> New project approved</div> </a> </li></ul> </li> <li class="dropdown alert-info"> <a href="javascript:void(0)" class="dropdown-toggle" data-bs-display="static" data-bs-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"> <span class="stage-code">20</span> <div class="stage-title">Preparatory</div> </a> <ul class="dropdown-menu"> <li > <a href="/stage-codes.html#20_00"> <span class="stage-code">20.00</span> <span class="stage-date">2018-03-26</span> <div class="stage-title"> New project registered in TC/SC work programme</div> </a> </li><li > <a href="/stage-codes.html#20_20"> <span class="stage-code">20.20</span> <span class="stage-date">2018-06-07</span> <div class="stage-title"> Working draft (WD) study initiated</div> </a> </li><li > <a href="/stage-codes.html#20_60"> <span class="stage-code">20.60</span> <span class="stage-date">2018-07-28</span> <div class="stage-title"> Close of comment period</div> </a> </li><li > <a href="/stage-codes.html#20_20"> <span class="stage-code">20.20</span> <span class="stage-date">2018-11-16</span> <div class="stage-title"> Working draft (WD) study initiated</div> </a> </li><li > <a href="/stage-codes.html#20_60"> <span class="stage-code">20.60</span> <span class="stage-date">2019-02-05</span> <div class="stage-title"> Close of comment period</div> </a> </li><li > <a href="/stage-codes.html#20_20"> <span class="stage-code">20.20</span> <span class="stage-date">2019-05-20</span> <div 
class="stage-title"> Working draft (WD) study initiated</div> </a> </li><li > <a href="/stage-codes.html#20_60"> <span class="stage-code">20.60</span> <span class="stage-date">2019-07-17</span> <div class="stage-title"> Close of comment period</div> </a> </li></ul> </li> <li class="dropdown alert-info"> <a href="javascript:void(0)" class="dropdown-toggle" data-bs-display="static" data-bs-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"> <span class="stage-code">30</span> <div class="stage-title">Committee</div> </a> <ul class="dropdown-menu"> <li > <a href="/stage-codes.html#30_00"> <span class="stage-code">30.00</span> <span class="stage-date">2019-11-15</span> <div class="stage-title"> Committee draft (CD) registered</div> </a> </li><li > <a href="/stage-codes.html#30_20"> <span class="stage-code">30.20</span> <span class="stage-date">2019-11-15</span> <div class="stage-title"> CD consultation initiated</div> </a> </li><li > <a href="/stage-codes.html#30_60"> <span class="stage-code">30.60</span> <span class="stage-date">2020-02-08</span> <div class="stage-title"> Close of comment period</div> </a> </li><li > <a href="/stage-codes.html#30_92"> <span class="stage-code">30.92</span> <span class="stage-date">2020-05-28</span> <div class="stage-title"> CD referred back to Working Group</div> </a> </li><li > <a href="/stage-codes.html#30_20"> <span class="stage-code">30.20</span> <span class="stage-date">2020-05-28</span> <div class="stage-title"> CD consultation initiated</div> </a> </li><li > <a href="/stage-codes.html#30_60"> <span class="stage-code">30.60</span> <span class="stage-date">2020-07-24</span> <div class="stage-title"> Close of comment period</div> </a> </li><li > <a href="/stage-codes.html#30_99"> <span class="stage-code">30.99</span> <span class="stage-date">2020-11-20</span> <div class="stage-title"> CD approved for registration as DIS</div> </a> </li></ul> </li> <li class="dropdown alert-info"> <a href="javascript:void(0)" 
class="dropdown-toggle" data-bs-display="static" data-bs-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"> <span class="stage-code">40</span> <div class="stage-title">Enquiry</div> </a> <ul class="dropdown-menu"> <li > <a href="/stage-codes.html#40_00"> <span class="stage-code">40.00</span> <span class="stage-date">2020-11-26</span> <div class="stage-title"> DIS registered</div> </a> </li><li > <a href="/stage-codes.html#40_20"> <span class="stage-code">40.20</span> <span class="stage-date">2021-01-28</span> <div class="stage-title"> DIS ballot initiated: 12 weeks</div> </a> </li><li > <a href="/stage-codes.html#40_60"> <span class="stage-code">40.60</span> <span class="stage-date">2021-04-23</span> <div class="stage-title"> Close of voting</div> </a> </li><li > <a href="/stage-codes.html#40_99"> <span class="stage-code">40.99</span> <span class="stage-date">2021-08-20</span> <div class="stage-title"> Full report circulated: DIS approved for registration as FDIS</div> </a> </li></ul> </li> <li class="dropdown alert-info"> <a href="javascript:void(0)" class="dropdown-toggle" data-bs-display="static" data-bs-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"> <span class="stage-code">50</span> <div class="stage-title">Approval</div> </a> <ul class="dropdown-menu"> <li > <a href="/stage-codes.html#50_00"> <span class="stage-code">50.00</span> <span class="stage-date">2021-08-23</span> <div class="stage-title"> Final text received or FDIS registered for formal approval</div> </a> </li><li > <a href="/stage-codes.html#50_20"> <span class="stage-code">50.20</span> <span class="stage-date">2021-10-21</span> <div class="stage-title"> Proof sent to secretariat or FDIS ballot initiated: 8 weeks</div> </a> </li><li > <a href="/stage-codes.html#50_60"> <span class="stage-code">50.60</span> <span class="stage-date">2021-12-17</span> <div class="stage-title"> Close of voting. 
Proof returned by secretariat</div> </a> </li></ul> </li> <li class="dropdown bg-success active"> <a href="javascript:void(0)" class="dropdown-toggle" data-bs-display="static" data-bs-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"> <span class="stage-code">60</span> <div class="stage-title">Publication</div> </a> <ul class="dropdown-menu"> <li > <a href="/stage-codes.html#60_00"> <span class="stage-code">60.00</span> <span class="stage-date">2021-12-17</span> <div class="stage-title"> International Standard under publication</div> </a> </li><li class="active"> <a href="/stage-codes.html#60_60"> <span class="stage-code">60.60</span> <span class="stage-date">2022-02-15</span> <div class="stage-title"> International Standard published</div> </a> </li></ul> </li> <li class="dropdown alert-muted"> <a href="javascript:void(0)" class="dropdown-toggle" data-bs-display="static" data-bs-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"> <span class="stage-code">90</span> <div class="stage-title">Review</div> </a> <ul class="dropdown-menu"> <li class='list-separation'> <a href="/stage-codes.html#90_20"> <span class="stage-code">90.20</span> <span class="stage-date"></span> <div class="stage-title"> International Standard under systematic review</div> </a> </li><li > <a href="/stage-codes.html#90_60"> <span class="stage-code">90.60</span> <span class="stage-date"></span> <div class="stage-title"> Close of review</div> </a> </li><li > <a href="/stage-codes.html#90_92"> <span class="stage-code">90.92</span> <span class="stage-date"></span> <div class="stage-title"> International Standard to be revised</div> </a> </li><li > <a href="/stage-codes.html#90_93"> <span class="stage-code">90.93</span> <span class="stage-date"></span> <div class="stage-title"> International Standard confirmed</div> </a> </li><li > <a href="/stage-codes.html#90_99"> <span class="stage-code">90.99</span> <span class="stage-date"></span>