AuditXYZ

Compliance Framework

ISO/IEC 27002:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Controls

ISO 27002 provides detailed implementation guidance for the 93 information security controls referenced by ISO 27001. Learn how to use it as your control selection and implementation companion.

$5,000–$50,0002–8 months2022
Request a ConsultationSee process
Issuing BodyInternational Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
First Published2000-02-15
Latest Version2022
Typical Cost$5,000–$50,000
Typical Timeline2–8 months
Audit RequiredNo
Audit FrequencyNot independently audited; controls are assessed as part of ISO 27001 certification audits
Geographyglobal

ISO 27002: Guide to Information Security Controls

ISO/IEC 27002 is the companion standard to ISO 27001, providing detailed implementation guidance for each of the 93 controls listed in Annex A. While ISO 27001 defines what an ISMS must achieve, ISO 27002 explains how to implement each control effectively.

What ISO 27002 Covers

The 2022 revision restructured controls from 14 domains into four themes: organizational, people, physical, and technological. Each control includes implementation guidance, explanatory notes, and attributes such as control type, cybersecurity concept, and operational capability. This attribute-based taxonomy makes it far easier to map controls to other frameworks and filter by relevance.

New controls added in the 2022 edition address modern threats including threat intelligence, cloud service security, ICT readiness for business continuity, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.

Who Needs ISO 27002

ISO 27002 is essential for anyone implementing ISO 27001. Security teams use it as a practical reference when designing controls, writing policies, and building procedures. Risk managers reference it when evaluating whether selected controls adequately address identified risks.

Organizations not pursuing ISO 27001 certification still benefit from ISO 27002 as a comprehensive control catalogue. It serves as a best-practice reference for building security programs regardless of whether formal certification is the goal.

How to Use ISO 27002

  1. Start with your risk assessment — Identify threats and vulnerabilities relevant to your organization
  2. Select applicable controls — Use the Statement of Applicability to determine which of the 93 controls apply
  3. Review implementation guidance — ISO 27002 provides detailed how-to for each control
  4. Adapt to your context — Tailor implementation guidance to your size, industry, and risk appetite
  5. Document decisions — Record why controls were selected or excluded

Relationship to ISO 27001

ISO 27002 does not carry its own certification. Organizations certify against ISO 27001, using ISO 27002 as the implementation guide. Auditors frequently reference ISO 27002 when evaluating whether controls meet the intent of Annex A requirements.

Get the ISO 27002 starter pack

By submitting, you agree to our privacy policy.

Framework Mappings

Related frameworks

iso-27001nist-800-53cis-controlsnist-csf

Get matched with a ISO 27002 auditor in 24 hours

Free, no-obligation — just tell us your email and we'll do the rest.

By submitting, you agree to our privacy policy.

Related Frameworks

CIS Controls
Framework
CIS Critical Security Controls provide a prioritized set of 18 cybersecurity best practices. Learn how to implement CIS Controls v8.1 based on your organization's size and resources.
View
ISO 27001
Framework
ISO 27001 is the international gold standard for information security management. This guide covers everything from scoping to certification, with real costs, timelines, and practical implementation advice.
View
NIST CSF
Framework
The NIST Cybersecurity Framework provides a flexible, risk-based approach to managing cybersecurity risk. Learn how CSF 2.0 helps organizations of all sizes improve their security posture.
View
NIST 800-53
Framework
NIST SP 800-53 Rev 5 defines over 1,000 security and privacy controls for federal systems and organizations. Learn how to navigate control baselines and implement effectively.
View

Recommended Tools

6clicks Review 2026: Pricing, Features, and Verdict
Tool
Review of 6clicks, the AI-powered GRC platform with hub-and-spoke architecture. Covers Hailey AI, multi-entity support, pricing, and ideal use cases.
View
Akitra Review 2026: Pricing, Features, and Verdict
Tool
Review of Akitra, a compliance automation platform with broad framework coverage including FedRAMP and CMMC. Covers pricing, features, and who should use it.
View
Anecdotes Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes, a compliance OS that aggregates security tool data. Covers the aggregation approach, AI gap analysis, and comparison with Vanta.
View
Anecdotes Trust Center Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes Trust Center, the compliance-as-code trust portal. Covers live compliance sync, developer-friendly approach, pricing, and positioning.
View