ISO/IEC 27002 is an international standard providing a set of recommendations and best practices for implementing information security controls.
It provides a comprehensive set of recommendations and best practices to help organisations of all sizes and in all sectors to:
- Identify and assess their information security risks.
- Select and implement security measures to address these risks.
- Establish, implement, maintain and improve their information security management system (ISMS).
Its latest version is ISO/IEC 27002:2022, published in February 2022, which simplified and reorganised the controls into four main areas (organisational, people-related, physical and technological) and introduced new attributes to facilitate their application in a modern cybersecurity context.
More details
- International standard: ISO/IEC 27002 is developed and published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which means that it is recognised and applicable worldwide.
- Code of practice: unlike a certification standard such as ISO 27001, ISO 27002 is a guide and a collection of recommendations. It does not specify requirements for certification, but it does detail the security measures (or 'controls') that organisations can and should implement to manage their information security risks effectively. It serves as a reference for the development and implementation of an information security management system (ISMS).
- Information security, cybersecurity and privacy: the standard covers a broad spectrum of security, including not only information security in the broadest sense, but also cybersecurity (protection of digital systems and networks) and the protection of privacy (management of personal data). The 2022 edition places even greater emphasis on cybersecurity and privacy, reflecting today's evolving threats and concerns.
- Recommendations for information security measures (controls): the core of the ISO/IEC 27002 standard consists of a set of security measures, also known as security controls. These controls are actions or mechanisms that organisations can put in place to mitigate information security risks. They cover a wide range of areas, from security policies and physical security to information systems security and incident management.
Relationship with ISO/IEC 27001
It is crucial to understand the relationship between ISO/IEC 27002 and ISO/IEC 27001.
- ISO/IEC 27001 is the standard that specifies the requirements for an information security management system (ISMS). It is the certifiable standard.
- ISO/IEC 27002 is a code of practice that provides recommendations and guidelines for implementing the security controls listed and suggested in ISO 27001 Annex A. ISO 27002 details how to implement those controls to meet the requirements of ISO 27001.
In other words, an organisation wishing to obtain ISO 27001 certification will use ISO 27002 as a guide to select and implement the appropriate security measures. ISO 27002 is therefore an essential tool for implementing an ISMS compliant with ISO 27001.