ISO/IEC 27002:2022 is the implementation companion to ISO 27001. Where ISO 27001 defines the requirements for an Information Security Management System (ISMS) and lists the controls in Annex A, ISO 27002 provides the detailed guidance on how to implement each of those controls. The two standards share the same 93 controls, but ISO 27002 adds the context, implementation options, and operational detail that Annex A deliberately leaves out. This guide explains what ISO 27002 covers, how the controls are structured, and how to use the standard effectively alongside ISO 27001.
ISO/IEC 27002:2022, formally titled “Information security, cybersecurity and privacy protection — Information security controls,” is a guidance standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was most recently revised on 15 February 2022.
The standard provides a reference set of information security controls together with implementation guidance for each control. It is not certifiable on its own. Organisations cannot be “ISO 27002 certified.” Certification is issued against ISO 27001, which defines the management system requirements. ISO 27002 exists to help organisations decide which controls to implement and how to implement them.
In practice, the relationship works like this: ISO 27001 Annex A lists 93 controls with a one-line description of each. ISO 27002 takes each of those 93 controls and expands it into a multi-page section that includes the control statement, purpose, implementation guidance, and supplementary information. When an auditor assesses your ISMS against ISO 27001, they will reference ISO 27002 to understand what “good implementation” looks like for each applicable control.
The two standards are designed to be used together, but they serve different functions.
|   | ISO 27001 | ISO 27002 |
|---|---|---|
| Type | Requirements standard (certifiable) | Guidance standard (not certifiable) |
| Purpose | Defines what an ISMS must include | Explains how to implement information security controls |
| Controls | Lists 93 controls in Annex A (one-line descriptions) | Provides detailed implementation guidance for all 93 controls |
| Audience | Management, auditors, certification bodies | Security practitioners, control owners, implementation teams |
| Mandatory? | Yes, for certification | No, but strongly recommended as implementation reference |
The workflow is straightforward. An organisation conducting a risk assessment under ISO 27001 identifies which controls from Annex A are applicable. The Statement of Applicability (SoA) documents which controls are included and excluded. For each included control, the organisation uses ISO 27002 to determine how to implement it in a way that is appropriate for the organisation’s size, risk profile, and operating environment.
Organisations pursuing ISO 27001 certification are not required to purchase or formally reference ISO 27002, but in practice nearly every organisation uses it as the primary implementation reference. Auditors also use it as a benchmark for evaluating whether controls are implemented adequately.
ISO 27002:2022 organises its 93 controls into four thematic categories. This structure was introduced in the 2022 revision, replacing the 14-domain structure used in the previous edition.
Organisational controls address policies, governance, and management-level measures that apply across the entire organisation. They cover information security policies, roles and responsibilities, threat intelligence, asset management, access control policies, supplier relationships, incident management, and compliance. This is the largest category because many information security controls are fundamentally about how the organisation governs and manages risk rather than about specific technical measures.
Key controls in this category include information security policies (A.5.1), information security risk management processes, asset inventory and classification, identity management, and supplier security requirements.
People controls focus on the human element of information security. They cover screening processes before employment, terms and conditions of employment, information security awareness and training, disciplinary processes, responsibilities after termination, confidentiality agreements, and remote working arrangements.
This is the smallest category at eight controls, but the implementation guidance in ISO 27002 is substantial. Each control includes specific recommendations for what organisations should consider when designing their human resource security processes.
Physical controls address the protection of premises, equipment, and physical assets. They cover security perimeters, physical entry controls, office and facility security, physical security monitoring, protection against environmental threats, working in secure areas, clear desk and clear screen policies, equipment siting and protection, security of assets off-premises, storage media handling, and supporting utilities.
Technological controls form the second-largest category and cover the technical measures that protect information systems. They include user endpoint devices, privileged access rights, information access restriction, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, configuration management, information deletion, data masking, data leakage prevention, backup, redundancy, logging, monitoring, network security, web filtering, use of cryptography, secure development lifecycle, security testing, and secure coding.
Several of the 11 new controls introduced in the 2022 revision sit in this category, including configuration management (A.8.9), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28).
For each of the 93 controls, ISO 27002 provides four layers of detail that Annex A does not.
Control statement. A concise definition of what the control requires. This matches the Annex A description but is sometimes expanded with additional qualifying language.
Purpose. An explanation of why the control exists and what security objective it addresses. This is useful for risk assessment and for justifying control inclusion in the SoA.
Implementation guidance. The core of ISO 27002. This section provides specific, actionable recommendations for how to implement the control. It typically includes multiple sub-points covering different aspects or scenarios. For example, the implementation guidance for A.8.2 (Privileged access rights) covers how to identify privileged accounts, how to authorise and review privileged access, how to manage privileged credentials, and how to log and monitor privileged activity.
Other information. Supplementary context, references to related controls, and notes on how the control intersects with other standards or regulations. This section often points to specific ISO or IEC standards that provide deeper technical guidance for a given topic.
This layered structure means that ISO 27002 is significantly longer than Annex A. Where Annex A covers all 93 controls in approximately 20 pages, ISO 27002 devotes roughly 150 pages to the same controls with full implementation detail.
ISO 27002:2022 introduced a control attribute system that tags each control with metadata across five dimensions. These attributes provide alternative views of the control set beyond the four thematic categories.
These attributes are informative, not normative. They are not audited. Their value is practical: they allow organisations to filter and view the control set from different perspectives depending on the task at hand. A security operations team might filter by “Detective” and “Respond” to identify the controls most relevant to their monitoring and incident response work.
ISO 27002 is a reference document, not a checklist. The standard itself states that organisations should select controls based on the results of their risk assessment, not implement every control regardless of applicability. Here is how to use it effectively.
During risk treatment. After completing the risk assessment, use ISO 27002 to evaluate which controls from Annex A are appropriate for treating each identified risk. The implementation guidance section helps you determine whether a control is relevant and what level of implementation is proportionate to the risk.
During implementation. For each control you include in the SoA, use the ISO 27002 implementation guidance as a baseline for designing your specific policies, procedures, and technical measures. The guidance provides the minimum expectations. Your implementation may go beyond the guidance where your risk profile demands it.
During internal audit. Use ISO 27002 as the benchmark for evaluating whether controls are operating effectively. The implementation guidance defines what “good” looks like, and internal auditors can compare actual practice against the guidance to identify gaps.
During gap analysis. Organisations preparing for ISO 27001 certification often use ISO 27002 as the basis for a self-assessment or readiness check. Walking through the implementation guidance for each applicable control reveals where the organisation meets expectations and where additional work is needed.
Can you get certified in ISO 27002?
No. ISO 27002 is a guidance standard, not a requirements standard. Certification is issued against ISO 27001, which defines the ISMS requirements. ISO 27002 provides implementation guidance for the controls listed in ISO 27001 Annex A, but it is not auditable or certifiable on its own.
Is ISO 27002 mandatory for ISO 27001 certification?
Purchasing or formally referencing ISO 27002 is not a requirement for ISO 27001 certification. However, ISO 27002 is the recognised reference for implementing the Annex A controls, and auditors use it as a benchmark. In practice, most organisations use it as their primary implementation guide.
How many controls does ISO 27002 have?
ISO 27002:2022 contains 93 controls organised into four categories: Organisational (37), People (8), Physical (14), and Technological (34). These are the same 93 controls that appear in ISO 27001:2022 Annex A.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 defines the requirements for establishing, implementing, maintaining, and improving an ISMS. It is the certifiable standard. ISO 27002 provides detailed implementation guidance for the security controls listed in ISO 27001 Annex A. It explains how to implement each control, not just what the control is. Organisations use ISO 27001 for the management system framework and ISO 27002 for the practical control implementation detail.
Implementing the controls from ISO 27002 across an organisation requires structured tracking, evidence collection, and policy documentation for each applicable control. Copla’s platform maps every ISO 27002 control to the corresponding Annex A reference and tracks implementation status, evidence, and ownership in a single view. The onboarding process begins with a structured intake that generates the core policy and procedure pack, and Copla’s consultants work alongside your team to scope the Statement of Applicability, close control gaps, and prepare for the Stage 1 and Stage 2 audits. For organisations maintaining multiple frameworks, controls documented for ISO 27001 carry over to SOC 2, NIS2, or DORA without duplicating effort.
Book a consultation with Copla to walk through how this would look for your team.