Most businesses tend to be familiar with the ISO/IEC 27001 standard for information security, but how much do you know about ISO/IEC 27002? In today’s blog, we are going through the basics of the ISO/IEC 27000 series, with a view to demystifying ISO 27002 and demonstrating the value it brings to organisations looking to certify to ISO 27001.
What is the ISO 27000 series?
To understand ISO 27002, we must first go back to the basics, starting with: What is the ISO 27000 series?
The ISO 27000 series constitutes a family of internationally accepted information security standards that have been jointly published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC).
The standards outline the best practices for managing information security risks within the framework of an Information Security Management System (ISMS). The purpose of these standards is to foster best information security practices within the certified organisations. Accordingly, the ISO 27000 series enables organisations to enhance their information security, data privacy, and information technology protections.
What is ISO/IEC 27001?
The next step towards understanding ISO/IEC 27002 involves securing our knowledge on ISO/IEC 27001.
ISO 27001 is the primary standard of the ISO 27000 series. It is an internationally recognised standard that specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. Its overarching aim is to help organisations protect themselves against cyberattacks and secure their sensitive information.
The latest revision of the standard is ISO/IEC 27001:2022. Organisations certified to ISO/IEC 27001:2013 have until 31 October 2025 to transition their ISMS and certification to the 2022 edition.
In order to certify their Information Security Management Systems to ISO 27001, businesses must meet the requirements of seven mandatory clauses:
- Clause 4: Context of the Organisation
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance Evaluation
- Clause 10: Improvement
The official ISO 27001 standard contains detailed directions regarding the specific requirements of these clauses.
Beyond this, ISO 27001 also contains Annex A, which lists a reference set of information security controls. Each organisation determines, through its risk assessment and risk treatment (clause 6.1), which of these controls are applicable to its business and how it will implement and monitor them, and records the outcome, including the justification for any control it excludes, in a Statement of Applicability. All of the controls marked as applicable must then be implemented if a business is to successfully certify to ISO 27001. There are 93 controls in Annex A of the 2022 edition, grouped into the following four clauses:
- A.5: Organisational controls (37 controls)
- A.6: People controls (8 controls)
- A.7: Physical controls (14 controls)
- A.8: Technological controls (34 controls)
The ISO 27001 standard only outlines these controls in brief, and does not offer a comprehensive view of their specific requirements.
In summary, ISO 27001 is the standard that businesses certify their Information Security Management Systems to. The standard consists of seven groups of mandatory requirements, which are set out in detail in the document. Annex A of the standard also briefly outlines additional security controls which must be adhered to if they are applicable to an organisation’s business.
What is ISO/IEC 27002?
Now that we have a good understanding of ISO/IEC 27001, we can finally move on to look at ISO 27002.
ISO/IEC 27002:2022 is formally titled “Information security, cybersecurity and privacy protection – Information security controls” (earlier editions were titled “Code of practice for information security controls”). It is a supplementary standard that provides guidance to organisations on how to implement the security controls listed in Annex A of ISO 27001. Whilst Annex A states each control in a sentence or two, ISO 27002 sets out, for each control, its purpose, detailed implementation guidance and other points to consider, and tags each control with attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) that can be used to filter and group the controls. ISO 27002 is therefore not a certifiable standard, but a standard that supports businesses certifying to ISO 27001.
As such, ISO 27001 and 27002 are intended to be used together, to create a comprehensive roadmap which directs businesses on how to successfully certify to ISO 27001. Organisations should first implement the mandatory requirements in ISO 27001 and determine which Annex A controls are relevant to their business, and then turn to ISO 27002 for detailed guidance on implementing these controls.
Mirroring the structure of ISO 27001 Annex A, ISO 27002 divides the same 93 controls into four clauses:
- Clause 5: Organisational controls
- Clause 6: People controls
- Clause 7: Physical controls
- Clause 8: Technological controls
In summary, organisations should use ISO 27002 to help them implement the applicable controls from Annex A of ISO 27001. Accordingly, the standard acts as supplementary guidance that assists businesses in certifying to the 27001 standard.
Why should you use ISO 27002?
ISO 27001 alone is a fairly lengthy document, so you might be wondering whether you really need to go into the detail of ISO 27002 when you have already gone through the summary in Annex A. Accordingly, the final issue to address is how this extra step will benefit your business.
1. Additional layer of security
ISO 27002 offers a level of detail well beyond that found in Annex A of ISO 27001, and can therefore highlight gaps in how your organisation has implemented a control that you might otherwise overlook. Used this way, the supplementary standard helps to bolster your security and protect your organisation.
2. Increased trust from customers and partners
Taking the additional step to understand the different controls and ensure that your organisation is implementing all the relevant ones will demonstrate your organisation’s commitment to information security. This will engender trust and respect from your partners and clients.
3. Efficient use of resources
Using ISO 27002 to understand the purpose of each control and the situations in which it applies will help your organisation make efficient use of its budget: controls can be scoped to what your risk assessment actually requires, and exclusions can be properly justified in the Statement of Applicability, so you do not spend time or money implementing controls that are not required for your business to certify to ISO 27001.
If that isn’t enough, it is important to point out that ISO 27002 offers a clear, easy-to-follow guide on how to implement the relevant controls. If you are committed to creating an effective Information Security Management System, then referencing the standard is a non-negotiable!
Want help certifying to ISO 27001?
If your business is looking to certify to ISO/IEC 27001:2022, our experts are ready to help! Whether you need advice on which controls are applicable for your business, guidance on implementing the necessary processes, or assistance in conducting a pre-audit assessment, we are here to help.
Get in contact with our experts today, so we can get the ball rolling on ISO/IEC 27001:2022!