ISO/IEC 27002:2022
Information Security, Cybersecurity, and Privacy Protection
"This document provides a set of general information security controls, including an implementation guide. This document is designed for use by organizations to implement information security controls based on internationally recognized best practices within the context of an information security management system (ISMS) based on ISO/IEC 27001 and to develop organization-specific information security management guides."
Introduction
ISO/IEC 27002 is a popular international standard that defines a general selection of 'good practice' information security controls typically used to reduce unacceptable risks to the confidentiality, integrity, and availability of information. Its origins, through its predecessor standards, date back over 30 years.
ISO/IEC 27002 is a guidance document rather than a formal specification like ISO/IEC 27001. Organizations are recommended to identify and assess their own information risks, then select and implement appropriate information security controls to reduce unacceptable risks, using ISO/IEC 27002 and other relevant standards and resources for guidance.
Like governance and risk management, information security management is a broad subject and an ongoing process that every organization must follow.
Information security, and thus ISO/IEC 27002, is relevant to any type of organization that processes and relies on information, including commercial businesses of all sizes (from sole traders to multinational corporations), non-profit organizations, charities, government agencies, and semi-autonomous bodies. The specific information risks, and thus the control requirements, vary in detail, but there are many commonalities: for example, most organizations need to address information risks associated with employees and with the various information and IT service providers they depend on, such as cloud providers, contractors, consultants, and third-party suppliers.