What is ISO/IEC 27002? 

ISO/IEC 27002 is an international standard that provides detailed guidelines for implementing information security controls. It complements ISO 27001, which focuses on the requirements for establishing an Information Security Management System (ISMS). ISO 27002 offers a comprehensive set of best practices for the security controls identified in Annex A of ISO 27001. It is an essential resource for organizations looking for guidance on information security best practices.

To whom does it apply?

ISO 27002 is applicable to all organisations, regardless of size, type or industry. Its purpose is to help organisations select and implement appropriate security controls, according to the risks they face.

ISO 27002 Controls

The standard groups its controls into four main categories:

    Organizational controls

    The main objective of these controls is to provide an operational framework for information security. They focus on:

    • Definition of governance structures and roles.
    • Establishing clear policies.
    • Fostering a culture of information security.
    • Ensuring regulatory compliance.
    • Proactive risk management.
    • Adaptability to change.
    • Encouraging a constant search for improvement.

    People controls

    These controls recognise the importance of the human factor in information security. They focus on:

    • Staff awareness and training.
    • Establishment of secure recruitment processes.
    • Clear definition of responsibilities in recruitment.
    • Regular appraisals and discipline for non-compliance.
    • Termination protocols that ensure continuity of security.

    Physical controls

    Security is not only digital, and these controls address tangible protection. They address:

    • Safeguarding of equipment and devices.
    • Protection of storage media.
    • Security of physical facilities.
    • Preventive measures against incidents, whether natural or intentional.

    Technological controls

    With a focus on technology infrastructure, these controls cover:

    • Secure processes from design to implementation of systems.
    • Network maintenance and configuration.
    • Ongoing monitoring.
    • Periodic analysis and testing.
    • Incident audit and recovery procedures.

    ISO 27002 provides 93 detailed controls but emphasizes flexibility, enabling organizations to select and implement controls that best fit their specific needs. It serves as a guide rather than a mandate, aiming to assist in the creation of efficient and effective security management systems.

Connection between ISO 27001 and ISO 27002

ISO 27001 and ISO 27002 are closely related standards that work together to establish and maintain effective information security management within an organization:

ISO 27001: This standard specifies the requirements for an Information Security Management System (ISMS). It provides a framework through which organizations manage information security risks in a systematic way. ISO 27001 outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS, which is a structured approach to managing sensitive company information so that it remains secure.

ISO 27002: This standard provides guidelines and best practices for implementing the controls listed in Annex A of ISO 27001. It details a comprehensive set of security controls and organizational measures that organizations can use to address the specific security risks they face. ISO 27002 is thus a supporting document that offers practical guidance on how to implement the security controls defined in ISO 27001.

Relationship:

Complementary Standards: ISO 27001 sets out the requirements for an ISMS, while ISO 27002 provides the guidelines and best practices for implementing the controls necessary to meet those requirements.

Implementation Guidance: ISO 27002 helps organizations interpret the requirements of ISO 27001 and offers practical advice on how to design and implement specific security controls.

Customization: ISO 27002 allows organizations to adapt the security controls to their specific context, taking into account their size, structure, risk profile, and regulatory requirements.

To sum up, ISO 27001 specifies what needs to be achieved (requirements for an ISMS), while ISO 27002 provides guidance on how to achieve it (implementation guidance for security controls). Together, they form a comprehensive framework for managing information security effectively within an organization.