ISO 27002

The ISO/IEC 27002 standard is the security controls framework associated with ISO/IEC 27001. It is a structured catalogue of controls designed to address the risks identified by the ISMS (Information Security Management System) defined under ISO/IEC 27001.

Comprising 93 physical and logical security controls, ISO/IEC 27002 details each control, recalls the objective to be achieved, and recommends one or more implementation measures.

The ISO/IEC 27002 standard, also referred to as the ISO/IEC 27001 toolbox, is a recognized reference for addressing most physical and logical security threats and for implementing the requirements of directives such as NIS 2 and CER in Europe. It is structured around four themes grouping 93 security controls.

Each control includes a title, a set of attributes, a description, an objective, and implementation guidance.

Key takeaways:

  • ISO/IEC 27002 is not a checklist. Each control must be adapted to the organization’s context, documented, and monitored.
  • ISO/IEC 27002 is not certifiable; it supports the implementation of the controls listed in Annex A of ISO/IEC 27001.
  • A Statement of Applicability (SoA) is used to formalize and justify, within the ISMS (ISO/IEC 27001), the decisions made for each security control (ISO/IEC 27002).

The 4 ISO 27002 Themes

Organizational Controls (37 – Clause 5)

They cover governance, policies, risk management, supplier relationships, and compliance. Examples include:

  • information security policies,
  • identity and access management,
  • supply chain security,
  • incident management.

People-related Controls (8 – Clause 6)

They address the human factor throughout the HR lifecycle. Examples include:

  • awareness and training,
  • contractual clauses,
  • remote working,
  • offboarding management.

Physical Security Controls (14 – Clause 7)

They protect premises, equipment, and physical environments. Examples include:

  • physical perimeters and access controls,
  • surveillance,
  • environmental threats,
  • media security.

Technological Controls (34 – Clause 8)

They relate to information systems, networks, and applications. Examples include:

  • secure authentication,
  • logging and monitoring,
  • encryption,
  • secure application development.

ISO/IEC 27002 Attributes

Each security control is associated with attributes that enable a cross-cutting view of ISO/IEC 27002, simplifying control mapping, alignment with directives such as NIS 2 / CER, and the justification of decisions made. You may even define your own attributes, but the intent is to remain generic.

There are five different attributes:

  • Control type: indicates when and how the control affects risk.
  • Security property: indicates which information property is preserved.
  • Cybersecurity concept: indicates the objective of the control.
  • Operational capabilities: indicate the skills and roles involved in the control.
  • Security domains: refer to the four domains of information security.

Control type

  • Preventive
  • Detective
  • Corrective

Security Property

  • Confidentiality
  • Integrity
  • Availability

Cybersecurity concept

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Operational capabilities

  • Governance
  • Asset management
  • Physical security
  • System and network security

Security domains

  • Governance and ecosystem
  • Protection
  • Defense
  • Resilience

Use case 1: I am looking to identify preventive controls aimed at ensuring data integrity. I can achieve this by first filtering by control type, then by security property.

Use case 2: I am responsible for access control systems and want to list controls related to badge readers. I use the Operational capabilities filter and apply the value “Physical_security”.

Example of a Security Control

Let’s take an example to visualize what a security control looks like:

Theme: Physical security controls (Clause 7)
Title: Physical entry points (Clause 7.2)
Attributes:

Security control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: Physical security, Identity and access management
Security domains: Protection

Description: Secured areas should be protected by appropriate access security measures and entry points.

Objective: Ensure that only authorized physical access to the organization’s information and other associated assets is permitted.

Recommendations (extracts): Access points should be monitored. The following guidelines should be taken into account: updating and revoking authorizations; authentication mechanisms such as access cards, biometrics, or two-factor authentication; reinforcement of measures when the likelihood of a physical incident increases; creation and protection of access logs; authentication and monitoring of visitors.

As you can see, the recommendations are fairly detailed but must be complemented by expert guidance from a qualified provider (in this case, particularly regarding badges, readers, and the access control management system) in order to identify the most appropriate solutions.

Statement of Applicability (SoA)

The Statement of Applicability (SoA) is a core element of an ISMS compliant with ISO/IEC 27001:2022. It formalizes, for each of the 93 security controls defined in ISO/IEC 27002:2022, the organization’s decision to include or exclude the control, along with the associated justification.

The SoA demonstrates that the security controls implemented are directly derived from the risk assessment and aligned with the organization’s context, business objectives, and applicable legal, regulatory, and contractual requirements.

As discussed above, ISO/IEC 27002 provides the reference framework used to document these decisions: control description, intended security objectives, implementation guidance, and associated attributes. A control may be excluded where the corresponding risk does not exist, is accepted, or is addressed by alternative measures, provided that the decision is clearly documented, justified, and regularly reviewed.

The SoA is therefore neither a checklist nor a purely documentary exercise. It is a security governance tool, essential for demonstrating consistency, relevance, and traceability of security controls within the ISMS.

In practice, the SoA is formalized as a structured document listing all 93 controls of ISO/IEC 27002:2022, specifying at a minimum for each control:

  • the control status (applicable or not applicable),
  • the justification for this decision,
  • the link to identified risks,
  • the selected implementation measures,
  • references to existing policies, procedures, or operational controls.

This document is only valid if it is kept up to date and effectively reviewed during internal and external audits, as well as by top management.

The objective is not to apply all 93 controls, but to build a coherent, proportionate, and traceable security framework based on risk. The details are outlined above.
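The two attribute use cases above and the five minimum SoA fields are easy to operate on once controls are held as data. The Python below is an added example, not code from this page, from SPAC Alliance or from the standard: it models a control with its five attributes, filters a catalogue the way use cases 1 and 2 describe, and checks a Statement of Applicability for the minimum content listed above. Attribute values are written in the hashtag style of the page's filter example (“Physical_security”); the 7.2 entry copies the attributes from the worked example, while the other four controls, their attribute values, and the SoA entries are constructed samples and assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One ISO/IEC 27002 control with its five attributes (each a set of values)."""
    clause: str
    title: str
    control_type: frozenset
    security_property: frozenset
    cybersecurity_concept: frozenset
    operational_capabilities: frozenset
    security_domains: frozenset


def _c(clause, title, ctype, props, concepts, caps, domains):
    """Small constructor so the catalogue below stays readable."""
    return Control(clause, title, frozenset(ctype), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


# Constructed sample catalogue. 7.2 carries the attribute values from the page's
# worked example; the other entries are illustrative assumptions, added only so
# that the filters return more than one row.
CATALOGUE = [
    _c("7.2", "Physical entry controls", ["Preventive"],
       ["Confidentiality", "Integrity", "Availability"], ["Protect"],
       ["Physical_security", "Identity_and_access_management"], ["Protection"]),
    _c("5.15", "Access control", ["Preventive"],
       ["Confidentiality", "Integrity", "Availability"], ["Protect"],
       ["Identity_and_access_management"], ["Protection"]),
    _c("8.13", "Information backup", ["Corrective"],
       ["Integrity", "Availability"], ["Recover"], ["Continuity"], ["Protection"]),
    _c("8.15", "Logging", ["Detective"],
       ["Confidentiality", "Integrity", "Availability"], ["Detect"],
       ["Information_security_event_management"], ["Protection", "Defence"]),
    _c("8.24", "Use of cryptography", ["Preventive"],
       ["Confidentiality", "Integrity", "Availability"], ["Protect"],
       ["Secure_configuration"], ["Protection"]),
]


def filter_controls(controls, **criteria):
    """Keep the controls whose attribute sets contain every requested value.

    Keyword names are Control attribute fields; a value may be one string or an
    iterable of strings, all of which must be present (AND semantics), so
    successive filters, as in use case 1, are one call with several keywords.
    """
    wanted = {k: ({v} if isinstance(v, str) else set(v)) for k, v in criteria.items()}
    return [c for c in controls if all(w <= getattr(c, k) for k, w in wanted.items())]


# Minimum content of an SoA entry, as listed on the page.
SOA_FIELDS = ("status", "justification", "risks", "measures", "references")
STATUSES = ("applicable", "not applicable")


def validate_soa(soa, controls):
    """Return the list of problems found in an SoA (an empty list means consistent).

    `soa` maps a clause id to a dict with the five minimum fields. Every catalogue
    control must appear, every entry needs a valid status and a justification, and
    an applicable control must name at least one risk and one implementation measure.
    """
    problems = []
    known = {c.clause for c in controls}
    for control in controls:
        entry = soa.get(control.clause)
        if entry is None:
            problems.append(f"{control.clause}: not covered by the SoA")
            continue
        for name in SOA_FIELDS:
            if name not in entry:
                problems.append(f"{control.clause}: field '{name}' missing")
        if entry.get("status") not in STATUSES:
            problems.append(f"{control.clause}: status must be one of {STATUSES}")
        if not entry.get("justification"):
            problems.append(f"{control.clause}: decision is not justified")
        if entry.get("status") == "applicable":
            for name in ("risks", "measures"):
                if not entry.get(name):
                    problems.append(f"{control.clause}: applicable but no {name} listed")
    problems += [f"{clause}: unknown control id" for clause in soa if clause not in known]
    return problems


# Constructed SoA with three deliberate defects (an unjustified exclusion, an
# applicable control without measures, and a control left out entirely).
SAMPLE_SOA = {
    "7.2": {"status": "applicable", "justification": "Server room on site",
            "risks": ["R-07 unauthorised physical access"],
            "measures": ["badge readers on all entry points", "visitor log"],
            "references": ["PHY-POL-01"]},
    "5.15": {"status": "applicable", "justification": "All staff use the IS",
             "risks": ["R-02 excessive privileges"], "measures": ["RBAC in the IdP"],
             "references": ["IAM-POL-02"]},
    "8.13": {"status": "not applicable", "justification": "",
             "risks": [], "measures": [], "references": []},
    "8.15": {"status": "applicable", "justification": "Needed for NIS 2 reporting",
             "risks": ["R-11 undetected intrusion"], "measures": [],
             "references": ["LOG-PROC-01"]},
}

if __name__ == "__main__":
    print("Use case 1:", [c.clause for c in filter_controls(
        CATALOGUE, control_type="Preventive", security_property="Integrity")])
    print("Use case 2:", [c.clause for c in filter_controls(
        CATALOGUE, operational_capabilities="Physical_security")])
    for problem in validate_soa(SAMPLE_SOA, CATALOGUE):
        print("SoA problem:", problem)
```

The validator encodes the page's own rule that an exclusion is acceptable only when documented and justified, and that an applicable control must be traceable to a risk and to a chosen measure; extending the catalogue to all 93 controls turns it into a completeness check that can run before each SoA review.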

The 93 ISO/IEC 27002 Security Controls

Clause 5 – Organizational Security Controls (37)
  • 5.1 Information security policies
  • 5.2 Information security roles and responsibilities
  • 5.3 Segregation of duties
  • 5.4 Management responsibilities
  • 5.5 Contact with authorities
  • 5.6 Contact with special interest groups
  • 5.7 Threat intelligence
  • 5.8 Information security in project management
  • 5.9 Inventory of information and other associated assets
  • 5.10 Acceptable use of information and other associated assets
  • 5.11 Return of assets
  • 5.12 Information classification
  • 5.13 Information labeling
  • 5.14 Information transfer
  • 5.15 Access control
  • 5.16 Identity management
  • 5.17 Authentication information
  • 5.18 Access rights
  • 5.19 Information security in supplier relationships
  • 5.20 Information security within supplier agreements
  • 5.21 Managing information security in the ICT supply chain
  • 5.22 Monitoring, review, and change management of supplier services
  • 5.23 Information security for use of cloud services
  • 5.24 Information security incident management planning and preparation
  • 5.25 Assessment and decision-making for information security events
  • 5.26 Response to information security incidents
  • 5.27 Learning from information security incidents
  • 5.28 Collection of evidence
  • 5.29 Information security during disruption
  • 5.30 ICT readiness for business continuity
  • 5.31 Legal, statutory, regulatory, and contractual requirements
  • 5.32 Intellectual property rights
  • 5.33 Protection of records
  • 5.34 Privacy and protection of personally identifiable information
  • 5.35 Independent review of information security
  • 5.36 Compliance with information security policies and standards
  • 5.37 Documented operating procedures

Clause 6 – People-related Security Controls (8)
  • 6.1 Screening
  • 6.2 Terms and conditions of employment
  • 6.3 Information security awareness, education, and training
  • 6.4 Disciplinary process
  • 6.5 Responsibilities after termination or change of employment
  • 6.6 Confidentiality or non-disclosure agreements
  • 6.7 Remote working
  • 6.8 Reporting information security events

Clause 7 – Physical Security Controls (14)
  • 7.1 Physical security perimeters
  • 7.2 Physical entry controls
  • 7.3 Securing offices, rooms, and facilities
  • 7.4 Physical security monitoring
  • 7.5 Protection against physical and environmental threats
  • 7.6 Working in secure areas
  • 7.7 Clear desk and clear screen
  • 7.8 Equipment siting and protection
  • 7.9 Security of assets off-premises
  • 7.10 Storage media
  • 7.11 Supporting utilities
  • 7.12 Cabling security
  • 7.13 Equipment maintenance
  • 7.14 Secure disposal or reuse of equipment

Clause 8 – Technological Security Controls (34)
  • 8.1 User endpoint devices
  • 8.2 Privileged access rights
  • 8.3 Information access restriction
  • 8.4 Access to source code
  • 8.5 Secure authentication
  • 8.6 Capacity management
  • 8.7 Protection against malware
  • 8.8 Management of technical vulnerabilities
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.13 Information backup
  • 8.14 Redundancy of information processing facilities
  • 8.15 Logging
  • 8.16 Monitoring activities
  • 8.17 Clock synchronization
  • 8.18 Use of privileged utility programs
  • 8.19 Installation of software on operational systems
  • 8.20 Network security
  • 8.21 Security of network services
  • 8.22 Network segregation
  • 8.23 Web filtering
  • 8.24 Use of cryptography
  • 8.25 Secure development lifecycle
  • 8.26 Application security requirements
  • 8.27 Secure system engineering and architecture principles
  • 8.28 Secure coding
  • 8.29 Security testing in development and acceptance
  • 8.30 Outsourced development
  • 8.31 Separation of development, test, and operational environments
  • 8.32 Change management
  • 8.33 Test information
  • 8.34 Protection of information systems during audit testing

ISO 27002 Services

Join SPAC Alliance

The SPAC Alliance Club is particularly well suited if you are concerned by ISO/IEC 27002 and provides knowledge, tools, training, and support from all members.

You can submit your application to become a SPAC Alliance Member, contribute with us to building European sovereignty, and defend the interests of our market.