ISO/IEC 27002:2022 is an international standard that provides a comprehensive and practical guide for organizations seeking to implement, maintain, and strengthen information security within an Information Security Management System (ISMS).
While ISO/IEC 27001 defines the requirements an ISMS must meet — and is certifiable — ISO/IEC 27002 complements it by offering guidelines, control objectives, and best practices to effectively implement security controls.
In this way, the standard serves as a flexible and adaptable framework that helps organizations protect their information assets against a wide range of cyber threats, while simultaneously enhancing their resilience and cybersecurity maturity.
Structure of ISO/IEC 27002:2022
The 2022 version of ISO 27002 adopts a clearer, risk-based structure, organized into four main control domains:
- Organizational Controls (Clause 5): Policies, roles, risk management, supplier relationships, legal compliance, and security governance. (Examples: information classification, supplier management, threat intelligence, project security management.)
- People Controls (Clause 6): Human factors influencing security, including personnel selection, training, remote work, and incident reporting. (Examples: awareness programs, confidentiality agreements, disciplinary procedures.)
- Physical Controls (Clause 7): Protection of physical environments, equipment, and facilities. (Examples: physical access control, asset storage, environmental protection, secure disposal of devices.)
- Technological Controls (Clause 8): Technical measures to protect systems, networks, applications, and data. (Examples: secure authentication, vulnerability management, malware protection, encryption, backups, and secure software development.)
Each control follows a consistent structure, including:
- Title: Name of the control
- Purpose: Why it is necessary
- Guidance: How to apply it
- Additional information: Examples or complementary references
New Attributes Introduced in the 2022 Edition
One of the main innovations of the 2022 version is the introduction of "attributes", metadata tags that allow each control to be classified and viewed from multiple perspectives:
- Control type: Preventive, Detective, or Corrective
- Security properties: Confidentiality, Integrity, and Availability
- Cybersecurity concepts: Identify, Protect, Detect, Respond, Recover (aligned with the NIST CSF model)
- Operational capabilities: Governance, Asset Management, Human Resource Security, among others
- Security domains: Governance & Ecosystem, Protection, Defense, and Resilience
This attribute-based approach makes the standard more flexible and interoperable, facilitating alignment with other frameworks such as NIST CSF, CIS Controls, or COBIT.
Benefits of Implementing ISO/IEC 27002
Adopting the ISO/IEC 27002 guidelines enables organizations to:
- Build a comprehensive, risk-based control environment aligned with business objectives.
- Strengthen cyber resilience and reduce the likelihood of breaches or disruptions.
- Ensure legal, regulatory, and contractual compliance in security and privacy matters.
- Increase trust among customers, partners, suppliers, and auditors.
- Promote an organizational culture of awareness and accountability in information security.
A Flexible and Evolving Standard
ISO/IEC 27002:2022 is not prescriptive. Each organization can select and tailor controls based on its risk profile, maturity level, and strategic objectives.
The new edition also integrates information security, cybersecurity, and privacy protection, promoting a more holistic view of digital risk management.
Its adaptive and continuously improving approach makes ISO/IEC 27002 a key tool for advancing the maturity and resilience of Information Security Management Systems (ISMS).