List of ISO 27002 Controls (Complete Overview)

Meeba Gracy

Jan 26, 2024

Are you tired of constantly worrying about your organization’s security? Do you want to ensure that your company’s sensitive data is protected at all times? If so, then this guide on ISO 27002 controls is for you.

In this article, you will learn what ISO 27002 is, the changes implemented since the update last year, and the difference between ISO 27002 controls and ISO 27001. 

Let’s dive in…

What are ISO/IEC 27002 controls?

ISO/IEC 27002 controls are a collection of information security, cyber security, and privacy protection measures, along with implementation recommendations that are based on globally accepted industry standards.

The latest version of the ISO/IEC 27002 has been updated to ensure that it reflects developments and the most up-to-date information security practices that are being used in different sectors across businesses and governments.

After months of work, the new edition was finally published on February 15th, 2022 for all to use. 

How to select and implement ISO 27002 controls?

Select and implement ISO 27002 controls based on the organization’s risk profile, its compliance considerations, and alignment with the ISO 27002 control objectives. You may add, enhance, exclude, or consolidate controls that address similar concerns.

Here are the five steps that can help you evaluate the right controls and implement them:

1. Define key objectives

Establishing clear and meaningful objectives requires engagement from several stakeholders, such as IT teams and legal departments. They are in a better position to give deep insights into current business needs.

Other than broader business objectives, regulatory requirements, customer needs and industry best practices should be considered to define key objectives.

2. Conduct a risk assessment

A comprehensive assessment identifying critical assets and the associated risks must be conducted to determine the risk profile. This helps in understanding the likelihood and impact of potential threats and in prioritizing the selection of controls.

3. Make a selection based on applicability

To tailor the control selection to your business needs, consider operational requirements and technological capabilities along with the above two. To determine applicability, also ask questions such as:

  • Are there any controls mandated by industry or regulatory frameworks?
  • Does excluding a control leave any critical risks unaddressed?
  • What are the costs and benefits of implementing each of these controls?
  • Are there multiple controls for similar risks that can be streamlined into one control?

4. Create a tactical implementation plan

A solid tactical implementation plan is well documented, with specific, measurable, and time-bound objectives along with outlined tasks and procedures. It should also include the KPIs and KRIs that will be used to measure the effectiveness of control implementation.

5. Train and educate workforce

A combination of communication and training will help the workforce understand the rationale behind the process and implement controls well. Tailor the training program as per skill gaps and keep it engaging for maximum participation.

6. Continuously improve to stay compliant

Periodic reviews, internal audits, and other surveillance techniques must be implemented to gain visibility into progress as well as to address any ingrained weaknesses that persist. To stay compliant, businesses must be ‘always watchful’.

ISO 27002 Controls List

ISO 27002:2022, a revision of ISO 27002:2013, now consists of 93 controls, 11 of which are new. While the 2013 release had 114 controls under 14 clauses, the 2022 version has only 4 domains. To improve navigation, 24 controls have been merged and 58 updated from the previous version, streamlining the entire framework and enhancing overall usability.

New controls have been added to the revised list keeping in mind the need for even more robust security requirements with evolving threat sophistication.

Here is the list of ISO 27002 controls (as per the latest 2022 version):

A.5.7 Threat intelligence

Threat intelligence involves collecting, analyzing, and contextualizing data about security threats. By doing so, companies can acquire comprehensive insights into potential threats, ultimately making them better prepared against attacks.

A.5.23 Information security for cloud services

Businesses of all sizes embrace the advantages of cloud services, but their growing popularity brings heightened information security risk. Control 5.23 mitigates these risks by proactively establishing processes for the acquisition, use, management, and exit from cloud services.

This helps ensure that businesses have the procedures to protect their data and optimally manage their security posture when using these services. 

A.5.30 ICT Readiness for Business Continuity

The importance of maintaining ICT platforms and services to ensure business continuity in the face of disruption or a critical event cannot be overstated.

Control 5.30 guides organizations on managing and optimizing ICT systems in light of this, outlining the processes for response, recovery, and restoration that should be adhered to, as well as analyzing key metrics such as RTOs and BIA results.

This assists organizations in ensuring their ICT readiness is sufficient for maintaining continuous operation throughout severe episodes.

A.7.4 Physical security monitoring

Ensuring physical security is of utmost importance for organizations wishing to protect their critical data. Physical security monitoring offers a cost-effective solution for safeguarding premises and deterring any unauthorized access to restricted areas. 

This includes deploying CCTV cameras, motion sensors, and even tamper-proof locks to monitor security around buildings with confidential information. 

A.8.9 Configuration management

Configuration management is a critical element of any organization’s security infrastructure. It enables hardware, software, and entire networks to be configured with the appropriate policies to protect an organization from unwanted outside influences. 

Configuration files can dictate network security measures like block lists, port forwarding, virtual LANs, and VPN information among others. Also, it can help organizations meet compliance standards that are important for the security audit processes. 

A.8.10 Information deletion

Information deletion is essential in mitigating data risk, as it can reduce the impact of a potential security breach or of a failure to comply with legal standards. Control 8.10 ensures organizations comply with relevant laws and regulations regarding data erasure by providing a complementary approach designed around the company’s current data retention practices.

A.8.11 Data masking

Data masking is an effective method to protect PII stored within an organization’s systems. Data masking takes access control measures further, ensuring that sensitive data stored within systems is obfuscated or encrypted so that it is not readily accessible. 

This goes beyond the scope of regular access controls and can be required due to statutory or regulatory compliance. 

A.8.12 Data leakage prevention

Data leakage prevention is vital to protecting organizations and limiting their vulnerabilities. Control 8.12, a dual-purpose preventive and detective control, supports proactively detecting, preventing, and responding to data leakage from internal and external sources.

A.8.16 Monitoring activities

Network monitoring is a critical part of the IT support and information security process, constituting an integral layer of the organization’s defense-in-depth security strategy. 

Control 8.16 provides protective and corrective capabilities in mitigating risks through careful observance and examination of unusual activities, allowing for a speedy resolution to incidents and events. This, in turn, results in improved systems performance and safeguarding of valuable assets from malicious cyber attacks.

A.8.23 Web filtering

Web filtering is a critical control that organizations must use to guard against security risks and ensure the safety of their information systems. By using web filtering technology, organizations can restrict access to malicious websites, helping to protect their networks from malware attacks and data breaches. 

This process also reduces staff distraction and potential waste of resources as users cannot access external sites that do not offer any business value. Implementing effective web filtering is essential to guarantee corporate networks’ health and integrity.

A.8.28 Secure coding

Secure coding practices protect information systems against today’s sophisticated cyber threats. Without secure coding, organizations risk exposing vulnerabilities and compromising their critical assets.

To prevent this, implementing Control 8.28 ensures that applications and networks are designed with security throughout the entire process by eliminating potential risks before they become an issue. 

This preventive control can protect your company from cyber attacks associated with poor coding practices, such as weak key generation and improper input validation.

Specific ISO 27002 Control Changes

Here is a detailed overview of ISO 27002:2022 control changes:

  • New controls: 11
  • Domains: 13 down to 4
  • Split controls: 1 divided into 2
  • Merged controls: 56 reduced to 24
  • Overall: 114 down to just 93

The latest update of ISO/IEC 27002 significantly improves how it structures control sets. Previously, 14 control domains were established, but now all those domains have been consolidated into just four security categories that are streamlined, organized, and easier to understand. 

These include:

  • Organizational
  • People
  • Physical
  • Technological

The standard now consists of 93 controls, 11 of which are new. To improve navigation, 24 controls have each been formed by merging 2, 3, or more security controls from the 2013 version, streamlining the entire framework and making it easier to navigate.

This upgrade can attest to the fact that users are now unrestricted by complications in following basic Information Security practices – they are now free to explore a range of new-and-improved navigation options with assured security being maintained at all times.

Annex A was created to provide guidance on applying these attributes, along with Annex B, allowing for easier on-demand reference to control numbers/identifiers.

It goes beyond simply telling users what is different from ISO/IEC 27001 2013 by creating two tables that cross-reference this information, providing clarity and a better understanding of how cyber security has changed over time.

Difference between ISO 27001 and ISO 27002

The main difference between ISO 27001 and ISO 27002 is that ISO 27001 presents a broad framework for effective information security management, while ISO 27002 provides the necessary details to turn that framework into practice.

As an in-depth supplement to ISO 27001, it shows how to choose and implement controls according to best practices, giving organizations the tools they need for secure data protection.

The 114 security controls listed in Appendix A are divided into 14 categories for referencing in ISO 27001 documents. Thanks to this complementary relationship between ISO 27001 and ISO 27002, organizations can ensure that their information security practices are up to industry standards.

Organizations can use ISO 27002 security controls as a guiding beacon on how to meet the requirements of ISO 27001. However, it is not a certification standard in itself.

As such, an assessment against ISO 27001 outlines the accomplishments needed for organizational approval and verification that the ISMS is secure and meets internationally accepted standards.

What’s Next?

Complying with ISO 27001 can be a daunting prospect due to the length of requirements. By understanding the requirements and mapping out a plan, you can ensure your organization takes the necessary steps to protect its data.

And if you need help, Sprinto’s compliance automation makes it much simpler. Our continuous monitoring solution and employee training module help speed up the process.

At the same time, the internal audit feature allows for improved visibility in existing systems and helps identify areas for improvement. With Sprinto’s intuitive tools and comprehensive resources, you can be certain that your organization is ISO 27001 compliant in no time.

We hope this guide has helped get you started on your compliance journey. What other questions do you have about ISO 27002 controls? Talk to us to know more!


Is ISO 27002 a control framework?

The ISO 27002 framework offers extensive guidance and industry expertise on incorporating the essential controls listed in Annex A of ISO 27001. An invaluable resource to ensure optimal security measures are taken, this should be read alongside its sister standard, ISO 27001.

What is ISO 27002 used for?

ISO 27002 provides comprehensive guidance on selecting information security controls, giving organizations all they need to protect their data. Annex A in ISO 27001 outlines a number of potential tools and strategies that companies can use to ensure secure operations. Information security experts leverage these resources when crafting sound cybersecurity initiatives for businesses everywhere.

How many controls does 27002:2022 have?

ISO 27002:2022 has 93 controls to address organizations’ information security needs. Compared with its 2013 predecessor, this new standard is longer and more robust: some controls were merged or removed, while others were added for additional support.

How many ISO 27001 controls are there?

ISO 27001 compliance involves following a comprehensive set of controls to ensure the security and integrity of your organization’s data. This includes 114 distinct controls spread across 14 domains that must be satisfied for ISO certification.

Meeba Gracy

Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.
