ISO/IEC 27002:2022 in detail

 ISO/IEC 27002:2022 iso.org

This third edition cancels and replaces the second edition (ISO/IEC 27002:2013), which has been technically revised. It also incorporates the Technical Corrigenda ISO/IEC 27002:2013/Cor. 1:2014 and ISO/IEC 27002:2013/Cor. 2:2015.

The main changes are as follows:

• — the title has been modified.
• — the structure of the document has been changed, presenting the controls using a simple taxonomy and associated attributes.
• — some controls have been merged, some deleted and several new controls have been introduced. The complete correspondence can be found in Annex B.

This corrected version of ISO/IEC 27002:2022 incorporates the following corrections:

• — non-functioning hyperlinks throughout the document have been restored.
• — in the introductory table in subclause 5.22 and in Table A.1 (row 5.22), "#information_security_assurance" has been moved from the column headed "Security domains" to the column headed "Operational capabilities".

Introduction

0.1   Background and context

This document is designed for organizations of all types and sizes. It is to be used as a reference for determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO/IEC 27001. It can also be used as a guidance document for organizations determining and implementing commonly accepted information security controls. Furthermore, this document is intended for use in developing industry and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s). Organizational or environment-specific controls other than those included in this document can be determined through risk assessment as necessary.

Organizations of all types and sizes (including public and private sector, commercial and non-profit) create, collect, process, store, transmit and dispose of information in many forms, including electronic, physical and verbal (e.g. conversations and presentations).

The value of information goes beyond written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and other associated assets deserve or require protection against various risk sources, whether natural, accidental or deliberate.

Information security is achieved by implementing a suitable set of controls, including policies, rules, processes, procedures, organizational structures and software and hardware functions. To meet its specific security and business objectives, the organization should define, implement, monitor, review and improve these controls where necessary. An ISMS such as that specified in ISO/IEC 27001 takes a holistic, coordinated view of the organization’s information security risks in order to determine and implement a comprehensive suite of information security controls within the overall framework of a coherent management system.

Many information systems, including their management and operations, have not been designed to be secure in terms of an ISMS as specified in ISO/IEC 27001 and this document. The level of security that can be achieved only through technological measures is limited and should be supported by appropriate management activities and organizational processes. Identifying which controls should be in place requires careful planning and attention to detail while carrying out risk treatment.

A successful ISMS requires support from all personnel in the organization. It can also require participation from other interested parties, such as shareholders or suppliers. Advice from subject matter experts can also be needed.

A suitable, adequate and effective information security management system provides assurance to the organization’s management and other interested parties that their information and other associated assets are kept reasonably secure and protected against threats and harm, thereby enabling the organization to achieve the stated business objectives.

0.2   Information security requirements

It is essential that an organization determines its information security requirements. There are three main sources of information security requirements:

• a) the assessment of risks to the organization, considering the organization’s overall business strategy and objectives. This can be facilitated or supported through an information security-specific risk assessment. This should result in the determination of the controls necessary to ensure that the residual risk to the organization meets its risk acceptance criteria.
• b) the legal, statutory, regulatory and contractual requirements that an organization and its interested parties (trading partners, service providers, etc.) must comply with and their socio-cultural environment.
• c) the set of principles, objectives and business requirements for all the steps of the life cycle of information that an organization has developed to support its operations.

0.3   Controls

A control is defined as a measure that modifies or maintains risk. Some of the controls in this document are controls that modify risk, while others maintain risk. An information security policy, for example, can only maintain risk, whereas compliance with the information security policy can modify risk. Moreover, some controls describe the same generic measure in different risk contexts. This document provides a generic mixture of organizational, people, physical and technological information security controls derived from internationally recognized best practices.

0.4   Determining controls

Determining controls is dependent on the organization’s decisions following a risk assessment, with a clearly defined scope. Decisions related to identified risks should be based on the criteria for risk acceptance, risk treatment options and the risk management approach applied by the organization. The determination of controls should also take into consideration all relevant national and international legislation and regulations. Control determination also depends on the manner in which controls interact with one another to provide defence in depth.

The organization can design controls as required or identify them from any source. In specifying such controls, the organization should consider the resources and investment needed to implement and operate a control against the business value realized. See ISO/IEC TR 27016 for guidance on decisions regarding the investment in an ISMS and the economic consequences of these decisions in the context of competing requirements for resources.

There should be a balance between the resources deployed for implementing controls and the potential resulting business impact from security incidents in the absence of those controls. The results of a risk assessment should help guide and determine the appropriate management action, priorities for managing information security risks and for implementing controls determined necessary to protect against these risks.

Some of the controls in this document can be considered as guiding principles for information security management and as being applicable for most organizations. More information about determining controls and other risk treatment options can be found in ISO/IEC 27005.

0.5   Developing organization-specific guidelines

This document can be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this document can be applicable to all organizations. Additional controls and guidelines not included in this document can also be required to address the specific needs of the organization and the risks that have been identified. When documents are developed containing additional guidelines or controls, it can be useful to include cross-references to clauses in this document for future reference.

0.6   Life cycle considerations

Information has a life cycle, from creation to disposal. The value of, and risks to, information can vary throughout this life cycle (e.g. unauthorized disclosure or theft of a company’s financial accounts is not significant after they have been published, but integrity remains critical) therefore, information security remains important to some extent at all stages.

Information systems and other assets relevant to information security have life cycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be considered at every stage. New system development projects and changes to existing systems provide opportunities to improve security controls while taking into account the organization’s risks and lessons learned from incidents.

0.7   Related International Standards

While this document offers guidance on a broad range of information security controls that are commonly applied in many different organizations, other documents in the ISO/IEC 27000 family provide complementary advice or requirements on other aspects of the overall process of managing information security.

Refer to ISO/IEC 27000 for a general introduction to both ISMS and the family of documents. ISO/IEC 27000 provides a glossary, defining most of the terms used throughout the ISO/IEC 27000 family of documents, and describes the scope and objectives for each member of the family.

There are sector-specific standards that have additional controls which aim at addressing specific areas (e.g. ISO/IEC 27017 for cloud services, ISO/IEC 27701 for privacy, ISO/IEC 27019 for energy, ISO/IEC 27011 for telecommunications organizations and ISO 27799 for health). Such standards are included in the Bibliography and some of them are referenced in the guidance and other information sections in Clauses 5-8.

1   Scope

This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:

• a) within the context of an information security management system (ISMS) based on ISO/IEC 27001;
• b) for implementing information security controls based on internationally recognized best practices.
• c) for developing organization-specific information security management guidelines.

2   Normative references

There are no normative references in this document.

3   Terms, definitions and abbreviated terms

3.1   Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

• — ISO Online browsing platform: available at https://www.iso.org/obp
• — IEC Electropedia: available at https://www.electropedia.org/

3.1.1

access control

means to ensure that physical and logical access to assets (3.1.2) is authorized and restricted based on business and information security requirements

3.1.2

asset

anything that has value to the organization

Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:

• — the primary assets:
• — information;
• — businessprocesses (3.1.27) and activities.
• — the supporting assets (on which the primary assets rely) of all types, for example:
• — hardware;
• — software;
• — network;
• — personnel (3.1.20);
• — site;
• — organization’s structure.

3.1.3

attack

successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an asset (3.1.2) or any attempt to expose, steal, or make unauthorized use of an asset (3.1.2)

3.1.4

authentication

provision of assurance that a claimed characteristic of an entity (3.1.11) is correct

3.1.5

authenticity

property that an entity (3.1.11) is what it claims to be

3.1.6

chain of custody

demonstrable possession, movement, handling and location of material from one point in time until another

Note 1 to entry: Material includes information and other associated assets (3.1.2) in the context of ISO/IEC 27002.

[SOURCE:ISO/IEC 27050-1:2019, 3.1, modified — “Note 1 to entry” added]

3.1.7

confidential information

information that is not intended to be made available or disclosed to unauthorized individuals, entities (3.1.11) or processes (3.1.27)

3.1.8

control

measure that maintains and/or modifies risk

Note 1 to entry: Controls include, but are not limited to, any process (3.1.27), policy (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.

Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.

[SOURCE:ISO 31000:2018, 3.8]

3.1.9

disruption

incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization’s objectives

[SOURCE:ISO 22301:2019, 3.10]

3.1.10

endpoint device

network connected information and communication technology (ICT) hardware device

Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices.

3.1.11

entity

item relevant for the purpose of operation of a domain that has recognizably distinct existence

Note 1 to entry: An entity can have a physical or a logical embodiment.

Example:

A person, an organization, a device, a group of such items, a human subscriber to a telecom service, a SIM card, a passport, a network interface card, a software application, a service or a website.

[SOURCE:ISO/IEC 24760-1:2019, 3.1.1]

3.1.12

information processing facility

any information processing system, service or infrastructure, or the physical location housing it

[SOURCE:ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.]

3.1.13

information security breach

compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed

3.1.14

information security event

occurrence indicating a possible information securitybreach (3.1.13) or failure of controls (3.1.8)

[SOURCE:ISO/IEC 27035-1:2016, 3.3, modified — “breach of information security” has been replaced with “information security breach”]

3.1.15

information security incident

one or multiple related and identified information security events (3.1.14) that can harm an organization’s assets (3.1.2) or compromise its operations

[SOURCE:ISO/IEC 27035-1:2016, 3.4]

3.1.16

information security incident management

exercise of a consistent and effective approach to the handling of information security incidents (3.1.15)

[SOURCE:ISO/IEC 27035-1:2016, 3.5]

3.1.17

information system

set of applications, services, information technology assets (3.1.2), or other information-handling components

[SOURCE:ISO/IEC 27000:2018, 3.35]

3.1.18

interested party

stakeholder

person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity

[SOURCE:ISO/IEC 27000:2018, 3.37]

3.1.19

non-repudiation

ability to prove the occurrence of a claimed event or action and its originating entities (3.1.11)

3.1.20

personnel

persons doing work under the organization’s direction

Note 1 to entry: The concept of personnel includes the organization’s members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.

3.1.21

personally identifiable information

PII

any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.

Note 1 to entry: The “natural person” in the definition is the PII principal (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.

[SOURCE:ISO/IEC 29100:2011/Amd.1:2018, 2.9]

3.1.22

PII principal

natural person to whom the personally identifiable information (PII) (3.1.21) relates

Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.

[SOURCE:ISO/IEC 29100:2011, 2.11]

3.1.23

PII processor

privacy stakeholder that processes personally identifiable information (PII) (3.1.21) on behalf of and in accordance with the instructions of a PII controller

[SOURCE:ISO/IEC 29100:2011, 2.12]

3.1.24

policy

intentions and direction of an organization, as formally expressed by its top management

[SOURCE:ISO/IEC 27000:2018, 3.53]

3.1.25

privacy impact assessment

PIA

overall process (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information(PII) (3.1.21), framed within an organization’s broader risk management framework

[SOURCE:ISO/IEC 29134:2017, 3.7, modified — Note 1 to entry removed.]

3.1.26

procedure

specified way to carry out an activity or a process (3.1.27)

[SOURCE:ISO 30000:2009, 3.12]

3.1.27

process

set of interrelated or interacting activities that uses or transforms inputs to deliver a result

[SOURCE:ISO 9000:2015, 3.4.1, modified— Notes to entry removed.]

3.1.28

record

information created, received and maintained as evidence and as an asset (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business

Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.

[SOURCE:ISO 15489-1:2016, 3.14, modified— “Note 1 to entry” added.]

3.1.29

recovery point objective

RPO

point in time to which data are to be recovered after a disruption (3.1.9) has occurred

[SOURCE:ISO/IEC 27031:2011, 3.12, modified — "must" replaced by "are to be".]

3.1.30

recovery time objective

RTO

period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a disruption (3.1.9) has occurred

[SOURCE:ISO/IEC 27031:2011, 3.13, modified — "must" replaced by "are to be".]

3.1.31

reliability

property of consistent intended behaviour and results

3.1.32

rule

accepted principle or instruction that states the organization’s expectations on what is required to be done, what is allowed or not allowed

Note 1 to entry: Rules can be formally expressed in topic-specific policies (3.1.35) and in other types of documents.

3.1.33

sensitive information

information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety

3.1.34

threat

potential cause of an unwanted incident, which can result in harm to a system or organization

[SOURCE:ISO/IEC 27000:2018, 3.74]

3.1.35

topic-specific policy

intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management

Note 1 to entry: Topic-specific policies can formally express rules (3.1.32) or organization standards.

Note 2 to entry: Some organizations use other terms for these topic-specific policies.

Note 3 to entry: The topic-specific policies referred to in this document are related to information security.

EXAMPLE:

Topic-specific policy on access control (3.1.1), topic-specific policy on clear desk and clear screen.

3.1.36

user

interested party (3.1.18) with access to the organization’s information systems (3.1.17)

EXAMPLE:

Personnel (3.1.20), customers, suppliers.

3.1.37

user endpoint device

endpoint device (3.1.10) used by users to access information processing services

Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc.

3.1.38

vulnerability

weakness of an asset (3.1.2) or control (3.1.8) that can be exploited by one or more threats (3.1.34)

[SOURCE:ISO/IEC 27000:2018, 3.77]

3.2   Abbreviated terms

This page is from the official version ISO/IEC 27002:2022 iso.org