If ISO 27001 is the standard you certify against, ISO 27002 is the manual you reach for when you actually have to build the controls. It takes each control named in Annex A and explains its purpose and good practice in real detail.
This overview explains what ISO 27002 is, how it is structured, what changed in the 2022 edition, and how to use it effectively alongside your work toward ISO 27001 certification.
What ISO 27002 is
ISO/IEC 27002 is an international standard that serves as a code of practice for information security controls. Rather than defining a management system, it provides detailed guidance on implementing the controls that ISO 27001’s Annex A references.
It is advisory in tone — written with ‘should’ rather than ‘shall’ — which is why you cannot be certified against it. Its job is to make the controls actionable, not to be audited.
Think of it as the difference between a building code (ISO 27001) and a detailed construction manual (ISO 27002).
How it relates to ISO 27001
The two are deliberately paired. ISO 27001’s Annex A lists the controls with brief statements of intent; ISO 27002 expands each into full guidance using the same numbering. When you select a control in your Statement of Applicability, ISO 27002 is where you learn how to implement it well.
You are certified against ISO 27001; you implement guided by ISO 27002. The relationship is complementary, not competitive.
This pairing is why most successful implementations keep both documents close at hand.
The 2022 restructure into four themes
The 2022 edition reorganised the controls from the older 14 domains into four themes: Organizational, People, Physical, and Technological. The total moved to 93 controls, consolidating overlaps and adding modern topics.
This made the catalogue easier to navigate and aligned it with how organisations actually think about security — by who and what is being protected rather than by abstract domains.
Because ISO 27001:2022 Annex A mirrors this structure, the two standards stayed perfectly in step.
The new 'attributes' feature
A notable 2022 addition is attributes: each control is tagged with characteristics such as control type (preventive, detective, corrective), the security properties it supports (confidentiality, integrity, availability), cybersecurity concepts, operational capabilities, and security domains.
Attributes let you slice the control set in different ways — for example, listing all detective controls, or all controls that support availability — which is genuinely useful for planning, reporting, and communicating with leadership.
They are optional to use but a helpful lens once you are comfortable with the basics.
The eleven new controls
The 2022 update introduced eleven new controls reflecting the modern threat landscape: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
Most address realities — cloud, supply chain, and modern development — that the older edition handled only implicitly. ISO 27002 explains each in practical terms.
If you are migrating from older guidance, these are the areas most likely to need fresh attention.
How to use ISO 27002 in a project
In practice you use ISO 27002 on demand rather than front to back: as your risk assessment and SoA identify controls to implement, you consult the matching ISO 27002 section to design each one. It helps you scope the control sensibly, avoid gaps, and document a defensible implementation.
It is also a useful training and reference resource for control owners, giving everyone a common understanding of what ‘good’ looks like for, say, access control or supplier security.
Used this way, it dramatically reduces the guesswork of a first implementation.
What ISO 27002 is not
ISO 27002 is not a certification, not a management-system standard, and not a checklist you must implement in full. It does not tell you which controls apply — that is the job of your ISO 27001 risk assessment — only how to do the ones you choose.
Treating it as a mandatory checklist leads to over-implementation and wasted effort. Treating it as a guidance library for selected controls is exactly right.
Keeping this boundary clear keeps your program focused on real risk.
Related standards in the family
ISO 27002 sits within the broader ISO 27000 family. ISO 27000 provides vocabulary; ISO 27005 guides risk management; and sector or topic standards (ISO 27017 and 27018 for cloud and personal data, ISO 27701 for privacy) extend the model further.
For most organisations, ISO 27001 plus ISO 27002 covers the core need, with the others added only where specific risks or obligations demand them.
Knowing the family helps you reach for the right reference rather than over-buying standards you will not use.
Getting value from it without drowning in detail
ISO 27002 is long, and reading it cover to cover is rarely the best use of time. The efficient approach is to let your risk-driven control selection point you to the relevant sections, and to capture the guidance into your own templates and procedures so the knowledge is reusable.
A partner who has implemented the controls many times effectively distils ISO 27002 into ready-made, audit-ready artefacts — which is faster than interpreting the standard from scratch.
That is part of what ISpectra provides: control implementations built to ISO 27002 good practice, with free VAPT and a multi-framework discount.
The bottom line
ISO 27002 is the implementation guidance that makes ISO 27001’s controls real. You cannot certify against it, but you will rely on it constantly to implement the Annex A controls your risk assessment selects — especially the modern 2022 additions for cloud, secure coding, and data protection.
Use ISO 27001 to decide what is required and which controls apply, and ISO 27002 to implement each one well. Together they produce a program that is both certifiable and genuinely secure.
If interpreting the guidance feels heavy, that is exactly the work a specialist partner removes — turning the standard into working, evidenced controls on the way to certification.
Worked example: supplier security
Suppose your risk assessment flags third-party suppliers as a concern. ISO 27001 requires you to include the relevant Annex A controls in your Statement of Applicability and operate them. ISO 27002 then explains what good supplier security looks like — due-diligence checks, security clauses in contracts, monitoring of service delivery, and managing changes to supplier services.
You implement the control following that guidance, keep the evidence such as contracts and review records, and your auditor tests it under ISO 27001. ISO 27002 has turned a one-line control into a concrete, defensible implementation.
Multiply that across every control your risk assessment selects and it becomes clear why ISO 27002 is the workhorse reference of any serious implementation, even though it never appears on the certificate.