ISO 27002, the Unsung Hero

The first thing to note is that is that ISO 27002 is a guidance standard, not a requirements standard, therefore no certification can be achieved against it, and it works alongside the ISO 27001 certification Standard.  ISO 27002 provides a perfect reference for those organisations looking for practical guidance on determining and implementing information security controls from Annex A of ISO 27001.

ISO 27002 has been designed to be applicable to organisations of all types and sizes and to help them determine and implement information security controls.  The ISO 27001 Annex A Controls are widely regarded as a summary of industry best practices or measures which assist you in protecting your information assets.  However, some organisations may be unsure which controls are appropriate and relevant to them, and this is where ISO 27002 comes in.  It helps you determine which controls are applicable to you by categorising them within different themes and attributes before going on to advise on implementing the controls.

The information security controls within ISO 27002:2022 are split into 4 main clauses (5-8) which are aligned with the 4 themes identified in Annex A – ‘Information security controls reference’ of ISO 27001.  The 4 themes are ‘People’ for the controls that concern personnel, ‘Physical’ if the controls concern physical objects, ‘Technological’ if they concern technology, and ‘Organisational’ for all remaining controls.  

In addition, within ISO 27002 there are also 5 attributes associated with each control.  These attributes are; Control types, Information security properties, Cybersecurity concepts, Operational capabilities and Security domains.

‍

The purpose of ISO 27002 Attributes is to enhance and facilitate the implementation, assessment, and comparison of security controls within an organisation's information security management system (ISMS).  The framework of control attributes can help you/organisations categorise, manage, and interpret information security controls more effectively by providing additional context and allowing you to align them with organisational goals, risk management practices, and compliance needs.

1. With the Control types attribute, you can classify the role and function of the security control in terms of its action or nature.  As an example, with information security incidents, you can identify which controls are preventive, detective and corrective when dealing with an incident.  By understanding the control type, organisations are better able to implement a balanced approach to security, ensuring they can prevent, detect, and respond to incidents appropriately.
2. Information security properties aligns each control with the fundamental information security principles of confidentiality, integrity and availability (CIA).  Such attributes help organisations to choose controls that meet specific security objectives based on the nature of the information being protected and ensure they align with key business requirements.  To learn more about these principles, see our blog on What is the CIA Security Triad? Confidentiality, Integrity, and Availability Explained.
3. The Cybersecurity concepts attribute is aligned with the NIST Cybersecurity Framework, and helps organisations map controls to different phases of cybersecurity, such as identify, protect, detect, respond and recover, with the goal of ensuring comprehensive coverage across the entire incident lifecycle.
4. The Operational capabilities attribute emphasises the organisational context and helps align controls with the capabilities that are necessary to manage and operate a secure environment.  As such, operational activities or practices that controls can be linked with can be used to view controls from an organisational perspective, such as governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationship security, legal and compliance, information security event management and information security assurance.
5. The Security domains work together to provide a comprehensive approach to information security, covering protection measures, defence against threats, recovery strategies, and oversight of security practices across internal and external environments.  Protection ensures proactive measures are in place to prevent data loss or compromise.  Defence focuses on safeguarding against attacks by implementing defensive layers of security.  Resilience ensures the organisation can recover quickly from disruptions and minimise damage whilst Governance and Ecosystem ensures security is properly managed, including relationships with third parties, and aligns with organisational and regulatory requirements

ISO 27002 uses the above 5 attributes because they are considered generic and can, therefore, fit all types of organisations.

How, then, are these attribute values applied to the controls?  We will use the example of Annex A Control 6.3 Information security awareness, education and training, as this control has universal appeal to virtually every organisation.  In ISO 27001 and ISO 27002, Control 6.3 sits within the ‘people’ themed controls.   Its ‘Control type’ attribute value is ‘Preventative’, as ensuring that personnel are aware of and trained in information security is a means of preventing information security incidents from occurring.   Its ‘Information security properties’ values include ‘confidentiality, integrity and availability’ as an organisation’s people will be exposed to corporate information that requires maintenance of its availability, its integrity and its confidentiality.  The ‘Cybersecurity concepts’ attribute value of Control 6.3 is ‘Protect’, as training and awareness in staff play a pivotal role in protecting the organisation’s information assets and they will require training on how best to carry out that role.  The ‘Operational capabilities’ attribute value of Control 6.3 is ‘Human resource security’ which is to be expected of a ‘people’ themed control.  The ‘Security domains’ attribute value for Control 6.3 is ‘Governance and Ecosystem’ as an organisation’s information security awareness, education and training programme forms a key part of their governance and risk management, and the individuals involved are stakeholders of the organisation’s information and therefore part of the information security ecosystem.

Whilst ISO 27001 simply defines the requirements for an ISMS that is conformant to the Standard, ISO 27002 provides guidance on the implementation of Annex A Controls from ISO 27001, describing what each control is, its purpose and explaining how and why a control should be implemented. The control attributes table included in ISO 27002 can significantly lighten the load when it comes to determining the relevance and applicability of different controls, and for selecting those that are found to be relevant.  The attributes can be used in conjunction with each other to create a shortlist of controls that you can implement to meet a given purpose, e.g., if you are looking to increase your defences against confidentiality related attacks, combining ‘prevent’ and ‘confidentiality’ will provide you with a more focused list of controls for consideration.  Attributes can also be used should you want to check the balance of your established controls.  For example, you can use it to check whether you have implemented adequate controls to detect information security events and not just those to prevent information security incidents.

There are a number of different ways that ISO 27002 can be utilised.  As discussed above, its primary purpose is to guide your implementation of the Annex A Control set from ISO 27001.  For example, the opening organisational control, 5.1 Polices for information security, states that information security policy and topic-specific policies should be defined, however many organisations may struggle to determine which other topic-specific policies are required beyond their information security policy.  Within the guidance for Control 5.1, ISO 27002 lists several examples of topics that could be considered within a documented policy, such as access control, asset management, network security, backup, and information classification and handling.  This guidance not only provides practical examples of the type of information security policies required, but also encourages the organisation to consider a whether a topic-specific policy is required or if the topic is already incorporated elsewhere.  

Internal and external auditors of ISMS’ can also use ISO 27002 to their advantage, particularly if they are auditing an ISO 27001 certified ISMS.  The guidance provided for each Annex A Control can be used by auditors to develop questions to ask during an audit, especially if the auditee has struggled to fully understand the importance of the control, or they have implemented a control based on previous experience and have not considered a more holistic approach.

ISO 27002 can also act as a guide for continual improvement of your organisation’s ISMS by considering the ‘other information’ guidance for the implementation and management of the Annex A Controls.  You may not consider the ‘other information’ sections in the early stages of maintaining an ISMS, but, along with the performance evaluation, the additional guidance can provide opportunity to develop and enhance the effectiveness of an organisation’s ISMS after it has been established.

Using the attributes table provided in ISO 27002, you can also consider and categorise the controls through an alternative lens to the 4-theme approach used in Annex A of ISO 27001, which may be more useful and relevant to your organisation’s unique needs.  For example, if your organisation prefers to be less risk adverse, then you may choose to focus more on the controls with a control type of ‘Corrective’.  These alternative categories for the controls may prove beneficial when delivering feedback to senior management, who potentially require less detail about the controls but are responsive to a set of control types or cybersecurity concepts.

ISO 27002 is an extremely valuable tool for any organisation looking to establish and implement an ISO 27001-conformant/certified ISMS.  While ISO 27001 is focused on defining what you need to have in place to conform to the Standard, ISO 27002 works in conjunction with this by providing further information on how conformance can be achieved.  As well as providing implementation guidance that is informed by best practice, ISO 27002 can assist you to select appropriate and applicable controls, and to effectively manage controls after they have been implemented.  As such, we would always strongly recommend purchasing ISO 27002 and thoroughly considering its guidance in your efforts to achieve and maintain ISO 27001 certification.