Standard

BS EN ISO/IEC 27002:2022 - TC

Information security, cybersecurity and privacy protection. Information security controls

Current

Published:

If you have previously purchased ISO/IEC 27002:2022 you will receive an email about BS EN ISO/IEC 27002:2022 and how to purchase your free copy.

What is BS EN ISO/IEC 27002 - Information security controls about?

BS EN ISO/IEC 27002 is the internationally recognized guidance document covering the selection, implementation and management of controls for organizations that have, or are in the process of establishing, an information security management system (ISMS) based on BS EN ISO/IEC 27001.

Not sure what BS EN ISO/IEC 27001 is? Learn more about this key information security standard here.

BS EN ISO/IEC 27002 ultimately provides recommendations that help businesses to strengthen their information security – vital in today's world, where the number and sophistication of cyber-attacks are on the rise.

It has been developed to be used by any organization, of any size or sector, wanting to implement commonly accepted information security controls, such as threat intelligence and data leakage prevention.

It’s a supplementary document to BS EN ISO/IEC 27001 that helps users to identify and implement the information security controls that are most appropriate to their organization’s needs and which in turn can help strengthen the way in which information is protected.

Discover more about how this standard can help your business with our article, The 4 pillars of control: A modern approach to information security controls.

What are the benefits of BS EN ISO/IEC 27002 - Information security controls?

By adopting the guidance in BS EN ISO/IEC 27002 and changing your process to conform to its requirements, businesses can benefit from:

  • Identifying suitable and proportionate security controls within the process of setting up an ISMS
  • Achieving best practices in information security management
  • Meeting legal, statutory, regulatory, and contractual requirements in relation to information security
  • Strengthening risk management and reducing the likelihood of information security breaches
  • Increasing confidence in the organization’s ISMS

BS EN ISO/IEC 27002 contributes to UN Sustainable Development Goal 9 on industry, innovation, and infrastructure.

Who is BS EN ISO/IEC 27002 Information security controls for?

BS EN ISO/IEC 27002 was developed specifically so that its guidance could be used by businesses of every size and sector – from multi-nationals to SMEs.

Users of this information security controls standard will typically be anyone with an interest in information security and risk management within their business, where activities such as the creation, collection, processing, storing, transmitting and disposing of information take place.

Those who use this standard can include:

  • Chief information security officers (CISO)
  • Cyber security risk analysts/advisors
  • Information security consultants
  • Risk managers in compliance and information security

If your business handles sensitive employee or client data, you might also want to consider implementing BS EN ISO/IEC 27701. This document serves as an extension to BS EN ISO/IEC 27001 and BS EN ISO/IEC 27002 and can help businesses manage their privacy risks with confidence.

What does BS EN ISO/IEC 27002 Information security controls cover?

BS EN ISO/IEC 27002 provides recommended information security controls, including guidance on how businesses can implement them in their processes. It is designed to be used by organizations:

  • Within the context of an ISMS based on BS EN ISO/IEC 27001
  • For implementing information security controls based on internationally recognized best practices
  • For developing their own information security management guidelines

Some other important information security standards include:

  • BS EN ISO/IEC 27001 Information security, cybersecurity and privacy protection. Information security management systems. Requirements
  • BS ISO/IEC 27003 Information technology. Security techniques. Information security management systems. Guidance
  • BS ISO/IEC 27004 Information technology. Security techniques. Information security management. Monitoring, measurement, analysis and evaluation
  • BS ISO/IEC 27005 Information security, cybersecurity and privacy protection. Guidance on managing information security risks

What’s new about BS EN ISO/IEC 27002 - Information security controls?

BS EN ISO/IEC 27002:2022 is a revision of BS EN ISO/IEC 27002:2017. The key changes in BS EN ISO/IEC 27002:2022 are:

  • The phrase “code of practice” has been omitted, to better reflect its purpose as a reference set of information security controls
  • The number of security controls listed has decreased from 114 to 93, with some controls removed because they no longer reflect best practice
  • Eleven new controls have been introduced in the latest version. These reflect the evolution of technologies and industry practices, including threat intelligence, information security for use of cloud services, and data leakage prevention
  • The 2022 edition provides references to the 2013 edition control identifiers, to ease companies’ transition to the latest edition

Got a question about the revision of this standard, or the changes that have been introduced? Read our FAQ: ISO/IEC 27002 Revision.

Product Details

Descriptors: Computer hardware; Data security; Management; Computer software; Access; Data processing; Information exchange; Data storage protection; Computers; Computer networks; Data transmission

ICS Codes: 35.040 Information coding

Committee: IST/33/1

International relationships: Identical to ISO/IEC 27002:2022 - TC; EN ISO/IEC 27002:2022; ISO/IEC 27002

ISBN: 978 0 539 24876 0

Publisher: BSI