ISO IEC 27002-2022 PDF

St ISO IEC 27002-2022

Name in English:
St ISO IEC 27002-2022

Name in Russian:
Ст ISO IEC 27002-2022

Description in English:

Original ISO IEC 27002-2022 standard, full version in PDF. Additional information and a preview are available on request.

Description in Russian:
Original ISO IEC 27002-2022 standard, full version in PDF. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25962

Choose Document Language:
€25

Full title and description

ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls. This third edition provides a modernized and reorganized catalogue of information security controls intended as guidance for selecting and implementing controls within an Information Security Management System (ISMS).

Abstract

ISO/IEC 27002:2022 replaces the 2013 edition and reorganizes the controls into a streamlined, attribute-driven framework. The revision reduces the number of listed controls (by consolidating and renaming) while adding new topics relevant to contemporary cybersecurity, cloud services and privacy protection. The standard is intended as a reference of best-practice controls to be used when establishing, maintaining or improving information security arrangements.

General information

  • Status: Published
  • Publication date: 2022-02 (corrected version in March 2022)
  • Publisher: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
  • ICS / categories: 35.030 (information security / IT security techniques)
  • Edition / version: Edition 3 (2022)
  • Number of pages: 152

Key bibliographic and lifecycle details above follow the official ISO bibliographic entry and published metadata.

Scope

ISO/IEC 27002:2022 provides guidance on information security controls applicable to all types and sizes of organizations. It describes a set of controls that can be selected and applied taking into account organizational needs, risk assessment results and legal or contractual requirements. The 2022 revision broadened the framing from a "code of practice" toward an explicit emphasis on information security, cybersecurity and privacy protection to better reflect current threat landscapes and privacy obligations.

Key topics and requirements

  • Control catalogue reorganized into thematic clauses (Organizational, People, Physical and Technological controls).
  • Streamlined set of controls (the 2022 edition consolidates and restructures the 2013 edition's 114 controls into a reduced set; practitioner summaries describe it as 93 controls, with several new additions and many merged or renamed items).
  • Introduction of explicit control attributes to help selection and implementation (control type, information security properties, operational capabilities, and more).
  • New and emphasized topics: threat intelligence, configuration management, information deletion, secure coding / application security, cloud and supply-chain related controls, monitoring and logging, and privacy-protecting measures.
  • Practical guidance to map controls into an ISMS context (selection based on risk assessment and organizational requirements rather than blanket application).

Summaries of the revised control set and guidance on implementing it appear in the professional guidance notes and practitioner summaries that accompanied the 2022 release.

Typical use and users

ISO/IEC 27002:2022 is used by information security managers, ISMS implementers, risk owners, security architects, privacy officers, auditors, consultants and procurement/supplier-relations teams. Typical uses include selecting and justifying security controls, aligning security practice with industry best practice, informing policy and procedure development, and mapping technical and organizational measures to risks and compliance obligations.

Related standards

Part of the ISO/IEC 27000 family; commonly referenced alongside ISO/IEC 27001 (ISMS requirements), ISO/IEC 27000 (vocabulary and overview), ISO/IEC 27005 (risk management), and other sector or topic-specific standards (for example ISO/IEC 27017, 27018, 27701). The 2022 catalogue is intended to be used as control guidance in conjunction with ISO/IEC 27001 requirements.

Keywords

information security controls, cybersecurity, privacy protection, ISMS, control catalogue, access control, incident management, secure development, supply chain security, cloud security, threat intelligence, configuration management, information deletion.

FAQ

Q: What is this standard?

A: An international guidance standard that describes information security controls and implementation guidance to support organizations in protecting information assets and addressing cybersecurity and privacy concerns.

Q: What does it cover?

A: A modernized catalogue of security controls across organizational, people, physical and technological domains, with descriptive attributes to help selection, implementation and mapping to risk and legal requirements.

Q: Who typically uses it?

A: Security and privacy professionals, ISMS implementers and maintainers, auditors, senior management making control selection decisions, and suppliers/contracting parties aligning contractual security requirements.

Q: Is it current or superseded?

A: The 2022 edition (third edition) is the current published edition; it supersedes and replaces the 2013 edition (which has been withdrawn). For bibliographic details and publication metadata refer to the official ISO entries.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family of standards and is intended to be used together with ISO/IEC 27001 and related standards for risk management, cloud controls and privacy/security governance.

Q: What are the key keywords?

A: Information security, cybersecurity, privacy protection, controls, ISMS, access control, incident response, secure development, supply chain, cloud security.