ISO 27002
control catalogue and implementation guidance

ISO 27002 in context: the implementation companion to ISO 27001

ISO 27002 is the international standard for information security controls. The 2022 revision (ISO/IEC 27002:2022) restructured the catalogue from 14 domains and 114 controls into 4 themes and 93 controls, introduced 11 new controls, and added a five-attribute taxonomy that cross-cuts the theme structure. ISO 27002 supplies the implementation guidance, purpose statements, and worked detail behind each control; it does not certify and is not normative on its own.

The relationship most teams need to keep clear is the split between ISO 27001 and ISO 27002. The ISO 27001 framework page covers the management system standard: the requirements an organisation meets to certify its ISMS. ISO 27001:2022 Annex A states the 93 controls in single sentences and is the certifiable obligation. ISO 27002:2022 carries the same 93 controls and adds the implementation guidance. The Statement of Applicability cites ISO 27001; the implementation evidence is grounded against ISO 27002. Treating one as a substitute for the other is the root cause of most early-stage SoA failures.

The four themes at a glance

ISO 27002:2022 organises the 93 controls into four themes. The themes are not a domain hierarchy in the 2013 sense; they are a top-level grouping that lets a reader navigate the catalogue without flattening the cross-cutting attributes underneath. The number of controls per theme is intentional rather than incidental: organisational controls dominate because most security work is governance work, technological controls run a close second because most evidence work is engineering work.

The five attribute axes

The 2022 revision introduced a hashtag-style attribute set that runs across all 93 controls. Each control carries values on five axes, which lets a team navigate the catalogue from any of those angles without restructuring it. Attributes complement the four themes; they do not replace them. The attribute set is one of the most useful additions in the 2022 revision because it lets a CISO or compliance lead pull a coherent slice of the catalogue without rewriting the controls.

The attribute most often misused is “cybersecurity concepts” because its values map to the NIST CSF functions. The right reading is that the attribute provides a cross-walk to NIST CSF, not that ISO 27002 inherits NIST CSF semantics. For organisations running both, the NIST Cybersecurity Framework page covers the underlying NIST function model and the NIST 800-53 framework page covers the federal control catalogue many organisations align to alongside ISO 27002.

Eleven new controls in ISO 27002:2022

The 2022 revision did not relax obligations; it codified work that the 2013 version addressed obliquely or distributed across multiple older controls. The eleven new controls below are the ones an existing ISMS most often needs to add evidence for during the migration to the 2022 standard.

Several of the new controls land squarely in penetration testing scope. Configuration management (8.9), monitoring activities (8.16), and secure coding (8.28) are evidenced by engagement output that a security testing programme already produces. The discipline is linking that output to the specific control identifier rather than letting the evidence float in a separate document. For technical vulnerability management (8.8), the remediation tracking workflow carries the closure evidence the audit asks for.

Mapping ISO 27002 to ISO 27001 Annex A

Practical implication: the Statement of Applicability is structured around ISO 27001 Annex A control identifiers, and the implementation evidence is structured around the corresponding ISO 27002 guidance per control. Teams that built their SoA against ISO 27001:2013 carry old domain numbers and need an explicit migration step before the next surveillance audit. The ISO 27001 audit checklist covers the upstream surveillance and recertification rhythm that consumes the SoA and the per-control evidence. For organisations that operate cloud workloads in the certification scope, the ISO 27017 framework page covers the cloud-specific extension that adds seven CLD controls and per-control cloud guidance on top of the ISO 27002 catalogue. Where the cloud workload processes personal data on behalf of customers, the ISO 27018 framework page covers the public cloud PII processor obligations that layer on top of ISO 27017 and ISO 27002.

Building the per-control evidence base

Audit findings against ISO 27001 most often centre on evidence rather than on control intent. The control is in the SoA, the policy is written, and the team can describe what the control does, but the artefact a certification body asks for is missing or stale. The evidence model below is what survives surveillance review.

For pentest and vulnerability evidence specifically, the discipline is anchoring each finding to the controls it bears on. A SQL injection finding evidences technical vulnerability management (8.8), secure coding (8.28), and access control (5.15 to 5.18) depending on the failure mode. The SQL injection guide and the broken access control guide cover the technical context behind those findings, and the pentest evidence management workflow covers the durability discipline that keeps the linked evidence intact across engagements.

How SecPortal aligns to ISO 27002 implementation work

SecPortal is the workspace that holds the engagement, the findings record, and the audit trail that the SoA implementation evidence references. The platform does not certify the ISMS and is not a substitute for the certification body audit, but it does hold the work the implementation team relies on when building and maintaining the per-control evidence base.

For the technological controls (Theme 8), the platform is most directly load-bearing. Findings link to specific control identifiers, scanner output is preserved at import, and the activity trail records every status change without manual tracking. The scanner output deduplication guide covers how to preserve evidence quality when scanner findings feed into control evidence, and the false positives guide covers the validation discipline that protects the per-control evidence chain.

Common implementation mistakes

The mistakes below recur across organisations migrating from ISO 27002:2013 to the 2022 revision and across organisations implementing ISO 27001 for the first time. Each one is recoverable with a documented correction; each one is hard to recover when discovered at the certification body audit.

Where ISO 27002 sits alongside other frameworks

Most organisations running ISO 27001 also run at least one other compliance regime, and the controls overlap heavily because the underlying obligations are similar. The page cross-walks below cover the most common parallel regimes that organisations layer on top of an ISO 27002 implementation.

Scope and limitations

ISO/IEC 27002:2022 is published by the International Organization for Standardization and the International Electrotechnical Commission. SecPortal is the workspace that holds the engagement, the findings, the evidence, and the audit trail; certification under ISO 27001 remains the registrant is responsibility, carried out through an accredited certification body. This page describes the structure of the standard and how a workspace-driven programme plays against the implementation guidance; the authoritative reference for the obligations remains the published standard text and any subsequent ISO and IEC revisions.

Nothing on this page is legal or audit advice. ISO 27001 certification decisions require the involvement of the organisation is information security leadership, internal audit, and the chosen certification body. The platform supports the underlying work record those roles rely on; it does not substitute for the certification body audit that determines whether the ISMS meets the standard.