UnixTime

Research Note

ISO 27002 Knowledge Base

ISO/IEC 27002 provides guidance for information security controls. In this KB, it supports interpretation of ISO/IEC 27001 Annex A controls, evidence expectations, implementatio...

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This is the ISO/IEC 27002 section of the vault. It answers:

What does the Annex A control mean and how can it be implemented?

ISO/IEC 27002 provides guidance for information security controls. In this KB, it supports interpretation of ISO/IEC 27001 Annex A controls, evidence expectations, implementation guidance, and exam distinction notes.

Core relationship

Standard Practical role
ISO 27001 Knowledge Base MOC States ISMS requirements and Annex A control reference
ISO 27002 Knowledge Base MOC Explains control purpose, attributes, implementation guidance, and examples
ISO 27005 Knowledge Base MOC Explains risk logic behind control selection and treatment

ISO 27002 source notes

Control themes

ISO 27002 theme Current vault coverage
Organizational controls A.5 Organizational Controls MOC
People controls Future section
Physical controls Future section
Technological controls Future section

Control interpretation workflow

For each Annex A control, maintain:

  1. ISO 27001 control reference;
  2. ISO 27002 interpretation and implementation guidance;
  3. ISO 27005 risk logic;
  4. implementer actions;
  5. auditor evidence expectations;
  6. exam traps;
  7. software-object mapping.

Research basis

ISO describes ISO/IEC 27002:2022 as a standard for information security, cybersecurity, and privacy protection controls. It is control guidance, not the certifiable ISMS requirements standard.

External references