ISO 27002 Annex A Control Interpretation Map
This map separates the ISO/IEC 27002 interpretation layer from the ISO/IEC 27001 requirement layer.
ISO27002 domain with 157 resources grouped for implementation and audit work.
Domain guide
Control-by-control implementation meaning across organizational, people, and physical control families.
Guide + resources
Implementation context, reference notes, and explanatory material.
This map separates the ISO/IEC 27002 interpretation layer from the ISO/IEC 27001 requirement layer.
This note explains how ISO/IEC 27002 control attributes should be used in this KB.
ISO/IEC 27002 provides guidance for information security controls. In this KB, it supports interpretation of ISO/IEC 27001 Annex A controls, evidence expectations, implementatio...
Control-level notes and control-domain references.
Organizational controls establish governance, accountability, policy, process, and oversight for the ISMS.
Research note.
A.5 is mostly governance and organizational control design. A.6 is about personnel trust and behavior. In an audit, A.6 evidence usually comes from HR, recruitment, line managem...
A.5 defines organizational governance and A.6 defines people behavior and personnel lifecycle controls. A.7 tests whether the physical environment supports those decisions. The...
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant...
People must know how they are allowed to use organizational information and assets, and how they must handle information based on sensitivity and classification.
When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or s...
Information must be grouped by protection need so people know how carefully to handle it.
If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.
The organization must define how information can be transferred safely, both internally and externally.
The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.
Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.
The organization must control how secret authentication information is issued, changed, protected, reset, and handled.
Access rights must be granted, changed, reviewed, and removed through a controlled process.
The organization must manage information security risks created by suppliers, supplier products, and supplier services.
Information security roles and responsibilities must be defined and allocated according to organizational needs.
The organization must put the right security requirements into supplier contracts or agreements before the supplier receives access to information, systems, facilities, or servi...
The organization must manage security risks that come through ICT suppliers and the suppliers behind those suppliers.
Supplier security does not end when the contract is signed. The organization must keep checking whether the supplier is delivering the agreed service securely, whether controls...
Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services...
The organization must prepare before incidents happen. It needs defined and communicated incident management processes, roles, responsibilities, escalation paths, and recovery c...
The organization must review reported security events and make a clear, recorded decision: is this just an event, or is it an information security incident that needs formal res...
Once an event is categorized as an incident, the organization must respond using documented procedures rather than improvising.
The organization must turn incident experience into better controls, procedures, awareness, risk treatment, and response capability.
The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.
The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.
No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.
The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.
The organization must know which legal, statutory, regulatory, and contractual information security requirements apply, document them, keep them current, and define how it will...
The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trade...
The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released w...
The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then...
The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.
The organization must regularly check whether people, processes, and systems comply with its information security policies, rules, standards, and technical implementation requir...
The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.
Management must require all personnel to apply information security in accordance with the organization's information security policy, topic-specific policies, and procedures.
The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory reques...
The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated...
The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.
Projects must handle information security from the start, not as a late review before go-live.
The organization must know what information and related assets it has, where they are, who owns them, how important they are, and how they are protected.
The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or re...
People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security...
People need to know how to behave securely in their actual role. Everyone needs baseline awareness, but people with specific responsibilities need deeper training that matches t...
The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and mana...
When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duti...
The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally u...
When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices...
People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people...
The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area,...
The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carr...
Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and bu...
Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they...
Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep m...
Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no lon...
If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are...
The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.
The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of...
The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threa...
The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cov...
People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, al...
The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.
The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.
Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they can cause outages, interference, safety issues, interception, or tampering.
Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep maintenance and fault records, and protect confidential information during maintenance.
Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no longer recoverable.
Query-first control card for A.8.1 User End Point Devices. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.10 Information Deletion. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.11 Data Masking. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.12 Data Leakage Prevention. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.13 Information Backup. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.14 Redundancy of Information Processing Facilities. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.15 Logging. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.16 Monitoring Activities. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.19 Installation of Software on Operational Systems. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.2 Privileged Access Rights. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.20 Networks Security. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.21 Security of Network Services. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.22 Segregation of Networks. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.23 Web Filtering. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.24 Use of Cryptography. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.25 Secure Development Life Cycle. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.26 Application Security Requirements. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.27 Secure System Architecture and Engineering Principles. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.28 Secure Coding. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.29 Security Testing in Development and Acceptance. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.3 Information Access Restriction. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.30 Outsourced Development. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.31 Separation of Development Test and Production Environments. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.32 Change Management. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.33 Test Information. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.34 Protection of Information Systems During Audit Testing. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.4 Access to Source Code. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.5 Secure Authentication. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.6 Capacity Management. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.7 Protection Against Malware. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.8 Management of Technical Vulnerabilities. Use the linked detailed note for mentor-style implementation and audit guidance.
Query-first control card for A.8.9 Configuration Management. Use the linked detailed note for mentor-style implementation and audit guidance.
The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carriers such as USB drives, backup tapes, disks, removable drives, CDs/DVDs, printed records, and other portable media.
Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and building management systems can all affect availability.
The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.
The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.
The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or receive access.
People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security responsibility addenda should clearly state what personnel must do to protect information and what the organization is responsible for.
People need to know how to behave securely in their actual role. Everyone needs baseline awareness, but people with specific responsibilities need deeper training that matches their work, systems, information access, and security duties.
The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and managers should know how to trigger the process fairly and consistently.
When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duties, such as confidentiality, may continue after the relationship ends.
The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally usable, review them regularly, and make sure the right parties sign them before receiving confidential information.
When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices, shared workspaces, and other remote locations.
People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people do not hide mistakes.
The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area, reception barrier, secure office, server room, records archive, or customer-specific zone.
If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are controlled, and how access records are reviewed.
The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.
The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of both.
The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threats from neighboring premises.
The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cover what people may know, bring in, take out, record, discuss, supervise, and modify while inside the secure area.
People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, alter, or discard them.
The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released without authorization.
The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then implement controls to meet those requirements.
The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.
The organization must regularly check whether people, processes, and systems comply with its information security policies, rules, standards, and technical implementation requirements.
The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.
Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services in line with its security requirements.
The organization must prepare before incidents happen. It needs defined and communicated incident management processes, roles, responsibilities, escalation paths, and recovery coordination.
The organization must review reported security events and make a clear, recorded decision: is this just an event, or is it an information security incident that needs formal response?
Once an event is categorized as an incident, the organization must respond using documented procedures rather than improvising.
The organization must turn incident experience into better controls, procedures, awareness, risk treatment, and response capability.
The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.
The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.
The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.
The organization must know which legal, statutory, regulatory, and contractual information security requirements apply, document them, keep them current, and define how it will meet them.
The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trademarks, patents, subscription content, and AI-generated or AI-assisted material.
The organization needs a formal information security policy structure, not random documents sitting in a shared folder.
People must know how they are allowed to use organizational information and assets, and how they must handle information based on sensitivity and classification.
When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or securely removed.
Information must be grouped by protection need so people know how carefully to handle it.
If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.
The organization must define how information can be transferred safely, both internally and externally.
The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.
Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.
The organization must control how secret authentication information is issued, changed, protected, reset, and handled.
Access rights must be granted, changed, reviewed, and removed through a controlled process.
The organization must manage information security risks created by suppliers, supplier products, and supplier services.
People must know what they are responsible for, and the organization must be able to prove those responsibilities were assigned, communicated, accepted, and kept current.
The organization must put the right security requirements into supplier contracts or agreements before the supplier receives access to information, systems, facilities, or services.
The organization must manage security risks that come through ICT suppliers and the suppliers behind those suppliers.
Supplier security does not end when the contract is signed. The organization must keep checking whether the supplier is delivering the agreed service securely, whether controls still work, and whether supplier changes create new risk.
No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.
Managers must actively ensure that people follow information security requirements.
The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory request, or emergency happens.
The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated training.
The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.
Projects must handle information security from the start, not as a late review before go-live.
The organization must know what information and related assets it has, where they are, who owns them, how important they are, and how they are protected.
Link to this domain with /research/iso27002/control-interpretation/ . Link directly to exact notes from any resource card above.