During an audit preparation workshop the question comes up: “What exactly does the auditor expect under A.5.7 Threat Intelligence?” The Annex A description in ISO 27001 is two sentences long. The detailed answer sits in ISO 27002 — three pages of implementation guidance, from source selection through analysis to operational use. Implementing ISO 27001 without ISO 27002 is like building without a blueprint.
ISO/IEC 27002:2022 is the implementation guidance for the 93 security controls listed in Annex A of ISO/IEC 27001. The standard explains the purpose, implementation and additional notes for each control. It is not separately certifiable; ISO 27002 serves as a reference for ISMS leads, auditors and consultants.
What does the standard cover?
ISO 27002:2022 documents four elements for each of the 93 controls from ISO 27001 Annex A: the control text, the purpose, the implementation guidance and other information. Each control is preceded by an attribute block with five classifications.
The four themes
- A.5 — Organisational controls (37): policies, roles, supplier relationships, incident management, classification, threat intelligence, cloud usage.
- A.6 — People controls (8): background checks, terms of employment, awareness, disciplinary process, remote working, confidentiality.
- A.7 — Physical controls (14): security perimeter, access, protection against physical threats, equipment, secure disposal, working in secure areas.
- A.8 — Technological controls (34): endpoint protection, network security, cryptography, secure development, configuration management, logging, backup, vulnerability management.
The five attributes per control
Each control carries attributes that enable analysis and filtering:
- Control type: preventive, detective or corrective
- Information security properties: confidentiality, integrity, availability
- Cybersecurity concept: Identify, Protect, Detect, Respond, Recover (aligned with NIST CSF)
- Operational capabilities: for example asset management, identity and access management, threat and vulnerability management
- Security domains: governance and ecosystem, protection, defence, resilience
New controls since 2022
Eleven controls were added with the 2022 revision because they reflect technological and operational developments:
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
Relation to ISO 27001
ISO 27002 on its own is not certifiable. An organisation can only be certified against ISO 27001. During the audit the certification body checks the Statement of Applicability against the Annex A controls from ISO 27001 — the implementation assessment, however, typically draws on the guidance in ISO 27002.
Concretely: when the auditor asks how A.8.7 (Protection against malware) is implemented, they compare the answer with the five points of implementation guidance from ISO 27002. Saying only “we have an antivirus scanner” formally meets the control but misses aspects such as awareness, prevention of unauthorised software execution or control of external media.
Mapping to other standards
| Standard | Relation to ISO 27002 |
|---|---|
| ISO/IEC 27001:2022 | ISO 27002 provides the implementation guidance for Annex A |
| ISO/IEC 27005:2022 | Complements ISO 27002 with risk management methodology |
| NIST SP 800-53 | US control catalogue with greater depth; mapping tables available |
| NIST Cybersecurity Framework | The five NIST functions (Identify through Recover) appear as the "cybersecurity concept" attribute in ISO 27002 |
| CIS Controls v8 | 18 concrete technical controls that map to individual A.8 controls |
| BSI IT-Grundschutz | Modules cover comparable topics, but in greater detail and in a more procedural style |
| C5 (BSI) | Cites ISO 27002 controls directly in the criteria catalogue |
Implementation effort
ISO 27002 itself is not “implemented” — it is read and applied. The effort arises in implementing the individual controls, documented via the Statement of Applicability under ISO 27001.
Practical use in an ISMS project:
- Build-up phase: ISO 27002 is the bible for desk work on the SoA. 30-60 minutes of reading and discussion per control, multiplied by 93 controls — realistically 50-100 hours during build-up.
- Audit preparation: for each control, compare the implementation guidance against your own practice, mark gaps, collect evidence.
- Training: excerpts from ISO 27002 work well for awareness training because the language is more practical than the Annex A text.
Related standards
- ISO/IEC 27001: the certifiable main standard whose Annex A is explained by ISO 27002.
- ISO/IEC 27005: methodological guidance for risk assessment and treatment in the ISMS.
- BSI IT-Grundschutz: German standard with greater detail per module.
- BSI C5: cloud-specific criteria that integrate ISO 27002 controls.
Sources
- ISO/IEC 27002:2022 (ISO Online Browsing Platform) — official standard information
- Beuth Verlag — German translation as DIN EN ISO/IEC 27002 (paid)
- BSI: Mapping IT-Grundschutz to ISO 27001/27002 — mapping tables