International Standard
ISO/IEC 27002:2022
Information security, cybersecurity and privacy protection — Information security controls
Reference number
ISO/IEC 27002:2022
Edition 3
Published (Edition 3, 2022)
What is ISO/IEC 27002?

ISO/IEC 27002 is an international standard that provides guidance for organizations looking to establish, implement, and improve an Information Security Management System (ISMS) focused on cybersecurity. While ISO/IEC 27001 outlines the requirements for an ISMS, ISO/IEC 27002 offers best practices and control objectives related to key cybersecurity aspects including access control, cryptography, human resource security, and incident response. The standard serves as a practical blueprint for organizations aiming to effectively safeguard their information assets against cyber threats. By following ISO/IEC 27002 guidelines, companies can take a proactive approach to cybersecurity risk management and protect critical information from unauthorized access and loss.

Why is ISO/IEC 27002 important?

The rapidly evolving digital landscape has ushered in unprecedented opportunities for businesses, but it has also introduced a myriad of vulnerabilities and threats. ISO/IEC 27002 emerges as a crucial tool in this context, assisting organizations in navigating the intricate web of information security challenges. It equips businesses with a tried and tested framework of best practices, ensuring they not only protect their sensitive data but also foster trust among stakeholders, clients, and partners. Implementing the controls and guidelines of ISO/IEC 27002 signifies a proactive approach to information security, minimizing the risks of data breaches, unauthorized access, and potential financial and reputational damages.




  • Comprehensive Security Framework: Provides a detailed set of guidelines and best practices covering various dimensions of information security.
  • Risk Management: Enables organizations to identify, assess, and effectively manage information security risks.
  • Enhanced Stakeholder Trust: Demonstrates a commitment to safeguarding sensitive data, bolstering the organization's credibility.
  • Regulatory Compliance: Assists in adhering to various legal, contractual, and regulatory data protection mandates.
  • Operational Resilience: Reduces the likelihood of security incidents that can disrupt business operations.
  • Competitive Advantage: In a data-driven marketplace, having a robust information security posture can differentiate an organization from its competitors.

Any organization, irrespective of size or industry, that aims to bolster its information security framework, particularly those that have or are pursuing ISO/IEC 27001 certification.

While ISO/IEC 27001 specifies the requirements for establishing an ISMS, ISO/IEC 27002 provides the detailed best practices and controls that can be applied within the ISMS.

No, ISO/IEC 27002 provides best practice recommendations and cannot be certified to. Organizations can, however, get certified to ISO/IEC 27001, which references ISO/IEC 27002 guidance.

Yes, the standard encompasses a broad range of information security topics, including those related to cybersecurity threats and vulnerabilities.

General information

  • Status: Published
  • Publication date: 2022-02
  • Corrected version: 2022-03
  • Stage: International Standard published [60.60]
  • Edition: 3
  • Number of pages: 152
  • Technical committee: ISO/IEC JTC 1/SC 27
