INTERNATIONAL · ISO/IEC 27002:2022

ISO 27002, the implementation guidance behind every Annex A control.

27001 names the controls. 27002 tells you how to build them — purpose, guidance, and context for all 93. Cybereen embeds the 27002:2022 text against every control, so the "how" is one click from the "what".

At a glance
  • Owner · ISO + IEC (Geneva)
  • Version · 27002:2022
  • Structure · 93 controls · 4 themes · 5 attributes
  • Relationship · Companion to 27001 (not certifiable)
  • Cybereen status · Embedded against every control
WHAT IT IS

The "how" — not the "whether".

ISO/IEC 27002:2022 is the reference catalogue of information security controls (the 2013 edition called itself a "code of practice"; the 2022 title dropped that phrase, but the role is unchanged). Where ISO 27001 Annex A lists each control as a single line, 27002 gives it a purpose, detailed implementation guidance, and an "other information" note for context.

You don't certify against 27002 — it isn't an auditable management system. You implement with it. It's the reference your engineers, HR leads, and facilities team actually read when they build a control, and the source your Statement of Applicability justifications lean on.

The 2022 revision was a structural reset: 114 controls collapsed into 93, regrouped from 14 domains into four themes, with 11 new controls reflecting cloud, privacy, and modern threats — plus a new five-attribute taxonomy so you can slice the catalogue by control type, CIA property, or cybersecurity concept.

The honest version: 27002 is 150-plus pages of guidance. The trap is treating it as a document to file once and forget. Cybereen surfaces the relevant 27002 text inline against each control you're implementing — no separate PDF, no copy-paste drift.
ANATOMY OF A CONTROL

Every 27002 entry, in four parts: control, purpose, guidance, attributes. Cybereen keeps all four together.

The 2022 revision gave each control a consistent layout: an attribute table, the control statement, its purpose, the guidance, and an optional "other information" note. Read it once and every control reads the same way, and so does Cybereen's control detail view.

CONTROL

What to put in place.

The control statement itself — the measure you implement. The same wording you'll cite in your Annex A Statement of Applicability.

  • One-line control text
  • Maps to a 27001 Annex A ref
  • Include / exclude decision
PURPOSE

Why it exists.

The short rationale for the control: what risk it addresses and what it is meant to achieve. This is the text your Statement of Applicability justification draws on when you mark a control applicable.

  • One-paragraph purpose statement
  • Source for the SoA justification
  • Shown beside the control in Cybereen
GUIDANCE

How to implement it.

The detailed "how" — the bulk of 27002. Step-by-step implementation advice your team works from, not a one-liner.

  • Implementation detail
  • Policy + config pointers
  • What evidence to keep
ATTRIBUTES

How to slice it.

Five tags per control — type, CIA property, cyber concept, operational capability, security domain — so you can build filtered views and cross-walks.

  • Preventive / detective / corrective
  • Maps to NIST CSF functions
  • Filterable in Cybereen
THE CATALOGUE · 2022

93 controls. Four themes. Guidance on every one.

27002 shares 27001's four-theme structure exactly — so the guidance lines up one-to-one with your Annex A. Cybereen carries the 27002 text against each control, with its purpose and attributes.

Clause 5 · Organisational controls

Policies, roles, supplier and cloud security, threat intelligence, asset management. The "who-decides-what" layer — and the largest theme.

37 controls · SoA-heavy

Clause 6 · People controls

Screening, terms of employment, awareness, remote working, disciplinary process. Pre-, during-, and post-employment.

8 controls · HR-owned

Clause 7 · Physical controls

Secure areas, equipment, physical-security monitoring, clear desk/screen, supporting utilities. The doors, locks, and cameras.

14 controls · Facilities-owned

Clause 8 · Technological controls

Access management, cryptography, secure development, network security, logging, data masking, DLP, web filtering. The deepest theme.

34 controls · IT/Sec-owned
New in 2022: four of the eleven additions. The other seven are 5.30 ICT readiness for business continuity, 7.4 physical security monitoring, 8.9 configuration management, 8.10 information deletion, 8.12 data leakage prevention, 8.16 monitoring activities, and 8.23 web filtering.
5.7 · Threat intelligence

Collect and analyse threat information systematically, and feed it into your risk reviews.

Evidence · Quarterly digest

5.23 · Cloud services security

Acquire, use, and exit cloud services securely — shared-responsibility and exit plans documented.

Evidence · Cloud usage policy

8.11 · Data masking

Mask, pseudonymise, or anonymise data to limit exposure — especially in non-production environments.

Evidence · Masking ruleset
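What a "masking ruleset" for 8.11 looks like in practice, as an added example (not Cybereen's code and not text from the standard): keyed pseudonymisation for join columns, format-preserving display masks for e-mail and card numbers, and a deny-by-default column allowlist so new production columns cannot leak into the non-prod copy. The key constant, column names and sample rows are constructed for the example; in a real pipeline the key comes from a secrets manager and never ships with the masked dataset.

```python
"""Non-production data masking: keyed pseudonymisation plus display masks."""
import hashlib
import hmac
import re
from typing import Any, Callable, Dict, List, Tuple

# Assumed environment secret (constructed value for this example). Keep it out
# of the non-prod copy: anyone holding it can re-link pseudonyms to inputs.
PSEUDONYM_KEY = b"non-prod-masking-key-2024-q3"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the normalised value.

    Same input + same key -> same token, so customer_id still joins orders to
    customers after masking. Keying is the point: a plain SHA-256 of a
    low-entropy field (e-mail, national ID) is reversed by hashing the
    candidate space; the HMAC cannot be reversed without the key.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain, star out the rest."""
    local, at, domain = email.partition("@")
    if not at or not local or not domain:
        return "***"
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_card(pan: str) -> str:
    """Keep only the last four digits, as a receipt would."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


ACTIONS: Dict[str, Callable[[Any], Any]] = {
    "pseudonymise": pseudonymise,
    "mask_email": mask_email,
    "mask_card": mask_card,
    "keep": lambda v: v,
}

# Ruleset per table (assumed column names). Deny-by-default: a column not
# listed here is dropped, so a free-text "notes" column never reaches non-prod.
CUSTOMER_RULES = {"customer_id": "pseudonymise", "name": "pseudonymise",
                  "email": "mask_email", "card": "mask_card"}
ORDER_RULES = {"order_id": "keep", "customer_id": "pseudonymise", "amount": "keep"}


def apply_ruleset(record: Dict[str, Any], rules: Dict[str, str]) -> Dict[str, Any]:
    out: Dict[str, Any] = {}
    for column, value in record.items():
        action = rules.get(column)
        if action is None:
            continue  # unlisted column: dropped, not copied
        out[column] = ACTIONS[action](value) if value is not None else None
    return out


# Constructed sample rows standing in for a production extract.
CUSTOMERS: List[Dict[str, Any]] = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.org",
     "card": "4111 1111 1111 1111", "notes": "Complained about billing on 3 May"},
    {"customer_id": "C-1002", "name": "Bea Sample", "email": "bea.s@example.net",
     "card": "5500 0000 0000 0004", "notes": None},
]
ORDERS: List[Dict[str, Any]] = [
    {"order_id": "O-1", "customer_id": "C-1001", "amount": 42.0},
    {"order_id": "O-2", "customer_id": "c-1001", "amount": 7.5},  # case drift in source
    {"order_id": "O-3", "customer_id": "C-1002", "amount": 99.0},
]


def mask_tables() -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Produce the non-prod copy of both tables under the ruleset."""
    return ([apply_ruleset(r, CUSTOMER_RULES) for r in CUSTOMERS],
            [apply_ruleset(r, ORDER_RULES) for r in ORDERS])


def join_preserved() -> bool:
    """True if every masked order still points at a masked customer."""
    customers, orders = mask_tables()
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


if __name__ == "__main__":
    masked_customers, masked_orders = mask_tables()
    for row in masked_customers + masked_orders:
        print(row)
    print("join preserved:", join_preserved())
```

Two caveats worth keeping next to the ruleset: pseudonymised data is still personal data under GDPR (the key re-links it), so the non-prod environment still needs access control and retention rules; and the key must be rotated per environment or refresh, otherwise a token leaked from one masked copy identifies the same person in every later copy.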
8.28 · Secure coding

Build-time guardrails — code review, SAST, dependency hygiene — evidenced from your CI pipeline.

Evidence · CI export

What Cybereen records per control:
  • Control + purpose — cited in your Statement of Applicability
  • Evidence — collected per control, dated, audit-trailed
  • 27002:2022 guidance — embedded inline against the control
INSIDE CYBEREEN

Guidance, inline. Against every control.

Open any Annex A control and the 27002:2022 purpose and guidance are right there — no second tab, no out-of-date PDF. Your SoA justification writes itself from the purpose text.

  • Guidance text embedded — the 27002 "how" sits against the matching 27001 control.
  • Purpose → SoA — the control's purpose pre-fills your Statement of Applicability justification.
  • Five-attribute filters — slice the catalogue by control type, CIA, or cyber concept.
  • 2013 → 2022 mapping — see merged, retired, and new controls side by side.
  • One source of truth — update guidance once; every framework that reuses the control sees it.
[Screenshot: Cybereen control detail for A.8.28, showing the ISO 27002:2022 purpose and guidance text embedded against the Annex A control, with attributes and evidence]
COMMON MISTAKES

Three ways teams misuse 27002.

Patterns Cybereen sees when 27002 is treated as a document instead of a working reference.

Mistake 01

Trying to "certify against 27002".

You can't. 27002 is guidance, not a management system — there's no certificate. You certify against 27001 and implement with 27002. Procurement teams that ask for an "ISO 27002 certificate" mean 27001.

Fix: Certify 27001; cite 27002 as your implementation basis.
Mistake 02

Pasting guidance into policy verbatim.

27002's text is generic by design. Copying it word-for-word produces policies that don't match how your organisation actually works — and auditors notice immediately.

Fix: Adapt the guidance to your context; keep the reference linked.
Mistake 03

Ignoring the 2022 attributes.

The five attributes aren't decoration — they're how you build cross-walks to NIST CSF, prioritise by control type, and report by security domain. Skipping them means rebuilding those views by hand.

Fix: Use Cybereen's attribute filters instead of spreadsheets.
ISO 27002 FAQ

27002 vs 27001, and what changed in 2022.

If yours isn't here, the contact form has a free-text field — answers go in the next page revision.

What's the difference between ISO 27001 and 27002?
27001 is the certifiable standard — the management-system requirements (clauses 4–10) plus Annex A, which lists the 93 controls as one-liners. 27002 is the companion catalogue: the detailed purpose and implementation guidance behind each of those same controls. You certify against 27001; you build with 27002.
Do we need both?
To certify you need 27001; that is the standard the audit is against. 27002 isn't mandatory, but in practice your team needs it: Annex A's one-liners aren't enough to actually implement a control. Cybereen embeds the 27002:2022 guidance against every control, so you don't need to buy and circulate a separate copy.
What changed in the 2022 revision?
Three big things: controls were consolidated from 114 to 93; the 14 old domains became four themes (organisational, people, physical, technological); and 11 new controls were added — including cloud services security, threat intelligence, data masking, and secure coding. Each control also gained five attributes for filtering. Cybereen runs the 2013→2022 mapping automatically.
What are the five attributes for?
Each control is tagged by control type (preventive/detective/corrective), information security properties (CIA), cybersecurity concepts (identify/protect/detect/respond/recover, the NIST CSF 1.1 functions; CSF 2.0's added Govern function has no 27002 tag, so a CSF 2.0 cross-walk needs one extra mapping step), operational capabilities, and security domains. They let you build filtered views and cross-framework mappings without a spreadsheet — Cybereen exposes them as filters.
How does Cybereen use 27002?
The 27002:2022 purpose and guidance text sits inline against the matching Annex A control. When you mark a control applicable, its purpose pre-fills your SoA justification; when you implement it, the guidance is right there. Update it once and every framework that reuses the control — SOC 2, Essential Eight, NIST CSF — inherits the change.

See the 27002 guidance against your own controls.

Open a control, read the purpose and guidance, generate the SoA line — without a 150-page PDF on the side. Book a walk-through and we'll show you on your frameworks.
