Relationship to ISO 27001
The two standards are closely linked but serve different purposes:

| | ISO 27001:2022 | ISO 27002:2022 |
|---|---|---|
| Type | Requirement specification | Implementation guidance |
| Language | “Shall” (mandatory) | “Should” (recommended) |
| Certifiable | Yes | No |
| Purpose | Define ISMS requirements | Guide control implementation |
| Annex A | References ISO 27002 controls | Is the source of Annex A |
Organisations are certified against ISO 27001, not ISO 27002. ISO 27002 is a supporting guidance document — you cannot receive ISO 27002 certification.
The 2022 restructure
ISO 27002 was significantly restructured in its 2022 edition. The previous 2013 edition had 14 control domains and 114 controls. The 2022 edition reorganized these into 4 themes and 93 controls, eliminating duplication and adding 11 new controls to address modern threats.

| Edition | Domains / Themes | Controls |
|---|---|---|
| ISO 27002:2013 | 14 domains | 114 controls |
| ISO 27002:2022 | 4 themes | 93 controls |
The four control themes
ISO 27002:2022 organizes all 93 controls into four themes. ISOwl uses the Spanish domain names in its data model:

| Theme (English) | Domain (Spanish — ISOwl) | ID range | Control count | Coverage area |
|---|---|---|---|---|
| Organizational | Organizacionales | A.5.x | 37 | Policies, roles, asset management, supplier relations, incident management, business continuity, compliance |
| People | Personas | A.6.x | 8 | Screening, terms of employment, awareness, disciplinary process, remote working |
| Physical | Físicos | A.7.x | 14 | Physical perimeters, entry controls, equipment security, clear desk, secure disposal |
| Technological | Tecnológicos | A.8.x | 34 | User endpoints, privileged access, malware protection, backup, logging, cryptography, secure coding, vulnerability management |
Organizational controls (A.5.x — 37 controls)
The largest domain covers governance and management-level controls:

- Information security policies (A.5.1)
- Information security roles and responsibilities (A.5.2)
- Threat intelligence (A.5.7) — new in 2022
- Information security in project management (A.5.8)
- Supplier relationships and cloud services (A.5.19–A.5.23)
- Information security incident management (A.5.24–A.5.28)
- Business continuity (A.5.29–A.5.30)
- Compliance with legal and regulatory requirements (A.5.31–A.5.36)
People controls (A.6.x — 8 controls)
Controls relating to individuals:

- Pre-employment screening (A.6.1)
- Terms and conditions of employment (A.6.2)
- Information security awareness and training (A.6.3)
- Disciplinary process (A.6.4)
- Remote working (A.6.7)
- Information security event reporting (A.6.8)
Physical controls (A.7.x — 14 controls)
Controls protecting physical environments:

- Physical security perimeters (A.7.1)
- Physical entry controls (A.7.2)
- Securing offices and facilities (A.7.3)
- Physical security monitoring (A.7.4)
- Protecting against environmental threats (A.7.5)
- Equipment maintenance and disposal (A.7.9–A.7.14)
Technological controls (A.8.x — 34 controls)
The second-largest domain covers technical and digital controls:

- User endpoint devices (A.8.1)
- Privileged access rights (A.8.2)
- Information access restriction (A.8.3)
- Authentication (A.8.5)
- Malware protection (A.8.7)
- Management of technical vulnerabilities (A.8.8)
- Configuration management (A.8.9)
- Information deletion and masking (A.8.10–A.8.11)
- Data leakage prevention (A.8.12)
- Backup (A.8.13)
- Redundancy (A.8.14)
- Logging and monitoring (A.8.15–A.8.16)
- Cryptography (A.8.24)
- Secure development (A.8.25–A.8.34)
Control attributes
ISO 27002:2022 introduced a structured set of attributes for each control that help organisations filter and map controls to their context:

| Attribute | Values |
|---|---|
| Control type | Preventive, Detective, Corrective |
| Information security properties | Confidentiality, Integrity, Availability |
| Cybersecurity concepts | Identify, Protect, Detect, Respond, Recover |
| Operational capabilities | Governance, Asset management, Information protection, etc. |
| Security domains | Governance and ecosystem, Protection, Defence, Resilience |
ISOwl does not currently expose control attributes as filterable fields in the UI. The `ISO_CONTROLS` data model stores id, domain, name, and description per control.

New controls in 2022
The 2022 edition introduced 11 controls that did not exist in ISO 27002:2013:

| Control | Name |
|---|---|
| A.5.7 | Threat intelligence |
| A.5.23 | Information security for use of cloud services |
| A.5.30 | ICT readiness for business continuity |
| A.7.4 | Physical security monitoring |
| A.8.9 | Configuration management |
| A.8.10 | Information deletion |
| A.8.11 | Data masking |
| A.8.12 | Data leakage prevention |
| A.8.16 | Monitoring activities |
| A.8.23 | Web filtering |
| A.8.28 | Secure coding |
ISOwl implementation
ISOwl represents all 93 ISO 27002:2022 controls in the `ISO_CONTROLS` array. Each control’s evaluation status is tracked per tenant in the Zustand store.
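The data shape described above (id, domain, name, description per control, with the Spanish domain names) and the per-tenant evaluation status are easy to get subtly wrong when the control list is maintained by hand, for example a control filed under the wrong domain, or a tenant whose status map is missing an entry. The following TypeScript is an added example, not ISOwl's own code: it models an `ISO_CONTROLS`-style array with the field names from this page, checks that every control's domain agrees with its Annex A id prefix, verifies the 37 / 8 / 14 / 34 split, and builds Statement of Applicability rows for one tenant. The sample controls, the `EvalStatus` vocabulary, and the tenant/status map layout are constructed for illustration and are not taken from ISOwl.

```typescript
// Added example (not ISOwl's own code). Field names follow the page:
// id, domain, name, description. Everything else below is constructed.

type Domain = "Organizacionales" | "Personas" | "Físicos" | "Tecnológicos";

interface IsoControl {
  id: string;          // Annex A identifier, e.g. "A.5.7"
  domain: Domain;      // Spanish domain name, as ISOwl stores it
  name: string;
  description: string;
}

// Expected id prefix -> domain mapping and control counts per theme (from the page).
const DOMAIN_BY_PREFIX: Record<string, Domain> = {
  "A.5": "Organizacionales",
  "A.6": "Personas",
  "A.7": "Físicos",
  "A.8": "Tecnológicos",
};
const EXPECTED_COUNTS: Record<Domain, number> = {
  Organizacionales: 37,
  Personas: 8,
  Físicos: 14,
  Tecnológicos: 34,
};

// Constructed sample: five controls, not the full set of 93. The last entry is
// deliberately filed under the wrong domain so the consistency check has something to find.
const SAMPLE_CONTROLS: IsoControl[] = [
  { id: "A.5.7",  domain: "Organizacionales", name: "Threat intelligence", description: "sample" },
  { id: "A.6.8",  domain: "Personas",         name: "Information security event reporting", description: "sample" },
  { id: "A.7.4",  domain: "Físicos",          name: "Physical security monitoring", description: "sample" },
  { id: "A.8.16", domain: "Tecnológicos",     name: "Monitoring activities", description: "sample" },
  { id: "A.8.28", domain: "Personas",         name: "Secure coding", description: "sample (wrong domain on purpose)" },
];

/** Theme prefix of an id: "A.8.16" -> "A.8". */
function themePrefix(id: string): string {
  return id.split(".").slice(0, 2).join(".");
}

/** Ids whose stored domain disagrees with their id prefix; an empty array means consistent. */
function findDomainMismatches(controls: IsoControl[]): string[] {
  return controls
    .filter((c) => DOMAIN_BY_PREFIX[themePrefix(c.id)] !== c.domain)
    .map((c) => c.id);
}

/** Number of controls stored under each domain. */
function countByDomain(controls: IsoControl[]): Record<Domain, number> {
  const counts: Record<Domain, number> = { Organizacionales: 0, Personas: 0, Físicos: 0, Tecnológicos: 0 };
  for (const c of controls) counts[c.domain] += 1;
  return counts;
}

/** True only when the array holds all 93 controls in the 37 / 8 / 14 / 34 split. */
function isCompleteControlSet(controls: IsoControl[]): boolean {
  const counts = countByDomain(controls);
  return (Object.keys(EXPECTED_COUNTS) as Domain[]).every((d) => counts[d] === EXPECTED_COUNTS[d]);
}

// Per-tenant evaluation status: tenant id -> control id -> status.
// The status vocabulary is an assumption for this example, not ISOwl's.
type EvalStatus = "not_evaluated" | "applicable" | "not_applicable" | "implemented";
type TenantStatusStore = Record<string, Record<string, EvalStatus>>;

interface SoaRow { id: string; name: string; status: EvalStatus }

/** SoA rows for one tenant: every control appears, defaulting to "not_evaluated" when untracked. */
function buildSoa(controls: IsoControl[], store: TenantStatusStore, tenant: string): SoaRow[] {
  const statuses = store[tenant] ?? {};
  return controls.map((c) => ({ id: c.id, name: c.name, status: statuses[c.id] ?? "not_evaluated" }));
}

// Stand-alone run against the constructed sample.
const STORE: TenantStatusStore = { "tenant-a": { "A.5.7": "implemented", "A.7.4": "not_applicable" } };
console.log("domain mismatches:", findDomainMismatches(SAMPLE_CONTROLS));
console.log("complete 93-control set:", isCompleteControlSet(SAMPLE_CONTROLS));
console.log("SoA for tenant-a:", buildSoa(SAMPLE_CONTROLS, STORE, "tenant-a"));
```

Defaulting untracked controls to "not_evaluated" rather than dropping them keeps the SoA at 93 rows for every tenant, which is what the export described below relies on; the domain check is cheap enough to run in a unit test whenever the control array is edited.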
ISO controls reference
Technical reference for the `ISO_CONTROLS` array, data shape, and domain breakdown.
Annex A module
User-facing documentation for evaluating and tracking Annex A controls.
SoA export
Export your Statement of Applicability listing all 93 controls and their status.
ISO 27001
The parent standard that references ISO 27002 controls in its Annex A.