Sunday, November 23, 2025

Operationalizing Information Security Controls: A Comprehensive Guide to Practical Implementation of ISO/IEC 27002:2022

 




Executive Introduction: The Strategic Role of ISO 27002 in Modern Governance


In the contemporary landscape of digital governance, information security has transcended its traditional role as a technical support function to become a central pillar of enterprise risk management. At the heart of this transformation lies the relationship between management standards and implementation guidance. While ISO/IEC 27001 serves as the normative standard defining the requirements for an Information Security Management System (ISMS), it is ISO/IEC 27002 that provides the granular, actionable guidance necessary to operationalize these requirements. The release of ISO/IEC 27002:2022 marks a significant paradigm shift in this domain, representing not merely a routine update but a fundamental restructuring of how security controls are conceptualized, categorized, and implemented.1

The 2022 revision addresses the evolving threat landscape by introducing critical modern controls such as threat intelligence, cloud security, and data leakage prevention, while simultaneously reorganizing the control taxonomy from fourteen IT-centric domains into four holistic themes: Organizational, People, Physical, and Technological.3 This shift reflects a recognition that effective security is cross-functional, requiring the synchronized effort of human resources, facilities management, legal departments, and IT operations. Furthermore, the introduction of the "Attribute" system allows organizations to create dynamic, multi-dimensional views of their security posture, bridging the gap between technical controls and business objectives.5

This comprehensive report provides an exhaustive analysis of the practical application of ISO 27002:2022. It dissects the structural evolution of the standard, provides detailed implementation roadmaps for high-priority controls, and elucidates the strategic use of attributes for governance reporting. By integrating insights from risk management frameworks (ISO 27005) and compliance documentation (Statement of Applicability), this document serves as a definitive guide for practitioners seeking to transition from theoretical compliance to robust, defensible security operations.


Part I: The Structural Evolution and Thematic Architecture


To practically utilize ISO 27002, one must first navigate its architectural transformation. The transition from the 2013 version to the 2022 version is not merely cosmetic; it reflects a deeper philosophical change in information security management, moving away from siloed domains toward integrated themes that mirror modern organizational structures.


1.1 The Shift from Domains to Themes


The previous iteration, ISO 27002:2013, organized 114 controls into 14 domains (e.g., Cryptography, Access Control, Human Resources Security). This structure suited a traditional IT department, but it created friction when responsibilities had to be assigned across the wider organization: requirements relevant to legal and procurement teams were spread across several domains (Supplier Relationships, Compliance, Human Resource Security), with no single view of what those teams owned.

The 2022 revision radically consolidates these into 93 controls organized under four distinct themes. This thematic restructuring facilitates a more intuitive assignment of ownership and accountability:

Table 1: The Four Themes of ISO 27002:2022

Theme

Control Count

Primary Focus

Organizational Stakeholders

Organizational

37

Rules, policies, governance structures, and administrative frameworks.

Senior Leadership, Legal, Compliance, Risk Management, Procurement.

People

8

Human-centric risks, behaviors, training, and personnel lifecycles.

Human Resources, Learning & Development, Legal.

Physical

14

Protection of tangible assets, facilities, and environmental security.

Facilities Management, Physical Security, Health & Safety.

Technological

34

Logical and technical safeguards, IT operations, and cybersecurity defenses.

CIO, CISO, IT Operations, DevOps, Engineering.

Source: 3


1.1.1 Organizational Controls


The 37 Organizational controls serve as the "nervous system" of the ISMS. They address the structural aspects of security, including policies, return of assets, and supplier relationships. Practical implementation here involves defining the "rules of the game." For example, Control 5.7 (Threat Intelligence) and Control 5.23 (Cloud Services) fall under this theme, emphasizing that these are not just technical tasks but strategic organizational capabilities.3


1.1.2 People Controls


The 8 People controls focus on the human element, addressing risks associated with employees, contractors, and remote workers. These controls act as the "immune system" of the organization, ensuring that personnel are vetted, trained, and held accountable. Implementation requires close collaboration with HR to embed security checks into the hiring, onboarding, and offboarding processes.3


1.1.3 Physical Controls


The 14 Physical controls cover the tangible assets and environments. In an era of cloud computing, physical security remains critical for securing the endpoints (laptops, mobiles) and the offices where sensitive conversations occur. Facilities management teams utilize these controls to secure perimeters and prevent unauthorized physical access.3


1.1.4 Technological Controls


The 34 Technological controls remain the domain of IT and engineering, covering the logical safeguards such as encryption, malware protection, and vulnerability management. This theme has seen significant modernization, with new controls for Secure Coding (8.28) and Data Leakage Prevention (8.12) addressing the realities of modern software development and data mobility.3


1.2 The Reduction and Consolidation of Controls


The reduction from 114 to 93 controls does not imply a lowering of standards. Rather, it indicates a streamlining of redundant or overlapping guidance. Fifty-seven previous controls were merged into 24 broad controls, and one control was split. Crucially, 11 new controls were added to address modern technological realities.2

Table 2: The 11 New Controls in ISO 27002:2022

Control ID

Control Name

Theme

Context & Driver

5.7

Threat intelligence

Organizational

Proactive defense; moving beyond reactive logging.

5.23

Information security for use of cloud services

Organizational

Ubiquity of SaaS/IaaS and shared responsibility models.

5.30

ICT readiness for business continuity

Organizational

Resilience; ensuring systems recover after disasters.

7.4

Physical security monitoring

Physical

Convergence of physical and logical logs.

8.9

Configuration management

Technological

Preventing drift and hardening systems.

8.10

Information deletion

Technological

GDPR/Privacy compliance; "Right to be Forgotten".

8.11

Data masking

Technological

Privacy; protecting PII in non-production environments.

8.12

Data leakage prevention

Technological

Preventing exfiltration of sensitive data.

8.16

Monitoring activities

Technological

Enhanced anomaly detection.

8.23

Web filtering

Technological

Preventing access to malicious domains.

8.28

Secure coding

Technological

DevSecOps; shifting security left in the SDLC.

Source: 2

The practical implication of this consolidation is that a single control in the 2022 standard often requires a multi-faceted implementation strategy. For example, a merged control might now encompass both the policy aspect (Organizational) and the technical enforcement aspect (Technological), requiring coordination between Governance and IT teams.


1.3 The Symbiotic Relationship with ISO 27001


It is vital to maintain the distinction that ISO 27001 is the management standard containing the requirements (Clauses 4-10) and the list of controls (Annex A), while ISO 27002 is the guidance standard. ISO 27001 tells an organization what to do (e.g., "manage access rights"), while ISO 27002 explains how to do it (e.g., "implement a formal user registration and de-registration process").1

Practitioners should use ISO 27001 to determine the necessity of a control based on risk assessment, and ISO 27002 to design the control's implementation details. The two standards work in tandem: 27001 provides the skeleton (the ISMS structure), and 27002 provides the muscle (the control capabilities).2 While an organization cannot be certified against ISO 27002, using its guidance is the most direct path to satisfying the certification requirements of ISO 27001.10


Part II: Mastering the Attribute System for Governance


Perhaps the most significant innovation in ISO 27002:2022 for practical usage is the introduction of Attributes. These attributes are a tagging system that allows organizations to create different "views" of their control set, catering to different audiences and reporting requirements. This transforms the standard from a static list into a multi-dimensional database.5


2.1 The Five Attribute Categories


Each control in ISO 27002 is now tagged with values from five specific attribute categories. Understanding and utilizing these is essential for modern governance, dashboarding, and stakeholder communication.


2.1.1 Control Types


This attribute classifies controls based on when they act relative to a risk event.

  • #Preventive: Measures that stop a threat from occurring (e.g., biometrics, encryption).

  • #Detective: Measures that identify when a threat has occurred (e.g., SIEM logs, intrusion detection).

  • #Corrective: Measures that resolve the issue after detection (e.g., backups, incident response).6

Practical Application: A CISO can filter controls by these tags to assess defense-in-depth. If a gap analysis reveals that 90% of implemented controls are #Preventive and only 10% are #Detective, the organization may be vulnerable to "dwelling" threats that bypass the perimeter and remain unnoticed. A balanced portfolio is essential.6


2.1.2 Information Security Properties


This attribute aligns controls with the fundamental CIA Triad.

  • #Confidentiality

  • #Integrity

  • #Availability.6

Practical Application: During the risk assessment (ISO 27005), if a specific asset (e.g., a public-facing e-commerce server) has a critical "Availability" requirement but low "Confidentiality" requirement, the practitioner can filter ISO 27002 for all controls tagged #Availability to ensure all relevant safeguards (redundancy, DDoS protection) are considered.12


2.1.3 Cybersecurity Concepts


This attribute aligns ISO 27002 with the ISO/IEC TS 27110 framework and the NIST Cybersecurity Framework (CSF).

  • #Identify

  • #Protect

  • #Detect

  • #Respond

  • #Recover.1

Practical Application: This is critical for organizations that also report against the NIST CSF, whether because a regulator, customer or parent company expects it or because the Board is already familiar with the five functions. It allows a direct mapping between the ISMS and other cybersecurity frameworks, facilitating cross-standard compliance without duplicating effort.11


2.1.4 Operational Capabilities


This attribute views controls from a practitioner's perspective or departmental responsibility.

  • The fifteen values are #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management and #Information_security_assurance.6

Practical Application: This is the primary mechanism for assigning work. An organization can filter for all controls tagged #Human_resource_security and hand that specific list to the HR Director as their compliance roadmap. Similarly, controls tagged #Physical_security can be exported for the Facilities Manager. This ensures that stakeholders only see what is relevant to them, reducing "compliance fatigue".1


2.1.5 Security Domains


This attribute looks at controls from a high-level field of expertise or ecosystem perspective.

  • #Governance_and_Ecosystem

  • #Protection

  • #Defence

  • #Resilience.1

Practical Application: These tags are useful for high-level executive reporting, showing broad areas of investment and maturity. For instance, a report showing heavy investment in #Protection but little in #Resilience might prompt a strategic shift toward business continuity planning.


2.2 Creating Dynamic Dashboards and Views


The practical power of attributes lies in creating matrixed views of the security posture. Instead of a static list of 93 controls, a practitioner can create a dynamic dashboard that answers complex questions about the organization's security stance.

Table 3: Example Attribute-Based Control Matrix

Control ID

Control Name

Control Type

Security Property

Operational Capability

Implementation Owner

5.7

Threat Intelligence

#Preventive, #Detective, #Corrective

#Confidentiality, #Integrity, #Availability

#Threat_and_vulnerability_management

CISO / SecOps

6.1

Screening

#Preventive

#Confidentiality, #Integrity, #Availability

#Human_resource_security

HR Director

7.2

Physical Entry

#Preventive

#Confidentiality, #Integrity, #Availability

#Physical_security

Facilities Mgr

8.9

Config Management

#Preventive

#Confidentiality, #Integrity, #Availability

#Secure_configuration

IT Operations

8.12

Data Leakage Prevention

#Preventive, #Detective

#Confidentiality

#Information_protection

IT Security

Source: 3; attribute values as assigned in ISO/IEC 27002:2022 (the Security Property column lists C/I/A values only; #Protect and similar tags belong to the separate Cybersecurity Concepts attribute).

By utilizing these attributes, an organization can verify alignment with its risk appetite. If the primary business risk is data theft, the dashboard should show a heavy weighting of implemented controls tagged #Confidentiality and #Information_protection. Conversely, if the dashboard shows a lack of #Detective controls, it highlights a blind spot in the organization's ability to identify active breaches.1
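The views and the preventive/detective balance check described above, as an added example that is not code from the page or from ISO: the register rows are constructed from Table 3 (plus 8.13 and 8.16) with attribute values as the standard assigns them, and the IMPLEMENTED set is a hypothetical state of one organization's ISMS. The 20 percent floor in the gap check is an assumed local threshold.

```python
"""Attribute-based views over an ISO/IEC 27002:2022 control register (added example)."""
from collections import Counter
from dataclasses import dataclass

TYPES = ("Preventive", "Detective", "Corrective")
PROPERTIES = ("Confidentiality", "Integrity", "Availability")
CIA = frozenset(PROPERTIES)


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    control_type: frozenset   # attribute 1: when the control acts relative to the event
    properties: frozenset     # attribute 2: C / I / A
    concepts: frozenset       # attribute 3: Identify / Protect / Detect / Respond / Recover
    capability: frozenset     # attribute 4: operational capability (who runs it)
    domain: frozenset         # attribute 5: security domain
    owner: str                # local assignment, not part of the standard


def fs(*values):
    return frozenset(values)


# Constructed register: five Table 3 controls plus a backup and a monitoring control.
REGISTER = [
    Control("5.7", "Threat intelligence", fs("Preventive", "Detective", "Corrective"), CIA,
            fs("Identify", "Detect", "Respond"), fs("Threat_and_vulnerability_management"),
            fs("Defence", "Resilience"), "CISO / SecOps"),
    Control("6.1", "Screening", fs("Preventive"), CIA, fs("Protect"),
            fs("Human_resource_security"), fs("Governance_and_Ecosystem"), "HR Director"),
    Control("7.2", "Physical entry", fs("Preventive"), CIA, fs("Protect"),
            fs("Physical_security"), fs("Protection"), "Facilities Manager"),
    Control("8.9", "Configuration management", fs("Preventive"), CIA, fs("Protect"),
            fs("Secure_configuration"), fs("Protection"), "IT Operations"),
    Control("8.12", "Data leakage prevention", fs("Preventive", "Detective"),
            fs("Confidentiality"), fs("Protect", "Detect"), fs("Information_protection"),
            fs("Protection", "Defence"), "IT Security"),
    Control("8.13", "Information backup", fs("Corrective"), fs("Integrity", "Availability"),
            fs("Recover"), fs("Continuity"), fs("Protection"), "IT Operations"),
    Control("8.16", "Monitoring activities", fs("Detective", "Corrective"), CIA,
            fs("Detect", "Respond"), fs("Information_security_event_management"),
            fs("Defence"), "SecOps"),
]

# Hypothetical implementation state used by the gap analysis below.
IMPLEMENTED = {"6.1", "7.2", "8.9", "8.12"}


def view(controls, attribute, value):
    """One 'view' of the register: IDs of controls whose set-valued attribute carries `value`."""
    return [c.cid for c in controls if value in getattr(c, attribute)]


def worklist_by_owner(controls):
    """The hand-out lists of 2.1.4: owner -> control IDs they are accountable for."""
    out = {}
    for c in controls:
        out.setdefault(c.owner, []).append(c.cid)
    return out


def type_balance(controls, implemented):
    """Percent of implemented controls carrying each control type.
    A control tagged with two types counts towards both, so shares need not sum to 100."""
    done = [c for c in controls if c.cid in implemented]
    counts = Counter(t for c in done for t in c.control_type)
    return {t: round(100.0 * counts[t] / len(done), 1) for t in TYPES}


def coverage_findings(controls, implemented, min_share=20.0):
    """Defense-in-depth check (2.1.1) plus the property check (2.1.2): flag control
    types below `min_share` percent and any C/I/A property with no implemented
    #Detective control. The 20 percent floor is an assumed local threshold."""
    findings = []
    for t, share in type_balance(controls, implemented).items():
        if share < min_share:
            findings.append(f"only {share}% of implemented controls are #{t}")
    done = [c for c in controls if c.cid in implemented]
    for prop in PROPERTIES:
        if not any("Detective" in c.control_type and prop in c.properties for c in done):
            findings.append(f"no implemented #Detective control covers #{prop}")
    return findings


if __name__ == "__main__":
    print("Physical security worklist:", view(REGISTER, "capability", "Physical_security"))
    print("Type balance:", type_balance(REGISTER, IMPLEMENTED))
    for finding in coverage_findings(REGISTER, IMPLEMENTED):
        print("FINDING:", finding)
```

With the constructed IMPLEMENTED set every implemented control is preventive, so the check reports the missing #Corrective share and the absence of any detective control over Integrity and Availability: exactly the "dwelling threat" blind spot the text warns about, produced from the attribute tags rather than from a manual review.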


Part III: Deep Dive – Theme 1: Organizational Controls


Organizational controls (5.1–5.37) are the most numerous and diverse group, establishing the governance framework. They require strong leadership and policy enforcement.


3.1 Implementing Threat Intelligence (Control 5.7)


This new control reflects the shift from reactive security to proactive defense. It requires organizations to collect and analyze information about threats to mitigate them before impact.1

Implementation Strategy:

  1. Define Intelligence Requirements: Organizations must identify what intelligence is relevant. This involves determining the "threat landscape" specific to their industry (e.g., FinTech, Healthcare), region, and technology stack.

  2. Establish Intelligence Tiers:

  • Strategic Intelligence: High-level trends for the Board (e.g., "Ransomware groups are targeting our sector").

  • Tactical Intelligence: TTPs (Tactics, Techniques, and Procedures) for security architects to harden systems.

  • Operational Intelligence: IOCs (Indicators of Compromise) like malicious IP addresses or file hashes fed directly into firewalls and SIEMs.16

  3. Operational Integration: Intelligence must drive action. If intel suggests a rise in phishing campaigns targeting HR, the awareness training (Control 6.3) should be immediately adjusted to focus on phishing simulations for HR staff.


3.2 Information Security for Use of Cloud Services (Control 5.23)


With the ubiquity of SaaS and IaaS, this control is critical for managing third-party risk. It requires defining security requirements for cloud services throughout their lifecycle.9

Implementation Strategy:

  1. Inventory and Classification: Maintain a register of all cloud services. Establish a policy that explicitly states which services are approved (Allow-listing) and the process for acquiring new ones.

  2. Shared Responsibility Model: For every provider (AWS, Salesforce, Slack), document the Shared Responsibility Matrix. Explicitly define where the provider's security ends and the organization's begins, and note that the line moves with the service model: for IaaS the provider secures the physical data centre (its own counterpart of Controls 7.1–7.4) while the organization remains responsible for hardening the operating system (Control 8.9), protecting its data (Control 8.24) and managing access (Controls 5.15 and 8.5); for SaaS the provider also owns the platform, and the organization's responsibility narrows mainly to identities, access rights and the data it uploads.19

  3. Exit Strategy: The control specifically requires defining how data is returned or deleted upon contract termination. This must be negotiated and written into the initial contract before data is migrated.15


3.3 ICT Readiness for Business Continuity (Control 5.30)


This control bridges the gap between IT Disaster Recovery (ITDR) and Business Continuity Planning (BCP). It ensures that ICT services are resilient enough to support business objectives during a disruption.8

Implementation Strategy:

  1. Business Impact Analysis (BIA): Use the BIA to determine the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for all critical ICT services.

  2. Continuity Plans: Develop specific ICT continuity plans that are linked to the broader BCP. These plans should detail the technical steps to failover to backup sites or restore from backups.

  3. Testing: Plans should be tested at planned intervals, ranging from tabletop exercises to full failover tests. The results must be documented and used to improve the plans.4


Part IV: Deep Dive – Theme 2: People Controls


The People theme (6.1–6.8) addresses the human firewall. These controls are essential for mitigating insider threats and social engineering attacks.


4.1 Screening (Control 6.1)


Screening is a preventive control designed to verify the trustworthiness of candidates before they access sensitive information.20

Implementation Strategy:

  1. Proportionality: Screening rigor must be proportional to the risk and information classification associated with the role.

  • Tier 1 (General Staff): Identity check, 2 employment references.

  • Tier 2 (Admin/Finance/IT): Criminal record check, credit check, academic verification, detailed background check.22

  2. Continuous Screening: ISO 27002:2022 emphasizes "ongoing" screening. This implies that for high-privilege roles, checks should be repeated periodically (e.g., every 2-3 years) or upon promotion to a more sensitive role, ensuring the employee's risk profile has not changed.22


4.2 Information Security Awareness, Education, and Training (Control 6.3)


This control requires a multifaceted approach to education, moving beyond simple compliance training.24

Implementation Strategy:

  1. Role-Based Training: Implement a training matrix that targets specific groups.

  • Developers: Secure coding practices (OWASP Top 10).

  • HR/Finance: Business Email Compromise (BEC) and data privacy.

  • Executives: Whaling attacks and travel security.3

  2. Simulation and Testing: Use phishing simulations to test the effectiveness of training. The results (click rates, reporting rates) serve as key metrics for control effectiveness.24


4.3 Remote Working (Control 6.7)


As remote work becomes standard, this control dictates the security of the decentralized perimeter.25

Implementation Strategy:

  1. Physical Environment: The policy must address the physical security of the remote site. This includes "clean desk" rules at home and preventing family members from using work devices.25

  2. Technical Enforcements:

  • Mandatory VPN or Zero Trust Network Access (ZTNA) for accessing internal resources.

  • Full Disk Encryption (Control 8.24 Use of cryptography) on all portable devices to protect data in case of theft.

  • Remote Wipe capability for lost/stolen devices.27

  3. Paper Security: Explicit rules regarding printing. Practical guidance often involves prohibiting printing of Confidential data at home unless a compliant cross-cut shredder is available.28


Part V: Deep Dive – Theme 3: Physical Controls


Physical controls (7.1–7.14) secure the tangible assets. In an era of hybrid work, these controls extend beyond the office to include home offices and mobile equipment.


5.1 Physical Security Monitoring (Control 7.4)


This new control emphasizes the need to monitor physical access continuously to detect unauthorized entry.2

Implementation Strategy:

  1. Surveillance Systems: Deploy CCTV at all entry points and critical areas (e.g., server rooms). Ensure footage is retained for a period defined by policy (e.g., 30 or 90 days) to allow for post-incident investigation.

  2. Log Correlation: Integrate physical access logs (badge swipes) with logical logs (system logins). For example, if an employee's badge swipes into the London office at 3:00 AM, but their user account logs into the VPN from New York at 3:05 AM, the correlation creates a high-fidelity alert indicating a potential compromise. Timestamps from both sources must be normalised to a single time zone (typically UTC) before comparison, otherwise the correlation produces either false alerts or none at all.15
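The badge/VPN correlation described above, as an added example rather than code from the page: the two log extracts, the badge-reader-to-city map, the IP-to-city lookup and the two-hour minimum travel time are all constructed for the demonstration, and timestamps are parsed as UTC.

```python
"""Correlating physical badge logs with VPN logins (Controls 7.4 and 8.16), added example."""
import re
from datetime import datetime, timedelta, timezone

# Constructed log extracts (not real data). Only GRANTED / SUCCESS events place a user somewhere.
BADGE_LOG = """\
2025-11-23T03:00:12Z badge site=LON-DC1 user=j.smith result=GRANTED
2025-11-23T03:01:05Z badge site=LON-DC1 user=m.rossi result=DENIED
2025-11-23T08:15:40Z badge site=LON-DC1 user=a.khan result=GRANTED
"""

VPN_LOG = """\
2025-11-23T03:05:33Z vpn user=j.smith src=203.0.113.45 result=SUCCESS
2025-11-23T03:06:10Z vpn user=m.rossi src=203.0.113.45 result=SUCCESS
2025-11-23T08:20:01Z vpn user=a.khan src=198.51.100.7 result=SUCCESS
"""

SITE_CITY = {"LON-DC1": "London", "NYC-HQ": "New York"}        # badge reader -> city (constructed)
GEOIP = {"203.0.113.45": "New York", "198.51.100.7": "London"}  # VPN source -> city (constructed lookup)

# Assumed policy value: two sightings in different cities closer than this are implausible.
MIN_TRAVEL = timedelta(hours=2)

LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>badge|vpn) (?P<kv>.*)$")


def parse(log):
    """Parse 'key=value' lines into (ts, user, kind, city) tuples, UTC-normalised.
    Denied swipes and failed logins are dropped: they prove nothing about location."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        kv = dict(part.split("=", 1) for part in m["kv"].split())
        if kv.get("result") not in ("GRANTED", "SUCCESS"):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if m["kind"] == "badge":
            city = SITE_CITY.get(kv.get("site"))
        else:
            city = GEOIP.get(kv.get("src"))
        events.append((ts, kv["user"], m["kind"], city or "unknown"))
    return events


def correlate(events, min_travel=MIN_TRAVEL):
    """Flag any user seen in two different cities less than `min_travel` apart.
    Consecutive events per user are compared, whichever source each came from."""
    by_user = {}
    for ev in sorted(events):
        by_user.setdefault(ev[1], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for (t1, _, k1, c1), (t2, _, k2, c2) in zip(evs, evs[1:]):
            if c1 != c2 and "unknown" not in (c1, c2) and t2 - t1 < min_travel:
                alerts.append({
                    "user": user,
                    "gap_min": int((t2 - t1).total_seconds() // 60),
                    "from": f"{k1}@{c1}",
                    "to": f"{k2}@{c2}",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(BADGE_LOG) + parse(VPN_LOG)):
        print("ALERT impossible travel:", alert)
```

In the constructed data j.smith badges into London and connects to the VPN from a New York address five minutes later, which is the only pair that trips the rule; a.khan is seen in London on both sources and m.rossi's denied swipe is discarded before correlation. In production the GEOIP lookup is a real geolocation service and the minimum travel time should be per city pair rather than a single constant.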


5.2 Physical Entry (Control 7.2)


This control manages access to the organization's premises.13

Implementation Strategy:

  1. Zoning: Implement security zoning. Public areas (reception) should be separated from operational areas, which in turn are separated from critical areas (server rooms, archives).

  2. Access Control Mechanisms: Use card readers, biometrics, or PINs. Crucially, access rights must be regularly reviewed and immediately revoked upon termination (linking to Control 6.5).

  3. Visitor Management: All visitors must be logged, issued a visible badge, and escorted in secure areas. The logs should be auditable.13


5.3 Clear Desk and Clear Screen (Control 7.7)


This control prevents unauthorized access to information left unattended.

Implementation Strategy:

  1. Technical Enforcement: Configure Group Policy Objects (GPO) or MDM profiles to lock screens automatically after a short period of inactivity (e.g., 5 minutes).

  2. Physical Enforcement: Provide lockable storage (pedestals/lockers) for every employee to facilitate the clear desk policy. Conduct periodic "sweeps" to check for sensitive documents left on printers or desks.


Part VI: Deep Dive – Theme 4: Technological Controls


Technological controls (8.1–8.34) form the backbone of the technical defense. This theme includes the most updates and new controls.


6.1 Secure Coding (Control 8.28)


This new control is essential for organizations developing their own software, integrating security into the Software Development Life Cycle (SDLC).4

Implementation Strategy:

  1. DevSecOps Integration: Move security "left." Integrate Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools directly into the CI/CD pipeline.

  2. Standards: adopt industry-standard coding guidelines such as OWASP or CERT secure coding standards.

  3. Vulnerability Management: Ensure that open-source libraries are scanned for vulnerabilities (SCA - Software Composition Analysis) before being included in the build.4


6.2 Data Leakage Prevention (Control 8.12)


This control addresses the risk of unauthorized data exfiltration.4

Implementation Strategy:

  1. Data Classification: DLP cannot work without classification (Control 5.12). Identify what data is "Confidential" or "Restricted."

  2. Endpoint Agents: Deploy DLP agents to endpoints to monitor and block unauthorized transfers to USB drives or personal cloud storage.

  3. Network Gateways: Configure email gateways to scan outgoing mail for PII or credit card numbers and block non-compliant transmissions.9
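The outbound-mail check from step 3, as an added example that is not the page's or any vendor's code: a regex finds candidate card numbers, a Luhn check discards order numbers and phone numbers that merely look similar, and the gateway blocks when any validated PAN remains. Both messages are constructed, and "block on any PAN" is an assumed local policy.

```python
"""Outbound e-mail DLP check for payment card numbers (Control 8.12), added example."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit strings that look like PANs and pass Luhn. The checksum is what keeps
    16-digit order references and long phone numbers out of the findings."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """First six and last four digits for the incident record; the rest is hidden."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def gateway_decision(message):
    """Assumed policy: any validated PAN in outbound mail blocks the transmission."""
    pans = find_pans(message)
    return {"action": "BLOCK" if pans else "ALLOW", "findings": [mask(p) for p in pans]}


# Constructed messages: one real-looking (Luhn-valid test number), one with look-alike numbers only.
OUTBOUND_BLOCKED = """Hi, please charge card 4111 1111 1111 1111, exp 12/27.
Order ref 4111111111111112, call +44 20 7946 0958 with questions."""
OUTBOUND_CLEAN = "Invoice 2025-11-0042 attached; PO number 4111111111111112."

if __name__ == "__main__":
    for msg in (OUTBOUND_BLOCKED, OUTBOUND_CLEAN):
        print(gateway_decision(msg))
```

The masked form in `findings` is what should reach the DLP incident queue: an analyst needs the issuer prefix and last four digits to confirm the match, and the full PAN must not be copied into yet another system. Regex plus Luhn is the floor, not the ceiling; a production gateway adds document fingerprinting and classification labels from Control 5.12 so that files without obvious patterns are also caught.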


6.3 Configuration Management (Control 8.9)


This new control requires managing the configuration of hardware, software, services, and networks to prevent "drift" and insecurity.4

Implementation Strategy:

  1. Baselines: Define secure configuration baselines for all asset types (e.g., CIS Benchmarks for Windows/Linux servers).

  2. Enforcement: Use configuration management tools (e.g., Ansible, Puppet, Microsoft Intune) to enforce these baselines automatically.

  3. Monitoring: Continuously monitor for deviations from the baseline and automatically remediate or alert on unauthorized changes.16
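The baseline/enforce/monitor loop from the three steps above, as an added example rather than code from the page or from any configuration-management product: the baseline is a small SSH subset in the style of a hardening benchmark (not the CIS Benchmark text itself), and the sshd_config content is constructed, including a duplicate directive to show why the parser must honour sshd's "first occurrence wins" rule.

```python
"""Configuration drift check and remediation against a baseline (Control 8.9), added example."""

# directive -> required value (compared case-insensitively). Assumed baseline subset.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
    "PermitEmptyPasswords": "no",
}

# Constructed current state: one wrong value, one commented out, one duplicated, one missing.
CURRENT_SSHD_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd(text):
    """Effective directive values. sshd applies the first occurrence of a directive,
    so later duplicates are ignored; comments and blank lines are skipped."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def drift(text, baseline=BASELINE):
    """[(directive, expected, actual)] for every deviation; actual is None when the
    directive is absent and sshd's compiled-in default would apply."""
    effective = parse_sshd(text)
    findings = []
    for directive, expected in baseline.items():
        actual = effective.get(directive.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings


def remediate(text, baseline=BASELINE):
    """Return a config in which every baseline directive has exactly one active line
    with the required value: first occurrence rewritten, later duplicates commented
    out, missing directives appended. Unrelated lines are left untouched."""
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    seen, out = set(), []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        key = parts[0].lower() if parts else None
        if key in wanted:
            if key in seen:
                out.append("# removed duplicate: " + raw)
                continue
            seen.add(key)
            out.append(f"{wanted[key][0]} {wanted[key][1]}")
        else:
            out.append(raw)
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, expected, actual in drift(CURRENT_SSHD_CONFIG):
        print(f"DRIFT {directive}: expected {expected!r}, found {actual!r}")
    print(remediate(CURRENT_SSHD_CONFIG))
```

Running `drift` on the constructed file reports four deviations (the wrong PermitRootLogin, the commented-out PasswordAuthentication, MaxAuthTries 6 rather than 4, and the absent PermitEmptyPasswords) and reports nothing after `remediate`, which is the round trip a configuration-management agent performs on every run. Real sshd_config files can contain `Match` blocks and `Include` directives that this flat parser does not model; on a live host, `sshd -T` prints the effective configuration and is the safer input for the drift check.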


Part VII: Strategic Integration with Risk Management (ISO 27005)


ISO 27002 controls are not mandatory in isolation; they are tools selected to treat risks identified during the risk assessment process. Practical use requires a tight coupling between ISO 27005 (Risk Management) and ISO 27002.29


7.1 The Risk Assessment to Control Selection Pathway


Control selection from ISO 27002 begins only once the risk assessment has produced risks that need treatment; the steps below show where that hand-off occurs.

  1. Context Establishment: Define the scope, risk criteria, and risk appetite of the organization.31

  2. Risk Identification: Identify assets, threats, and vulnerabilities. This can be done using an asset-based approach (identifying servers, data, people and then their risks) or an event-based approach (identifying scenarios like "Ransomware attack" or "Data Breach").30

  3. Risk Analysis & Evaluation: Assess the likelihood and impact of the risks to produce a risk score. Compare this score against the risk appetite.

  4. Risk Treatment: If the risk is unacceptable, a decision is made to treat (modify) it. This is the precise moment ISO 27002 is utilized. The practitioner consults the standard to select the appropriate control to mitigate the specific risk.5

Insight: A common implementation error is selecting controls because they are "best practice" without linking them to a risk. Practical usage dictates that every implemented control must trace back to a specific risk or legal requirement. If a control exists but treats no risk and satisfies no law, it consumes resources without adding verifiable value.31


7.2 Building the Risk Treatment Plan (RTP)


The Risk Treatment Plan is the operational document that dictates the implementation of controls.

Table 4: Example Risk Treatment Plan Entry

Risk Scenario

Risk Level

Treatment Strategy

ISO 27002 Control

Implementation Detail

Unauthorized access to sensitive customer data (R-101)

High

Mitigate

5.3 Segregation of duties; 5.15 Access control; 8.5 Secure authentication

Implement RBAC with specific role definitions. Enforce MFA for all access to the customer database.

Loss of data availability due to ransomware (R-102)

High

Mitigate

8.7 Protection against malware; 8.13 Information backup

Deploy EDR solution on all endpoints. Ensure offline backups are immutable.

Insider theft of intellectual property (R-103)

Medium

Mitigate

6.1 Screening; 8.12 Data Leakage Prevention

Enhanced background checks for R&D staff. DLP rules blocking USB storage on R&D devices.

Source: 34

The attributes of ISO 27002 can validate the RTP. If a risk is identified as a "Loss of Availability" (e.g., Ransomware), but the selected controls are all tagged #Confidentiality, the attribute system highlights a misalignment in the treatment plan.12


Part VIII: The Statement of Applicability (SoA) – The Central Artifact


The Statement of Applicability (SoA) is the bridge between the theoretical risk assessment and the practical reality of the organization's security posture. It is a mandatory document for ISO 27001 certification (Clause 6.1.3) and acts as the primary checklist for auditors.36


8.1 Constructing the SoA


To practically create an SoA, the practitioner must list all 93 controls from ISO 27001 Annex A (which mirrors ISO 27002), together with any necessary controls drawn from other sources (Clause 6.1.3 permits additional controls and does not limit the organization to Annex A), and declare for each:

  1. Applicability: Is this control required? (Yes/No)

  2. Implementation Status: Is it fully implemented, partially implemented, or planned?

  3. Justification: Why is it included or excluded?.36
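The two checks the text asks for, that every treatment covers the property the risk threatens (Part VII) and that every applicable control traces to a risk or a requirement (the Part VII insight and the SoA fields above), as an added example rather than code from the page or from ISO: the control attribute table is a small subset keyed by ISO/IEC 27002:2022 identifiers, the risks are the Table 4 scenarios with constructed treatments (R-102 is deliberately mis-treated with a confidentiality-only control), and the two consistency rules are assumed local policy.

```python
"""Risk Treatment Plan validation and Statement of Applicability derivation (added example)."""
from dataclasses import dataclass

CIA = frozenset({"Confidentiality", "Integrity", "Availability"})

# cid -> (name, control types, security properties), attribute values per ISO/IEC 27002:2022.
CONTROLS = {
    "5.1": ("Policies for information security", {"Preventive"}, CIA),
    "5.3": ("Segregation of duties", {"Preventive"}, CIA),
    "5.15": ("Access control", {"Preventive"}, CIA),
    "6.1": ("Screening", {"Preventive"}, CIA),
    "8.5": ("Secure authentication", {"Preventive"}, CIA),
    "8.7": ("Protection against malware", {"Preventive", "Detective", "Corrective"}, CIA),
    "8.11": ("Data masking", {"Preventive"}, {"Confidentiality"}),
    "8.12": ("Data leakage prevention", {"Preventive", "Detective"}, {"Confidentiality"}),
    "8.13": ("Information backup", {"Corrective"}, {"Integrity", "Availability"}),
}


@dataclass
class Risk:
    rid: str
    scenario: str
    level: str          # Low / Medium / High
    properties: set     # which of C / I / A the scenario threatens
    controls: list      # selected ISO 27002 control IDs


# Constructed treatment plan; R-102's treatment is wrong on purpose.
RISKS = [
    Risk("R-101", "Unauthorized access to sensitive customer data", "High",
         {"Confidentiality"}, ["5.3", "5.15", "8.5"]),
    Risk("R-102", "Loss of data availability due to ransomware", "High",
         {"Availability"}, ["8.12"]),
    Risk("R-103", "Insider theft of intellectual property", "Medium",
         {"Confidentiality"}, ["6.1", "8.12"]),
]

# Controls required by law, contract or ISO 27001 itself, independent of any risk.
LEGAL_REQUIREMENTS = {"5.1": "ISO/IEC 27001 Clause 5.2"}


def validate_rtp(risks, controls=CONTROLS):
    """Assumed rules: (1) each threatened property must be covered by a selected control;
    (2) a High risk must carry a #Detective or #Corrective control, not only #Preventive ones."""
    findings = []
    for r in risks:
        covered = set().union(*(controls[c][2] for c in r.controls))
        for prop in sorted(r.properties - covered):
            findings.append((r.rid, f"no selected control is tagged #{prop}"))
        types = set().union(*(controls[c][1] for c in r.controls))
        if r.level == "High" and not types & {"Detective", "Corrective"}:
            findings.append((r.rid, "High risk treated with #Preventive controls only"))
    return findings


def build_soa(risks, legal=LEGAL_REQUIREMENTS, controls=CONTROLS):
    """Applicability and a traceable justification for every control in the register."""
    soa = {}
    for cid, (name, _, _) in controls.items():
        parts = []
        risk_ids = [r.rid for r in risks if cid in r.controls]
        if risk_ids:
            parts.append("treats risk(s) " + ", ".join(risk_ids))
        if cid in legal:
            parts.append("required by " + legal[cid])
        soa[cid] = {
            "name": name,
            "applicable": bool(parts),
            "justification": ("Applicable: " + "; ".join(parts)) if parts
            else "Not applicable: no risk or legal/contractual requirement traces to this control",
        }
    return soa


if __name__ == "__main__":
    for rid, msg in validate_rtp(RISKS):
        print(f"RTP FINDING {rid}: {msg}")
    for cid, entry in build_soa(RISKS).items():
        print(cid, entry["name"], "->", entry["justification"])
```

On the constructed plan the validator reports that R-102 has no control tagged #Availability (8.12 protects confidentiality only) and that R-101 relies on preventive controls alone; the derived SoA marks 8.13 Information backup as not applicable because no risk references it, which is the same gap seen from the other side. Closing it means adding 8.13 (and 8.7) to R-102's treatment, after which both the finding and the unjustified exclusion disappear.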


8.2 The Art of Justification


The quality of the SoA depends heavily on the justification. This is where auditors focus their attention. A good justification links back to the Risk Assessment (ISO 27005) or a specific legal/contractual requirement.

Table 5: Good vs. Bad SoA Justifications


Control

Status

Bad Justification (Avoid)

Good Justification (Practical & Compliant)

5.1 Policies for InfoSec

Applicable

"We need policies."

"Required to satisfy Clause 5.2 of ISO 27001 and to mitigate risks R-12 and R-15 regarding lack of management direction." 36

6.7 Remote Working

Applicable

"We have remote workers."

"Applicable due to hybrid workforce model. Mitigates risks of data leakage on unsecured networks (Risk ID: R-22). Aligns with GDPR requirements for processing data off-site." 27

8.11 Data Masking

Excluded

"We don't want to do this."

"Excluded: production data is never copied into non-production environments; development and test use synthetically generated data, and the risk assessment identified no contractual or regulatory requirement to mask or pseudonymise data. The exclusion is re-examined if a production data copy is ever requested." 38

5.7 Threat Intelligence

Applicable

"It's a new control."

"Applicable to proactively identify industry-specific threats. Mitigates Risk R-45 (Zero-day vulnerabilities). Subscribed to ISAC feed for FinTech sector." 16

Insight: A practical SoA is a living document. It should be reviewed whenever the risk assessment is updated or when the technological environment changes. It serves as the master inventory of the organization's security commitments.36


Part IX: Transition and Gap Analysis


For organizations still aligned to ISO 27002:2013, "practical use" involves a systematic transition to the 2022 version. The IAF transition period for ISO/IEC 27001:2022 ended on 31 October 2025; certificates issued against the 2013 edition are no longer valid beyond that date, so the workflow below is the route to a 2022 certificate rather than an optional upgrade.41


9.1 The Gap Analysis Workflow


  1. Map Existing Controls: Use a correlation table (Annex B of ISO 27002:2022) to map the current 114 controls to the new 93. Most controls will map 1-to-1 or Many-to-1.

  • Example: 2013 Controls 8.1.1 (Inventory of assets) and 8.1.2 (Ownership of assets) map to 2022 Control 5.9 (Inventory of information and other associated assets).42

  2. Identify the "New 11": Focus immediate attention on the 11 completely new controls. These likely represent genuine gaps in the ISMS that require new policies or technologies to be procured.2

  3. Update the SoA: Rewrite the SoA to reflect the new structure. This involves re-justifying controls based on the new definitions and risk context.44

  4. Attribute Tagging: Take the opportunity to tag existing controls with the new attributes. This is not mandatory for compliance but provides high value for the "practical" management of the ISMS and future reporting.11


9.2 Managing the Transition Project


The transition should be treated as a project with a clear roadmap.

  • Phase 1 (Months 1-3): Gap analysis and training of internal auditors on the new standard.

  • Phase 2 (Months 4-9): Implementation of the "New 11" controls and updating of policies to reference new control numbers.

  • Phase 3 (Months 10-12): Internal audit against the 2022 standard and update of the Statement of Applicability.

  • Phase 4 (External Audit): Schedule the transition audit with the certification body.44


Part X: Measuring Effectiveness – KPIs and Metrics


ISO 27001 Clause 9.1 requires monitoring, measurement, analysis, and evaluation. Practical implementation of ISO 27002 is incomplete without a feedback loop to determine if the controls are actually functioning and reducing risk.46


10.1 Developing KPIs for Controls


Metrics should move beyond binary checks (Implemented/Not Implemented) to quantitative performance data that drives improvement.

Table 6: Strategic KPIs for ISO 27002 Themes


Theme

Control

Metric/KPI

Target

People

6.3 Awareness Training

% of employees failing phishing simulations.

< 5% failure rate 24

Technological

8.8 Vulnerability Mgmt

Mean Time to Remediate (MTTR) critical vulnerabilities.

< 7 days 47

Organizational

5.23 Cloud Services

% of critical SaaS vendors with completed security assessments.

100% 24

Physical

7.2 Physical Entry

Number of unauthorized access attempts detected/blocked.

Trend analysis (stable/decreasing) 49

Organizational

5.24–5.26 Incident Mgmt

Mean Time to Detect (MTTD) and Mean Time to Respond to incidents (distinct from the remediation MTTR above).

Decrease year-over-year 48


10.2 Reporting to Management


Using the attribute system, these KPIs can be aggregated for executive reporting.

  • Executive View: Show the reduction in aggregate risk score achieved by controls tagged #Protection (security domain attribute).

  • Operational View: Show the mean time to roll out controls in the Technological theme.

  • Compliance View: Show the percentage of controls tagged #Legal_and_compliance (operational capability attribute) that are fully effective.50


Conclusion: The Holistic Application of ISO 27002


Practically using ISO 27002:2022 requires a shift in mindset from "compliance" to "capability." The standard’s evolution into four themes and the introduction of attributes transforms it from a static reference document into a dynamic database of security safeguards.

Effective implementation follows a clear lifecycle:

  1. Assess Risk (ISO 27005): Identify what needs protection using asset or event-based scenarios.

  2. Select Controls (ISO 27002): Use the themes and attributes to find the right tool for the job.

  3. Document (SoA): Justify the inclusion and exclusion based on business reality, linking back to specific risks.

  4. Operationalize: Build specific policies and procedures for high-impact controls like Threat Intelligence and Remote Work.

  5. Measure (KPIs): Use data to prove the controls are reducing risk and driving continuous improvement.

By leveraging the attribute system to create tailored views for different stakeholders—preventive views for security architects, governance views for the Board, and operational views for IT managers—organizations can ensure that ISO 27002 serves as the backbone of a resilient, business-aligned security posture. The practical value of the standard lies not in the text of the controls themselves, but in how they are woven into the fabric of the organization’s daily operations.

Works cited

  1. ISO 27002:2022, Security Controls. Complete Overview - ISMS.online, accessed November 23, 2025, https://www.isms.online/iso-27002/

  2. ISO 27001 vs ISO 27002: What's the Difference? | Secureframe, accessed November 23, 2025, https://secureframe.com/hub/iso-27001/vs-iso-27002

  3. ISO 27002 Controls List : 2022 changes - Sprinto, accessed November 23, 2025, https://sprinto.com/blog/iso-27002-controls/

  4. Key Changes In ISO/IEC 27002:2022 - SGS, accessed November 23, 2025, https://www.sgs.com/en/news/2022/07/key-changes-in-iso-iec-27002-2022

  5. ISO 27002: Information Security Controls Explained - Splunk, accessed November 23, 2025, https://www.splunk.com/en_us/blog/learn/iso-27002.html

  6. What are the Attributes in ISO 27002? - Schellman, accessed November 23, 2025, https://www.schellman.com/blog/iso-certifications/iso-27002-attributes

  7. ISO 27001:2022 Annex A Controls - A Complete Guide - IT Governance, accessed November 23, 2025, https://www.itgovernance.co.uk/blog/iso-27001-the-14-control-sets-of-annex-a-explained

  8. The complete guide to ISO/IEC 27002:2022 - High Table, accessed November 23, 2025, https://hightable.io/the-ultimate-guide-to-iso-27002-changes-2022/

  9. ISO 27002:2022 – Control 5.23 – Information Security for Use of Cloud Services, accessed November 23, 2025, https://www.isms.online/iso-27002/control-5-23-information-security-for-use-of-cloud-services/

  10. ISO 27001 2013 vs. 2022 revision – What has changed? - Advisera, accessed November 23, 2025, https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  11. Value of Attributes in New ISO 27002:2022 - Pivot Point Security, accessed November 23, 2025, https://www.pivotpointsecurity.com/the-value-of-attributes-in-the-new-iso-270022022/

  12. ISO 27002, the Unsung Hero | URM Consulting, accessed November 23, 2025, https://www.urmconsulting.com/blog/iso-27002-the-unsung-hero

  13. ISO 27002:2022, Control 7.2, Physical Entry | ISMS.online, accessed November 23, 2025, https://www.isms.online/iso-27002/control-7-2-physical-entry/

  14. Using ISO 27002: 2022 to Improve Information Security Practices - UpGuard, accessed November 23, 2025, https://www.upguard.com/blog/what-is-iso27002

  15. 2023 Volume 7 A Guide to the Updated ISO IEC 27002 2022 Standard Part 1 - ISACA, accessed November 23, 2025, https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2023/volume-7/a-guide-to-the-updated-iso-iec-27002-2022-standard-part-1

  16. The Ultimate Guide to ISO 27001:2022 Annex A 5.7 - Threat Intelligence - High Table, accessed November 23, 2025, https://hightable.io/iso-27001-annex-a-5-7-threat-intelligence/

  17. Implementing an ISO-compliant threat intelligence program - Cisco Talos Blog, accessed November 23, 2025, https://blog.talosintelligence.com/implementing-an-iso-compliant-threat-intelligence-program/

  18. ISO 27002:2022 Control 5.23 InfoSec for Cloud Services Use - BreachLock, accessed November 23, 2025, https://www.breachlock.com/resources/blog/iso-270022022-control-5-23-information-security-for-use-of-cloud-services/

  19. ISO/IEC 27017 - Compliance - Google Cloud, accessed November 23, 2025, https://cloud.google.com/security/compliance/iso-27017

  20. ISO 27001:2022 Annex A 6.1 Checklist - ISMS.online, accessed November 23, 2025, https://www.isms.online/iso-27001/checklist/annex-a-6-1-checklist/

  21. ISO 27002:2022, Control 6.1 - Screening | ISMS.online, accessed November 23, 2025, https://www.isms.online/iso-27002/control-6-1-screening/

  22. The Ultimate Guide to ISO 27001:2022 Annex A 6.1 Screening - High Table, accessed November 23, 2025, https://hightable.io/iso-27001-annex-a-6-1-screening/

  23. ISO IEC 27001 2022 clauses, accessed November 23, 2025, https://www.nsai.ie/images/uploads/general/AD-27-05_-_NSAI_ISO_27001.2022_Readiness_Questionnaire_-_Rev_1_.01.xlsx

  24. What are ISO 27001 KPIs & How to Measure them? - Scytale, accessed November 23, 2025, https://scytale.ai/center/iso-27001/understanding-iso-27001-key-performance-indicators-kpis-and-their-benefits/

  25. ISO 27002:2022, Control 6.7, Remote Working | ISMS.online, accessed November 23, 2025, https://www.isms.online/iso-27002/control-6-7-remote-working/

  26. 6.7 Remote Working for ISO 27002:2022 - AvISO Consultancy, accessed November 23, 2025, https://www.avisoconsultancy.co.uk/iso-27001-2022-annex-a/6-7-remote-working

  27. ISO 27001:2022 Annex A 6.7 – Remote Working - ISMS.online, accessed November 23, 2025, https://www.isms.online/iso-27001/annex-a-2022/6-7-remote-working-2022/

  28. The Ultimate Guide to ISO 27001:2022 Annex A 6.7 Remote Working - High Table, accessed November 23, 2025, https://hightable.io/iso-27001-annex-a-6-7-remote-working/

  29. Understanding the Differences Between ISO 27005:2018 and ISO 27005:2022 - Drata, accessed November 23, 2025, https://drata.com/blog/iso-27005-2018-vs-iso-27005-2022

  30. The ISO 27005 Approach to Information Security Risk Management: 2022 Updates Explained - Secureframe, accessed November 23, 2025, https://secureframe.com/blog/iso-27005

  31. ISO 27005 | IT Governance USA, accessed November 23, 2025, https://www.itgovernanceusa.com/cyber-security-solutions/iso27001/iso-27005

  32. Risk Management Standards - ENISA, accessed November 23, 2025, https://www.enisa.europa.eu/sites/default/files/publications/O.7.2-T2-Risk_Management_standards.pdf

  33. How To Create A Risk Treatment Plan According to ISO 27001 - Iseo Blue, accessed November 23, 2025, https://iseoblue.com/post/how-to-create-a-risk-treatment-plan-according-to-iso-27001/

  34. ISO 27001 risk treatment plan: How to develop the right one - DataGuard, accessed November 23, 2025, https://www.dataguard.com/blog/iso-27001-risk-treatment-plan-what-you-need-to-know

  35. How to create ISO 27001 Risk Treatment Plan? (Downloadable template) - Sprinto, accessed November 23, 2025, https://sprinto.com/blog/iso-27001-risk-treatment-plan/

  36. ISO 27001: How to Write a Statement of Applicability - Drata, accessed November 23, 2025, https://drata.com/grc-central/iso-27001/statement-of-applicability

  37. What is Statement of Applicability? | Blog - OneTrust, accessed November 23, 2025, https://www.onetrust.com/blog/what-is-statement-of-applicability/

  38. ISO 27001:2022- The Statement of Applicability (SoA) - ISMS.online, accessed November 23, 2025, https://www.isms.online/iso-27001/statement-of-applicability/

  39. The Complete Guide to ISO 27001 Statement of Applicability (SoA) - Compleye, accessed November 23, 2025, https://compleye.io/articles/the-complete-guide-to-iso-27001-statement-of-applicability-soa/

  40. How to Write an ISO 27001 Statement of Applicability: Free Template + Example, accessed November 23, 2025, https://secureframe.com/blog/iso-27001-statement-of-applicability

  41. ISO 27001 vs. ISO 27002: Understanding the difference (FAQ) - Nemko, accessed November 23, 2025, https://www.nemko.com/iso-27001-vs-iso-27002

  42. ISO 27002 Information Security Controls Gap Analysis Tool - IT Governance USA, accessed November 23, 2025, https://www.itgovernanceusa.com/shop/product/iso-27002-information-security-controls-gap-analysis-tool

  43. Gap Analysis Tool - NQA, accessed November 23, 2025, https://www.nqa.com/getmedia/ff7e361d-f5d4-47f2-94fa-ea69f0e54d8a/GAP-ANALYSIS-ISO-27001_2022-v1-1.xlsx

  44. Transitioning from ISO 27001:2013 to ISO 27001:2022: A Comprehensive Guide - EisnerAmper, accessed November 23, 2025, https://www.eisneramper.com/insights/risk-compliance/iso-27001-transition-guide-1124/

  45. Transitioning to ISO 27001:2022: How to Meet the New Requirements | URM Consulting, accessed November 23, 2025, https://www.urmconsulting.com/blog/transitioning-to-iso-27001-2022

  46. ISO 27001: How to Measure Your ISMS and Meet the Requirements of Clause 9.1, accessed November 23, 2025, https://www.itgovernanceusa.com/blog/iso-27001-how-to-measure-your-isms-and-meet-the-requirements-of-clause-91

  47. ISO 27001 key performance indicators (KPIs) - Scrut Automation, accessed November 23, 2025, https://www.scrut.io/glossary/iso-27001-key-performance-indicators-kpis

  48. ISO 27001 Clause 9.1: Monitoring, Measurement, Analysis and Evaluation - DataGuard, accessed November 23, 2025, https://www.dataguard.com/iso-27001/clause-9-1-monitoring-measurement-analysis-and-evaluation/

  49. Measuring ISO 27001 ISMS processes - HubSpot, accessed November 23, 2025, https://cdn2.hubspot.net/hubfs/163742/pdf_files/iso27001isms-kpi.pdf?t=1438891985360

  50. 19 Essential KPIs to Track Your ISMS's Effectiveness - Kordon.app, accessed November 23, 2025, https://kordon.app/19-essential-kpis-to-track-your-ismss-effectiveness/
