ISO/IEC 27002 focuses on information security controls and how to implement them. It is designed for organizations of all types and sizes that create, collect, process, store, transmit and dispose of information in electronic, physical or verbal form, such as conversations and presentations.
The value of information goes beyond written words, numbers and images. In an interconnected world, information requires protection against various risk sources. Information security is achieved by implementing a suitable set of controls, including policies, rules, processes, procedures, organizational structures and software and hardware functions.
ISO/IEC 27002 is meant to be used as part of an information security management system. It is intended to be used for implementing information security controls based on internationally recognized best practices or for developing organization-specific information security management guidelines.
Organizations can use it to help protect their information and follow best practices. The document is meant to be used as part of an information security management system, which is based on international standards. To meet its specific security and business objectives, an organization should define, implement, monitor, review and improve its information security controls where necessary.
The text of the international standard has been approved in Europe as EN ISO/IEC 27002:2022 without any changes and it supersedes EN ISO/IEC 27002:2017.