Back to Frameworks

ISO 27002:2022

International
v2022
7 domains
94 controls

Information security, cybersecurity and privacy protection - Information security controls

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

Clause 0 – ISO 27002:2022

6 controls
Controls in the Clause 0 – ISO 27002:2022 domain of ISO 27002:20226 controls
CodeTitle
iso-27002-2022::0.1Background and context
iso-27002-2022::0.2Information security requirements
iso-27002-2022::0.3Controls
iso-27002-2022::0.4Determining controls
iso-27002-2022::0.5Developing organization-specific guidelines
iso-27002-2022::0.6Life cycle considerations

Organizational controls – ISO 27002:2022

33 controls
Controls in the Organizational controls – ISO 27002:2022 domain of ISO 27002:202233 controls
CodeTitle
iso-27002-2022::5.1Policies for information security
iso-27002-2022::5.10Acceptable use of information and other associated assets
iso-27002-2022::5.11Return of assets
iso-27002-2022::5.12Classification of information
iso-27002-2022::5.13Labelling of information
iso-27002-2022::5.14Information transfer
iso-27002-2022::5.16Identity management
iso-27002-2022::5.17Authentication information
iso-27002-2022::5.18Access rights
iso-27002-2022::5.19Information security in supplier relationships
iso-27002-2022::5.2Information security roles and responsibilities
iso-27002-2022::5.20Addressing information security within supplier agreements
iso-27002-2022::5.21Managing information security in the ICT supply chain
iso-27002-2022::5.22Monitoring, review and change management of supplier services
iso-27002-2022::5.23Information security for use of cloud services
iso-27002-2022::5.24Information security incident management planning and preparation
iso-27002-2022::5.25Assessment and decision on information security events
iso-27002-2022::5.26Response to information security incidents
iso-27002-2022::5.27Learning from information security incidents
iso-27002-2022::5.28Collection of evidence
iso-27002-2022::5.29Information security during disruption
iso-27002-2022::5.3Segregation of duties
iso-27002-2022::5.30ICT readiness for business continuity
iso-27002-2022::5.31Legal, statutory, regulatory and contractual requirements
iso-27002-2022::5.32Intellectual property rights
iso-27002-2022::5.33Protection of records
iso-27002-2022::5.34Privacy and protection of PII
iso-27002-2022::5.35Independent review of information security
iso-27002-2022::5.36Compliance with policies, rules and standards for information security
iso-27002-2022::5.37Documented operating procedures
iso-27002-2022::5.4Management responsibilities
iso-27002-2022::5.5Contact with authorities
iso-27002-2022::5.6Contact with special interest groups

People controls – ISO 27002:2022

8 controls
Controls in the People controls – ISO 27002:2022 domain of ISO 27002:20228 controls
CodeTitle
iso-27002-2022::6.1Screening
iso-27002-2022::6.2Terms and conditions of employment
iso-27002-2022::6.3Information security awareness, education and training
iso-27002-2022::6.4Disciplinary process
iso-27002-2022::6.5Responsibilities after termination or change of employment
iso-27002-2022::6.6Confidentiality or non-disclosure agreements
iso-27002-2022::6.7Remote working
iso-27002-2022::6.8Information security event reporting

Physical controls – ISO 27002:2022

14 controls
Controls in the Physical controls – ISO 27002:2022 domain of ISO 27002:202214 controls
CodeTitle
iso-27002-2022::7.1Physical security perimeters
iso-27002-2022::7.10Storage media
iso-27002-2022::7.11Supporting utilities
iso-27002-2022::7.12Cabling security
iso-27002-2022::7.13Equipment maintenance
iso-27002-2022::7.14Secure disposal or re-use of equipment
iso-27002-2022::7.2Physical entry
iso-27002-2022::7.3Securing offices, rooms and facilities
iso-27002-2022::7.4Physical security monitoring
iso-27002-2022::7.5Protecting against physical and environmental threats
iso-27002-2022::7.6Working in secure areas
iso-27002-2022::7.7Clear desk and clear screen
iso-27002-2022::7.8Equipment siting and protection
iso-27002-2022::7.9Security of assets off-premises

Structure of this document – ISO 27002:2022

3 controls
Controls in the Structure of this document – ISO 27002:2022 domain of ISO 27002:20223 controls
CodeTitle
iso-27002-2022::4.1Clauses
iso-27002-2022::4.2Themes and attributes
iso-27002-2022::4.3Control layout

Technological controls – ISO 27002:2022

28 controls
Controls in the Technological controls – ISO 27002:2022 domain of ISO 27002:202228 controls
CodeTitle
iso-27002-2022::8.1User endpoint devices
iso-27002-2022::8.10Information deletion
iso-27002-2022::8.11Data masking
iso-27002-2022::8.12Data leakage prevention
iso-27002-2022::8.13Information backup
iso-27002-2022::8.14Redundancy of information processing facilities
iso-27002-2022::8.15Logging
iso-27002-2022::8.16Monitoring activities
iso-27002-2022::8.17Clock synchronization
iso-27002-2022::8.18Use of privileged utility programs
iso-27002-2022::8.19Installation of software on operational systems
iso-27002-2022::8.20Networks security
iso-27002-2022::8.21Security of network services
iso-27002-2022::8.22Segregation of networks
iso-27002-2022::8.23Web filtering
iso-27002-2022::8.24Use of cryptography
iso-27002-2022::8.25Secure development life cycle
iso-27002-2022::8.26Application security requirements
iso-27002-2022::8.27Secure system architecture and engineering principles
iso-27002-2022::8.28Secure coding
iso-27002-2022::8.29Security testing in development and acceptance
iso-27002-2022::8.30Outsourced development
iso-27002-2022::8.31Separation of development, test and production environments
iso-27002-2022::8.32Change management
iso-27002-2022::8.33Test information
iso-27002-2022::8.34Protection of information systems during audit testing
iso-27002-2022::8.6Capacity management
iso-27002-2022::8.9Configuration management

Terms, definitions and abbreviated terms – ISO 27002:2022

2 controls
Controls in the Terms, definitions and abbreviated terms – ISO 27002:2022 domain of ISO 27002:20222 controls
CodeTitle
iso-27002-2022::3.1Terms and definitions
iso-27002-2022::3.2Abbreviated terms

Your Compliance Coverage

If you comply with ISO 27002:2022, you already cover:

Maps to 105 other frameworks

94 total controls
ISO 27018:2019
29 source controls mapped|32 target controls covered
31%
ISO 27001:2022
19 source controls mapped|19 target controls covered
20%
ISO/IEC 27011:2024
17 source controls mapped|18 target controls covered
18%
ISO 19011:2018
12 source controls mapped|16 target controls covered
13%
ISO 27701:2019
8 source controls mapped|7 target controls covered
9%
ISO 27017:2015
7 source controls mapped|6 target controls covered
7%
ISO/IEC 29100:2024
7 source controls mapped|3 target controls covered
7%
ISO/IEC 38500:2024
7 source controls mapped|4 target controls covered
7%
Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1
7 source controls mapped|9 target controls covered
7%
ISO 27018
6 source controls mapped|1 target controls covered
6%
ISO/IEC 27018:2019
6 source controls mapped|1 target controls covered
6%
CFTC System Safeguards (17 CFR 37, 38, 39, 49)
6 source controls mapped|1 target controls covered
6%
ISO/SAE 21434
4 source controls mapped|3 target controls covered
4%
ISO 27043
4 source controls mapped|3 target controls covered
4%
Annex 11 to EU GMP - Computerised Systems
4 source controls mapped|2 target controls covered
4%
API 1164
4 source controls mapped|4 target controls covered
4%
Australian Energy Sector Cyber Security Framework (AESCSF)
3 source controls mapped|3 target controls covered
3%
C5 (Germany)
3 source controls mapped|5 target controls covered
3%
EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)
3 source controls mapped|2 target controls covered
3%
NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements
3 source controls mapped|2 target controls covered
3%
EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600)
3 source controls mapped|2 target controls covered
3%
3%
ISO/IEC 17025:2017 - General Requirements for Testing and Calibration
3 source controls mapped|2 target controls covered
3%
PCI DSS 4.0
3 source controls mapped|3 target controls covered
3%
ISO 27019
3 source controls mapped|4 target controls covered
3%
PCI SSF
3 source controls mapped|3 target controls covered
3%
ISO/IEC TR 24028:2020
2 source controls mapped|2 target controls covered
2%
ISO 45001:2018
2 source controls mapped|3 target controls covered
2%
ISO/IEC 29115:2023 - Entity Authentication Assurance Framework
2 source controls mapped|2 target controls covered
2%
APRA CPS 230 Operational Risk Management
2 source controls mapped|2 target controls covered
2%
ISO/IEC 27010:2015
2 source controls mapped|2 target controls covered
2%
ISO/IEC 27701:2019
2 source controls mapped|2 target controls covered
2%
SOC 1 (SSAE 18 / ISAE 3402)
2 source controls mapped|3 target controls covered
2%
FFIEC IT Examination Handbook
2 source controls mapped|2 target controls covered
2%
Taiwan PDPA
2 source controls mapped|1 target controls covered
2%
Protective Security Policy Framework (PSPF) Release 2024
2 source controls mapped|1 target controls covered
2%
CISA Industrial Control Systems (ICS) Security Guidance
2 source controls mapped|1 target controls covered
2%
BRCGS Global Standard for Food Safety Issue 9
2 source controls mapped|1 target controls covered
2%
C-TPAT - Customs-Trade Partnership Against Terrorism
2 source controls mapped|1 target controls covered
2%
ISO/IEC 27006:2024
2 source controls mapped|2 target controls covered
2%
NIST SP 800-53 Rev 5
2 source controls mapped|3 target controls covered
2%
FedRAMP High
2 source controls mapped|2 target controls covered
2%
NIST SP 800-53 Revision 5.1 HIGH
2 source controls mapped|2 target controls covered
2%
FedRAMP Moderate
2 source controls mapped|2 target controls covered
2%
NIST SP 800-53 Rev 5 MODERATE
2 source controls mapped|2 target controls covered
2%
ISO/IEC 30111:2019
2 source controls mapped|4 target controls covered
2%
ISO/IEC 29147:2018
2 source controls mapped|4 target controls covered
2%
ISO 26262:2018 - Functional Safety for Road Vehicles
2 source controls mapped|2 target controls covered
2%
AICPA SOC 3
2 source controls mapped|2 target controls covered
2%
NIST SP 1800-32
2 source controls mapped|2 target controls covered
2%
ISO 20000-1
2 source controls mapped|2 target controls covered
2%
ITIL 4
2 source controls mapped|2 target controls covered
2%
IEC 62443
2 source controls mapped|2 target controls covered
2%
NY DFS 23 NYCRR 500
2 source controls mapped|2 target controls covered
2%
ISO 14001:2015
1 source controls mapped|1 target controls covered
1%
ISO 27017
1 source controls mapped|1 target controls covered
1%
NIST SP 800-207
1 source controls mapped|2 target controls covered
1%
AML/CTF Act 2006 (Australia)
1 source controls mapped|1 target controls covered
1%
Equator Principles (EP4, 2020)
1 source controls mapped|1 target controls covered
1%
ISO 10005:2005
1 source controls mapped|1 target controls covered
1%
EDM Council CDMC - Cloud Data Management Capability Framework
1 source controls mapped|1 target controls covered
1%
SANS Incident Handler's Handbook and PICERL Methodology
1 source controls mapped|1 target controls covered
1%
CMMC 2.0 Level 1
1 source controls mapped|1 target controls covered
1%
CMMC 2.0
1 source controls mapped|1 target controls covered
1%
Cambodia Sub-Decree on Personal Data Protection (Sub-Decree No. 134)
1 source controls mapped|1 target controls covered
1%
AICPA Privacy Management Framework (PMF)
1 source controls mapped|1 target controls covered
1%
NIST SP 800-171 Rev 3
1 source controls mapped|1 target controls covered
1%
ISO/IEC 29134:2023
1 source controls mapped|2 target controls covered
1%
ISO/IEC 27014:2020
1 source controls mapped|2 target controls covered
1%
ISO/IEC 38500:2024 - Governance of IT
1 source controls mapped|1 target controls covered
1%
EAR - Export Administration Regulations
1 source controls mapped|1 target controls covered
1%
ISO/IEC 27557:2022 - Organisational Privacy Risk Management
1 source controls mapped|2 target controls covered
1%
ISO/IEC 23837 - Security Requirements for Quantum Key Distribution
1 source controls mapped|2 target controls covered
1%
ISO/IEC 27004:2016
1 source controls mapped|1 target controls covered
1%
ISO/IEC 27050 - Electronic Discovery (Parts 1-4)
1 source controls mapped|1 target controls covered
1%
ISO/IEC 27400:2022
1 source controls mapped|2 target controls covered
1%
ISO 55001:2014
1 source controls mapped|1 target controls covered
1%
SOC 2
1 source controls mapped|1 target controls covered
1%
ISO 45001
1 source controls mapped|1 target controls covered
1%
ISO 55001
1 source controls mapped|1 target controls covered
1%
Bermuda Personal Information Protection Act 2016 (PIPA)
1 source controls mapped|1 target controls covered
1%
Botswana Data Protection Act (2024)
1 source controls mapped|1 target controls covered
1%
CNCF Security Technical Advisory Group (TAG)
1 source controls mapped|1 target controls covered
1%
DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)
1 source controls mapped|1 target controls covered
1%
ISO 10007:2017
1 source controls mapped|1 target controls covered
1%
NIST SP 800-128
1 source controls mapped|2 target controls covered
1%
Automotive SPICE (ASPICE) v4.0 - Process Assessment Model
1 source controls mapped|1 target controls covered
1%
ASIC Cyber Resilience Good Practices
1 source controls mapped|1 target controls covered
1%
NIST SP 800-160
1 source controls mapped|2 target controls covered
1%
AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence
1 source controls mapped|1 target controls covered
1%
FBI CJIS Security Policy
1 source controls mapped|2 target controls covered
1%
Canada ITSG-33 - IT Security Risk Management
1 source controls mapped|1 target controls covered
1%
Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct
1 source controls mapped|1 target controls covered
1%
Australia NHMRC National Statement on Ethical Conduct in Human Research
1 source controls mapped|1 target controls covered
1%
ISO 14064 - Greenhouse Gas Accounting and Verification (Parts 1-3)
1 source controls mapped|1 target controls covered
1%
SSAE 18 - Attestation Standards (SOC Reporting)
1 source controls mapped|1 target controls covered
1%
NIST SP 800-218
1 source controls mapped|1 target controls covered
1%
ISO 19011
1 source controls mapped|2 target controls covered
1%
ISO 31000:2018
1 source controls mapped|2 target controls covered
1%
ISO/IEC 25012:2008 - Data Quality Model
1 source controls mapped|2 target controls covered
1%
Digital Services Act (DSA) - Regulation (EU) 2022/2065
1 source controls mapped|1 target controls covered
1%

Frequently Asked Questions

What is ISO 27002:2022?

ISO 27002:2022 is a compliance framework from International with 7 domains and 94 controls. Information security, cybersecurity and privacy protection - Information security controls It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does ISO 27002:2022 have?

ISO 27002:2022 has 94 controls organised across 7 domains. The largest domains are Organizational controls – ISO 27002:2022 (33 controls), Technological controls – ISO 27002:2022 (28 controls), Physical controls – ISO 27002:2022 (14 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does ISO 27002:2022 map to?

ISO 27002:2022 maps to 105 other compliance frameworks. The top mapping partners are ISO 27018:2019 (31% coverage), ISO 27001:2022 (20% coverage), ISO/IEC 27011:2024 (18% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with ISO 27002:2022 compliance?

Start your ISO 27002:2022 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ISO 27002:2022 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 94 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.

Get Started Free →

Free forever — no credit card required