ISO 27002 is a code of practice for information security published by the [[ISO|ISO]]. It is a generic advisory document, as opposed to [[ISO 27001]], which is a standard. It describes a set of controls for protecting the [[confidentiality]], [[integrity]], and [[availability]] of information assets within an organisation.
The most recent version of this standard was published in 2022. It marks a significant change from the previous approach, and the notes below refer only to 27002:2022.
93 controls are listed in 27002. They are organised into four broad categories: organisational, people, physical, and technological [[control|controls]]. For each control, the standard states which of confidentiality, integrity, and availability it aims to support. Each control can also be classified as preventive or reactive; reactive controls can be further subdivided into detective and corrective controls.
## Organisational
This is the largest group, containing 37 controls in total. They are fundamental to cybersecurity, and give guidance (among other things) on the formulation of security policy.
## People
There are only 8 controls in this category, making it the smallest in 27002. They are nonetheless vital, given the massive importance of people in securing systems.
## Physical
There are 14 controls in this category, and unfortunately we tend to forget them. We do cyber, right? And cyber is not physical. Unfortunately this is completely inaccurate. The two are intertwined, and we've got to have a grip on the physical.
## Technological
The second largest set of controls, with 34 items. This is where the controls that we, as cybersecurity professionals, are most familiar with can be found.