Summary
ISO 27002 is a code of practice for the controls of an ISMS, and it goes into far more detail than the control list in Annex A of ISO 27001. Its 93 controls, grouped into four control sets (organizational, people, physical, and technological), are expanded in clauses 5 to 8 of ISO 27002:2022, which correspond to Annex A.5 to A.8 of ISO 27001:2022.
While ISO 27002 is not itself a certifiable standard, following its information security management guidance helps an organization satisfy the ISO 27001 certification requirements: it explains how to implement the controls that ISO 27001 requires and how to demonstrate compliance with them.
Because there is no one-size-fits-all information security solution, the appropriate controls must be selected on the basis of the organization's own risk assessment rather than applied wholesale. The CIA triad (confidentiality, integrity, and availability) provides the lens through which information security is defined in this context: each control is chosen because it reduces a specific risk to one or more of these properties.
In the upcoming chapter, we will look at one of the most significant aspects of the entire information security auditing process, namely risk management. The important steps of identifying, analyzing, measuring...