Gartner reviews: 4.2/5 (49)

ISO 27002 Compliance Software

ISO 27002 Controls: Implemented, Evidenced, Audit-Ready

ISO 27002 is the implementation guide behind every ISO 27001 Annex A control. SureCloud gives compliance managers and CISOs a structured platform to apply those controls, capture evidence, and maintain continuous oversight — without the spreadsheet sprawl.

ISO 27002: The Implementation Guide for Information Security Controls

ISO/IEC 27002:2022 is the internationally recognised reference standard for information security controls.
Published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), it provides detailed guidance on selecting and implementing the controls that underpin an Information Security Management System (ISMS).

Where ISO 27001 defines the requirements for an ISMS and lists 93 controls in Annex A, ISO 27002 explains how those controls should be designed and operated in practice. It is the operational companion organisations use when building, deploying, and evidencing their control environment — not a standard you certify against directly, but one you cannot practically implement ISO 27001 without.

The 2022 edition restructured the previous 114 controls from 14 domains into 93 controls across four themes: Organisational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). It introduced 11 new controls covering areas such as threat intelligence, cloud service security, data masking, and physical security monitoring — and added an attribute tagging system to help organisations map controls to cybersecurity frameworks and filter by operational capability.

Key Facts
Governing body ISO/IEC (International Organisation for Standardisation / International Electrotechnical Commission)
Applies to Any organisation implementing information security controls — particularly those pursuing or maintaining ISO 27001 certification
Certification required No — ISO 27002 is a guidance document, not a certifiable standard. Certification is awarded against ISO 27001.
Audit frequency N/A for ISO 27002 directly. ISO 27001 audits assess whether Annex A controls are implemented — ISO 27002 provides the implementation guidance reviewed in that process.
Latest version ISO/IEC 27002:2022 (published February 2022)

Why ISO 27002 Is the Difference Between Controls on Paper and Controls in Practice


It bridges the gap between requirement and implementation.

ISO 27001 tells you which controls to apply; ISO 27002 tells you how. Without it, organisations interpret Annex A in isolation, producing inconsistent, poorly evidenced controls that rarely survive external audit scrutiny.

It speeds up your ISO 27001 certification journey.

Teams with a structured approach to ISO 27002 implementation spend less time debating what "good" looks like for each control and more time building the evidence trail that auditors actually need to see. 

It closes the security gaps that misapplied controls create.

Controls designed without implementation guidance are frequently incomplete, poorly scoped, or missing key components. Following ISO 27002 reduces the risk of a control that looks right on paper but fails in practice.

It gives your teams a shared language.

ISO 27002's attribute taxonomy and control themes provide a common reference for security architects, compliance managers, and technical teams — so everyone is working from the same framework when designing, reviewing, and evidencing controls.

How SureCloud Supports ISO 27002 Implementation

From Control Guidance to Controlled Evidence — In One Platform.


Pre-built ISO 27002 control framework

SureCloud's Compliance Management product includes a pre-mapped ISO/IEC 27002:2022 control set, giving your team an immediate starting point rather than building a framework from scratch. Assign control owners, set review cadences, track implementation status, and manage your Statement of Applicability — all within a single compliance dashboard. When the standard updates, your framework evolves with it. 

93 Controls. Four Themes. One Coherent Framework.

Each control theme and what it covers:

Organisational controls (37 controls)

Policies, roles, responsibilities, information classification, supplier relationships, incident management, business continuity, and information security governance — the structural foundations of how an organisation manages security.

People controls (8 controls)

Screening, terms of employment, information security awareness, training and education, disciplinary processes, and responsibilities that continue after employment ends.

Physical controls (14 controls)

Physical security perimeters, access controls to secure areas, equipment protection, clear desk and screen requirements, securing physical media, and protecting assets against environmental threats.

Technological controls (34 controls)

User endpoint protection, access management, cryptography, network security, vulnerability management, configuration management, secure development practices, and continuous monitoring. The largest control theme — covering most of the technical control landscape.

New controls in ISO 27002:2022

11 controls were added in the 2022 update, including threat intelligence, information security for cloud services, ICT readiness for business continuity, data masking, data leakage prevention, web filtering, and physical security monitoring.

Internal audit programme (Clause 9)

Run planned internal audits to verify the ISMS operates as intended. Non-conformities identified internally are far less costly than those found by an external auditor.

Continual improvement (Clause 10)

Address non-conformities with corrective actions and track them to closure. Demonstrate ongoing improvement in your security posture between surveillance and recertification audits.

Frequently Asked ISO 27002 Questions

What is ISO 27002?

ISO/IEC 27002:2022 is the internationally recognised standard that provides implementation guidance for information security controls. It complements ISO 27001 by explaining how to design and operate the 93 Annex A controls that underpin an Information Security Management System. Organisations use ISO 27002 as a reference document when selecting, implementing, and evidencing controls — particularly during ISO 27001 certification. 

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable management system standard — it defines the requirements for establishing, maintaining, and improving an ISMS. ISO 27002 is the companion guidance standard that explains how to implement the controls listed in ISO 27001's Annex A. Organisations achieve certification against ISO 27001; ISO 27002 is the reference used to ensure those controls are designed and implemented correctly. 

Can you get ISO 27002 certified?

No. ISO 27002 is a guidance document, not a certifiable standard — there is no formal certification against ISO 27002 itself. Certification is awarded against ISO 27001, which references the same 93 controls that ISO 27002 provides guidance for. Organisations implementing ISO 27001 will typically use ISO 27002 as the implementation reference throughout the process. 

What changed in ISO 27002:2022?

The 2022 update restructured 114 controls from 14 domains into 93 controls across four themes: Organisational, People, Physical, and Technological. Eleven new controls were added, covering threat intelligence, cloud service security, data masking, ICT readiness for business continuity, physical security monitoring, and web filtering, among others. An attribute tagging system was also introduced to help organisations map controls to cybersecurity concepts and operational capabilities.

Do I need to implement all 93 ISO 27002 controls?

Not necessarily. ISO 27001 requires organisations to document which controls apply to their ISMS scope and justify any exclusions in a Statement of Applicability (SoA). ISO 27002 provides implementation guidance for all 93 controls, but which controls your organisation applies depends on your risk assessment, scope, and business context. Some controls will be essential; others can be formally excluded with documented justification. 

How does software help with ISO 27002 compliance?

Implementing and evidencing 93 controls — each with owners, review cycles, and audit trails — is not manageable in spreadsheets at any scale. GRC software automates evidence collection, assigns control ownership, tracks implementation status, and maps controls directly to your risk register. The result is a continuously maintained control environment, rather than a point-in-time snapshot assembled under pressure before each audit. 

Related ISO 27001 Resources

ISO 27002 Guide: Controls, Changes & Implementation
Beginner's Guide to ISO 27001
ISO 27001 vs Other Security Standards Explained
Reviews

Read Our G2 Reviews


4.5 out of 5

"Excellent support team"

We've been happy with the product and the support and communication has been excellent throughout the migration and onboarding process.

Posted on G2 - SureCloud

5 out of 5

"Great customer support"

The SureCloud team can't do enough to ensure that the software meets our organisation's requirements.

Posted on G2 - SureCloud

4.5 out of 5

"Solid core product with friendly support team"

We use SureCloud for Risk Management and Control Compliance. The core product is strong, especially in validating data as it is...

Posted on G2 - SureCloud

5 out of 5

"Excellent GRC tooling and professional service"

We've been happy with the product and the support and communication has been excellent throughout the migration and onboarding process.

Posted on G2 - SureCloud

4.5 out of 5

"Straightforward Implementation, Intuitive Use, and Brilliant Support"

SureCloud has been straightforward to implement and tailor to our framework. It’s intuitive to use, so our teams have adopted it quickly...

Posted on G2 - SureCloud

5 out of 5

"Easy to Use, Beautiful Graphs, and a Helpful, Responsive Team"

Very easy to use and really nice graphs are created. The team are also very helpful and quick to respond.

Posted on G2 - SureCloud

Your GRC team, amplified. See Gracie in action.