ISO/IEC 27002:2022 Explained Controls, Implementation, and Best Practices

The 2022 edition introduces 11 new controls to cover modern practice, from cloud and coding to data loss prevention. In brief:

• 5.7 Threat intelligence: Gather, assess, and use threat intel to inform prevention and response.
• 5.23 Information security for use of cloud services: Select, onboard, govern, and offboard cloud services securely.
• 5.30 ICT readiness for business continuity: Keep critical IT/OT services resilient during disruption.
• 7.4 Physical security monitoring: Monitor sites and sensitive areas to deter and detect physical threats.
• 8.9 Configuration management: Set baselines and manage changes across systems and software.
• 8.10 Information deletion: Delete data securely when it is no longer needed.
• 8.11 Data masking: Limit exposure of sensitive data in business processes and non-production.
• 8.12 Data leakage prevention: Detect and prevent unauthorized data movement.
• 8.16 Monitoring activities: Define and operate monitoring to detect anomalies and events.
• 8.23 Web filtering: Control access to web content to reduce malware and exfiltration risk.
• 8.28 Secure coding: Build and verify security in the software development lifecycle.

• Identity and access lifecycle clarified: Former user-access activities are now expressed as 5.15 Access control, 5.16 Identity management, 5.17 Authentication information, and 5.18 Access rights—a cleaner joiner-mover-leaver flow with clear duties.
  
  
• Logging and monitoring simplified: 2013 logging topics consolidate into 8.15 Logging and 8.16 Monitoring activities, reducing duplicate guidance and clarifying what to monitor and how.
  
  
• Supplier oversight organized end-to-end: Topics now span 5.19–5.22 (supplier requirements, agreements, ICT supply chain, and service monitoring/change), aligning onboarding through continuous assurance.
  
  
• Four-theme model replaces 14 domains: Controls are grouped to match how teams work today (governance and risk, people, facilities, and technology).

Note: For definitive wording, consult your licensed copy of ISO/IEC 27002:2022.

• Cleaner mapping to your risk register, policies, and owners.
  
  
• Fewer gray areas for auditors and assessors.
  
  
• Better fit for cloud-first and distributed teams.
  
  
• Clearer metrics for performance and accountability.

What good looks like

• A risk-based control set that matches your business model and threat profile
• Policies that say what must happen; procedures that say how it happens
• Named owners for each control, with clear due dates and review cycles
• An SoA that is current, scoped, and traceable to evidence
• Supplier and third-party oversight from onboarding through exit
• Business continuity that factors people, tech, sites, and suppliers

Common mistakes

• Copy-pasting controls that don’t fit your risk
• Policies that are too broad to enforce or too narrow to scale
• An SoA that is written once and left to age
• “One-and-done” vendor due diligence without ongoing checks
• Continuity plans that miss upstream vendors or single points of failure

Practical implementation tips

• Start with your top risks and build outward. Avoid “control inflation.”
• Keep policies short and testable; link procedures to ticketed workflows.
• Track exceptions in the SoA with owners, time limits, and mitigating actions.
• Classify suppliers by risk. Apply deeper reviews to higher-risk tiers.
• Rehearse continuity plans. Time the steps. Capture lessons learned.

Metrics to track

• % of in-scope suppliers with completed due diligence this quarter
• % of controls with named owners and on-time reviews
• Mean time to close security exceptions / policy deviations
• % of business units with up-to-date business impact analyses

What good looks like

• Background screening and role-based access before Day 1
• Joiner/mover/leaver flows with timely provisioning and revocation
• Security awareness tailored to job function and risk
• Clear reporting lines, code of conduct, and disciplinary process
• Privileged users with enhanced training and extra checks

Common mistakes

• Delayed access revocation on leavers
• Generic “check-the-box” training that doesn’t change behavior
• Privileged users treated like everyone else
• No proof of acknowledgment for key policies

Practical implementation tips

• Tie identity changes to HR events so access updates happen automatically.
• Split training into short, role-based modules; include micro-simulations.
• Add a privileged user track with secure admin, change control, and logging.
• Capture sign-offs for critical policies with versioning and audit trails.

Metrics to track

• Access revocation SLA on terminations and role changes
• Security training completion and pass rates by role
• Phishing simulation fail rate trend
• % of privileged users who completed enhanced training

What good looks like

• Secure areas with layered access (badge + secondary factor, where needed)
• Visitor management with escorts, logs, and clear badges
• Camera coverage for critical zones, with retention and tamper checks
• Environmental safeguards (power, HVAC, fire detection/suppression)
• Clean desk and clear screen rules with spot checks

Common mistakes

• Shared badges or tailgating in secure areas
• CCTV without regular health checks or retention compliance
• Inconsistent asset return at offboarding
• Equipment disposal without certified data destruction

Practical implementation tips

• Audit physical access rights regularly and remove dormant access.
• Test CCTV coverage and retention quarterly; log and fix gaps.
• Barcode assets and reconcile at onboarding, moves, and exits.
• Use chain-of-custody for devices awaiting reuse or disposal.

Metrics to track

• % of secure areas audited on schedule
• Physical access review completion rate
• CCTV/log retention compliance rate vs policy
• % of incidents with complete physical evidence attached

What good looks like

• Strong identity and access management with least privilege and MFA
• Secure configuration baselines enforced and drift corrected quickly
• Centralized logging with coverage for critical assets and noisy-signal tuning
• Patch and vulnerability management with risk-based SLAs
• Secure development lifecycle with code reviews, secrets hygiene, and dependency scanning
• Cloud controls mapped to shared responsibility and services in use

Common mistakes

• MFA for users, but not for admins or service accounts
• “Gold images” that drift without detection
• Alert fatigue due to un-tuned log sources
• Patch SLAs that ignore asset criticality
• Secrets in code repos and pipelines
• Assuming the cloud provider covers everything

Practical implementation tips

• Require MFA for all privileged, service, and break-glass accounts.
• Monitor configuration drift; auto-remediate where safe.
• Start logging with your most critical assets and high-value transactions.
• Set vulnerability SLAs by asset criticality and exploit likelihood.
• Add pre-commit hooks and secret scanners; rotate exposed credentials fast.
• Map cloud controls to specific services (IaaS, PaaS, SaaS) and your shared-responsibility line.

Metrics to track

• % of identities with MFA enforced
• % of systems meeting secure configuration baseline (and drift MTTR)
• % of critical assets with full log coverage and alerting
• Mean time to remediate high-severity vulnerabilities

Do not implement controls by copying a list. Start with business and security risk. Use your risk register to select controls that cut the biggest risk first. Note any exceptions and compensating controls in the SoA with owners and time limits.

1. Assess:
   
   • Scope your ISMS, assets, and data flows.

1. • Map current controls to 27002 themes; log gaps.

1. • Prioritize by risk and regulatory drivers.
     
     
2. Prioritize:
   
   • Sequence work into sprints.

1. • Assign owners, due dates, and success metrics.

1. • Define evidence up front (what will “done” look like?).
     
     
2. Implement:
   
   • Update policies and procedures; integrate with ticketing.

1. • Configure technical controls and instrument logging.

1. • Train people by role; test joiner/mover/leaver flows.
     
     
2. Monitor:
   
   • Track metrics from this guide in dashboards.

1. • Review exceptions; retest high-risk controls.

1. • Tune alerts and adjust SLAs with real data.
     
     
2. Review:
   
   • Run internal audits; close findings.

1. • Update the SoA and risk treatment plan.

1. • Feed lessons learned into the next cycle.

• Control mapping: Connect risks → controls → owners → evidence.
• Evidence management: Link tasks to artifacts; keep an audit trail.
• Continuous checks: Monitor key controls and surface drift early.
• Reporting: Generate role-specific views for leadership, auditors, and teams.