Skip to main content

ISO/IEC 27002

logo

Summary

ISO/IEC 27002 is used as a reference for determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO/IEC 27001. It describes a suite of information security controls to mitigate unacceptable risks to the confidentiality, integrity and availability of information. Organizations identify and evaluate their own information risks, selecting and applying suitable information security controls to mitigate unacceptable risks using ISO/IEC 27002 for guidance. The version used in this section is ISO/IEC 27002:2022.

Definitions

DefinitionRequirements
5_16. Identity management085. Allow session history queries
096. Set user's required privileges
143. Unique access credentials
5_17. Authentication information127. Store hashed passwords
319. Make authentication options equally secure
380. Define a password management tool
5_22. Monitoring, review and change management of supplier services262. Verify third-party components
5_28. Collection of evidence377. Store logs based on valid regulation
5_33. Protection of records080. Prevent log modification
377. Store logs based on valid regulation
5_34. Privacy and protection of Personal Identifiable Information (PII)331. Guarantee legal compliance
5_35. Independent review of information security378. Use of log management system
5_37. Documented operating procedures232. Require equipment identity
7_2. Physical entry controls096. Set user's required privileges
114. Deny access with inactive credentials
143. Unique access credentials
7_3. Securing offices, rooms and facilities235. Define credential interface
257. Access based on user credentials
7_9. Security of assets off-premises205. Configure PIN
213. Allow geographic location
326. Detect rooted devices
7_10. Storage media214. Allow data destruction
350. Enable memory protection mechanisms
7_14. Secure disposal or re-use of equipment183. Delete sensitive data securely
360. Remove unnecessary sensitive information
8_1. User endpoint devices205. Configure PIN
209. Manage passwords in cache
210. Delete information from mobile devices
261. Avoid exposing sensitive information
350. Enable memory protection mechanisms
373. Use certificate pinning
8_2. Privileged access rights035. Manage privilege modifications
095. Define users with privileges
096. Set user's required privileges
8_3. Information access restriction033. Restrict administrative access
096. Set user's required privileges
8_4. Access to source code176. Restrict system objects
229. Request access credentials
265. Restrict access to critical processes
8_5. Secure authentication228. Authenticate using standard protocols
319. Make authentication options equally secure
8_7. Protection against malware118. Inspect attachments
273. Define a fixed security suite
353. Schedule firmware updates
374. Use of isolation methods in running applications
8_8. Management of technical vulnerabilities077. Avoid disclosing technical information
259. Segment the organization network
353. Schedule firmware updates
365. Avoid exposing technical information
8_9. Configuration management062. Define standard configurations
8_10. Information deletion183. Delete sensitive data securely
360. Remove unnecessary sensitive information
8_11. Data masking300. Mask sensitive data
8_15. Logging080. Prevent log modification
377. Store logs based on valid regulation
8_16. Monitoring activities075. Record exceptional events in logs
376. Register severity level
8_17. Clock synchronization363. Synchronize system clocks
8_19. Installation of software on operational systems352. Enable trusted execution
353. Schedule firmware updates
8_20. Network controls173. Discard unsafe inputs
251. Change access point IP
252. Configure key encryption
254. Change SSID name
356. Verify sub-domain names
8_21. Security of network services249. Locate access points
250. Manage access points
253. Restrict network access
255. Allow access only to the necessary ports
257. Access based on user credentials
8_22. Web filtering258. Filter website content
8_23. Segregation in networks259. Segment the organization network
8_24. Use of cryptography145. Protect system cryptographic keys
146. Remove cryptographic keys from RAM
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
151. Separate keys for encryption and signatures
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
346. Use initialization vectors once
361. Replace cryptographic keys
370. Use OAEP padding with RSA
371. Use GCM Padding with AES
372. Proper Use of Initialization Vector (IV)
8_25. Secure development lifecycle036. Do not deploy temporary files
051. Store source code in a repository
159. Obfuscate code
171. Remove commented-out code
180. Use mock data
322. Avoid excessive logging
8_26. Application security requirements029. Cookies with security attributes
050. Control calls to interpreted code
077. Avoid disclosing technical information
155. Application free of malicious code
161. Define secure default options
173. Discard unsafe inputs
176. Restrict system objects
184. Obfuscate application data
209. Manage passwords in cache
266. Disable insecure functionalities
326. Detect rooted devices
364. Provide extended validation (EV) certificates
373. Use certificate pinning
374. Use of isolation methods in running applications
375. Remove sensitive data from client-side applications
8_27. Secure system architecture and engineering principles062. Define standard configurations
266. Disable insecure functionalities
273. Define a fixed security suite
8_28. Secure coding156. Source code without sensitive information
158. Use a secure programming language
161. Define secure default options
162. Avoid duplicate code
164. Use optimized structures
168. Initialize variables explicitly
171. Remove commented-out code
172. Encrypt connection strings
302. Declare dependencies explicitly
323. Exclude unverifiable files
342. Validate request parameters
344. Avoid dynamic code execution
348. Use consistent encoding
366. Associate type to variables
8_31. Separation of development, test and production environments180. Use mock data