This article provides an overview and summary of ISO 27002 and why an organisation would use it.

ISO 27002 is an increasingly popular standard of good practice for information security that is being adopted by organisations world-wide. The standard provides organisations with information security controls and implementation guidance for use when establishing an Information Security Management System (ISMS). Note that ISO 27002 is a code of practice rather than a certifiable standard: the ISMS requirements that an organisation is audited and certified against are set out in its companion standard, ISO 27001, and ISO 27002 supplies the detailed guidance on the controls referenced there.

In the modern business environment, it is imperative for organisations to protect their critical data and information. This requires the identification of security requirements and controls through:

  1. Assessment of risks based on the organisation's business strategy and environment;
  2. Legal, regulatory and contractual requirements; and
  3. The organisation's own internal governance principles for information management.

ISO 27002 provides an extensive set of controls from which organisations can select to meet their specific needs, and which can be supplemented with controls from other sources, e.g. COBIT, ITIL or SOX 404. The standard is a practical starting point for an organisation to create its information security guidelines by selecting controls according to its criteria for risk acceptance, its risk treatment options and its general risk management framework. Selection is the key step: the controls chosen should be justified by the risk assessment, and controls that are excluded should be recorded along with the reason for their exclusion.

Whilst the specific information security risks and controls differ between organisations and industry sectors, there is considerable common ground in how organisations address information security risks relating to their customers, employees and suppliers.

The ISO 27002 standard is concerned with information security in the broad sense: it covers all forms of information (computer data, documentation, knowledge and intellectual property, information and data assets, and information transfer). Its scope is therefore not confined to IT systems security (or cybersecurity) but extends to all organisational functions, including people, physical premises and supplier relationships.


For more information please contact Morland-Austin at