ISO/IEC 27002:2022
Information security controls (the 2022 edition of the ISO/IEC 27002 reference set of controls; the "code of practice" title belongs to the 2013 edition). Provides guidance on organizational security standards and information security management practices. The tables below map NIST SP 800-53 controls, grouped by family, to ISO/IEC 27002:2022 control clauses (5.x organizational, 6.x people, 7.x physical, 8.x technological).
Controls mapped (NIST SP 800-53): 118
Total mappings (ISO/IEC 27002:2022 references): 305
Publisher: ISO/IEC
Version: 2022
Families (controls mapped): AC (10), AT (3), AU (7), CA (3), CM (7), CP (7), IA (5), IR (6), MA (3), MP (6), PE (13), PL (3), PS (6), PT (6), RA (3), SA (8), SC (6), SI (6), SR (10)
AC Access Control
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 5.1, 5.15, 5.18, 5.37 |
| AC-02 | Account Management | 5.15, 5.16, 5.18 |
| AC-03 | Access Enforcement | 5.18 |
| AC-04 | Information Flow Enforcement | 5.14, 8.20, 8.3 |
| AC-05 | Separation Of Duties | 5.18, 5.3 |
| AC-06 | Least Privilege | 5.15, 5.18, 8.12, 8.3 |
| AC-07 | Unsuccessful Login Attempts | 8.1 |
| AC-17 | Remote Access | 6.7 |
| AC-18 | Wireless Access Restrictions | 8.21 |
| AC-19 | Access Control For Portable And Mobile Devices | 8.1 |
AT Awareness and Training
AU Audit and Accountability
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 5.1, 5.37, 8.15, 8.16 |
| AU-02 | Auditable Events | 8.12, 8.15, 8.16, 8.25, 8.26, 8.3, 8.5, 8.9 |
| AU-03 | Content Of Audit Records | 8.15 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 8.15 |
| AU-07 | Audit Reduction And Report Generation | 6.8, 8.15 |
| AU-08 | Time Stamps | 8.17 |
| AU-09 | Protection Of Audit Information | 8.15 |
CA Security Assessment and Authorization
CM Configuration Management
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | 5.1, 5.37, 8.12, 8.3, 8.9 |
| CM-02 | Baseline Configuration | 8.12, 8.25, 8.26, 8.3, 8.5, 8.9 |
| CM-03 | Configuration Change Control | 8.19, 8.32 |
| CM-05 | Access Restrictions For Change | 8.19 |
| CM-06 | Configuration Settings | 8.12, 8.25, 8.26, 8.3, 8.5, 8.9 |
| CM-07 | Least Functionality | 8.12, 8.3, 8.9 |
| CM-08 | Information System Component Inventory | 5.9 |
CP Contingency Planning
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 5.1, 5.29, 5.30, 5.37 |
| CP-02 | Contingency Plan | 5.29, 5.30 |
| CP-04 | Contingency Plan Testing And Exercises | 5.29, 5.30 |
| CP-06 | Alternate Storage Site | 8.14 |
| CP-07 | Alternate Processing Site | 8.14 |
| CP-09 | Information System Backup | 8.13 |
| CP-10 | Information System Recovery And Reconstitution | 5.29, 5.30 |
IA Identification and Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 5.1, 5.14, 5.15, 5.18, 5.37, 7.1, 7.5 |
| PE-02 | Physical Access Authorizations | 5.15, 5.18, 7.1 |
| PE-03 | Physical Access Control | 5.15, 5.18, 7.1, 7.4 |
| PE-04 | Access Control For Transmission Medium | 7.12 |
| PE-06 | Monitoring Physical Access | 7.4 |
| PE-08 | Access Records | 7.2 |
| PE-09 | Power Equipment And Power Cabling | 7.11, 7.12 |
| PE-10 | Emergency Shutoff | 7.11 |
| PE-11 | Emergency Power | 7.11 |
| PE-12 | Emergency Lighting | 7.11 |
| PE-16 | Delivery And Removal | 7.2 |
| PE-18 | Location Of Information System Components | 7.12, 7.3, 7.5, 7.8 |
| PE-19 | Information Leakage | 8.12 |
PL Planning
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| PT-01 | Policy and Procedures | 5.1, 5.34, 5.37, 8.12, 8.26, 8.27 |
| PT-02 | Authority to Process Personally Identifiable Information | 5.33 |
| PT-03 | Personally Identifiable Information Processing Purposes | 5.33, 5.34 |
| PT-04 | Consent | 5.33 |
| PT-05 | Privacy Notice | 5.34 |
| PT-07 | Specific Categories of Personally Identifiable Information | 5.33 |
RA Risk Assessment
SA System and Services Acquisition
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | 5.1, 5.37, 8.25, 8.26, 8.27, 8.28, 8.30 |
| SA-03 | Life Cycle Support | 5.8, 8.25, 8.32 |
| SA-04 | Acquisitions | 5.19, 5.20, 5.22, 8.25, 8.29, 8.30 |
| SA-05 | Information System Documentation | 5.12 |
| SA-08 | Security Engineering Principles | 8.12, 8.25, 8.26, 8.27, 8.3, 8.5, 8.9 |
| SA-09 | External Information System Services | 5.19, 8.30 |
| SA-10 | Developer Configuration Management | 8.30, 8.32 |
| SA-11 | Developer Security Testing | 8.25, 8.29, 8.30 |
SC System and Communications Protection
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | 5.1, 5.14, 5.37, 8.12, 8.20, 8.21, 8.26, 8.27 |
| SC-05 | Denial Of Service Protection | 8.6 |
| SC-07 | Boundary Protection | 8.20, 8.21 |
| SC-08 | Transmission Integrity | 5.14, 8.24, 8.26 |
| SC-11 | Trusted Path | 8.5 |
| SC-13 | Use Of Cryptography | 5.31, 8.24, 8.26 |
SI System and Information Integrity
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | 5.1, 5.37, 8.12, 8.26, 8.27 |
| SI-02 | Flaw Remediation | 8.7, 8.8 |
| SI-03 | Malicious Code Protection | 8.7, 8.8 |
| SI-04 | Information System Monitoring Tools And Techniques | 8.15, 8.16 |
| SI-05 | Security Alerts And Advisories | 5.7 |
| SI-12 | Information Output Handling And Retention | 5.33, 8.10 |
SR Supply Chain Risk Management
| NIST SP 800-53 Control | Name | ISO/IEC 27002:2022 References |
|---|---|---|
| SR-01 | Policy and Procedures | 5.1, 5.19, 5.20, 5.37, 8.30 |
| SR-02 | Supply Chain Risk Management Plan | 5.19, 5.21, 5.22, 8.30 |
| SR-03 | Supply Chain Controls and Processes | 5.19, 5.22 |
| SR-04 | Provenance | 5.21 |
| SR-05 | Acquisition Strategies, Tools, and Methods | 5.21, 5.22 |
| SR-06 | Supplier Assessments and Reviews | 5.19, 5.20, 5.22, 8.21 |
| SR-07 | Supply Chain Operations Security | 5.21, 5.37, 8.30 |
| SR-08 | Notification Agreements | 5.21 |
| SR-09 | Tamper Resistance and Detection | 7.9 |
| SR-12 | Component Disposal | 7.14, 8.10 |