← Frameworks / Controls Guidance

ISO/IEC 27002:2022

Code of practice for information security controls. Provides guidance on organizational security standards and information security management practices.

Clauses: 93
Avg Coverage: 85.8%
Publisher: ISO/IEC Version: 2022
ISO 27002:2022 → SP 800-53 SP 800-53 → ISO 27002:2022 Coverage Analysis
Clause Title SP 800-53 Controls
5.1 Policies for information security
PL-01 PM-01 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 PT-01 SR-01
5.2 Information security roles and responsibilities
PM-02 PS-01 PS-02 PL-01 PS-09
5.3 Segregation of duties
AC-05
5.4 Management responsibilities
PM-02 PM-13 PS-07 AT-01 PM-29
5.5 Contact with authorities
IR-06 PM-15
5.6 Contact with special interest groups
PM-15 PM-16
5.7 Threat intelligence
PM-16 RA-03 RA-05 SI-05 RA-10 RA-07
5.8 Information security in project management
SA-03 SA-04 SA-08 PM-07
5.9 Inventory of information and other associated assets
CM-08 PM-05 CM-12 CM-13
5.10 Acceptable use of information and other associated assets
PL-04 AC-20 MP-07
5.11 Return of assets
PS-04 PS-05
5.12 Classification of information
RA-02 AC-16
5.13 Labelling of information
MP-03 AC-16 RA-02
5.14 Information transfer
SC-07 SC-08 SC-12 AC-04 AC-17 AC-20 MP-05 SC-46
5.15 Access control
AC-01 AC-02 AC-03 AC-06 AC-07 AC-08 AC-10 AC-11 AC-12 AC-14 AC-17 AC-21 AC-24
5.16 Identity management
IA-02 IA-04 IA-05 IA-08 IA-12
5.17 Authentication information
IA-05 IA-06 IA-07 IA-11
5.18 Access rights
AC-02 AC-06 AC-25
5.19 Information security in supplier relationships
SA-04 SA-09 SR-01 SR-02 SR-03 SR-05
5.20 Addressing information security within supplier agreements
SA-04 SA-09 SR-03
5.21 Managing information security in the ICT supply chain
SR-01 SR-02 SR-03 SR-05 SR-06 SR-09 SR-10 SR-11
5.22 Monitoring, review and change management of supplier services
SA-09 SR-06 CA-07
5.23 Information security for use of cloud services
SA-09 AC-20 SC-07 SA-04
5.24 Information security incident management planning and preparation
IR-01 IR-02 IR-03 IR-04 IR-07 IR-08
5.25 Assessment and decision on information security events
IR-04 IR-05 IR-06 SI-04
5.26 Response to information security incidents
IR-04 IR-05 IR-06 IR-07 IR-09
5.27 Learning from information security incidents
IR-03 IR-04
5.28 Collection of evidence
IR-04 AU-03 AU-06 AU-09 AU-11
5.29 Information security during disruption
CP-01 CP-02 CP-03 CP-04 CP-05 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13
5.30 ICT readiness for business continuity
CP-02 CP-04 CP-07 CP-08 CP-09 CP-10
5.31 Legal, statutory, regulatory and contractual requirements
PL-04 PM-01 SA-04 PM-08
5.32 Intellectual property rights
5.33 Protection of records
AU-11 SI-12 AU-09
5.34 Privacy and protection of PII
PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08 PM-25 PM-26 PM-27 PM-28 SI-18 RA-08
5.35 Independent review of information security
CA-02 CA-07 PM-06
5.36 Compliance with policies, rules and standards
CA-02 AU-06 PM-06 CA-07
5.37 Documented operating procedures
PL-02 SA-05 CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-08 CM-09 CM-10 CM-11
6.1 Screening
PS-03
6.2 Terms and conditions of employment
PS-06 PL-04 PS-07 PS-09
6.3 Information security awareness, education and training
AT-02 AT-03 AT-04 PM-13 PM-14 AT-06
6.4 Disciplinary process
PS-08
6.5 Responsibilities after termination or change of employment
PS-04 PS-05 PS-06
6.6 Confidentiality or non-disclosure agreements
PS-06 SA-09
6.7 Remote working
AC-17 PE-17 SC-28
6.8 Information security event reporting
IR-06 IR-07 IR-01
7.1 Physical security perimeters
PE-03 PE-04
7.2 Physical entry
PE-02 PE-03 PE-06 PE-08 PE-07
7.3 Securing offices, rooms and facilities
PE-03 PE-05 PE-18
7.4 Physical security monitoring
PE-06 PE-08
7.5 Protecting against physical and environmental threats
PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-21 PE-23
7.6 Working in secure areas
PE-02 PE-03 PE-07
7.7 Clear desk and clear screen
AC-11 MP-04 PE-05
7.8 Equipment siting and protection
PE-14 PE-18 PE-01 PE-23
7.9 Security of assets off-premises
AC-17 MP-05 SC-28 AC-19
7.10 Storage media
MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 MP-08
7.11 Supporting utilities
PE-09 PE-10 PE-11 PE-12
7.12 Cabling security
PE-04 PE-09
7.13 Equipment maintenance
MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 MA-07
7.14 Secure disposal or re-use of equipment
MP-06 MP-08
8.1 User endpoint devices
AC-19 CM-07 SC-28 CM-08 SC-41
8.2 Privileged access rights
AC-06 AC-02 AC-05
8.3 Information access restriction
AC-03 AC-04 AC-06 AC-24
8.4 Access to source code
CM-05 AC-03 SA-10
8.5 Secure authentication
IA-02 IA-05 IA-08 IA-11
8.6 Capacity management
AU-04 CP-02 SC-05 SA-04
8.7 Protection against malware
SI-03 SI-08 SC-44
8.8 Management of technical vulnerabilities
RA-05 SI-02 SI-05
8.9 Configuration management
CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-08 CM-09 CM-14
8.10 Information deletion
MP-06 SI-12
8.11 Data masking
SI-19 PT-06 PT-07 SC-28 SI-20
8.12 Data leakage prevention
AC-04 PE-19 SC-07 SI-04 SC-31
8.13 Information backup
CP-09 CP-06
8.14 Redundancy of information processing facilities
CP-06 CP-07 CP-08 SC-36
8.15 Logging
AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12
8.16 Monitoring activities
SI-04 AU-06 CA-07 IR-04
8.17 Clock synchronization
AU-08 SC-45
8.18 Use of privileged utility programs
CM-07 CM-11 AC-06
8.19 Installation of software on operational systems
CM-05 CM-07 CM-11 SA-22 CM-14
8.20 Networks security
SC-07 SC-08 AC-04 CA-09
8.21 Security of network services
SC-07 SC-08 SA-09
8.22 Segregation of networks
SC-07 SC-32
8.23 Web filtering
SC-07 SI-03 AC-04
8.24 Use of cryptography
SC-12 SC-13 SC-28
8.25 Secure development life cycle
SA-03 SA-08 SA-10 SA-11 SA-15 SA-17
8.26 Application security requirements
SA-04 SA-08 SA-11
8.27 Secure system architecture and engineering principles
SA-08 SA-17 SC-07 SC-32 PL-08
8.28 Secure coding
SA-11 SA-15 SA-16
8.29 Security testing in development and acceptance
SA-11 CA-02 SA-04
8.30 Outsourced development
SA-04 SA-09 SA-10 SA-11 SA-21
8.31 Separation of development, test and production environments
CM-04 SA-11 SC-32 CM-02
8.32 Change management
CM-03 CM-04 CM-05 SA-10
8.33 Test information
SA-11 SA-15
8.34 Protection of information systems during audit testing
CA-02 AU-06 CA-08