The standard provides a reference set of generic information security, cybersecurity and privacy protection controls, each with implementation guidance. It is intended for organizations that operate an information security management system (ISMS) conforming to ISO/IEC 27001: it supplies the internationally recognized baseline from which controls are selected and justified in the Statement of Applicability, and a starting point for writing organization-specific security guidelines.
The 2022 revision changes the title to cover cybersecurity and privacy protection, and regroups the controls into four themes (the standard's own term; not to be confused with the "Security domains" attribute described below):
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls
In addition, every control is tagged with five attributes, so the control set can be filtered and sorted by purpose or mapped to other frameworks:
- Control type (Preventive, Detective, Corrective);
- Information security properties (Confidentiality, Integrity, Availability);
- Cybersecurity concepts (Identify, Protect, Detect, Respond, Recover);
- Operational capabilities (e.g. Governance, Asset management, Identity and access management, Threat and vulnerability management, Supplier relationships security);
- Security domains (Governance and Ecosystem, Protection, Defence, Resilience).
Each control is presented using the same layout:
- Control title: short name of the control;
- Attribute table: a table showing the value(s) of each attribute for the control;
- Control: what the control is;
- Purpose: why the control should be implemented;
- Guidance: how the control should be implemented;
- Other information: explanatory text or references to other related documents.
Among the controls added in the 2022 revision is 5.7 Threat intelligence, which requires that information about information security threats be collected, analysed and used to produce threat intelligence.