Glossary

ISO 27002

ISO 27002 is an international standard that provides a detailed code of practice for information security controls supporting ISO 27001.

ISO 27002 is an international standard that provides a detailed code of practice for information security controls. It is designed to support the implementation and continual improvement of an Information Security Management System (ISMS), typically aligned with ISO 27001.

What ISO 27002 includes

ISO 27002 describes a broad set of information security controls and associated implementation guidance. These controls commonly cover areas such as:

  • Information security policies and governance
  • Organization of information security and roles
  • Human resource security (onboarding, offboarding, awareness)
  • Asset management and classification
  • Access control and user account management
  • Cryptography and key management
  • Physical and environmental security
  • Operations security, including backup and logging
  • Communications and network security
  • System acquisition, development, and maintenance
  • Supplier relationships and third-party access
  • Information security incident management
  • Business continuity aspects related to information security
  • Compliance-related controls and documented evidence

In industrial and manufacturing environments, these controls are applied across IT and OT systems, including MES, SCADA, PLC networks, engineering workstations, and integrated ERP or quality systems.

What ISO 27002 is not

  • It is not a management system standard; it does not define ISMS requirements in the same way ISO 27001 does.
  • It is not a certification on its own; organizations are typically certified against ISO 27001, not ISO 27002.
  • It is not specific to any single technology, vendor platform, or industry sector.

Instead, ISO 27002 serves as a reference catalog of controls and guidance that organizations can select, adapt, and justify, for example as part of the ISO 27001 Statement of Applicability.

Operational meaning in manufacturing environments

In regulated, brownfield manufacturing settings, ISO 27002 is commonly used to:

  • Inform security baselines for production networks, plant-floor servers, and MES infrastructure.
  • Align information security policies with existing QMS, validation, and change control procedures.
  • Define access control, logging, and backup expectations for systems used in batch records, traceability, and quality investigations.
  • Structure evidence for audits by mapping implemented controls to ISO 27001/27002 control references.

Organizations usually tailor ISO 27002 controls to legacy OT systems, vendor constraints, and existing safety or quality controls, documenting justifications where full technical enforcement is not practical.

Relationship to ISO 27001

ISO 27001 defines the requirements for establishing, implementing, maintaining, and improving an ISMS. ISO 27002 complements it by:

  • Providing detailed descriptions and guidance for many of the controls referenced by ISO 27001.
  • Helping organizations select, design, and document controls that address identified information security risks.
  • Supporting the development of policy, standards, procedures, and records within the overall ISO 27001 framework.

In practice, an ISO 27001 project in a manufacturing organization often uses ISO 27002 as the main reference when writing detailed security standards and work instructions that affect plant-floor and enterprise systems.

Common confusion

  • ISO 27002 vs ISO 27001: ISO 27001 sets ISMS requirements and is commonly used for certification. ISO 27002 provides supporting control guidance; it is not a standalone certification standard.
  • ISO 27002 vs internal policy: ISO 27002 is a public international standard, while a company’s information security policy framework is an internal set of documents that may draw on ISO 27002 but is specific to that organization.

Link to the information security policy framework

When designing an information security policy framework under ISO 27001, ISO 27002 is typically used as the primary reference for which controls should be considered and how they can be implemented. For manufacturing organizations, this often includes mapping ISO 27002 controls to plant procedures, validated systems, and IT/OT governance documents without implying that ISO 27002 adoption alone guarantees any regulatory or audit outcome.
