Glossary

ISO/IEC 27002

ISO/IEC 27002 is an international standard that provides a reference catalog of information security controls together with guidance on their purpose and implementation; it is normally used alongside ISO/IEC 27001 when building an information security management system (ISMS).

ISO/IEC 27002 is an international standard that provides a detailed catalog of information security controls and implementation guidance. It is used to design, implement, maintain, and improve information security controls, often in support of an information security management system (ISMS) based on ISO/IEC 27001.

The standard describes commonly accepted security controls. The 2013 edition grouped them into domains such as access control, asset management, cryptography, operations security, supplier relationships, and incident management; the 2022 edition reorganizes the controls into four themes (organizational, people, physical, and technological) and tags each control with attributes such as control type and the security properties it protects, so controls can be filtered and mapped to other frameworks. For each control it states the purpose, guidance on how it can be applied, and other relevant information. It does not define management system requirements or certification criteria.

Role in industrial and regulated environments

In industrial operations and manufacturing, ISO/IEC 27002 is commonly used to:

  • Support ISO/IEC 27001 implementations by selecting and tailoring security controls for OT and IT systems
  • Structure security policies, procedures, and technical safeguards for MES, ERP, historians, and plant networks
  • Align information security practices with other management system standards, such as quality or risk frameworks
  • Address security of production data, recipes, configuration baselines, remote access, and supplier connections

The controls in ISO/IEC 27002 can be applied to both traditional IT assets and operational technology, including controllers, SCADA, and industrial networks, provided they are interpreted with industrial constraints and safety requirements in mind. For example, patching and malware-protection controls often need compensating measures where a controller cannot be updated without a production stop, and network segmentation must not interfere with safety instrumented systems. Many industrial organizations therefore apply ISO/IEC 27002 together with the IEC 62443 series, which addresses OT-specific concepts such as zones, conduits, and security levels.

How ISO/IEC 27002 relates to ISO/IEC 27001

ISO/IEC 27001 defines the requirements for an information security management system. ISO/IEC 27002 provides detailed guidance on individual controls that can be selected to meet those requirements.

  • ISO/IEC 27001: requirement standard for establishing, implementing, maintaining, and continually improving an ISMS
  • ISO/IEC 27002: reference for selecting, describing, and implementing controls to treat identified information security risks

Organizations typically use ISO/IEC 27002 during risk assessment and risk treatment planning to decide which controls apply and how they are implemented. Annex A of ISO/IEC 27001 lists the same controls in summary form, and ISO/IEC 27001 requires a Statement of Applicability (SoA) that records which controls are included or excluded and why; ISO/IEC 27002 supplies the implementation guidance behind those decisions. Merely including or excluding a control does not by itself determine conformity to ISO/IEC 27001: an auditor checks that the selection is justified by the risk assessment and that the implemented control is effective in context.

Common confusion

  • ISO/IEC 27001 vs ISO/IEC 27002: ISO/IEC 27001 contains auditable ISMS requirements. ISO/IEC 27002 provides guidance on controls and is not an auditable management system standard.
  • Compliance and certification: Organizations may seek certification to ISO/IEC 27001, not to ISO/IEC 27002. ISO/IEC 27002 is used as a reference for control design and implementation.

Use in practice

In a manufacturing or regulated setting, ISO/IEC 27002 is commonly used to:

  • Define access control models for MES, LIMS, and ERP systems
  • Set rules for handling production data, design records, and technical documentation
  • Guide logging, monitoring, and incident handling processes on plant networks
  • Structure supplier and third-party security requirements for outsourced manufacturing and maintenance

It is typically combined with organization-specific policies, risk assessments, and sector regulations to build a coherent information security control environment.
