ISO/IEC 27002:2022 control identifier ISO/IEC 27002:2013 control identifier

5.1 05.1.1, 05.1.2

5.2 06.1.1
5.3 06.1.2
5.4 07.2.1
5.5 06.1.3
5.6 06.1.4
5.7 New
5.8 06.1.5, 14.1.1
5.9 08.1.1, 08.1.2
5.10 08.1.3, 08.2.3
5.11 08.1.4
5.12 08.2.1
5.13 08.2.2
5.14 13.2.1, 13.2.2, 13.2.3
5.15 09.1.1, 09.1.2
5.16 09.2.1
5.17 09.2.4, 09.3.1, 09.4.3
5.18 09.2.2, 09.2.5, 09.2.6
5.19 15.1.1
5.20 15.1.2
5.21 15.1.3
5.22 15.2.1, 15.2.2
5.23 New
5.24 16.1.1
5.25 16.1.4
5.26 16.1.5
5.27 16.1.6
5.28 16.1.7
5.29 17.1.1, 17.1.2, 17.1.3
5.30 New
5.31 18.1.1, 18.1.5
5.32 18.1.2
5.33 18.1.3
5.34 18.1.4
5.35 18.2.1
5.36 18.2.2, 18.2.3
5.37 12.1.1
6.1 07.1.1
6.2 07.1.2
6.3 07.2.2
6.4 07.2.3
6.5 07.3.1
6.6 13.2.4
6.7 06.2.2
6.8 16.1.2, 16.1.3
7.1 11.1.1
7.2 11.1.2, 11.1.6
7.3 11.1.3
7.4 New
7.5 11.1.4
7.6 11.1.5
7.7 11.2.9
7.8 11.2.1
7.9 11.2.6
7.10 08.3.1, 08.3.2, 08.3.3, 11.2.5
7.11 11.2.2
7.12 11.2.3
7.13 11.2.4
7.14 11.2.7
8.1 06.2.1, 11.2.8
8.2 09.2.3
8.3 09.4.1
8.4 09.4.5
8.5 09.4.2
8.6 12.1.3
8.7 12.2.1
8.8 12.6.1, 18.2.3
8.9 New
8.10 New
8.11 New
8.12 New
8.13 12.3.1
8.14 17.2.1
8.15 12.4.1, 12.4.2, 12.4.3
8.16 New
8.17 12.4.4
8.18 09.4.4
8.19 12.5.1, 12.6.2
8.20 13.1.1
8.21 13.1.2
8.22 13.1.3
8.23 New
8.24 10.1.1, 10.1.2
8.25 14.2.1
8.26 14.1.2, 14.1.3
8.27 14.2.5
8.28 New
8.29 14.2.8, 14.2.9
8.30 14.2.7
8.31 12.1.4, 14.2.6
8.32 12.1.2, 14.2.2, 14.2.3, 14.2.4
8.33 14.3.1
8.34 12.7.1
Control name

Policies for information security

Information security roles and responsibilities
Segregation of duties
Management responsibilities
Contact with authorities
Contact with special interest groups
Threat intelligence
Information security in project management
Inventory of information and other associated assets
Acceptable use of information and other associated assets
Return of assets
Classification of information
Labelling of information
Information transfer
Access control
Identity management
Authentication information
Access rights
Information security in supplier relationships
Addressing information security within supplier agreements
Managing information security in the ICT supply chain
Monitoring, review and change management of supplier services
Information security for use of cloud services
Information security incident management planning and preparation
Assessment and decision on information security events
Response to information security incidents
Learning from information security incidents
Collection of evidence
Information security during disruption
ICT readiness for business continuity
Legal, statutory, regulatory and contractual requirements
Intellectual property rights
Protection of records
Privacy and protection of PII
Independent review of information security
Compliance with policies, rules and standards for information security
Documented operating procedures
Screening
Terms and conditions of employment
Information security awareness, education and training
Disciplinary process
Responsibilities after termination or change of employment
Confidentiality or non-disclosure agreements
Remote working
Information security event reporting
Physical security perimeters
Physical entry
Securing offices, rooms and facilities
Physical security monitoring
Protecting against physical and environmental threats
Working in secure areas
Clear desk and clear screen
Equipment siting and protection
Security of assets off-premises
Storage media
Supporting utilities
Cabling security
Equipment maintenance
Secure disposal or re-use of equipment
User endpoint devices
Privileged access rights
Information access restriction
Access to source code
Secure authentication
Capacity management
Protection against malware
Management of technical vulnerabilities
Configuration management
Information deletion
Data masking
Data leakage prevention
Information backup
Redundancy of information processing facilities
Logging
Monitoring activities
Clock synchronization
Use of privileged utility programs
Installation of software on operational systems
Networks security
Security of network services
Segregation of networks
Web filtering
Use of cryptography
Secure development life cycle
Application security requirements
Secure system architecture and engineering principles
Secure coding
Security testing in development and acceptance
Outsourced development
Separation of development, test and production environments
Change management
Test information
Protection of information systems during audit testing
ISO/IEC 27002:2013 control identifier

6.1
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.2
6.2.1
6.2.2
7
7.1
7.1.1
7.1.2
7.2
7.2.1
7.2.2
7.2.3
7.3
7.3.1
8
8.1
8.1.1
8.1.2
8.1.3
8.1.4
8.2
8.2.1
8.2.2
8.2.3
8.3
8.3.1
8.3.2
8.3.3
9
9.1
9.1.1
9.1.2
9.2
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.3
9.3.1
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
10
10.1.
10.1.1
10.1.2
11
11.1
11.1.1
11.1.2
11.1.3
11.1.4
11.1.5
11.1.6
11.2
11.2.1
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9
12
12.1
12.1.1
12.1.2
12.1.3
12.1.4
12.2
12.2.1
12.3
12.3.1
12.4
12.4.1
12.4.2
12.4.3
12.4.4
12.5
12.5.1
12.6
12.6.1
12.6.2
12.7
12.7.1
13
13.1
13.1.1
13.1.2
13.1.2
13.1.3
13.2
13.2.1
13.2.2
13.2.3
13.2.4
14
14.1
14.1.1
14.1.2
14.1.3
14.2
14.2.1
14.2.2
14.2.3
14.2.4
14.2.5
14.2.6
14.2.7
14.2.8
14.2.9
14.3
14.3.1
15
15.1
15.1.1
15.1.2
15.1.3
15.2
15.2.1
15.2.2
16
16.1
16.1.1
16.1.2
16.1.3
16.1.4
16.1.5
16.1.6
16.1.7
17
17.1
17.1.1
17.1.2
17.1.3
17.2
17.2.1
18
18.1
18.1.1
18.1.2
18.1.3
18.1.4
18.1.5
18.2
18.2.1
18.2.2
18.2.3
Iso/EC 27002: 2022 control identifier

5.2
5.3
5.5
5.6
5.8

8.1
6.7

6.1
6.2

5.4
6.3
6.4

6.5

5.9
5.9
5.10
5.11

5.12
5.13
5.10

7.10
7.10
7.10

5.15
5.15
5.16
5.18
8.2
5.17
5.18
5.18

5.17

8.3
8.5
5.17
8.18
8.4

8.24
8.24

7.1
7.2
7.3
7.5
7.6
7.2

7.8
7.11
7.12
7.13
7.10
7.9
7.14
8.1
7.7

5.37
8.32
8.6
8.31

8.7

8.13

8.15
8.15
8.15
8.17

8.19

8.8
8.19

8.34

8.20
8.21
8.22

5.14
5.14
5.14
6.6

5.8
8.26
8.26

8.25
8.32
8.32
8.32
8.27
8.31
8.30
8.29
8.29
8.33

5.19
5.20
5.21

5.22
5.22

5.24
6.8
6.8
5.25
5.26
5.27
5.28

5.29
5.29
5.29

8.14

5.31
5.32
5.33
5.34
5.31

5.35
5.36
5.36, 8.8
Control name according to ISO/IEC 27002:2013

Internal organization
Information security roles and responsibilities
Segregation of duties
Contact with authorities
Contact with special interest groups
Information security in project management
Mobile devices and teleworking
Mobile device policy
Teleworking
Human resource security
Prior to employment
Screening
Terms and conditions of employment
During employment
Management responsibilities
Information security awareness, education and training
Disciplinary process
Termination and change of employment
Termination or change of employment responsibilities
Asset management
Responsibility for assets
Inventory of assets
Ownership of assets
Acceptable use of assets
Return of assets
Information classification
Classification of information
Labelling of information
Handling of assets
Media handling
Management of removable media
Disposal of media
Physical media transfer
Access control
Business requirements of access control
Access control policy
Access to networks and network services
User access management
User registration and de-registration
User access provisioning
Management of privileged access rights
Management of secret authentication information of users
Review of user access rights
Removal or adjustment of access rights
User responsibilities
Use of secret authentication information
System and application access control
Information access restriction
Secure log-on procedures
Password management system
Use of privileged utility programs
Access control to program source code
Cryptography
Cryptographic controls
Policy on the use of cryptographic controls
Key management
Physical and environmental security
Secure areas
Physical security perimeter
Physical entry controls
Securing offices, rooms and facilities
Protecting against external and environmental threats
Working in secure areas
Delivery and loading areas
Equipment
Equipment siting and protection
Supporting utilities
Cabling security
Equipment maintenance
Removal of assets
Security of equipment and assets off-premises
Secure disposal or reuse of equipment
Unattended user equipment
Clear desk and clear screen policy
Operations security
Operational procedures and responsibilities
Documented operating procedures
Change management
Capacity management
Separation of development, testing and operational environments
Protection from malware
Controls against malware
Backup
Information backup
Logging and monitoring
Event logging
Protection of log information
Administrator and operator logs
Clock synchronization
Control of operational software
Installation of software on operational systems
Technical vulnerability management
Management of technical vulnerabilities
Restrictions on software installation
Information systems audit considerations
Information systems audit controls
Communications security
Network security management facilities
Network controls
Security of network services
Segregation in networks
Information transfer
Information transfer policies and procedures
Agreements on information transfer
Electronic messaging
Confidentiality or nondisclosure agreements
System acquisition, development and maintenance
Security requirements of information systems
Information security requirements analysis and specification
Securing application services on public networks
Protecting application services transactions
Security in development and support processes
Secure development policy
System change control procedures
Technical review of applications after operating platform changes
Restrictions on changes to software packages
Secure system engineering principles
Secure development environment
Outsourced development
System security testing
System acceptance testing
Test data
Protection of test data
Supplier relationships
Information security in supplier relationships
Information security policy for supplier relationships
Addressing security within supplier agreements
Information and communication technology supply chain
Supplier service delivery management
Monitoring and review of supplier services
Managing changes to supplier services
Information security incident management
Management of information security incidents and improvements
Responsibilities and procedures
Reporting information security events
Reporting information security weaknesses
Assessment of and decision on information security events
Response to information security incidents
Learning from information security incidents
Collection of evidence
Information security aspects of business continuity management
Information security continuity
Planning information security continuity
Implementing information security continuity
Verify, review and evaluate information security continuity
Redundancies
Availability of information processing facilities
Compliance
Compliance with legal and contractual requirements
Identification of applicable legislation and contractual requirements
Intellectual property rights
Protection of records
Privacy and protection of personally identifiable information
Regulation of cryptographic controls
Information security reviews
Independent review of information security
Compliance with security policies and standards
Technical compliance review