ISO/IEC 27002

Summary

ISO/IEC 27002 is used as a reference for determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO/IEC 27001. It describes a suite of information security controls to mitigate unacceptable risks to the confidentiality, integrity and availability of information.
Organizations identify and evaluate their own information risks, selecting and applying suitable information security controls to mitigate unacceptable risks using ISO/IEC 27002 for guidance. The version used in this section is ISO/IEC 27002:2022.

Definitions

Definition	Requirements
5_16. Identity management	085. Allow session history queries 096. Set user's required privileges 143. Unique access credentials
5_17. Authentication information	127. Store hashed passwords 319. Make authentication options equally secure 380. Define a password management tool
5_22. Monitoring, review and change management of supplier services	262. Verify third-party components
5_28. Collection of evidence	377. Store logs based on valid regulation
5_33. Protection of records	080. Prevent log modification 377. Store logs based on valid regulation
5_34. Privacy and protection of Personal Identifiable Information (PII)	331. Guarantee legal compliance
5_35. Independent review of information security	378. Use of log management system
5_37. Documented operating procedures	232. Require equipment identity
7_2. Physical entry controls	096. Set user's required privileges 114. Deny access with inactive credentials 143. Unique access credentials
7_3. Securing offices, rooms and facilities	235. Define credential interface 257. Access based on user credentials
7_9. Security of assets off-premises	205. Configure PIN 213. Allow geographic location 326. Detect rooted devices
7_10. Storage media	214. Allow data destruction 350. Enable memory protection mechanisms
7_14. Secure disposal or re-use of equipment	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
8_1. User endpoint devices	205. Configure PIN 209. Manage passwords in cache 210. Delete information from mobile devices 261. Avoid exposing sensitive information 350. Enable memory protection mechanisms 373. Use certificate pinning
8_2. Privileged access rights	035. Manage privilege modifications 095. Define users with privileges 096. Set user's required privileges
8_3. Information access restriction	033. Restrict administrative access 096. Set user's required privileges
8_4. Access to source code	176. Restrict system objects 229. Request access credentials 265. Restrict access to critical processes
8_5. Secure authentication	228. Authenticate using standard protocols 319. Make authentication options equally secure
8_7. Protection against malware	118. Inspect attachments 273. Define a fixed security suite 353. Schedule firmware updates 374. Use of isolation methods in running applications
8_8. Management of technical vulnerabilities	077. Avoid disclosing technical information 259. Segment the organization network 353. Schedule firmware updates 365. Avoid exposing technical information
8_9. Configuration management	062. Define standard configurations
8_10. Information deletion	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
8_11. Data masking	300. Mask sensitive data
8_15. Logging	080. Prevent log modification 377. Store logs based on valid regulation
8_16. Monitoring activities	075. Record exceptional events in logs 376. Register severity level
8_17. Clock synchronization	363. Synchronize system clocks
8_19. Installation of software on operational systems	352. Enable trusted execution 353. Schedule firmware updates
8_20. Network controls	173. Discard unsafe inputs 251. Change access point IP 252. Configure key encryption 254. Change SSID name 356. Verify sub-domain names
8_21. Security of network services	249. Locate access points 250. Manage access points 253. Restrict network access 255. Allow access only to the necessary ports 257. Access based on user credentials
8_22. Web filtering	258. Filter website content
8_23. Segregation in networks	259. Segment the organization network
8_24. Use of cryptography	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 151. Separate keys for encryption and signatures 223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms 346. Use initialization vectors once 361. Replace cryptographic keys 370. Use OAEP padding with RSA 371. Use GCM Padding with AES 372. Proper Use of Initialization Vector (IV)
8_25. Secure development lifecycle	036. Do not deploy temporary files 051. Store source code in a repository 159. Obfuscate code 171. Remove commented-out code 180. Use mock data 322. Avoid excessive logging
8_26. Application security requirements	029. Cookies with security attributes 050. Control calls to interpreted code 077. Avoid disclosing technical information 155. Application free of malicious code 161. Define secure default options 173. Discard unsafe inputs 176. Restrict system objects 184. Obfuscate application data 209. Manage passwords in cache 266. Disable insecure functionalities 326. Detect rooted devices 364. Provide extended validation (EV) certificates 373. Use certificate pinning 374. Use of isolation methods in running applications 375. Remove sensitive data from client-side applications
8_27. Secure system architecture and engineering principles	062. Define standard configurations 266. Disable insecure functionalities 273. Define a fixed security suite
8_28. Secure coding	156. Source code without sensitive information 158. Use a secure programming language 161. Define secure default options 162. Avoid duplicate code 164. Use optimized structures 168. Initialize variables explicitly 171. Remove commented-out code 172. Encrypt connection strings 302. Declare dependencies explicitly 323. Exclude unverifiable files 342. Validate request parameters 344. Avoid dynamic code execution 348. Use consistent encoding 366. Associate type to variables
8_31. Separation of development, test and production environments	180. Use mock data

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.