ISO/IEC 27002 is an international standard used as a reference for selecting and implementing the information security controls listed in Annex A of ISO/IEC 27001. It also provides best-practice guidance on information security management to help organizations select, implement, and manage controls, policies, processes, procedures, organizational structures, and the associated roles and responsibilities.
ISO/IEC 27002 was originally published in 2005 as a revised version of ISO/IEC 17799, which outlined general guidance for information security. The standard was revised and renamed to align it with ISO/IEC 27001, with the intention of having two complementary documents that can be used together.
ISO/IEC 27002 provides a list of security objectives and controls generally practiced in the information security industry. In particular, clauses 5 to 18 give detailed implementation guidance for the controls specified in Annex A of ISO/IEC 27001 (controls A.5 to A.18). It applies to all types of organizations (public and private sector, commercial and non-profit, etc.) that face information security risks.