INTERNATIONAL STANDARD ISO/IEC 27002 Third edition 2022-02 Information security, cybersecurity and privacy protection — Information security controls m o c . 5 Sécurité de l'information, cybersécurité et protection de la vie privée — Mesures de sécurité de l'information h t i g b u Reference number ISO/IEC 27002:2022(E) © ISO/IEC 2022 ISO/IEC 27002:2022(E) m o c . 5 --`,,,,`,,,`,``,`,`,`,,,`,,,,-`-`,,`,,`,`,,`--- b u h t i g COPYRIGHT PROTECTED DOCUMENT © ISO/IEC 2022 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester. ISO copyright office CP 401 • Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 01 11 Email: [email protected] Website: www.iso.org Published in Switzerland ii   © ISO/IEC 2022 – All rights reserved ISO/IEC 27002:2022(E) Contents Page Foreword........................................................................................................................................................................................................................................ vi Introduction..............................................................................................................................................................................................................................vii 1 Scope.................................................................................................................................................................................................................................. 1 3 4 5 Normative references...................................................................................................................................................................................... 1 Terms, definitions and abbreviated terms............................................................................................................................... 1 3.1 Terms and definitions....................................................................................................................................................................... 1 3.2 Abbreviated terms............................................................................................................................................................................... 6 Structure of this document........................................................................................................................................................................ 7 4.1 Clauses............................................................................................................................................................................................................ 7 4.2 Themes and attributes..................................................................................................................................................................... 8 4.3 Control layout........................................................................................................................................................................................... 9 --`,,,,`,,,`,``,`,`,`,,,`,,,,-`-`,,`,,`,`,,`--- 2 m o c . 5 Organizational controls................................................................................................................................................................................ 9 5.1 Policies for information security............................................................................................................................................. 9 5.2 Information security roles and responsibilities..................................................................................................... 11 5.3 Segregation of duties...................................................................................................................................................................... 12 5.4 Management responsibilities.................................................................................................................................................. 13 5.5