AS NZS ISO IEC 27002-2022 PDF

St AS NZS ISO IEC 27002-2022

Name in English:
St AS NZS ISO IEC 27002-2022

Name in Russian:
St AS NZS ISO IEC 27002-2022

Description in English:

Original standard AS NZS ISO IEC 27002-2022 in PDF, full version. Additional information and a preview are available on request.

Description in Russian:
Original standard AS NZS ISO IEC 27002-2022 in PDF, full version. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
250 business days

SKU:
Stasnzs09332

Full title and description

AS/NZS ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls. This joint Australian/New Zealand adoption identically reproduces ISO/IEC 27002:2022 and provides a reference set of generic information security controls together with implementation guidance for organisations seeking to establish, implement or improve information security and privacy protections.

Abstract

The 2022 edition of ISO/IEC 27002 (adopted as AS/NZS ISO/IEC 27002:2022) reorganises and updates guidance on information security controls. It reduces and consolidates previous controls into a streamlined set of 93 controls grouped into four themes (organisational, people, physical and technological), introduces control attributes to aid selection and application, and adds new controls addressing modern cyber risks (for example threat intelligence, cloud security, secure coding, data masking and data deletion). The document is intended as guidance (not a certifiable requirement) to support implementation of an ISMS and to complement ISO/IEC 27001.

General information

  • Status: Current (AS/NZS adoption of ISO/IEC 27002:2022).
  • Publication date: ISO publication: 15 February 2022 (ISO/IEC 27002:2022); AS/NZS joint adoption published: 9 December 2022.
  • Publisher: Standards Australia / Standards New Zealand (identical adoption of ISO/IEC 27002:2022).
  • ICS / categories: 35.030 (Information technology — Security techniques / Information security).
  • Edition / version: 3rd edition (2022).
  • Number of pages: 152 (third-edition length as published internationally; AS/NZS publication reflects the identical text).

Scope

Provides guidance on selection, implementation and management of information security controls within the context of an information security management system (ISMS) or as standalone security guidance. The standard covers controls for governance, people, physical and technological protection measures, and includes implementation guidance and attributes to help organisations choose controls appropriate to their context, risk appetite and legal/regulatory obligations.

Key topics and requirements

  • Reference set of 93 information security controls (consolidated from earlier editions).
  • New control structure grouped into four themes: Organisational, People, Physical and Technological.
  • Control attributes (type, security properties, cybersecurity concepts, operational capabilities, security domains) to support filtering and selection.
  • Implementation guidance and purpose statements for each control to assist real-world application.
  • Introduction of modern controls such as threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.
  • Emphasis on risk-based selection and tailoring of controls rather than a one-size-fits-all checklist.

Typical use and users

Used by information security managers, ISMS implementers, auditors, compliance officers, IT and security architects, risk managers, consultants and organisations of all sizes seeking best-practice guidance for selecting and applying security controls. It is commonly used alongside ISO/IEC 27001 when designing and operating an ISMS, and by teams updating security controls to address cloud, software development and modern threat landscapes.

Related standards

Part of the ISO/IEC 27000 family. Commonly referenced alongside ISO/IEC 27001:2022 (requirements for ISMS), AS/NZS ISO/IEC 27001 (local adoption), ISO/IEC 27005 (risk management), ISO/IEC 27017 (cloud security guidance), ISO/IEC 27018 (personal data in the cloud), and sector-specific or implementation guidance standards within the 27000 series.

Keywords

information security, cybersecurity, privacy protection, ISMS, security controls, control attributes, cloud security, threat intelligence, secure coding, data masking, ISO/IEC 27002, AS/NZS

FAQ

Q: What is this standard?

A: AS/NZS ISO/IEC 27002:2022 is the Australian/New Zealand adoption of ISO/IEC 27002:2022, a code of practice that provides guidance and a reference set of information security controls and implementation advice.

Q: What does it cover?

A: It covers guidance on selection, implementation and management of information security controls across organisational, people, physical and technological domains and includes attributes and purpose statements to help tailor controls to organisational needs.

Q: Who typically uses it?

A: Information security and risk professionals, ISMS implementers, auditors, IT/security architects, compliance teams, consultants and any organisation seeking to apply recognised best-practice security controls.

Q: Is it current or superseded?

A: It is the current edition (third edition, 2022). It replaces earlier editions (including the 2013/2015 AS/ISO versions). International publication was 15 February 2022 and the AS/NZS joint adoption was published 9 December 2022.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family of standards addressing information security management systems, guidance, risk management and related topics.

Q: What are the key keywords?

A: Information security, cybersecurity, privacy protection, ISMS, controls, control attributes, cloud, threat intelligence, secure coding, data protection.