Quiz Entry - updated: 2026.03.01
How is ISO 27002 structured internally — what is the hierarchy of domains, control objectives, and controls?
ISO 27002 is structured as: 14 Domains > 35 Control Objectives > 114 Controls, each with implementation guidance.
Using Access Control as an example:
9 Access Control ← Domain (1 of 14)
9.1 Business requirements ← Control Objective (1 of 35)
Objective: To limit access to information and
information processing facilities.
9.1.1 Access control policy ← Control (1 of 114)
Control: An access control policy should be
established, documented and reviewed...
Implementation guidance: Asset owners should
determine appropriate access control rules...
Key points:
- Each control has a brief statement of what "should" be done
- Implementation guidance provides practical advice on how to implement it
- Access controls are both logical and physical — they should be considered together
- The "should" language confirms these are recommendations, not hard requirements