LOGBOOK

HELP

Quiz Entry - updated: 2026.03.01

How is ISO 27002 structured internally — what is the hierarchy of domains, control objectives, and controls?

ISO 27002 is structured as: 14 Domains > 35 Control Objectives > 114 Controls, each with implementation guidance.

Using Access Control as an example:

9  Access Control                    ← Domain (1 of 14)
  9.1  Business requirements         ← Control Objective (1 of 35)
    Objective: To limit access to information and
    information processing facilities.
    9.1.1  Access control policy      ← Control (1 of 114)
      Control: An access control policy should be
      established, documented and reviewed...
      Implementation guidance: Asset owners should
      determine appropriate access control rules...

Key points:

  • Each control has a brief statement of what "should" be done
  • Implementation guidance provides practical advice on how to implement it
  • Access controls are both logical and physical — they should be considered together
  • The "should" language confirms these are recommendations, not hard requirements

From Quiz: ISM / Standards & Frameworks I (ISO, BSI) | Updated: Mar 01, 2026