Quiz Entry - updated: 2026.07.05
How is the ISO 27002 chapter structure organised, using "8.1 User endpoint devices" as a concrete example?
Each control has a tag set (Control type / Information security properties / Cybersecurity concepts / Operational capabilities / Security domains), followed by Control, Purpose, and Guidance sections.
A 27002 control looks like:
8 Technological controls ← one of four themes
8.1 User endpoint devices ← one of ~93 controls
| Control type | Information | Cybersecurity | Operational | Security |
| | security props | concepts | capabilities | domains |
| #Preventive | #Confidentiality| #Protect | #Asset_management | #Protection |
| | #Integrity | | #Information_protection | |
| | #Availability | | | |
Control: "Information stored on, processed by or accessible via user endpoint devices
should be protected."
Purpose: "To protect information against the risks introduced by using user endpoint
devices."
Guidance: General — establish topic-specific policy for endpoint configuration etc.
a) the type of information and classification level that the endpoint can handle
b) registration of user endpoint devices …
The tag set ("#Preventive", "#Identify", etc.) is new in the 2022 revision — it lets you slice the catalogue by NIST CSF function, CIA goal, or operational capability.
Tip: The tags exist to map 27002 controls to other frameworks: filter on #Protect to see what NIST CSF Protect functions correspond, or #Confidentiality for everything that defends C in CIA. Hugely useful for unified GRC dashboards.
Go deeper:
ISO/IEC 27002:2022 — themes, attributes and control layout — the four themes and the 2022 attribute tags that let you slice controls by NIST CSF function or CIA goal.