LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How is the ISO 27002 chapter structure organised, using "8.1 User endpoint devices" as a concrete example?

Each control has a tag set (Control type / Information security properties / Cybersecurity concepts / Operational capabilities / Security domains), followed by Control, Purpose, and Guidance sections.

A 27002 control looks like:

8 Technological controls       ← one of four themes
8.1 User endpoint devices      ← one of ~93 controls

| Control type | Information     | Cybersecurity | Operational             | Security    |
|              | security props  | concepts      | capabilities            | domains     |
| #Preventive  | #Confidentiality| #Protect      | #Asset_management       | #Protection |
|              | #Integrity      |               | #Information_protection |             |
|              | #Availability   |               |                         |             |

Control:    "Information stored on, processed by or accessible via user endpoint devices
             should be protected."

Purpose:    "To protect information against the risks introduced by using user endpoint
             devices."

Guidance:   General — establish topic-specific policy for endpoint configuration etc.
            a) the type of information and classification level that the endpoint can handle
            b) registration of user endpoint devices …

The tag set ("#Preventive", "#Identify", etc.) is new in the 2022 revision — it lets you slice the catalogue by NIST CSF function, CIA goal, or operational capability.

Tip: The tags exist to map 27002 controls to other frameworks: filter on #Protect to see what NIST CSF Protect functions correspond, or #Confidentiality for everything that defends C in CIA. Hugely useful for unified GRC dashboards.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026