LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is ISO 27002 and why can't you get certified against it?

ISO 27002 is the "Code of Practice" that defines 114 security controls with implementation guidance, but it only uses "should" language (recommendations), so certification isn't possible.

Key characteristics:

  • Often abbreviated as CoP (Code of Practice)
  • Defines 114 controls (also called measures or checkpoints) for secure handling of information
  • Each control includes implementation guidance, but with relatively low detail
  • Uses "should" (recommendations), not "shall" (requirements)

Good for baseline protection: The standard is excellent for implementing a baseline security level (Grundschutz) — minimum security requirements that every organization should meet.

Relationship to ISO 27001: The controls in ISO 27002 are referenced in Annex A of ISO 27001. When building an ISMS, you select applicable ISO 27002 controls and document them in your Statement of Applicability.

Tip: Think of ISO 27001 as the "what you must do" and ISO 27002 as the "how you could do it."

Go deeper:

  • doc ISO/IEC 27002 (Wikipedia) — der Code of Practice und seine Steuerungsmassnahmen; der Artikel zeigt auch, wie die 2022er-Neufassung die 14 Domänen zu vier Themengruppen umgebaut hat.

From Quiz: ISM / Standards & Frameworks I (ISO, BSI) | Updated: Jul 05, 2026