The four pillars of control: A modern approach to information security management

An important information security standard has been newly revised.

BS EN ISO/IEC 27002 Information technology, cybersecurity and privacy protection—Information security controls provides guidance for organizational information security standards and offers best practices for information security management. It takes into consideration a business’ unique information security risk environment, by focusing on the organization’s selection, implementation and management of security controls.

The revision of this standard brings a modern approach to managing security controls. It aims to provide businesses, of every size and sector, with updated security control guidance, with the aim of simplifying it to make it more versatile for choosing and assessing the type of security controls most suited to the organisation.

Why is BS EN ISO/IEC 27002 important for your business?

BS EN ISO/IEC 27002 is an important standard which underpins all cybersecurity systems across sectors.

Cybersecurity is a key priority of the Digital Sector Strategy and the wider UK Government’s plan in protecting and growing the UK economy, especially with growing frequency of cyber-attacks. As a result, BS EN ISO/IEC 27002 is a practical tool to support the desired outcomes of the 2021- 2026 National Cyber Security Strategy.

Every business needs to be implementing measures to protect their information assets. The forced acceleration of digitalization and shift to hybrid working many organizations have experienced since the start of the COVID-19 pandemic, have led to greater vulnerabilities, whilst cybercrime technology has also become more advanced.

BS EN ISO/IEC 27002:2022 will help your business to:

  • Identify suitable and proportionate security controls within the process of setting up an Information Security Management System (ISMS)
  • Achieve best practice in information security management
  • Meet legal, statutory, regulatory and contractual requirements in relation to information security
  • Strengthen risk management and reduce the likelihood of information security breaches
  • Increase confidence in the organization’s ISMS
  • Increase the overall robustness and resilience of ISMS and strengthen risk management
  • Contribute to UN Sustainable Development Goal 9 on industry, innovation and infrastructure 

BS EN ISO/IEC 27002 is best used as a supplementary guide based on BS EN ISO 27001 for identifying suitable and appropriate security controls within the processing of setting up an ISMS and aids businesses in demonstrating a stable ISMS.

To read more about how an information security system can support your business, click here.

What has changed in the revised BS EN ISO/IEC 27002:2021?

Within the revised BS EN ISO/IEC 27002:2022, users will find that there has been a re-structure of the existing controls and the number of security control listed has decreased from 114 to 93, with some controls being removed as they no longer reflect best practices.

Steve Watkins, Chair of IST 33, says “The welcome update of ISO/IEC 27002 brings the control options and descriptions up to date and introduces the concepts of themes and attributes to assist organisations in their selection and deployment of them to manage cyber security risks.”

Eleven new controls have been introduced in the latest version of the BS EN ISO/IEC 27002 standard. These reflect the evolvement in technologies and industrial practices including threat intelligence, information security for use of cloud services and data leakage prevention. This will ensure that businesses are able to maintain continuous control over their information security, despite the nature of cyberattacks changing.

BS EN ISO/IEC 27002:2022 aims to ensure that no necessary control has been overlooked and that the security guidance is consolidated into four key areas, making it easier for businesses to adopt. These four thematic categories of controls are: Organizational, People, Physical and Technological. Attributes can also be used to filter, sort, and present controls from different perspectives for different audiences.


Organizational controls are controls which help to embed a culture of information security and digital trust in your business. They help your organization to identify threats intelligently. Examples of the organizational controls identified in BS EN ISO/IEC 27002:2022 include threat intelligence, identity management, and business continuity readiness.


People controls help your business to manage the information risk associated with its stakeholders, to protect peoples’ privacy. These people could be employees, customers, supply chain partners, etc. Examples of the people controls identified in BS EN ISO/IEC 27002:2022 include controls relevant to the activities of Human Resources (HR).


Physical controls help your business physically monitor what is happening within your organization to minimize the risk of cyberattacks. Examples of the physical controls identified in BS EN ISO/IEC 27002:2022 include physical entry controls and physical security monitoring.


Technological controls help your business to protect its information using technology to secure your systems. Examples of the technological controls identified in BS EN ISO/IEC 27002:2022 include data leakage prevention and information deletion and data obfuscation, or masking, for privacy and secure coding.

Is your business future-ready? Ensure your organization has the tools it needs to create a culture of information resilience and prevent cyberattacks, by adding the revised BS EN ISO/IEC 27002:2022 to your collection today.