Ayilur Ramnath

ISO/IEC 27002:2022 - A Truly Comprehensive Control Set?

This short note considers whether ISO/IEC 27002:2022 can be regarded as a comprehensive control set for information security, at least for meeting the requirements of ISO/IEC 27001.


A truly comprehensive control set that can be applied by every organisation with a need to protect its information is not really possible, even though the industry expects such a publication to be a ready-made solution. In practice it is impossible for the simple reason that every organisation has its own risks and hence needs its own set of controls.

Let us examine where these organisation-specific risks originate and what factors further contribute to them, though we can consider only a few of them here.

  • Primarily, the business activities and their characteristics (product development, services - internal or external, delivery model such as a cloud model, etc.);

  • the industry sector they belong to (financial, insurance, etc.);

  • the industry sector they belong to that makes them attractive to threat actors (power generation, oil and gas, etc.);

  • the specific data protection requirements arising from regulations or specific customer requirements (GDPR, CCPA, HIPAA, etc.);

  • the level of technology adoption in the organisation (cognitive computing, blockchain, etc.);

  • the external and internal relationships (acts of rival countries or the like);

  • the organisation's specific management policies (unethical practices in the name of security);

  • the geographical factors that may result in natural calamities (countries like Indonesia);

  • the political situation (internal unrest, civil issues, etc.);

  • the technological advancements and the knowledge about them (emerging threats);

  • the availability of toolsets and expertise in the industry across the world (several powerful and inexpensive hacking tools are accessible to anyone); and

  • the reputation loss of the organisation due to a data breach and the rival's gain (perpetrated or otherwise).


While implementing controls, an organisation will need a very distinct and precise set of controls to genuinely deal with its risks. This also points to the relationship between risk and control.


Because of this, since an organisation needs risk-specific controls and generic controls cannot help it effectively address its risks, it needs to define the most appropriate controls that help it address those risks.


Here is where ISO/IEC 27002:2022 provides a set of recommendations on control areas, based on a set of generic and common risk areas, from which risk-specific controls suited to the organisation's specific environment can be derived and implemented. This support from the standard should be seen as something different from a dependency on the standard for a fully comprehensive, specific control set. As appropriate, an organisation may also want to implement controls recommended (or demanded) by other standards and frameworks (like PCI DSS, NIST CSF, etc.).


Again, contrary to the general understanding, ISO/IEC 27002:2022 does not contain just 93 controls; it has pointers to numerous controls that may literally run into several hundreds. Look at the cloud-related controls recommended in 5.23 of the standard. No specific control is recommended there, only generic guidance on the need to establish cloud-related controls as required by the organisation. The organisation can pick controls from the Cloud Controls Matrix (from CSA) or many other standards and frameworks. This holds good for many other (almost all, in fact) control areas. Hence the term "control area" is more suitable than "controls" for ISO/IEC 27002:2022.


Never be driven by the thought or understanding that the standard has only 93 controls! And ISO/IEC 27002:2022 is NOT a comprehensive tool set either, but it is indispensable for an organisation implementing controls, to ensure that a fair set of controls has been considered.


1 Comment


murty.nisthala
Oct 18, 2022

Very well articulated about the nitty-gritty of the new ISO 27001 & ISO 27002:2022 standard/guideline


Ayilur Ramnath

Mentor, Coach, Researcher, Author & Speaker
