Koyer Training Services

ISO/IEC 27002:2022 Information Security Controls

Security Operations and Risk Protection | October 25, 2025

Introduction

This course provides a deep-dive into the reference set of 93 security controls detailed in ISO/IEC 27002:2022, which gives the implementation guidance for the controls listed in Annex A of ISO/IEC 27001:2022. Participants will systematically analyze the standard's four control themes (Organizational, People, Physical, and Technological), understanding the purpose, guidance, and attributes of each control. The training emphasizes how to select, tailor, and implement these controls to treat the specific risks identified during the ISMS risk assessment, and how to justify that selection in the Statement of Applicability. Mastery of 27002 is crucial for designing a robust, compliant, and defensible security environment.

Objectives

Upon completion of this course, participants will be able to:

  • Understand the structure, intent, and the five attributes of each control in ISO 27002:2022 (control type, information security properties, cybersecurity concepts, operational capabilities, security domains).
  • Select and justify the appropriate set of controls to mitigate identified information security risks.
  • Master the implementation guidance for all 93 controls across the four control themes.
  • Develop detailed security documentation and procedures based on 27002 control objectives.
  • Map organizational security controls to the ISO 27001 Statement of Applicability (SoA).
  • Apply the controls to modern environments, including cloud, DevOps, and mobile computing.
  • Differentiate between the Annex A control list of ISO 27001, which must be considered and justified in the SoA, and the implementation guidance in 27002, which is advisory and can be tailored.
  • Audit the implementation status and effectiveness of 27002 controls within an organization.

Target Audience

  • Information Security Officers and Analysts
  • Control Implementers and Security Engineers
  • Internal and External Security Auditors
  • IT/Security Policy Writers and Architects
  • ISO 27001 Implementers and Consultants

Methodology

  • Group Control Mapping and Documentation Workshops (Risk to Control).
  • Case Studies of Control Implementation Challenges in Modern Environments.
  • Audit Simulation: Checking Compliance Against 27002 Controls.
  • Individual Drafting of Detailed Security Procedures for Key Controls.
  • Discussions on Control Selection Justification for the SoA.

Personal Impact

  • Mastery of the authoritative guidance for implementing a wide range of security controls.
  • Ability to design security solutions that are both effective and globally compliant.
  • Enhanced professional credibility as a detailed security control implementer.
  • Improved skills in developing robust security policies, standards, and procedures.
  • Confidence in preparing organizations for certification audits.

Organizational Impact

  • Establishment of a robust, compliant, and defensible set of security controls.
  • Streamlined path to ISO 27001 certification by utilizing the control reference.
  • Reduced organizational risk through the systematic application of best-practice controls.
  • Improved internal security audits through clear, measurable control objectives.
  • Demonstrable due diligence to customers and regulators regarding security implementation.

Course Outline

Unit 1: Structure and Application of ISO 27002

The Reference Controls
  • Overview of ISO/IEC 27002:2022, its relationship to 27001, and the revised control count: 93 controls, down from 114 in the 2013 edition (11 new, 24 merged from earlier controls, 58 updated).
  • Understanding the four control themes: Organizational, People, Physical, and Technological.
  • Analyzing the purpose and attributes (e.g., control type, operational capability) of each control.
  • Methodologies for mapping risks to specific controls for effective mitigation.
  • The process of tailoring the control set to the organization's specific needs and scope.

Unit 2: Organizational and People Controls

Management and Human Resources
  • Detailed review of Information Security Policies (5.1) and roles/responsibilities (5.2).
  • Implementing segregation of duties, management responsibilities, and contact with authorities (5.3-5.5), and supplier relationship security including ICT supply chain and cloud services (5.19-5.23).
  • Guidance on personnel security controls (6.1-6.8): screening (6.1), terms and conditions of employment (6.2), and the disciplinary process (6.4).
  • Mastering controls for remote working (6.7) and confidentiality or non-disclosure agreements (6.6).
  • Designing an effective security awareness, education, and training program (6.3).

Unit 3: Physical Controls

Facility and Asset Protection
  • Implementing physical security perimeters and secure areas (7.1-7.3).
  • Guidance on physical entry controls, secure facilities, and securing offices/rooms.
  • Controls for protecting assets off-premises (7.9), storage media (7.10), and supporting utilities (7.11).
  • Security guidelines for working in secure areas (7.6) and for equipment removal, maintenance, and secure disposal or re-use (7.13-7.14).
  • Implementing physical security for data centers and secure data storage.

Unit 4: Technological Controls - Part 1

Access, Cryptography, and Network
  • Mastering user endpoint device and logical access control implementation (8.1-8.5): identity, authentication, authorization.
  • Guidance on privileged access rights (8.2), information access restriction (8.3), and review of access rights (5.18).
  • Implementing cryptographic controls: key management, encryption, and hashing (8.24).
  • Network security controls (8.20-8.22): networks security, security of network services, and segregation of networks.
  • Data leakage prevention (8.12), data masking (8.11), and controls for information transfer (5.14).

Unit 5: Technological Controls - Part 2 and Assurance

Application and Operations
  • Implementing secure development and application security controls (8.25-8.31), including secure coding principles (8.28).
  • Guidance on configuration management (8.9) and management of technical vulnerabilities and patching (8.8).
  • Logging, monitoring, and clock synchronization controls (8.15-8.17).
  • Information backup (8.13), information deletion (8.10), and storage media protection (7.10) controls.
  • Techniques for auditing control implementation and checking for compliance gaps.

Upcoming Sessions

  • Riyadh: January 19, 2026 - January 23, 2026
  • Rome: February 09, 2026 - February 13, 2026
  • Washington DC: March 02, 2026 - March 06, 2026

© 2025 Koyer Training Services