ISO 27002 compliance: what it means for your data and your outsourcing partners

  • ISO 27002 compliance means following the international code of practice for information security controls, covering 93 controls across organizational, people, physical, and technological themes.
  • It is a guidance standard, not a certifiable one. ISO 27001 is what providers get certified against; ISO 27002 explains how to implement the controls behind that certification.
  • For companies that outsource, a provider’s adherence to ISO 27002 is a signal that data handling, access control, and incident response are managed by recognized practice rather than guesswork.
  • The 2022 revision modernized the standard for cloud, zero-trust, and supply-chain risk, which is why many BPO and call center firms now reference it in security disclosures.

ISO 27002 compliance describes how an organization aligns its information security practices with ISO/IEC 27002, the international code of practice that details how to select and operate security controls. The standard does not hand out certificates.

Instead, it spells out the “how” behind the controls that a certifiable framework like ISO 27001 requires. For any business weighing whether to hand customer records, payment data, or patient files to a third party, that distinction matters.

A provider citing ISO 27002 is telling you its controls are built on a documented, internationally recognized playbook rather than improvised internal rules.

What ISO 27002 compliance actually covers

ISO 27002 is a register of controls that supplements ISO 27001, and the 2022 version reorganized everything into four themes.

The current edition defines 93 controls grouped under organizational, people, physical, and technological categories.

The published standard from ISO describes each control’s purpose and implementation guidance, from access management and cryptography to supplier relationships and incident handling.

The themes replaced the older 14-domain structure, making the framework easier to map against modern environments like cloud services and remote workforces.

The 2022 edition also introduced 11 new controls, covering areas such as threat intelligence, information security for cloud use, data masking, and secure coding. These additions reflect how attack surfaces have shifted over the past decade.

Each control now carries attributes such as control type and security property. These tags let a security team filter the catalog and pull, for instance, every preventive control tied to identity.

For a buyer, the value is traceability: a provider can show which controls apply to your engagement and why.

Organizational and people controls

These controls govern policy, accountability, and human behavior, which is where most breaches start.

Organizational controls cover policies, roles, supplier security, and threat intelligence. People controls address screening, training, and the responsibilities staff carry after employment ends.

For an outsourcing arrangement, this is the layer that determines whether agents handling your data are vetted and trained consistently.

A call center processing payment details, for example, should be able to show background-check records, a signed acceptable-use policy, and recurring phishing-awareness training rather than a single onboarding session.

Physical and technological controls

These controls protect the facilities and systems where data lives.

Physical controls include secure areas, clear-desk rules, and equipment disposal. Technological controls span encryption, logging, network security, and secure development.

Together they form the part of ISO 27002 compliance most clients ask to see evidence of during vendor due diligence.

In a delivery center, that might look like badge-controlled floors, locked-down USB ports, encrypted disks, and logging that flags an agent pulling more records than their role requires.
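The last item in that list, logging that flags an agent pulling more records than their role requires, is the one control here that can be shown in code. The following is an added example, not code from the article or from any provider it describes: it reads constructed access-log lines, buckets each agent's distinct record openings by hour, and raises an alert when the count exceeds a per-role allowance or when the role has no allowance defined at all. The log format, the role names, and the limits in ROLE_HOURLY_LIMIT are assumptions made for the example.

```python
"""Added example (not from the article): flag agents whose record
retrieval exceeds their role's hourly allowance, over constructed logs."""
from collections import defaultdict
from datetime import datetime

# Hypothetical per-role limit on distinct customer records an agent may
# open within one clock hour. These values are assumptions for the example.
ROLE_HOURLY_LIMIT = {
    "tier1_agent": 3,
    "tier2_agent": 10,
    "fraud_analyst": 50,
}

# Constructed sample log lines: timestamp, agent, role, action, record id.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z a.cruz tier1_agent record_open cust-1001
2024-05-01T09:05:47Z a.cruz tier1_agent record_open cust-1002
2024-05-01T09:12:03Z a.cruz tier1_agent record_open cust-1003
2024-05-01T09:20:30Z a.cruz tier1_agent record_open cust-1004
2024-05-01T09:21:00Z a.cruz tier1_agent record_open cust-1004
2024-05-01T09:30:00Z b.reyes tier2_agent record_open cust-2001
2024-05-01T09:31:00Z b.reyes tier2_agent record_open cust-2002
2024-05-01T10:45:00Z a.cruz tier1_agent record_open cust-1005
2024-05-01T10:50:00Z c.lim fraud_analyst record_open cust-3001
2024-05-01T10:51:00Z d.unknown contractor record_open cust-4001
"""


def parse_line(line):
    """Parse one space-separated log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, agent, role, action, record = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"when": when, "agent": agent, "role": role,
            "action": action, "record": record}


def excessive_access(log_text, limits=ROLE_HOURLY_LIMIT):
    """Return one alert per (agent, role, hour) bucket whose distinct-record
    count exceeds the role's limit, or whose role has no limit defined."""
    buckets = defaultdict(set)  # (agent, role, hour) -> distinct record ids
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["action"] != "record_open":
            continue
        hour = ev["when"].replace(minute=0, second=0)
        buckets[(ev["agent"], ev["role"], hour)].add(ev["record"])

    alerts = []
    for (agent, role, hour), records in sorted(buckets.items()):
        limit = limits.get(role)
        if limit is None:
            # An undefined role is itself a finding: least privilege needs a ceiling.
            reason = "role has no defined limit"
        elif len(records) > limit:
            reason = f"exceeds limit of {limit}"
        else:
            continue
        alerts.append({"agent": agent, "role": role, "hour": hour.isoformat(),
                       "count": len(records), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in excessive_access(SAMPLE_LOG):
        print(alert)
```

On the constructed input this yields two alerts: a.cruz opens four distinct records in the 09:00 hour against a tier-1 allowance of three (the repeat open of cust-1004 is counted once), and d.unknown acts under a role with no allowance at all. Fixed clock-hour buckets are the simplest implementation; a burst that straddles two hours can slip under the limit, so a production detection would use a sliding window and feed alerts to the same review process the article asks providers to evidence.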

Why ISO 27002 compliance matters when you outsource

Outsourcing moves sensitive data outside your walls, so the control standard your provider follows becomes your control standard by extension.

The financial stakes are concrete. The global average cost of a data breach reached USD 4.88 million in 2024, up from USD 4.45 million the year before.

A provider that operates documented ISO 27002 controls reduces the odds that your data becomes part of that statistic, and it gives you a defensible answer when regulators or clients ask how you vetted the relationship.

Regulators increasingly expect that diligence in writing. If a breach traces back to a vendor, “we trusted them” is not a defense.

Showing that you required a recognized control standard and built the obligation into the contract is what shifts a finding from negligence to reasonable care.

There is also a contractual angle. Strong agreements name the security standard the provider must maintain, the breach-notification window, and audit rights.

Adherence to ISO 27002 gives both sides a shared vocabulary for those clauses, so a phrase like “supplier security controls” maps to a specific, agreed set of practices instead of being open to interpretation.

You can read more on locking down vendor relationships in our guide to data security in outsourcing.

ISO 27002 compliance vs. ISO 27001 certification

The two standards are siblings, and confusing them leads to wasted procurement effort.

Here is how they line up against the questions buyers usually ask.

Aspect | ISO 27001 | ISO 27002
Type | Certifiable management-system standard | Guidance code of practice
What it defines | Requirements for an ISMS | How to implement security controls
Audit outcome | Formal certificate from an accredited body | No certificate; supports 27001
Best used for | Proving an audited program exists | Building and operating the controls
What to request | The certificate and scope statement | Evidence the controls are applied

The takeaway: ask a prospective provider for its ISO 27001 certificate if you need third-party assurance, and ask how it applies ISO 27002 controls if you want to understand the substance behind that certificate.

Check the certificate’s scope statement, since a firm can be certified for one site while the team serving you sits outside that boundary. A firm that can speak to both is usually further along than one that waves a logo without detail.

How providers demonstrate ISO 27002 compliance

Credible providers back claims with artifacts, not adjectives.

Common evidence includes a documented Statement of Applicability, access-control logs, encryption policies, employee security training records, and results from internal or external audits.

The Statement of Applicability is the document worth reading first: it lists each control, whether the provider applies it, and the justification for any exclusion.

Firms that run their own facilities often pair this with physical safeguards described in our overview of managed data centers. Ask to see how controls are reviewed over time, since a one-off assessment tells you little about day-to-day discipline.

Individuals weighing their own exposure can also review practical steps in our digital privacy guide.

Frequently asked questions about ISO 27002 compliance

Buyers and providers tend to raise the same handful of questions when this standard comes up.

Can a company be certified to ISO 27002?

No. ISO 27002 is a guidance standard, so organizations cannot be certified against it. Certification applies to ISO 27001, and ISO 27002 supports that effort by detailing how to implement the underlying controls.

How many controls does ISO 27002 contain?

The 2022 edition defines 93 controls across four themes: organizational, people, physical, and technological. This replaced the earlier structure of 114 controls spread across 14 domains.

Does ISO 27002 compliance satisfy GDPR or HIPAA?

Not on its own. ISO 27002 strengthens the security practices that regulations like GDPR and HIPAA expect, but each regulation carries its own legal requirements that must be addressed separately.

Should I require ISO 27002 from an outsourcing provider?

Reference it in vendor due diligence and contracts as the control baseline, then ask for the provider’s ISO 27001 certificate as formal proof. The two together give you both substance and assurance.

Key takeaways

ISO 27002 compliance is less about a badge and more about whether security controls are documented, applied, and reviewed.

  • ISO 27002 is the guidance code that explains the controls behind ISO 27001 certification.
  • The 2022 revision defines 93 controls across organizational, people, physical, and technological themes.
  • When outsourcing, treat ISO 27002 as a shared control vocabulary and ask for the ISO 27001 certificate as formal proof.
  • Demand evidence (logs, policies, audit results), not adjectives, before trusting a provider with sensitive data.
