The ISO 27002 control library, made operational
ISO 27002 gives you 93 security controls — the hard part is turning them into work people can actually complete. Rizzqo delivers the whole catalog ready to run: clear ownership, evidence in one place, and progress you can see through to done.
Browse the catalog by theme
The 2022 revision organizes every control into four themes. Rizzqo ships all of them pre-built, so ownership is clear and every control is audit-ready from day one.
Organizational
Policies, roles, supplier rules and the governance that frames everything else.
Example controls
- Policies for information security
- Segregation of duties
- Inventory of information & assets
- Information security in supplier relationships
People
How the people who handle information are screened, trained and held accountable.
Example controls
- Screening
- Terms and conditions of employment
- Information security awareness & training
- Remote working
Physical
Securing the buildings, equipment and media that hold or process information.
Example controls
- Physical security perimeters
- Securing offices, rooms & facilities
- Equipment siting & protection
- Secure disposal or re-use of equipment
Technological
The technical controls: access, cryptography, logging, secure development and more.
Example controls
- User endpoint devices
- Management of technical vulnerabilities
- Logging & monitoring
- Secure development life cycle
Inside a control: how guidance becomes work
A control on paper is one line in a catalog. In Rizzqo, every control comes ready to act on: practical guidance, scoped to where it actually applies, and turned into tracked work for the right owners.
The control
Start from any catalog entry — the ISO 27002 implementation guidance is already built in.
Scoped to what matters
The control applies only where it is relevant — never a blanket checklist across everything you own.
Concrete steps
Each control becomes specific, practical work — what good actually looks like, not vague intent.
Tracked to done
Owners, evidence and progress in one place, so you always know how far along each control is.
Five attributes for filtering the whole catalog
Beyond the four themes, ISO 27002 tags every control with five attributes. They let you filter the catalog the way you actually work: pull up every preventive control, every one that protects confidentiality, or every control that maps to another framework you run.
Control type
When the control acts relative to an incident.
Information security properties
Which property of information the control protects.
Cybersecurity concepts
Where the control sits in the cybersecurity life cycle.
Operational capabilities
The practitioner capability the control belongs to.
Security domains
The broad domain the control contributes to.
ISO 27002 vs ISO 27001: the how vs the system
They are written to work together. One tells you how to implement a control; the other is the management system that decides which controls you need and proves the whole thing runs.
A guidance catalog
A reference of 93 controls with detailed, practical guidance for implementing each one. You cannot certify against ISO 27002; it is the toolbox, not the standard you audit to.
- 93 controls with implementation guidance
- 4 themes, 5 attributes
- Maps directly to ISO 27001 Annex A
- Best-practice reference, not certifiable
A certifiable ISMS
The management system you certify against. It defines how you scope, run and continually improve security, and uses Annex A (the same controls) to decide what is in or out via a Statement of Applicability.
- The certifiable management system
- Risk-driven scope & Statement of Applicability
- PDCA: plan, do, check, act
- Annex A draws on the 27002 controls
Put the whole control catalog to work
Activate ISO 27002 and all 93 controls are ready to run — no spreadsheets, no starting from scratch, and no duplicated effort with ISO 27001.