IMPLEMENTATION GUIDANCE

The ISO 27002 control library, made operational

ISO 27002 gives you 93 security controls — the hard part is turning them into work people can actually complete. Rizzqo delivers the whole catalog ready to run: clear ownership, evidence in one place, and progress you can see through to done.

93controls in the catalog
4control themes
5control attributes

Browse the catalog by theme

The 2022 revision organizes every control into four themes. Rizzqo ships all of them pre-built, so ownership is clear and every control is audit-ready from day one.

93across four themes, all built in
A.537controls

Organizational

Policies, roles, supplier rules and the governance that frames everything else.

Example controls

  • Policies for information security
  • Segregation of duties
  • Inventory of information & assets
  • Information security in supplier relationships
A.68controls

People

How the people who handle information are screened, trained and held accountable.

Example controls

  • Screening
  • Terms and conditions of employment
  • Information security awareness & training
  • Remote working
A.714controls

Physical

Securing the buildings, equipment and media that hold or process information.

Example controls

  • Physical security perimeters
  • Securing offices, rooms & facilities
  • Equipment siting & protection
  • Secure disposal or re-use of equipment
A.834controls

Technological

The technical controls: access, cryptography, logging, secure development and more.

Example controls

  • User endpoint devices
  • Management of technical vulnerabilities
  • Logging & monitoring
  • Secure development life cycle

Inside a control: how guidance becomes work

A control on paper is one line in a catalog. In Rizzqo, every control comes ready to act on: practical guidance, scoped to where it actually applies, and turned into tracked work for the right owners.

01

The control

Start from any catalog entry — the ISO 27002 implementation guidance is already built in.

02

Scoped to what matters

The control applies only where it is relevant — never a blanket checklist across everything you own.

03

Concrete steps

Each control becomes specific, practical work — what good actually looks like, not vague intent.

04

Tracked to done

Owners, evidence and progress in one place, so you always know how far along each control is.

Five attributes for filtering the whole catalog

Beyond the four themes, ISO 27002 tags every control with five attributes. They let you filter the catalog the way you actually work: pull up every preventive control, every one that protects confidentiality, or every control that maps to another framework you run.

#

Control type

When the control acts relative to an incident.

PreventiveDetectiveCorrective
#

Information security properties

Which property of information the control protects.

ConfidentialityIntegrityAvailability
#

Cybersecurity concepts

Where the control sits in the cybersecurity life cycle.

IdentifyProtectDetectRespondRecover
#

Operational capabilities

The practitioner capability the control belongs to.

GovernanceAsset managementIdentity & accessApplication security
#

Security domains

The broad domain the control contributes to.

Governance & ecosystemProtectionDefenceResilience

ISO 27002 vs ISO 27001: the how vs the system

They are written to work together. One tells you how to implement a control; the other is the management system that decides which controls you need and proves the whole thing runs.

ISO 27002 · THE HOW

A guidance catalog

A reference of 93 controls with detailed, practical guidance for implementing each one. You cannot certify against ISO 27002; it is the toolbox, not the standard you audit to.

  • 93 controls with implementation guidance
  • 4 themes, 5 attributes
  • Maps directly to ISO 27001 Annex A
  • Best-practice reference, not certifiable
vs
ISO 27001 · THE SYSTEM

A certifiable ISMS

The management system you certify against. It defines how you scope, run and continually improve security, and uses Annex A (the same controls) to decide what is in or out via a Statement of Applicability.

  • The certifiable management system
  • Risk-driven scope & Statement of Applicability
  • PDCA: plan, do, check, act
  • Annex A draws on the 27002 controls
See the ISO 27001 solution

Put the whole control catalog to work

Activate ISO 27002 and all 93 controls are ready to run — no spreadsheets, no starting from scratch, and no duplicated effort with ISO 27001.

All 93 controls pre-builtMapped to ISO 27001 Annex AEvidence captured as you go