ISO 27002:2022 Controls Implementation Guide with Practical Examples
Part II: Organizational Controls (Theme 1)
Control 5.1 – Policies for Information Security
• "Management must establish, approve, communicate, and review a comprehensive set of information security policies."
• "Practical example: A financial services firm creates a tiered policy architecture – master security policy at board level, topic-specific policies at department level, and operational procedures at team level."
• Executive boardroom with a large screen displaying a policy hierarchy pyramid, serious faces in focused discussion
Control 5.2 – Information Security Roles and Responsibilities
• "Every security role must be clearly defined, assigned, and communicated to relevant individuals across the organization."
• "Practical example: A healthcare provider maps all 93 ISO controls to named role owners in a RACI matrix, reviewed annually during performance appraisals."
• RACI matrix visualization on a glass whiteboard, team members pointing to ownership lanes with purpose
Control 5.3 – Segregation of Duties
• "Conflicting duties and areas of responsibility must be separated to reduce opportunities for unauthorized modification or misuse of assets."
• "Practical example: In a bank, the developer who writes code cannot also approve code deployment – a second authorized person must review and push to production."
• Two distinct hands each holding a key – neither can open the vault alone – dramatic low-key lighting with golden vault door
Control 5.7 – Threat Intelligence (NEW)
• "Organizations must collect and analyze information about threats to produce actionable threat intelligence."
• "Practical example: A retail company subscribes to industry ISAC feeds, ingests IOCs into their SIEM, and holds weekly threat briefings with the security team to prioritize patching."
• Cybersecurity analyst in a dark operations center, multiple screens showing threat maps, face lit blue by data streams
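The 5.7 example above turns a feed of indicators into SIEM matches. The block below is an added illustration written for this guide, not part of the slide deck or any ISAC tooling: it ingests a constructed CSV feed of IPv4, domain and SHA-256 indicators, normalizes them (lower-casing, stripping trailing dots, expanding CIDR ranges), and matches them against a few constructed SIEM events, ordering hits by indicator confidence so the weekly briefing can prioritize. The feed layout, field names and all values are assumptions for the example.

```python
"""IOC ingestion and matching against SIEM events (added example; feed format is assumed)."""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample feed. Addresses are from documentation ranges; the hash is the
# well-known SHA-256 of an empty file, used only as a placeholder value.
FEED_CSV = """type,value,confidence,description
ipv4,203.0.113.45,high,C2 server (constructed)
domain,Malicious-Example.test.,medium,phishing landing page (constructed)
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,high,placeholder hash
ipv4,198.51.100.0/24,low,scanner range (constructed)
"""

PRIORITY = {"high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    confidence: str
    description: str


def normalize(ioc_type, value):
    """Canonical form so that feed values and log values compare equal."""
    value = value.strip()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "sha256":
        return value.lower()
    return value


def load_feed(text):
    """Parse the CSV feed, keeping only the indicator types this matcher understands."""
    indicators = []
    for row in csv.DictReader(io.StringIO(text)):
        t = row["type"].strip().lower()
        if t not in {"ipv4", "domain", "sha256"}:
            continue
        conf = row["confidence"].strip().lower()
        if conf not in PRIORITY:
            conf = "low"  # unknown confidence is treated conservatively
        indicators.append(Indicator(t, normalize(t, row["value"]), conf, row["description"].strip()))
    return indicators


class IocIndex:
    """Exact-match dictionary plus a list of CIDR ranges for IPv4 indicators."""

    def __init__(self, indicators):
        self.exact = {}
        self.networks = []
        for ind in indicators:
            if ind.ioc_type == "ipv4":
                net = ipaddress.ip_network(ind.value, strict=False)
                if net.num_addresses == 1:
                    self.exact[("ipv4", str(net.network_address))] = ind
                else:
                    self.networks.append((net, ind))
            else:
                self.exact[(ind.ioc_type, ind.value)] = ind

    def lookup(self, ioc_type, value):
        value = normalize(ioc_type, value)
        hit = self.exact.get((ioc_type, value))
        if hit is not None or ioc_type != "ipv4":
            return hit
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        for net, ind in self.networks:
            if addr in net:
                return ind
        return None


# Constructed SIEM events; only the fields the matcher reads are included.
EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.45"},
    {"id": 2, "src_ip": "198.51.100.77", "dst_ip": "10.0.0.8"},
    {"id": 3, "src_ip": "10.0.0.6", "domain": "malicious-example.test"},
    {"id": 4, "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": 5, "dst_ip": "192.0.2.9", "domain": "example.test"},
]

FIELD_TYPES = (("src_ip", "ipv4"), ("dst_ip", "ipv4"), ("domain", "domain"), ("sha256", "sha256"))


def match_events(index, events):
    """Return (priority, event_id, field, indicator, description) tuples, highest priority first."""
    hits = []
    for ev in events:
        for field, ioc_type in FIELD_TYPES:
            val = ev.get(field)
            if not val:
                continue
            ind = index.lookup(ioc_type, val)
            if ind is not None:
                hits.append((PRIORITY[ind.confidence], ev["id"], field, ind.value, ind.description))
    hits.sort()
    return hits


if __name__ == "__main__":
    for hit in match_events(IocIndex(load_feed(FEED_CSV)), EVENTS):
        print(hit)
```

The ordering key is confidence first, then event id, so the output reads as a triage list; a real SIEM would also carry the feed's own expiry and sighting counts, which this example omits.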
Control 5.9 – Inventory of Information and Other Assets
• "A complete and accurate inventory of all information and associated assets must be maintained and kept up to date."
• "Practical example: A manufacturing company deploys an automated discovery tool that continuously scans and updates a CMDB, tagging each asset with owner, classification, and criticality."
• Vast warehouse with glowing digital tags floating above every physical object – order from chaos visualization
Control 5.15 – Access Control
• "Rules for access to information and assets must be established and implemented based on business and information security requirements."
• "Practical example: A tech company implements role-based access control (RBAC) where a junior developer receives read-only access to staging environments but zero access to production databases."
• Person at security checkpoint – biometric scan in progress, green approval light, layered security doors behind them
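Controls 5.3 and 5.15 above describe two enforceable rules: a role gets only the environment permissions its function needs, and the author of a change cannot be the person who approves its deployment. The block below is an added example written for this guide, not code from the slide deck or from any real deployment system: it encodes a small RBAC table (the role names, environments and actions are assumptions) and a deployment record whose approval step rejects both unauthorized approvers and self-approval.

```python
"""RBAC decisions and a segregation-of-duties approval check (added example; roles assumed)."""
from dataclasses import dataclass, field

# Constructed role-to-permission table. A permission is (environment, action).
ROLE_PERMISSIONS = {
    "junior_developer": {("staging", "read")},
    "senior_developer": {("staging", "read"), ("staging", "write"), ("production", "read")},
    "release_manager": {("staging", "read"), ("production", "read"), ("production", "deploy")},
}


def is_allowed(role, environment, action):
    """RBAC decision: unknown roles get nothing (deny by default)."""
    return (environment, action) in ROLE_PERMISSIONS.get(role, set())


@dataclass
class Deployment:
    change_id: str
    author: str
    approvals: set = field(default_factory=set)


def approve(deployment, approver, approver_role):
    """Record an approval; returns (accepted, reason) so the caller can log the decision."""
    if not is_allowed(approver_role, "production", "deploy"):
        return False, f"{approver} ({approver_role}) may not approve production deployments"
    if approver == deployment.author:
        # Segregation of duties: the person who wrote the change cannot approve it.
        return False, f"{approver} authored {deployment.change_id} and cannot self-approve"
    deployment.approvals.add(approver)
    return True, f"{approver} approved {deployment.change_id}"


def can_deploy(deployment, required_approvals=1):
    """Deployment proceeds only after enough distinct non-author approvals exist."""
    return len(deployment.approvals - {deployment.author}) >= required_approvals


if __name__ == "__main__":
    print(is_allowed("junior_developer", "staging", "read"))       # True
    print(is_allowed("junior_developer", "production", "read"))    # False
    d = Deployment("CHG-0001", author="alice")
    print(approve(d, "alice", "release_manager"))                  # rejected: self-approval
    print(approve(d, "bob", "senior_developer"))                   # rejected: no deploy right
    print(approve(d, "carol", "release_manager"), can_deploy(d))   # accepted, True
```

Returning a reason string rather than raising keeps the audit trail intact: the rejected attempts are exactly the events an auditor reviewing control 5.3 wants to see logged.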
Control 5.23 – Information Security for Use of Cloud Services (NEW)
• "Processes for acquisition, use, management, and exit from cloud services must be established based on the organization's requirements."
• "Practical example: A logistics firm creates a Cloud Security Policy covering approved providers, data residency requirements, encryption standards, and exit plans before any cloud adoption."
• Aerial view of server farms beneath dramatic storm clouds, with glowing data pathways connecting them to city skylines
Control 5.24 – ICT Readiness for Business Continuity (NEW)
• "ICT readiness must be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements."
• "Practical example: An insurance company conducts quarterly failover tests to their DR site, measuring RTO and RPO against documented targets, with results reported to the board."
• Split screen: office fully operational vs same office dark and empty – a clock counting seconds in the middle
Control 5.29 – Information Security During Disruption
• "The organization must plan how information security will be maintained during a disruptive incident."
• "Practical example: A hospital maintains a manual backup authentication protocol printed and sealed in envelopes at each nursing station for use when digital systems go offline during a cyberattack."
• Hospital corridor with emergency lighting, staff using paper checklists, calm determination on their faces
Control 5.30 – ICT Readiness for Business Continuity
• "ICT continuity plans must be implemented, tested, and reviewed to ensure availability of information processing at a required level and time."
• "Practical example: A global airline tests its full DR runbook annually in a live simulation, bringing 300 staff into a war-room scenario without warning to measure true response capability."
• War room scenario: dozens of analysts in dim lighting staring at dashboards, team leader at whiteboard directing the response
Source: Best Practices in ISO 27002 PowerPoint Slides: ISO 27002:2022 Controls Part 2 PowerPoint (PPTX) Presentation Slide Deck, g51286802e84