Which document provides a code of practice for information security controls?

ISO/IEC 27002 serves as a crucial standard that outlines a code of practice for information security controls. This standard provides guidelines and best practices for establishing, implementing, maintaining, and continually improving information security management systems (ISMS). It details specific security controls and offers suggestions for their implementation, which organizations can adopt to safeguard their information assets effectively.

By using ISO/IEC 27002, businesses and organizations can ensure they are addressing various aspects of information security, such as risk assessment, security policy, organization of information security, and access control, among others. This framework is instrumental in helping organizations to create a robust security posture tailored to their specific needs and regulatory requirements.

In contrast, while ISO/IEC 27001 includes the requirements for establishing an ISMS and is a standard against which organizations can be certified, it does not delve into the detailed practices for the security controls themselves, which is precisely the purpose of ISO/IEC 27002. The other standards mentioned (ISO/IEC 27003 and ISO/IEC 27005) focus on different areas: ISO/IEC 27003 deals with the implementation of an ISMS, while ISO/IEC 27005 concentrates on information security risk management.