ISO/IEC 27002:2022 — the chosen baseline
ISO/IEC 27002:2022 organises information security controls into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls) — for a total of 93 controls. The 2022 revision consolidated and renumbered the previous 114-control structure and introduced five attribute axes (control type, security properties, cybersecurity concepts, operational capabilities, security domains) that the framework reuses where applicable.
In-scope subset
This study evaluates the Organizational and Technological themes only — 71 controls in nominal scope, 70 of which appear in the active scoring instrument. The People and Physical themes are explicitly out of scope.
| Theme | Controls | In scope? | Rationale |
|---|---|---|---|
| Organizational | 37 (O01–O37) | ✓ In scope | Governance, policy, supplier relationships, incident management, threat intelligence — directly applicable to LLM control evaluation. |
| People | 8 (P1–P8) | Out of scope | Excluded to create methodological continuity with the GAISO research stream. See callout below for the implication this carries for shadow AI. |
| Physical | 14 | Out of scope | Excluded for the same reason; physical controls have limited LLM-specific applicability except in fine-tuned on-premise deployments. |
| Technological | 34 (T01–T34) | ✓ In scope | Endpoint, network, application, and identity controls — the technical surface on which LLM integration most often fails. |
Excluding the People theme has methodological consequences for the shadow AI risk domain. Shadow AI is fundamentally a people-and-process problem (awareness, acceptable use, training) that escapes through gaps in the people-control surface. The framework acknowledges this and treats the resulting blind spot as a known limitation, addressed primarily through the Accountability Gap classification rather than through a direct control evaluation.
Control domains (D1–D10): a presentation layer
For readability of the resulting heatmap, individual ISO 27002 controls are grouped into ten functional control domains. The grouping is for presentation and aggregation only; the unit of analysis remains the individual control.
| Domain | Functional purpose | Representative ISO 27002:2022 clauses |
|---|---|---|
| D1 Governance & Policy | Information security strategy, policy framework, roles, segregation of duties. | 5.1, 5.2, 5.4, 5.31 |
| D2 Data Classification & Handling | Classification, labelling, data masking, leak prevention. | 5.12–5.14, 8.11, 8.12 |
| D3 Identity & Access Management | Access rights, authentication, privileged access, identity lifecycle. | 5.15–5.18, 8.2, 8.3 |
| D4 Secure Integration & Development | Secure development lifecycle, secure coding, application security testing. | 8.25–8.29, 8.31 |
| D5 Supplier Oversight | Supplier relationships, supply chain security, monitoring of supplier services. | 5.19–5.23, 8.30 |
| D6 Logging & Monitoring | Logging, monitoring activities, clock synchronization. | 8.15–8.17 |
| D7 Awareness & Training | Information security awareness, education, training. | 6.3 |
| D8 Incident Response | Incident management planning, assessment, response, learning, evidence. | 5.24–5.28, 6.8 |
| D9 Change Management | Change management, capacity management, configuration management. | 8.9, 8.32 |
| D10 Assurance & Review | Independent review, compliance assessment, ISMS audit. | 5.35, 5.36, 8.34 |
ISO 27002:2022 itself is the canonical reference; the D1–D10 grouping above is a presentation aid for the heatmap and does not redefine, replace, or modify the ISO control set.