LibraryDocumentsControl Baseline
DOCUMENT 03 · MODULE

Control Baseline

ISO/IEC 27002:2022 organizational and technological controls in scope (70 of 93). People and Physical themes are explicitly excluded; rationale and the resulting implication for shadow AI evaluation are documented.

ISO 27002:202270 controls2 themes excluded

ISO/IEC 27002:2022 — the chosen baseline

ISO/IEC 27002:2022 organises information security controls into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls) — for a total of 93 controls. The 2022 revision consolidated and renumbered the previous 114-control structure and introduced five attribute axes (control type, security properties, cybersecurity concepts, operational capabilities, security domains) that the framework reuses where applicable.

In-scope subset

This study evaluates the Organizational and Technological themes only — 71 controls in nominal scope, 70 of which appear in the active scoring instrument. The People and Physical themes are explicitly out of scope.

ThemeControlsIn scope?Rationale
Organizational37 (O01–O37)✓ In scope Governance, policy, supplier relationships, incident management, threat intelligence — directly applicable to LLM control evaluation.
People8 (P1–P8)Out of scope Excluded to create methodological continuity with the GAISO research stream. See callout below for the implication this carries for shadow AI.
Physical14Out of scope Excluded for the same reason; physical controls have limited LLM-specific applicability except in fine-tuned on-premise deployments.
Technological34 (T01–T34)✓ In scope Endpoint, network, application, and identity controls — the technical surface on which LLM integration most often fails.
Scope limitation

Excluding the People theme has methodological consequences for the shadow AI risk domain. Shadow AI is fundamentally a people-and-process problem (awareness, acceptable use, training) that escapes through gaps in the people-control surface. The framework acknowledges this and treats the resulting blind spot as a known limitation, addressed primarily through the Accountability Gap classification rather than through a direct control evaluation.

Control domains (D1–D10): a presentation layer

For readability of the resulting heatmap, individual ISO 27002 controls are grouped into ten functional control domains. The grouping is for presentation and aggregation only; the unit of analysis remains the individual control.

DomainFunctional purposeRepresentative ISO 27002:2022 clauses
D1 Governance & PolicyInformation security strategy, policy framework, roles, segregation of duties.5.1, 5.2, 5.4, 5.31
D2 Data Classification & HandlingClassification, labelling, data masking, leak prevention.5.12–5.14, 8.11, 8.12
D3 Identity & Access ManagementAccess rights, authentication, privileged access, identity lifecycle.5.15–5.18, 8.2, 8.3
D4 Secure Integration & DevelopmentSecure development lifecycle, secure coding, application security testing.8.25–8.29, 8.31
D5 Supplier OversightSupplier relationships, supply chain security, monitoring of supplier services.5.19–5.23, 8.30
D6 Logging & MonitoringLogging, monitoring activities, clock synchronization.8.15–8.17
D7 Awareness & TrainingInformation security awareness, education, training.6.3
D8 Incident ResponseIncident management planning, assessment, response, learning, evidence.5.24–5.28, 6.8
D9 Change ManagementChange management, capacity management, configuration management.8.9, 8.32
D10 Assurance & ReviewIndependent review, compliance assessment, ISMS audit.5.35, 5.36, 8.34

ISO 27002:2022 itself is the canonical reference; the D1–D10 grouping above is a presentation aid for the heatmap and does not redefine, replace, or modify the ISO control set.

PreviousRisk scenarios