Which ISO standard serves as a security control catalogue?

The correct answer is ISO 27002, which serves as a security control catalog. This standard provides guidelines for organizations on the selection, implementation, and management of information security controls based on the organization's risk environment.

ISO 27002 outlines best practices for establishing, maintaining, and improving information security management, which includes a comprehensive list of controls that can effectively mitigate security risks. Each control element is described in detail, allowing organizations to tailor their information security measures according to their specific needs.

In contrast, ISO 27003 focuses on the implementation of an Information Security Management System (ISMS) but doesn't provide a detailed catalog of security controls. ISO 27004 deals with the measurement of information security, guiding organizations on how to assess the effectiveness of their security measures rather than directly providing a catalogue of controls. ISO 27005 is focused on risk management in relation to information security, emphasizing the process of identifying, assessing, and treating risks rather than detailing individual controls. Thus, ISO 27002 is uniquely positioned as the standard that specifically supplies the catalog of security controls for organizations to implement.