Which standard defines security controls and provides guidelines for organizational security standards?


Prepare for the WGU ITAS6291 D488 Cybersecurity Architecture and Engineering exam. Use flashcards and multiple-choice questions, each with explanations and guidance. Master your knowledge and excel in your exam!

The standard that defines security controls and provides guidelines for organizational security standards is ISO/IEC 27002. This standard is part of the ISO/IEC 27000 family of standards and focuses specifically on establishing, implementing, maintaining, and continually improving an information security management system (ISMS). ISO/IEC 27002 provides a comprehensive set of security controls covering areas such as organizational, human resource, physical, and technical security.

Furthermore, this standard serves as a practical guideline for selecting, implementing, and managing security controls, making it essential for organizations looking to bolster their information security posture. It works in conjunction with ISO/IEC 27001, which is the specification for an ISMS, by detailing the controls that organizations can adopt based on their risk assessments.

In contrast, the other options pertain to different aspects of security frameworks. ISO/IEC 27701 focuses on privacy information management, while ISO/IEC 27017 and ISO/IEC 27018 specifically address cloud security and the protection of personally identifiable information (PII) in public clouds, respectively. These other standards do not serve the broad purpose of defining organizational security standards in the same way that ISO/IEC 27002 does.
