Topic-specific policies
ISO/IEC 27028

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27028 - Guidance on ISO/IEC 27002 attributes [PRE-DRAFT]







Scope of the standard

The standard may “provide guidance on the use and developing of attributes aligned to ISO/IEC 27002:2022”. [Source: design specification]


Content of the standard

The standard may cover:

  • “Guidance on the development of customized sets of attributes and their usage;
  • Attributes can be used to check that an organization's risk treatment plan(s) are tolerant of control failures;
  • This concept can be used to confirm that controls cover the different aspects an organization has regarding its risks within scope of an ISMS.”

[Source: design specification]


Status of the standard

October update Work started on this standard in 2021. It is almost at first Working Draft stage, progressing nicely.  It is expected to be published in 2024.


Personal comments

A reasonably complete donor document was prepared along with the design specifications in the hope of whizzing through the formalities of PWI, WD, CD, DIS and FDIS stages in just 2 short years (!) ... although the latest draft released by the project team for SC 27 contributions is skeletal - barely a set of headings! Ho hum ...

The third edition of ISO/IEC 27002 introduced a new structure for the information security controls, based around ‘themes’ and ‘attributes’. ‘27002 notes that organisations may prefer to use their own attributes as well or instead: ISO/IEC 27028 may explain how to do that, in practice, and may suggest a variety of attributes with which to classify/characterise information security controls in various ways for various purposes. However, the agreed design specification has a narrower scope and purpose (see above) and “is now finalized and fixed for the full duration of the development of this project” - so it may not: we’ll have to wait and see how it turns out ...

... meanwhile, a free guideline in the ISO27k Toolkit explains how control attributes can be used creatively within an ISO27k ISMS, or indeed any other information risk-based framework that involves mitigating unacceptable risks with controls.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2022 IsecT Ltd.