ISO/IEC 27028 — Guidance on ISO/IEC 27002 attributes [DRAFT]
Abstract
[TBA]
Introduction
TBA
Scope of the standard
The standard may “provide guidance on the use and developing of attributes aligned to ISO/IEC 27002:2022”. [Source: design specification]
Content of the standard
The standard may cover:
- “Guidance on the development of customized sets of attributes and their usage;
- Attributes can be used to check that an organization's risk treatment plan(s) are tolerant of control failures;
- This concept can be used to confirm that controls cover the different aspects an organization has regarding its risks within scope of an ISMS.”
[Source: design specification]
Status of the standard
Work started on this standard in 2021 and is progressing nicely. It is expected to be published in 2024.
Personal comments
A reasonably complete donor document was prepared along with the design specifications in the hope of whizzing through the formalities of PWI, WD, CD, DIS and FDIS stages in just 2 short years (!) ... although the latest draft released by the project team for SC 27 contributions is skeletal - barely a set of headings! Ho hum ...
The third edition of ISO/IEC 27002 introduced a new structure for the information security controls, based around ‘themes’ and ‘attributes’. ‘27002 notes that organisations may prefer to use their own attributes as well or instead: ISO/IEC 27028 may explain how to do that, in practice, and may suggest a variety of attributes with which to classify/characterise information security controls in various ways for various purposes. However, the agreed design specification has a narrower scope and purpose (see above) and “is now finalized and fixed for the full duration of the development of this project” - so it may not: we’ll have to wait and see how it turns out ...
... meanwhile, a free guideline in the ISO27k Toolkit explains how control attributes can be used creatively within an ISO27k ISMS, or indeed any other information risk-based framework that involves mitigating unacceptable risks with controls.