ISO/IEC 27028 - Guidance on ISO/IEC 27002 attributes [DRAFT]

 

Abstract

TBA
[Source: none yet]
 

Introduction

TBA

 

Scope of the standard

[May update] The standard will “provide guidance on the use and developing of attributes aligned to ISO/IEC 27002:2022”.  [Source: design specification]

 

Content of the standard

[May update] The standard will cover:

  • “Guidance on the development of customized sets of attributes and their usage;
  • Attributes can be used to check that an organization's risk treatment plan(s) are tolerant of control failures;
  • This concept can be used to confirm that controls cover the different aspects an organization has regarding its risks within scope of an ISMS.” [Source: design specification]

 

Status of the standard

[May update] A design specification and outline document has been approved, and drafting has commenced.

 

Personal comments

[May update] The third edition of ISO/IEC 27002 introduced a new structure for the information security controls, based around ‘themes’ and ‘attributes’. ISO/IEC 27002 notes that organisations may prefer to use their own attributes as well as, or instead of, the standard ones: ISO/IEC 27028 may explain how to do that in practice, and may suggest a variety of attributes with which to classify/characterise information security controls in various ways for various purposes. However, the agreed design specification has a narrower scope and purpose (see above) and “is now finalized and fixed for the full duration of the development of this project”, so it may not: we’ll have to wait and see how it turns out ...

... meanwhile, a free guideline in the ISO27k Toolkit explains how control attributes can be used creatively within an ISO27k ISMS, or indeed any other information risk-based framework that involves mitigating unacceptable risks with controls.

 

Copyright © 2022 IsecT Ltd.