ISO/IEC 27028 Guidance on ISO/IEC 27002 attributes [DRAFT]

Scope of the standard

The standard may “provide guidance on the use and developing of attributes aligned to ISO/IEC 27002:2022”. [Source: design specification]


Content of the standard

The standard may cover:

  • “Guidance on the development of customized sets of attributes and their usage;
  • Attributes can be used to check that an organization's risk treatment plan(s) are tolerant of control failures;
  • This concept can be used to confirm that controls cover the different aspects an organization has regarding its risks within scope of an ISMS.”

[Source: design specification]
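The two uses listed above (checking that a risk treatment plan tolerates control failures, and confirming that the assigned controls cover the different aspects of a risk) can be made concrete with the attribute tags that ISO/IEC 27002:2022 already attaches to each control. The Python below is an added example written for this page, not material from the draft standard, its donor document or the ISO27k Toolkit; it assumes a plan that tags each control with 27002:2022 attribute values, and the "single point of failure" criterion it applies is this example's own assumption.

```python
from dataclasses import dataclass
# ISO/IEC 27002:2022 attribute values (hashtag convention as in the standard).
CONTROL_TYPES = frozenset({"#Preventive", "#Detective", "#Corrective"})
SECURITY_PROPERTIES = frozenset({"#Confidentiality", "#Integrity", "#Availability"})

@dataclass(frozen=True)
class Control:
    ident: str             # 27002 control number and name
    attributes: frozenset  # attribute values the control carries

def covered(controls, attribute_values):
    """Values from attribute_values carried by at least one of the controls."""
    return frozenset().union(*(c.attributes for c in controls)) & attribute_values

def coverage_gaps(controls, attribute_values):
    """Aspects of the risk (attribute values) that no assigned control addresses."""
    return attribute_values - covered(controls, attribute_values)

def single_points_of_failure(controls, attribute_values):
    """Controls whose failure alone would lose coverage of some attribute value.
    Tolerant of single control failures == empty list. This criterion is an
    assumption made for this example, not a definition from the draft standard."""
    baseline = covered(controls, attribute_values)
    return [c.ident for c in controls
            if covered([o for o in controls if o is not c], attribute_values) != baseline]

def review_plan(plan, attribute_values=CONTROL_TYPES):
    """Per-risk summary of coverage gaps and single points of failure."""
    return {risk: {"gaps": coverage_gaps(ctrls, attribute_values),
                   "spof": single_points_of_failure(ctrls, attribute_values)}
            for risk, ctrls in plan.items()}

# Constructed sample risk treatment plan. Control numbers and names follow
# ISO/IEC 27002:2022; the attribute tags are typed in by hand for illustration.
SAMPLE_PLAN = {
    "Ransomware on file servers": [
        Control("8.7 Protection against malware", CONTROL_TYPES | SECURITY_PROPERTIES),
        Control("8.13 Information backup",
                frozenset({"#Corrective", "#Integrity", "#Availability"})),
        Control("8.16 Monitoring activities",
                frozenset({"#Detective", "#Corrective"}) | SECURITY_PROPERTIES),
    ],
    "Unauthorised access to HR records": [
        Control("5.15 Access control", frozenset({"#Preventive"}) | SECURITY_PROPERTIES),
    ],
}
if __name__ == "__main__":
    for risk, result in review_plan(SAMPLE_PLAN).items():
        print(risk, "| gaps:", sorted(result["gaps"]), "| single points of failure:", result["spof"])
```

Run against the sample plan, the ransomware risk has no control-type gap but hangs its entire preventive coverage on one control, while the HR-records risk has no detective or corrective control at all; the same functions can be pointed at any other attribute set (for example the security properties) by passing it as `attribute_values`.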


Status of the standard

Work started on this standard in 2021 and is progressing nicely. It is expected to be published in 2024.


Personal comments

A reasonably complete donor document was prepared along with the design specifications in the hope of whizzing through the formalities of PWI, WD, CD, DIS and FDIS stages in just 2 short years (!) ... although the latest draft released by the project team for SC 27 contributions is skeletal - barely a set of headings! Ho hum ...

The third edition of ISO/IEC 27002 introduced a new structure for the information security controls, based around ‘themes’ and ‘attributes’. ‘27002 notes that organisations may prefer to use their own attributes as well or instead: ISO/IEC 27028 may explain how to do that, in practice, and may suggest a variety of attributes with which to classify/characterise information security controls in various ways for various purposes. However, the agreed design specification has a narrower scope and purpose (see above) and “is now finalized and fixed for the full duration of the development of this project” - so it may not: we’ll have to wait and see how it turns out ...

... meanwhile, a free guideline in the ISO27k Toolkit explains how control attributes can be used creatively within an ISO27k ISMS, or indeed any other information risk-based framework that involves mitigating unacceptable risks with controls.

Copyright © 2023 IsecT Ltd.