Topic-specific policies
ISO/IEC TS 27028


Search this site
 
ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC TS 27028 Information security, cybersecurity and privacy protection — Guidance on ISO/IEC 27002 attributes [DRAFT]

 

Abstract

“This document provides guidance on the use and development of attributes aligned to ISO/IEC 27002:2022.”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]
 

Introduction

ISO/IEC 27002:2022 introduced a new structure for the information security controls, based around ‘themes’ and ‘attributes’, noting that organizations may prefer to use their own attributes as well or instead. ISO/IEC 27028 will explain how to do that, in practice, suggesting a variety of attributes with which to classify or characterise, select or design information security controls in various ways for various information security and business management purposes.

 

Scope of the standard

The standard will expand upon the control attributes from ISO/IEC 27002, providing practical guidance on how to use the specified attributes and how to develop additional attributes and attribute values where appropriate.

 

Content of the standard

The standard may cover:

  • “Guidance on the development of customized sets of attributes and their usage;
  • Attributes can be used to check that an organization's risk treatment plan(s) are tolerant of control failures;
  • This concept can be used to confirm that controls cover the different aspects an organization has regarding its risks within scope of an ISMS.”

[Source: design specification]

 

Status of the standard

Work started on this project in 2021. It looks likely to be published during 2025.

It will be a Technical Specification rather than a full International Standard since the approach is innovative and not yet proven by experience.

Oct status update The drafting project is coming along nicely, with some restructuring due for the Draft International Standard stage, and publication is due at the end of 2025.

 

Personal comments

There has been significant interest and support for the control attributes concept from ISO/IEC JTC 1/SC 27. When eventually published, I believe ISO/IEC TS 27028 will be a valuable contribution to the field, expanding on the value and utility of ISO/IEC 27002.

Meanwhile, a free guideline in the ISO27k Toolkit explains how control attributes can be used creatively within an ISO27k ISMS, or indeed any other information risk-based framework that involves mitigating unacceptable risks using appropriate information security controls. Thinking about which attributes or characteristics of controls are relevant, plus the importance of the corresponding attribute values, helps round-off the analysis and so select appropriate controls.

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights