< Previous standard ^ Up a level ^ Next standard >

IEC 27002 attributes [DRAFT]

Abstract

“This document provides guidance on the use and development of attributes aligned to ISO/IEC 27002:2022.”

[Source: ISO/IEC JTC 1/SC 27 SD11]

Introduction

The third edition of ISO/IEC 27002 introduced a new structure for the information security controls, based around ‘themes’ and ‘attributes’. ‘27002 notes that organisations may prefer to use their own attributes as well or instead: ISO/IEC 27028 will explain how to do that, in practice, and will suggest a variety of attributes with which to classify/characterise information security controls in various ways for various purposes.

Scope of the standard

The standard will expand upon the control attributes introduced with the 2022 release of ISO/IEC 27002, providing guidance on how to use the attributes in practice, and how to develop additional attributes where appropriate.

Content of the standard

The standard may cover:

“Guidance on the development of customized sets of attributes and their usage;
Attributes can be used to check that an organization's risk treatment plan(s) are tolerant of control failures;
This concept can be used to confirm that controls cover the different aspects an organization has regarding its risks within scope of an ISMS.”

[Source: design specification]

Status of the standard

Work started on this standard in 2021 and is progressing steadily. It is expected to be published in 2026. It is at Working Draft stage.

Personal comments

Despite having started with a reasonably complete donor document and design specification in the hope of whizzing through the usual formalities, the project is expected to take at least 4 years.

Meanwhile, a free guideline in the ISO27k Toolkit explains how control attributes can be used creatively within an ISO27k ISMS, or indeed any other information risk-based framework that involves mitigating unacceptable risks with controls.

< Previous standard ^ Up a level ^ Next standard >