What are the “Attributes” in ISO 27002?
Chances are, if you know anything about our space program, you know that when we send a manned mission beyond our atmosphere, those astronauts remain in constant communication with their fellows back at Mission Control.
That’s because those folks back on Earth have more resources and information at their disposal to resolve potential obstacles than those flying around the universe in a high-tech tin can. Consistently passing information up to the stars helps these missions be successful and return the astronauts to solid ground.
While we’re not suggesting that you’re lost in the compliance “space,” we understand that it can feel that way sometimes—especially after a big, new update to an important standard like the one that just dropped for ISO 27002.
Revised in mid-February 2022, the ISO 27002 standard is now ISO/IEC 27002:2022, and it introduced a lot of changes that organizations seeking ISO compliance will need to accommodate.
All that is made easier with greater understanding, so let us be your Mission Control on that journey by passing on important information.
In this article, we’re going to break down one of the newly established concepts in the updated ISO 27002 standard: the role of attributes. Among the many changes in this new version, attributes are one of the biggest made to the content and structure of the control set itself, which makes them particularly important to understand.
As an ISO certification body that must remain familiar with all these standards for the sake of our clients, we want you to feel as secure as we do as you move forward with this update, no matter whom you choose to contract with for your certification.
After reading this, you’ll have a better understanding of one of the main changes to ISO 27002—the role of attributes—which will make your ongoing transition easier.
Understanding the New ISO 27002 Themes
Before we jump into attributes, it’s important to first understand the change in the structure of the control set itself within the new standard.
Previously, the 114 controls of Annex A within ISO 27001:2013 were grouped into 14 domains (A.5 – A.18), each organized into control objectives and the underlying controls. In ISO 27002:2022, the controls (now 93 of them) have been consolidated into four clauses, referred to as “themes.” The standard categorizes these themes as follows:
- Clause 5 – Organizational
- Clause 6 – People
- Clause 7 – Physical
- Clause 8 – Technological
This is where attributes come in. They let organizations go beyond those four broad themes and view each control from several more specific angles.
What is the Role of Attributes in ISO 27002?
But how do they actually work?
It may help to think of attributes as sub-categories for the controls within the four new main clauses (5-8) we mentioned before. Those clauses have fairly broad descriptors (organizational, people, physical, and technological), but attributes let you characterize each control more specifically than that.
Different attributes provide different lenses for viewing controls so that you can more easily discern whether you need them or not. They’re discussed in detail within Annex A of the new ISO 27002 standard, including very useful guidance on how you can use the attributes defined by the standard, or how to create your own, since they are versatile and customizable by design. The annex also contains a table summarizing the attribute values of each of the 93 controls within the 27002 standard.
These unique perspectives now offer new opportunities to both speed up your process of control selection and implementation and to better understand potential use cases of each control.
What are the Attributes in ISO 27002?
So you can better reap those benefits, let’s break down each of the five attributes defined by the standard.
1. Control Types: Takes the perspective of when and how the control modifies the risk with regard to the occurrence of an information security incident. The attribute values are:
- Preventive - the control acts before a threat occurs;
- Detective - the control acts when a threat occurs; and
- Corrective - the control acts after a threat occurs.
This attribute can lighten your load when it comes to making these determinations on your own, and you can also use it should you want to check the balance of your established controls. For example, you can use it to check if you’ve put adequate controls to detect information security events into place—not just those to prevent information security incidents.
2. Information Security Properties: Takes the perspective of which characteristic of information the control will contribute to preserving. The attribute values are:
- Confidentiality;
- Integrity; and
- Availability.
Commonly referred to as “CIA,” this attribute can be very helpful during the risk assessment process, since identifying risks associated with the loss of confidentiality, integrity, and availability is one of the requirements of ISMS clause 6.1.2 within ISO 27001.
3. Cybersecurity Concepts: Takes the perspective of the association of controls to the cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27110. The attribute values are:
- Identify;
- Protect;
- Detect;
- Respond; and
- Recover.
If you’ve established both an ISMS and a cybersecurity framework, this attribute can help you, as it maps the ISMS controls described in the ISO 27002 standard to the five concepts of the cybersecurity framework described in ISO/IEC TS 27110.
4. Operational Capabilities: Takes a practitioner’s perspective of information security capabilities. If you want to assign a risk or its associated control to the responsible department (e.g., HR, facilities, etc.), you can do so based on these attribute values. There are several possible values, which include but are not limited to:
- Asset Management;
- Information Protection;
- Human Resource Security; and
- Physical Security, etc.
You can use these more granular sub-categorizations of each control for delineating or assigning risk/control ownership.
5. Security Domains: Takes the perspective of information security fields, expertise, services, and products. The attribute values are:
- Governance and Ecosystem;
- Protection;
- Defence; and
- Resilience.
The standard details all these attributes, as we mentioned, but you may choose to disregard one or more of them. They’re included because they’re considered generic enough for different types of organizations to use, since the attribute values do not depend on the organization itself.
If you would prefer more customized views into your controls, you’re also permitted to create attributes of your own with the corresponding attribute values. The standard provides examples of this in Clause A.2. Also included are additional example attribute values such as maturity, implementation state, priority, etc.
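As an added example (not part of this article, and not anything the standard itself provides), here is a small Python model of a tagged control catalogue that shows how the attribute lenses can actually be queried: selecting controls by tag, counting coverage under one attribute, running the balance check described under Control Types (do we have detective and corrective controls for each of C, I and A, not just preventive ones?), and attaching an organization-specific attribute of the kind Annex A.2 allows. The control numbers and titles are real ISO/IEC 27002:2022 controls, but the tag assignments in the sample catalogue are constructed for illustration and should be taken from the standard’s Annex A table in practice; the function names are this example’s own.

```python
from collections import Counter
from dataclasses import dataclass

# The five attributes ISO/IEC 27002:2022 defines, with values written in the
# hashtag form the standard's Annex A table uses.
CONTROL_TYPE = "control_type"            # #Preventive #Detective #Corrective
SECURITY_PROPERTY = "security_property"  # #Confidentiality #Integrity #Availability
CYBER_CONCEPT = "cybersecurity_concept"  # #Identify #Protect #Detect #Respond #Recover
OPERATIONAL = "operational_capability"   # e.g. #Governance, #Asset_management, ...
DOMAIN = "security_domain"               # #Governance_and_Ecosystem #Protection #Defence #Resilience

TYPES = ("#Preventive", "#Detective", "#Corrective")
PROPERTIES = ("#Confidentiality", "#Integrity", "#Availability")
CIA = set(PROPERTIES)


@dataclass
class Control:
    ref: str
    title: str
    attrs: dict  # attribute name -> set of hashtag values


def control(ref, title, ct, sp, cc, oc, dom):
    """Build a Control with the five standard attributes filled in."""
    return Control(ref, title, {CONTROL_TYPE: set(ct), SECURITY_PROPERTY: set(sp),
                                CYBER_CONCEPT: set(cc), OPERATIONAL: set(oc), DOMAIN: set(dom)})


# Constructed sample catalogue: the numbers and titles are ISO/IEC 27002:2022
# controls, but the tag assignments here are illustrative only. Use the
# standard's own Annex A table for the real values.
CATALOGUE = [
    control("5.1", "Policies for information security", {"#Preventive"}, CIA,
            {"#Identify"}, {"#Governance"}, {"#Governance_and_Ecosystem", "#Resilience"}),
    control("6.3", "Information security awareness, education and training", {"#Preventive"}, CIA,
            {"#Protect"}, {"#Human_resource_security"}, {"#Governance_and_Ecosystem"}),
    control("7.2", "Physical entry", {"#Preventive"}, CIA,
            {"#Protect"}, {"#Physical_security"}, {"#Protection"}),
    control("8.8", "Management of technical vulnerabilities", {"#Preventive"}, CIA,
            {"#Identify", "#Protect"}, {"#Threat_and_vulnerability_management"},
            {"#Governance_and_Ecosystem", "#Protection", "#Defence"}),
    control("8.13", "Information backup", {"#Corrective"}, {"#Integrity", "#Availability"},
            {"#Recover"}, {"#Continuity"}, {"#Protection"}),
    control("8.16", "Monitoring activities", {"#Detective", "#Corrective"}, CIA,
            {"#Detect", "#Respond"}, {"#Information_security_event_management"}, {"#Defence"}),
]


def select(catalogue, **criteria):
    """Refs of controls that carry every requested tag under every requested attribute.
    Example: select(cat, control_type={"#Detective"}, security_property={"#Availability"})."""
    return [c.ref for c in catalogue
            if all(set(tags) <= c.attrs.get(attr, set()) for attr, tags in criteria.items())]


def coverage(catalogue, attribute):
    """How many controls carry each value of one attribute: a single lens over the set."""
    return Counter(tag for c in catalogue for tag in c.attrs.get(attribute, ()))


def balance(catalogue):
    """Controls per (security property, control type) pair, i.e. the balance check
    from the Control Types attribute: are C, I and A each covered by preventive,
    detective AND corrective controls?"""
    matrix = {p: {t: 0 for t in TYPES} for p in PROPERTIES}
    for c in catalogue:
        for p in c.attrs.get(SECURITY_PROPERTY, ()):
            for t in c.attrs.get(CONTROL_TYPE, ()):
                matrix[p][t] += 1
    return matrix


def thin_spots(catalogue, minimum=1):
    """(property, type) pairs covered by fewer than `minimum` controls; with the
    default of 1 this lists outright gaps."""
    m = balance(catalogue)
    return [(p, t) for p in PROPERTIES for t in TYPES if m[p][t] < minimum]


def tag(catalogue, attribute, values):
    """Attach an organization-specific attribute (the Annex A.2 idea), e.g. an
    implementation state or an owning department, keyed by control ref."""
    by_ref = {c.ref: c for c in catalogue}
    for ref, value in values.items():
        if ref not in by_ref:
            raise KeyError(f"unknown control {ref}")
        by_ref[ref].attrs.setdefault(attribute, set()).add(value)
    return catalogue


if __name__ == "__main__":
    print("detective controls:", select(CATALOGUE, control_type={"#Detective"}))
    print("cybersecurity-concept coverage:", dict(coverage(CATALOGUE, CYBER_CONCEPT)))
    for prop, ctype in thin_spots(CATALOGUE, minimum=2):
        print(f"fewer than 2 {ctype} controls for {prop}")
    # A custom attribute (hypothetical values) becomes just another lens for select().
    tag(CATALOGUE, "implementation_state", {"5.1": "#Implemented", "8.16": "#Planned"})
    print("planned:", select(CATALOGUE, implementation_state={"#Planned"}))
```

In this constructed catalogue every (property, type) pair is covered, but raising the threshold to two shows where detection and correction for confidentiality rest on a single control; that is the kind of imbalance the Control Types attribute is meant to surface before an auditor does.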
When to Use Attributes in ISO 27002
With all that said, the key takeaway here is that attributes are not hard requirements to follow. Rather, you should consider them tools during your risk assessment and risk treatment/control implementation process.
And helpful tools they are. One of their main benefits is that they can speed up your fulfillment of ISO 27001 ISMS clause 6.1.3 c). That requirement has you compare the controls you determined through the risk treatment process (the “necessary” controls) with those in Annex A of ISO 27001, to verify that no necessary controls have been omitted.
Next Steps for ISO 27002
Attributes represent only one of the changes made within the new version of ISO 27002. A major shift, their addition supports the notion that this standard is much more than just a new control set—rather, you should consider it a holistic toolset to optimize an ISMS, with attributes serving as a key component of that toolset.
And now that you better understand how they work and how they can help you, discerning the rest of the updates to the standard will be next. You more than likely still have several questions—including big ones about how these updates will affect your (potential) certification.
As we continue to familiarize ourselves with these updates, we will continue to act as a public sort of “Mission Control” to keep you from getting “lost in space.” We have plans to publish more articles breaking down the new changes within ISO 27001/27002, including one regarding transition requirements.
Should you have more specific, organizational questions regarding your ISO certification, we would encourage you to reach out to us directly. We’re happy to set up a more personal conversation that will help ease whatever concerns you may have.
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for co-leading Schellman's ISO practice, for the development and oversight of Schellman's SOC practice line, and for specialty practices such as HIPAA. Danny has been with Schellman for eight years and has over 11 years of experience in providing data security audit and compliance services.