moved to Vault Structure
This commit is contained in:
parent
a26b03c1fa
commit
d45797d121
1 changed files with 0 additions and 61 deletions
|
|
@ -1,61 +0,0 @@
|
||||||
# ISO 27002 Themes and Attributes
|
|
||||||
|
|
||||||
## Themes
|
|
||||||
In ISO 27002, controls are categorized into four main themes:
|
|
||||||
* **Organizational** (Clause 5)
|
|
||||||
* **People** (Clause 6)
|
|
||||||
* **Physical** (Clause 7)
|
|
||||||
* **Technological** (Clause 8)
|
|
||||||
|
|
||||||
## Attributes
|
|
||||||
Every control is associated with five attributes, which allow organizations to view and categorize the controls from different perspectives. The attributes and their possible values are:
|
|
||||||
|
|
||||||
### 1. Control Type
|
|
||||||
Views controls from the perspective of when and how the control modifies risk regarding the occurrence of an information security incident.
|
|
||||||
* Preventive
|
|
||||||
* Detective
|
|
||||||
* Corrective
|
|
||||||
|
|
||||||
### 2. Information Security Properties
|
|
||||||
Views controls from the perspective of which characteristic of information the control contributes to preserving.
|
|
||||||
* Confidentiality
|
|
||||||
* Integrity
|
|
||||||
* Availability
|
|
||||||
|
|
||||||
### 3. Cybersecurity Concepts
|
|
||||||
Based on the cybersecurity framework concepts defined in ISO/IEC TS 27110.
|
|
||||||
|
|
||||||
|**Attribute**|**Description**|**Purpose**|**Control Examples**|
|
|
||||||
|---|---|---|---|
|
|
||||||
|**Identify**|Activities to understand the business context, the resources that support critical functions, and the related risks.|To develop the organizational understanding to manage risk to systems, assets, data, and capabilities.|Inventory of information (5.9), Risk assessment (5.1), Identification of legal requirements (5.31).|
|
|
||||||
|**Protect**|Safeguards to ensure the delivery of critical infrastructure services and limit the impact of a potential security event.|To prevent or contain the impact of a potential cybersecurity event.|Access control (8.3), Information encryption (8.24), Secure authentication (8.5), Physical security (7.1).|
|
|
||||||
|**Detect**|Activities to identify the occurrence of a cybersecurity event in a timely manner.|To enable timely discovery of security events to minimize damage.|Logging (8.15), Monitoring activities (8.16), Intrusion detection (8.1).|
|
|
||||||
|**Respond**|Actions taken regarding a detected cybersecurity incident to contain its impact.|To take action once an incident is discovered to keep it from spreading or getting worse.|Incident response planning (5.24), Reporting events (5.25), Incident management (5.26).|
|
|
||||||
|**Recover**|Activities to restore any capabilities or services that were impaired due to a cybersecurity incident.|To restore "business as usual" and support timely resilience.|Backup (8.13), ICT readiness for business continuity (5.30), Post-incident learning.|
|
|
||||||
### 4. Operational Capabilities
|
|
||||||
The Operational Capabilities help practitioners understand the functional area a control belongs to.
|
|
||||||
|
|
||||||
|**Capability**|**Description**|
|
|
||||||
|---|---|
|
|
||||||
|**Governance**|Policies, frameworks, and management oversight.|
|
|
||||||
|**Asset Management**|Identification and protection of information assets and hardware.|
|
|
||||||
|**Information Protection**|Technical and organizational measures to keep data secure.|
|
|
||||||
|**Human Resource Security**|Security relating to the lifecycle of employment (hiring to termination).|
|
|
||||||
|**Physical Security**|Protecting physical premises, equipment, and facilities.|
|
|
||||||
|**System and Network Security**|Hardening infrastructure, managing traffic, and securing connections.|
|
|
||||||
|**Application Security**|Security within software development and business applications.|
|
|
||||||
|**Secure Configuration**|Standardizing settings for hardware, software, and services.|
|
|
||||||
|**Identity and Access Management**|Managing who can access what (IAM).|
|
|
||||||
|**Threat and Vulnerability Management**|Identifying risks and patching security holes.|
|
|
||||||
|**Continuity**|Resilience and recovery planning for disruptions.|
|
|
||||||
|**Supplier Relationships Security**|Managing risks from third parties and the supply chain.|
|
|
||||||
|**Legal and Compliance**|Meeting laws, regulations, and contractual obligations.|
|
|
||||||
|**Information Security Assurance**|Auditing and monitoring to ensure controls are working.|
|
|
||||||
|**Information Security Incident Management**|Detecting and responding to security events.|
|
|
||||||
|
|
||||||
**5. Security Domains**
|
|
||||||
Views controls from the perspective of four high-level information security domains.
|
|
||||||
* Governance_and_Ecosystem
|
|
||||||
* Protection
|
|
||||||
* Defence
|
|
||||||
* Resilience
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue