# Themes and Attributes in ISO 27002 ## Themes In ISO 27002, controls are categorized into four main themes: * **Organizational** (Clause 5 - all controls numbered 5.n) * **People** (Clause 6 - all controls numbered 6.n) * **Physical** (Clause 7 - all controls numbered 7.n) * **Technological** (Clause 8 - all controls numbered 8.n) ## Attributes Every control is associated with five attributes, which allow organizations to view and categorize the controls from different perspectives. The attributes and their possible values are: ### Information Security Properties Views controls from the perspective of which characteristic of information the control contributes to preserving. * Confidentiality * Integrity * Availability ### Control Type Views controls from the perspective of when and how the control modifies risk regarding the occurrence of an information security incident. * Preventive * Detective * Corrective ### 3. Cybersecurity Concepts Based on the cybersecurity framework concepts defined in ISO/IEC TS 27110. |**Attribute**|**Description**|**Purpose**|**Control Examples**| |---|---|---|---| |**Identify**|Activities to understand the business context, the resources that support critical functions, and the related risks.|To develop the organizational understanding to manage risk to systems, assets, data, and capabilities.|Inventory of information (5.9), Risk assessment (5.1), Identification of legal requirements (5.31).| |**Protect**|Safeguards to ensure the delivery of critical infrastructure services and limit the impact of a potential security event.|To prevent or contain the impact of a potential cybersecurity event.|Access control (8.3), Information encryption (8.24), Secure authentication (8.5), Physical security (7.1).| |**Detect**|Activities to identify the occurrence of a cybersecurity event in a timely manner.|To enable timely discovery of security events to minimize damage.|Logging (8.15), Monitoring activities (8.16), Intrusion detection (8.1).| |**Respond**|Actions taken regarding a detected cybersecurity incident to contain its impact.|To take action once an incident is discovered to keep it from spreading or getting worse.|Incident response planning (5.24), Reporting events (5.25), Incident management (5.26).| |**Recover**|Activities to restore any capabilities or services that were impaired due to a cybersecurity incident.|To restore "business as usual" and support timely resilience.|Backup (8.13), ICT readiness for business continuity (5.30), Post-incident learning.| ### 4. Operational Capabilities The Operational Capabilities help practitioners understand the functional area a control belongs to. |**Capability**|**Description**| |---|---| |**Governance**|Policies, frameworks, and management oversight.| |**Asset Management**|Identification and protection of information assets and hardware.| |**Information Protection**|Technical and organizational measures to keep data secure.| |**Human Resource Security**|Security relating to the lifecycle of employment (hiring to termination).| |**Physical Security**|Protecting physical premises, equipment, and facilities.| |**System and Network Security**|Hardening infrastructure, managing traffic, and securing connections.| |**Application Security**|Security within software development and business applications.| |**Secure Configuration**|Standardizing settings for hardware, software, and services.| |**Identity and Access Management**|Managing who can access what (IAM).| |**Threat and Vulnerability Management**|Identifying risks and patching security holes.| |**Continuity**|Resilience and recovery planning for disruptions.| |**Supplier Relationships Security**|Managing risks from third parties and the supply chain.| |**Legal and Compliance**|Meeting laws, regulations, and contractual obligations.| |**Information Security Assurance**|Auditing and monitoring to ensure controls are working.| |**Information Security Incident Management**|Detecting and responding to security events.| ### 5. Security Domains Views controls from the perspective of four high-level information security domains. * Governance_and_Ecosystem * Protection * Defence * Resilience