# ISO 27002 Themes and Attributes

## Themes

In ISO 27002, controls are categorized into four main themes:

* **Organizational** (Clause 5)
* **People** (Clause 6)
* **Physical** (Clause 7)
* **Technological** (Clause 8)

## Attributes

Every control is associated with five attributes, which allow organizations to view and categorize the controls from different perspectives. The attributes and their possible values are:

**1. Control Type**

Views controls from the perspective of when and how the control modifies risk regarding the occurrence of an information security incident.

* Preventive
* Detective
* Corrective

**2. Information Security Properties**

Views controls from the perspective of which characteristic of information the control contributes to preserving.

* Confidentiality
* Integrity
* Availability

**3. Cybersecurity Concepts**

Views controls based on their association with the cybersecurity framework concepts defined in ISO/IEC TS 27110.

* Identify
* Protect
* Detect
* Respond
* Recover

**4. Operational Capabilities**

Views controls from the practitioner’s perspective of information security capabilities.

* Governance
* Asset_management
* Information_protection
* Human_resource_security
* Physical_security
* System_and_network_security
* Application_security
* Secure_configuration
* Identity_and_access_management
* Threat_and_vulnerability_management
* Continuity
* Supplier_relationships_security
* Legal_and_compliance
* Information_security_event_management
* Information_security_assurance

**5. Security Domains**

Views controls from the perspective of four high-level information security domains.

* Governance_and_Ecosystem
* Protection
* Defence
* Resilience