iso27diy-corp/Corpus/Standards/ISO27x/about/ISO 27028.md


tags
iso27028
LLMgenerated

ISO 27028 Guidance on ISO/IEC 27002 attributes

Still in development as of 3 July 2025

ISO/IEC TS 27028, "Information security, cybersecurity and privacy protection — Guidance on ISO/IEC 27002 attributes," is a technical specification that provides guidance on using and developing attributes aligned with ISO/IEC 27002:2022. In short, it helps organizations classify, select and design information security controls for a variety of purposes.

While ISO 27002 provides a catalog of information security controls, ISO 27028 delves deeper into how to categorize and use these controls effectively through the concept of "attributes." These attributes can help an organization understand the characteristics of a control (e.g., preventive, detective, corrective) and how it contributes to their overall information security posture.

Practical applications of ISO 27028

Here are some practical applications of ISO 27028:

  • Tailoring Information Security Management Systems (ISMS):

    • Risk-based control selection: Organizations can use the attributes to select controls that are most relevant to their specific risks and business needs. For example, if a high risk is identified for data confidentiality, the attributes can help identify preventive controls that directly address this.

    • Customizing control sets: While ISO 27002 offers a comprehensive list, not every control is applicable to every organization. ISO 27028 can help in developing customized sets of controls based on attribute values, ensuring that only necessary and effective controls are implemented.

    • Optimizing resource allocation: By understanding the attributes of controls, organizations can prioritize investments in security measures that provide the greatest impact on mitigating identified risks, optimizing their security budget.

  • Improving Control Effectiveness and Assurance:

    • Enhanced control design: The guidance in ISO 27028 can help organizations design more robust controls by considering various attributes during the implementation phase.

    • Better monitoring and reporting: Attributes can be used to categorize and track the performance of controls. This allows for more meaningful monitoring, measurement, and reporting of security posture to management and stakeholders.

    • Auditing and compliance: Auditors can use the attribute-based approach to assess the completeness and effectiveness of an organization's controls against specific requirements, whether internal policies or external regulations.

  • Facilitating Communication and Understanding:

    • Clearer security objectives: By using attributes, security professionals can articulate the purpose and function of controls more clearly to non-technical stakeholders, fostering a better understanding of information security throughout the organization.

    • Standardized terminology: The standard promotes a consistent way of describing and categorizing controls, which can improve communication and collaboration within an organization and with external partners.

  • Responding to Evolving Threats:

    • Adaptability: The attribute-based approach allows organizations to be more agile in adapting their security controls as new threats and vulnerabilities emerge. They can quickly identify which types of controls are needed to address new risks.

    • Proactive security: By considering attributes like "preventive" or "detective," organizations can build a more balanced and proactive security architecture rather than solely reacting to incidents.

In essence, ISO 27028 acts as a valuable tool for organizations that are serious about implementing and optimizing their information security management systems, moving beyond a simple checklist approach to a more intelligent and tailored application of security controls.

Developing your own attributes

Here's how ISO 27028 supports the development of custom attributes:

  • Tailored Views: Organizations can create attributes that provide more granular or relevant perspectives on their controls. For instance, a highly regulated industry might introduce attributes specific to their compliance obligations (e.g., "GDPR relevance" or "HIPAA applicability").

  • Enhanced Risk Treatment: Custom attributes can help in better linking controls to specific risks identified in an organization's risk assessment. If a risk treatment plan requires controls with a very specific characteristic not covered by standard attributes, custom ones can fill that gap.

  • Improved Reporting: Custom attributes allow organizations to generate reports and metrics that are more meaningful to their internal stakeholders and management. For example, an attribute for "responsible department" could enable clear reporting on ownership of controls.

  • Integration with Existing Frameworks: If an organization uses other security frameworks (like NIST CSF or CIS Controls) alongside ISO 27001/27002, they can develop custom attributes that map to the terminology and concepts of those frameworks, facilitating integration and consistency.

  • Optimized Control Selection and Design: By developing attributes that directly reflect their unique operational environment and security objectives, organizations can make more informed decisions about which controls to implement and how to design them effectively.

Developing a system of specific attributes for information security controls, as guided by ISO/IEC TS 27028, is crucial for tailoring an organization's security posture. Here's what's important:


Alignment with Organizational Context 🎯

The most critical aspect is ensuring the attributes directly support your organization's unique needs, objectives, and risk profile. This means:

  • Business Objectives: Attributes should help in achieving specific business goals, such as maintaining service availability, protecting customer data, or ensuring regulatory compliance.

  • Risk Landscape: They must be designed to classify controls in a way that directly assists in mitigating the organization's specific threats and vulnerabilities.

  • Regulatory & Compliance Requirements: For organizations in regulated industries, attributes should facilitate demonstrating adherence to laws, standards, and industry-specific mandates (e.g., GDPR, HIPAA, PCI DSS).

  • Strategic Security Goals: The attributes should reflect and reinforce the overarching security strategy of the organization.


Clarity and Unambiguity 🧐

Each attribute and its possible values should be clearly defined and easily understood by anyone who will use them.

  • Precise Definitions: Avoid vague language. Define what each attribute means and what its specific values represent. For example, if you have an attribute "Control Function," its values like "Preventive," "Detective," and "Corrective" should have clear definitions.

  • Mutual Exclusivity: Where appropriate, attribute values should be mutually exclusive, meaning a control carries exactly one value for that attribute, which avoids ambiguity. Decide this per attribute and record the decision: the ISO 27002:2022 default attributes are deliberately multi-valued (Control 8.7 Protection Against Malware is tagged preventive, detective and corrective at once), so exclusivity fits lifecycle or ownership attributes such as "Implementation Status" or "Control Owner" better than functional ones.

  • Consistency: The application of attributes must be consistent across all controls and by all personnel involved in the process. This might require training and clear documentation.


Practicality and Usability 🛠️

The attribute system must be easy to implement and maintain within your existing security processes.

  • Simplicity: Don't overcomplicate it. Too many attributes or overly complex definitions can make the system cumbersome and lead to low adoption.

  • Integration: Consider how the attribute system will integrate with existing tools and processes, such as risk management platforms, control frameworks, and reporting mechanisms.

  • Maintainability: The system should be manageable. As your organization evolves, the attributes may need to be reviewed and updated. Ensure there's a process for this.

  • Actionability: Attributes should provide actionable insights. They should help you make decisions about control selection, implementation, monitoring, and reporting. If an attribute doesn't lead to better decision-making, it might not be necessary.


Scalability and Adaptability ⚖️

The attribute system should be flexible enough to evolve with your organization and the changing threat landscape.

  • Future-Proofing: While you can't predict everything, design the system with some flexibility to accommodate new technologies, business processes, or emerging threats without a complete overhaul.

  • Granularity: Choose an appropriate level of granularity. Too broad, and the attributes are unhelpful; too fine, and they become unmanageable. Find a balance that provides meaningful insights without excessive detail.


Communication and Documentation ✍️

Effective communication and thorough documentation are essential for the successful adoption and longevity of the attribute system.

  • Comprehensive Documentation: Create clear documentation explaining each attribute, its purpose, its possible values, and how to apply it. This serves as a critical reference for users.

  • Training and Awareness: Provide training to relevant stakeholders on how to use and interpret the attribute system.

  • Stakeholder Buy-in: Involve key stakeholders from different departments (e.g., IT, legal, business units) in the development process to ensure their needs are met and to foster ownership.

By focusing on these key aspects, organizations can develop a system of specific attributes that significantly enhances their ability to manage information security controls effectively and strategically.

Methodologies Suggested by ISO 27028 for Developing and Applying Attributes

ISO 27028 provides structured guidance for organizations to develop and apply attributes to information security controls, building on the concepts introduced in ISO/IEC 27002:2022. The methodologies recommended include:

  1. Event-Consequence Scenario Method
    • Event-consequence scenarios are central to ISO 27028's approach. Organizations are encouraged to analyze potential security events and their consequences to identify which attributes are most relevant for their controls.
    • This scenario-based method helps in customizing attributes and their values to reflect the organization's unique operational context and risk profile.
  2. Customization and Extension of Attributes
    • Organizations may modify, extend, or disregard the default attributes provided in ISO/IEC 27002.
    • ISO 27028 suggests a methodology for developing customized attributes, such as:
      • Defining new attributes based on organizational needs (e.g., department, asset type, maturity level, priority, implementation status).
      • Assigning attribute values that are meaningful for the organization's structure and risk management processes.
  3. Attribute-Based Control Selection and Gap Analysis
    • Attributes can be used to classify, select, or design information security controls for various management and business purposes.
    • The methodology includes:
      • Using attributes to filter and select controls that align with specific security objectives (e.g., confidentiality, integrity, availability).
      • Applying attributes to identify gaps in the risk treatment plan and assess resilience against control failures.
  4. Iterative Review and Improvement
    • The process of developing and applying attributes is iterative. Organizations are advised to periodically review and refine attributes and their values based on lessons learned from incidents and changes in the operational environment.

In summary: ISO 27028 emphasizes a practical, scenario-driven approach (event-consequence analysis), supports the customization of attributes, and encourages using attributes for control selection and ongoing risk management. This methodology is designed to help organizations tailor their security framework to their specific needs and enhance resilience.

Using an Event-Consequence Scenario Method

Overview

The Event-Consequence Scenario Method is a structured approach recommended by ISO 27028 for developing and applying attributes to information security controls. It guides organizations to analyze potential security events and their consequences, then use this analysis to tailor attributes that best reflect their operational context and risk profile. This method is particularly relevant for implementing and customizing controls from ISO/IEC 27002:2022[1][2].

Key Steps in the Method

  • Identify plausible security events: Consider a range of possible incidents, from common to rare, that could impact the organization.
  • Analyze consequences: Assess the potential impact of each event on information assets, operations, and compliance.
  • Map controls to scenarios: Link specific ISO 27002 controls to the identified scenarios, evaluating how attributes (such as control type, security property, or operational capability) align with the organization's needs.
  • Customize attributes: Adjust or create new attributes based on the findings to improve control selection, risk treatment, and resilience[1][2].

Examples Relevant to ISO 27002

Below are practical examples illustrating how the Event-Consequence Scenario Method can be applied to ISO 27002 controls:

Example 1: Ransomware Attack Scenario

  • Event: Employee opens a phishing email, triggering ransomware.
  • Consequence: Critical business files are encrypted, leading to downtime, data loss, and possible ransom demands.
  • Relevant ISO 27002 Controls:
    • Control 5.30 ICT Readiness for Business Continuity: Ensures ICT continuity plans and recovery objectives are in place so that operations can be restored after the event.
    • Control 8.13 Information Backup: Keeps tested backups, stored apart from the production network so the ransomware cannot encrypt them too, from which the affected files are actually restored.
    • Control 8.7 Protection Against Malware: Focuses on deploying anti-malware solutions and user awareness training.
  • Attribute Application: In ISO 27002:2022, 8.7 carries control types preventive, detective and corrective, all three security properties, and the cybersecurity concepts protect and detect. 5.30 carries control type corrective, property availability, concept respond, operational capability continuity and security domain resilience; 8.13 carries control type corrective, concept recover and operational capability continuity. Tagged this way, the set visibly covers the event before, during and after it occurs. Had only 8.7 and 5.30 been selected, the missing recover value would have shown that nothing in the treatment actually restores the data[3][4].

Example 2: Physical Intrusion Scenario

  • Event: Unauthorized individual gains access to a secure server room.
  • Consequence: Potential theft, tampering, or destruction of critical IT infrastructure.
  • Relevant ISO 27002 Controls:
    • Control 7.2 Physical Entry: Badges, locks and visitor handling that keep the unauthorized individual out in the first place.
    • Control 7.4 Physical Security Monitoring: Guards, intruder alarms and CCTV that detect a presence that should not be there.
  • Attribute Application: Both controls carry operational capability physical_security and all three information security properties; 7.2 is control type preventive, 7.4 is preventive and detective. Note that "physical" is not a security domain in ISO 27002:2022 (the four domains are governance_and_ecosystem, protection, defence and resilience); these two controls sit in protection and defence[4].

Example 3: Data Breach Due to Weak Passwords

  • Event: Attacker guesses or sprays weak passwords and gains access to sensitive customer data.
  • Consequence: Loss of confidentiality, regulatory fines, and reputational damage.
  • Relevant ISO 27002 Controls:
    • Control 5.17 Authentication Information: Password quality rules, distribution of initial secrets, and guidance against credential reuse.
    • Control 8.5 Secure Authentication: Selection of authentication techniques, such as multi-factor authentication and lockout after repeated failures.
    • Control 8.2 Privileged Access Rights: Restricts and manages the allocation of privileged accounts, the accounts a guessed password does the most damage with.
    • Controls 5.16 Identity Management and 5.18 Access Rights: Manage the identity and access-rights lifecycle (the 2013 edition's "user registration and de-registration" control maps here; 8.3 in the 2022 edition is Information Access Restriction).
  • Attribute Application: All of these carry confidentiality among their security properties, control type preventive, cybersecurity concept protect and operational capability identity_and_access_management. The tagging also makes the scenario's weakness visible: nothing selected is detective, so a monitoring control such as 8.16 Monitoring Activities is needed to notice the guessing while it is happening[1][2].

Practical Benefits

  • Gap Analysis: By mapping controls and attributes to specific scenarios, organizations can more easily identify coverage gaps in their risk treatment plans.
  • Customization: Attributes can be tailored to reflect unique operational needs, such as department, asset type, or implementation status.
  • Resilience Assessment: The method helps organizations test their resilience to control failures by simulating real-world events and consequences[1][2].

This scenario-driven approach grounds the selection and customization of controls in realistic threats, making the information security framework more robust and relevant to the organization's actual risk landscape.
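The following is an added example, not code from ISO/IEC TS 27028 or from any of the sources cited on this page. It implements the four steps of the Event-Consequence Scenario Method for the ransomware and weak-password examples above: controls are tagged with the attribute values printed in ISO/IEC 27002:2022, each scenario records the controls selected to treat it, and a gap check reports which control types and cybersecurity concepts the treatment still lacks, then filters the catalogue for controls that could close them. The two scenarios and the completeness rule in `REQUIRED` are this example's own assumptions.

```python
"""Scenario-driven gap analysis over attribute-tagged ISO 27002 controls.

Added example; not code from ISO/IEC TS 27028 or from this page's sources.
The attribute values on the seven controls in the catalogue are the ones
printed in ISO/IEC 27002:2022. The two scenarios and the completeness rule
in REQUIRED are assumptions made for this example.
"""
from dataclasses import dataclass, replace

CIA = ("Confidentiality", "Integrity", "Availability")


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    control_types: frozenset
    properties: frozenset
    concepts: frozenset
    capabilities: frozenset
    domains: frozenset


def _c(ident, name, types, props, concepts, caps, domains):
    return Control(ident, name, frozenset(types), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


# Attribute values per ISO/IEC 27002:2022 (hashtags dropped, e.g. #Protect -> "Protect").
CATALOGUE = {c.ident: c for c in [
    _c("8.7", "Protection against malware",
       ("Preventive", "Detective", "Corrective"), CIA, ("Protect", "Detect"),
       ("System_and_network_security", "Information_protection"), ("Protection", "Defence")),
    _c("5.30", "ICT readiness for business continuity",
       ("Corrective",), ("Availability",), ("Respond",), ("Continuity",), ("Resilience",)),
    _c("8.13", "Information backup",
       ("Corrective",), ("Integrity", "Availability"), ("Recover",), ("Continuity",), ("Protection",)),
    _c("5.17", "Authentication information",
       ("Preventive",), CIA, ("Protect",), ("Identity_and_access_management",), ("Protection",)),
    _c("8.5", "Secure authentication",
       ("Preventive",), CIA, ("Protect",), ("Identity_and_access_management",), ("Protection",)),
    _c("8.2", "Privileged access rights",
       ("Preventive",), CIA, ("Protect",), ("Identity_and_access_management",), ("Protection",)),
    _c("8.16", "Monitoring activities",
       ("Detective", "Corrective"), CIA, ("Detect", "Respond"),
       ("Information_security_event_management",), ("Defence",)),
]}

# Completeness rule (assumption for this example): a scenario's treatment should
# include controls acting before, during and after the event, and cover the
# protect/detect/respond/recover functions of the cybersecurity-concept attribute.
REQUIRED = {
    "control_types": frozenset({"Preventive", "Detective", "Corrective"}),
    "concepts": frozenset({"Protect", "Detect", "Respond", "Recover"}),
}


@dataclass(frozen=True)
class Scenario:
    name: str
    event: str
    consequence: str
    controls: tuple  # identifiers of the controls selected to treat this scenario


def coverage(scenario, catalogue=CATALOGUE):
    """Union of the attribute values carried by the scenario's selected controls."""
    covered = {attr: set() for attr in REQUIRED}
    for ident in scenario.controls:
        control = catalogue[ident]
        for attr in REQUIRED:
            covered[attr] |= getattr(control, attr)
    return covered


def gaps(scenario, catalogue=CATALOGUE):
    """Required attribute values that none of the selected controls provides."""
    covered = coverage(scenario, catalogue)
    return {attr: sorted(REQUIRED[attr] - covered[attr]) for attr in REQUIRED}


def candidates(attr, value, catalogue=CATALOGUE):
    """Filter the catalogue on one attribute value: the controls that could close a gap."""
    return sorted(c.ident for c in catalogue.values() if value in getattr(c, attr))


def extend(scenario, *idents):
    """Return the scenario with extra controls added to its treatment."""
    return replace(scenario, controls=scenario.controls + idents)


# Constructed scenarios mirroring Examples 1 and 3 above.
RANSOMWARE = Scenario(
    "Ransomware", "Employee opens a phishing attachment that runs ransomware",
    "Critical business files encrypted; downtime and possible data loss",
    ("8.7", "5.30"))
WEAK_PASSWORDS = Scenario(
    "Credential guessing", "Attacker guesses weak passwords on an internet-facing service",
    "Loss of confidentiality of customer data; fines and reputational damage",
    ("5.17", "8.5", "8.2"))

if __name__ == "__main__":
    for scenario in (RANSOMWARE, WEAK_PASSWORDS):
        print(f"{scenario.name}: gaps {gaps(scenario)}")
        for attr, missing in gaps(scenario).items():
            for value in missing:
                print(f"  {attr}={value}: candidates {candidates(attr, value)}")
    print("Ransomware after adding 8.13:", gaps(extend(RANSOMWARE, "8.13")))
```

Run as a script, the ransomware treatment reports a single gap (concept `Recover`) and names 8.13 as the only control in this catalogue that closes it; the weak-password treatment reports that it is purely preventive, with 8.16 the candidate for the detective and respond gaps. The attribute values are the standard's own, so the same check works against a full 93-control catalogue once it is tagged; only `REQUIRED` and the scenarios need to be adapted to the organization.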

Sources

[1] Alireza Ghahrood, "Guidance on ISO/IEC 27002 Attributes", LinkedIn: https://www.linkedin.com/posts/alirezaghahrood_iso-27028-guidance-on-isoiec-27002-attributes-activity-7302656222434877441-X94G
[2] ISO27001security.com, SecAware white paper on security control attributes (PDF): https://www.iso27001security.com/SecAware_white_paper_on_security_control_attributes_v2_1_.pdf
[3] RigCert, "The two approaches for information security risk identification according to ISO 27005": https://rigcert.education/resources/the-approaches-for-information-security-risk-identification-according-to-iso-27005
[4] NordLayer, "ISO 27002 Essentials: A Comprehensive Overview": https://nordlayer.com/learn/iso/iso-27002/
[5] High Table, "ISO 27001 Learning From Information Security Incidents: Annex A 5.27": https://hightable.io/iso-27001-annex-a-5-27-learning-from-information-security-incidents/
[6] ISO27001security.com, "ISO/IEC TS 27028 Control attributes": https://www.iso27001security.com/html/27028.html
[7] Dipen Das, LinkedIn post (#iso27001 #isms #iso27002): https://www.linkedin.com/posts/dipendas1979_iso27001-isms-iso27002-activity-7300514829008613376-Vrs6
[8] ISMS.online, "ISO 27002:2022 Control 6.8 Information Security Event Reporting": https://www.isms.online/iso-27002/control-6-8-information-security-event-reporting/
[9] High Table, "ISO 27001 Attributes Explained Simply": https://hightable.io/iso-27001-attributes-the-ultimate-guide/
[10] ISO Online Browsing Platform, "Guidance on ISO/IEC 27002 attributes": https://www.iso.org/obp/ui/en/
[11] ISO27001security.com, ISO27k ISMS 6.1 guideline on security control attributes 2022 (PDF): https://www.iso27001security.com/ISO27k_ISMS_6.1_guideline_on_security_control_attributes_2022.pdf
[12] ISMS.online, "ISO 27002:2022 Control 8.25 Secure Development Life Cycle": https://www.isms.online/iso-27002/control-8-25-secure-development-life-cycle/
[13] ISO/IEC JTC 1/SC 27, Committee Document 11: 2024, Introduction (PDF): https://committee.iso.org/files/live/sites/jtc1sc27/files/resources/SC27%20COMMITTEE%20DOCUMENT%2011.pdf
[14] ISMS.online, "ISO 27002:2022, Security Controls. Complete Overview": https://www.isms.online/iso-27002/
[15] Untitled PDF: http://clean-ecology.com/Upload/files/39431062656.pdf
[16] Scribd, "XM The ISO 27000 Family of Standards 230516": https://www.scribd.com/document/698051303/Xm-the-ISO-27000-Family-of-Standards-230516
[17] ICT Institute, "ISO27002:2022 explained: Technological controls": https://ictinstitute.nl/iso270022022-explained-technological-controls/
[18] ISO27001security.com, "ISO/IEC 27005 risk management": https://www.iso27001security.com/html/27005.html
[19] ISO/IEC 27002:2022(en), ISO Online Browsing Platform: https://www.iso.org/obp/ui/es/
[20] ISO, "ISO/IEC DIS 27028": https://www.iso.org/standard/61007.html

Developing a taxonomy of Organization-Specific Attributes

Developing your taxonomy is a multi-step process that involves gathering information, brainstorming, refining, and validating. The goal is to create a set of labels (attributes) that allow you to slice, dice, and view your security controls from multiple, meaningful perspectives.

Step 1: Gather Foundational Inputs

Before you can define custom attributes, you must understand the landscape they need to describe. This involves collecting and analyzing key organizational documents. Think of this as gathering your raw materials.

  • Risk Register: This is your most important input. It tells you what you're trying to protect against. Your attributes should help you select controls that directly mitigate your top risks.

  • Asset Inventory: You need to know what you're protecting. A good inventory will classify assets by type (e.g., servers, laptops, cloud services) and criticality.

  • Business Process Maps: How does the organization create value? Understanding critical processes (like payment processing or patient data management) helps you link controls directly to business operations.

  • Compliance Requirements: Create a master list of all legal, regulatory, and contractual obligations (e.g., GDPR, PCI DSS, HIPAA, client contracts). Your attributes must be able to flag controls needed for compliance.

  • Stakeholder Analysis: Identify the people involved with controls: owners (accountable for the risk), implementers (responsible for building/configuring the control), and assessors (who monitor effectiveness).

Step 2: Start with the Standard, then Customize

Don't reinvent the wheel entirely. ISO/IEC 27002:2022 provides five default attributes that offer a great starting point. Understand them first, then build upon them.

  • ISO 27002 Default Attributes:

    • Control types: (e.g., #preventive, #detective, #corrective) - When and how the control modifies the risk in relation to an information security incident: before it occurs, while it occurs, or after it.

    • Information security properties: (e.g., #confidentiality, #integrity, #availability) - Which characteristic of information the control protects.

    • Cybersecurity concepts: (e.g., #identify, #protect, #detect, #respond, #recover) - How the control maps to the five functions of the cybersecurity framework described in ISO/IEC TS 27110.

    • Operational capabilities: (e.g., #governance, #asset_management) - Which practical security function the control belongs to.

    • Security domains: (e.g., #governance_and_ecosystem, #protection, #defence, #resilience) - A high-level categorization of the control's purpose.

Now, based on your Step 1 inputs, brainstorm organization-specific attributes that add the context your organization needs.

  • Brainstorming Categories:

    • Business Context: To link controls to operations.

      • Examples: Business Unit (e.g., Finance, HR, R&D), Applicable Business Process (e.g., Payroll, Client Onboarding), Strategic Objective Supported.
    • Asset & Data Context: To link controls to what they protect.

      • Examples: Asset Type (e.g., Cloud Database, User Endpoint, OT Sensor), Data Classification (e.g., Public, Internal, Confidential).
    • Compliance Context: To streamline audits and reporting.

      • Examples: Applicable Regulation (e.g., GDPR, CCPA, SOX), Audit Target (e.g., Internal Audit Q3, External Pen Test).
    • Responsibility Context: To clarify ownership. 🤝

      • Examples: Control Owner (e.g., Director of IT, Head of HR), Implementation Team (e.g., Network Ops, Cloud Engineering).
    • Implementation Context: To manage the control lifecycle.

      • Examples: Implementation Status (e.g., Implemented, Planned, Not Started), Automation Level (e.g., Manual, Automated, Hybrid).

Step 3: Define a Controlled Vocabulary

For each attribute, you must define a specific, limited set of possible values. This is crucial for consistency and reporting. Free-text fields are the enemy of a clean taxonomy.

This is the difference between:

  • Bad (Free Text): Applicable Regulation = "That EU privacy law"

  • Good (Controlled Vocabulary): Applicable Regulation = GDPR

Example Attribute & Value Set:

| Attribute | Controlled Values | Description |
|---|---|---|
| Data Classification | Public, Internal, Confidential, Restricted | The sensitivity level of data the control protects. |
| Implementation Status | Planned, In Progress, Implemented, Retired | The current lifecycle stage of the control. |
| Automation Level | Manual, Hybrid, Fully Automated | The degree to which the control operates without human intervention. |
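As an added example (not code from ISO/IEC TS 27028 or from this page's sources), the schema below turns the controlled vocabulary above into something a tool can enforce: each attribute declares its allowed values and whether it is single-valued (mutually exclusive) or multi-valued, a validator rejects free text and double assignments, and the accepted records can be filtered and counted for the kind of reporting Step 2 and the "Improved Reporting" point describe. The attribute names and value sets are the ones in the table, plus a multi-valued "Applicable Regulation" attribute from the Compliance Context list; the tagged records use real ISO/IEC 27002:2022 control identifiers but their tags are constructed sample data, two of them deliberately wrong.

```python
"""Controlled-vocabulary schema for organization-specific control attributes.

Added example; not code from ISO/IEC TS 27028. Attribute names and value sets
come from the table above plus one multi-valued "Applicable Regulation"
attribute. The records use real ISO/IEC 27002:2022 control identifiers, but
their tags are constructed sample data, two of them deliberately invalid.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    name: str
    values: frozenset
    multi_valued: bool = False  # False: the values are mutually exclusive


SCHEMA = {a.name: a for a in [
    Attribute("Data Classification",
              frozenset({"Public", "Internal", "Confidential", "Restricted"})),
    Attribute("Implementation Status",
              frozenset({"Planned", "In Progress", "Implemented", "Retired"})),
    Attribute("Automation Level",
              frozenset({"Manual", "Hybrid", "Fully Automated"})),
    Attribute("Applicable Regulation",
              frozenset({"GDPR", "PCI DSS", "HIPAA", "SOX"}), multi_valued=True),
]}


class TaggingError(ValueError):
    """Raised when a control's tags fall outside the controlled vocabulary."""


def validate(tags, schema=SCHEMA):
    """Check one control's tags against the schema and return them normalized.

    tags maps an attribute name to a value or a list of values. Rejects an
    unknown attribute, a value outside the vocabulary (i.e. free text), and
    more than one value for a single-valued attribute.
    """
    normalized = {}
    for name, raw in tags.items():
        attribute = schema.get(name)
        if attribute is None:
            raise TaggingError(f"unknown attribute {name!r}")
        values = [raw] if isinstance(raw, str) else list(raw)
        unknown = [v for v in values if v not in attribute.values]
        if unknown:
            raise TaggingError(f"{name}: {unknown} not in {sorted(attribute.values)}")
        if not attribute.multi_valued and len(values) != 1:
            raise TaggingError(f"{name}: exactly one value required, got {values}")
        normalized[name] = frozenset(values)
    return normalized


def validate_all(records, schema=SCHEMA):
    """Split a catalogue into accepted records and rejected ones (id -> reason)."""
    accepted, rejected = {}, {}
    for ident, tags in records.items():
        try:
            accepted[ident] = validate(tags, schema)
        except TaggingError as err:
            rejected[ident] = str(err)
    return accepted, rejected


def select(accepted, **criteria):
    """Identifiers of controls whose tags contain every attribute=value given."""
    return sorted(ident for ident, tags in accepted.items()
                  if all(value in tags.get(attr, ()) for attr, value in criteria.items()))


def status_report(accepted, regulation):
    """Implementation Status counts for the controls flagged for one regulation."""
    counts = Counter()
    for ident in select(accepted, **{"Applicable Regulation": regulation}):
        counts.update(accepted[ident]["Implementation Status"])
    return dict(counts)


# Constructed sample catalogue. 5.34 uses free text where a vocabulary value is
# required; 8.1 gives two values to a single-valued attribute.
RECORDS = {
    "5.12": {"Data Classification": "Confidential", "Implementation Status": "Implemented",
             "Automation Level": "Manual", "Applicable Regulation": ["GDPR", "PCI DSS"]},
    "8.13": {"Data Classification": "Restricted", "Implementation Status": "In Progress",
             "Automation Level": "Fully Automated", "Applicable Regulation": ["GDPR"]},
    "8.24": {"Data Classification": "Restricted", "Implementation Status": "Implemented",
             "Automation Level": "Hybrid", "Applicable Regulation": ["PCI DSS"]},
    "5.34": {"Data Classification": "Confidential", "Implementation Status": "Planned",
             "Applicable Regulation": "That EU privacy law"},
    "8.1": {"Data Classification": "Internal",
            "Implementation Status": ["Planned", "Implemented"]},
}

if __name__ == "__main__":
    accepted, rejected = validate_all(RECORDS)
    for ident, reason in rejected.items():
        print(f"rejected {ident}: {reason}")
    print("GDPR + Restricted:", select(accepted, **{"Applicable Regulation": "GDPR",
                                                  "Data Classification": "Restricted"}))
    print("GDPR status:", status_report(accepted, "GDPR"))
```

The validator is where the "free text is the enemy" rule becomes enforceable: the record tagged "That EU privacy law" is rejected with the list of permitted values, and the record with two Implementation Status values is rejected because that attribute was declared single-valued. Keeping the schema in one place also gives you the documentation Step 4 and the Communication section call for, since the allowed values and the exclusivity decision are stated next to each attribute rather than in a separate guide that drifts out of date.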

Step 4: Review, Refine, and Validate

Assemble a working group of the stakeholders you identified in Step 1 (IT, security, legal, business representatives). Present your draft taxonomy and ask critical questions:

  • Is it useful? Will this attribute help us make better risk decisions or select controls more easily?

  • Is it clear? Is the meaning of the attribute and its values unambiguous?

  • Is it sustainable? Can we realistically and consistently apply these attributes to our controls?

  • Is it lean? Are there redundant attributes? Can we combine any? Avoid "analysis paralysis" by keeping the taxonomy as simple as possible while still being effective.

The output of this step is a validated and agreed-upon taxonomy, ready for documentation.


By following these steps, you create a rich, multi-faceted taxonomy. This allows anyone in the organization—from a CISO wanting a high-level view of risk mitigation to an engineer selecting controls for a new system—to filter and understand security controls through a lens that is directly relevant to their role and responsibilities.