richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
iso27diy-corp/metadata/themes-and-attributes-in-iso-27002.md

67 lines
No EOL
4.1 KiB
Markdown
Raw Permalink Blame History

# Themes and Attributes in ISO 27002
## Themes
In ISO 27002, controls are categorized into four main themes:
* **Organizational** (Clause 5 - all controls numbered 5.n)
* **People** (Clause 6 - all controls numbered 6.n)
* **Physical** (Clause 7 - all controls numbered 7.n)
* **Technological** (Clause 8 - all controls numbered 8.n)
## Attributes
Every control is associated with five attributes, which allow organizations to view and categorize the controls from different perspectives. The attributes and their possible values are:
### Information Security Properties
Views controls from the perspective of which characteristic of information the control contributes to preserving.
* Confidentiality
* Integrity
* Availability
### Control Type
Views controls from the perspective of when and how the control modifies risk regarding the occurrence of an information security incident.
* Preventive
* Detective
* Corrective
### 3. Cybersecurity Concepts
Based on the cybersecurity framework concepts defined in ISO/IEC TS 27110.
|**Attribute**|**Description**|**Purpose**|**Control Examples**|
|---|---|---|---|
|**Identify**|Activities to understand the business context, the resources that support critical functions, and the related risks.|To develop the organizational understanding to manage risk to systems, assets, data, and capabilities.|Inventory of information (5.9), Risk assessment (5.1), Identification of legal requirements (5.31).|
|**Protect**|Safeguards to ensure the delivery of critical infrastructure services and limit the impact of a potential security event.|To prevent or contain the impact of a potential cybersecurity event.|Access control (8.3), Information encryption (8.24), Secure authentication (8.5), Physical security (7.1).|
|**Detect**|Activities to identify the occurrence of a cybersecurity event in a timely manner.|To enable timely discovery of security events to minimize damage.|Logging (8.15), Monitoring activities (8.16), Intrusion detection (8.1).|
|**Respond**|Actions taken regarding a detected cybersecurity incident to contain its impact.|To take action once an incident is discovered to keep it from spreading or getting worse.|Incident response planning (5.24), Reporting events (5.25), Incident management (5.26).|
|**Recover**|Activities to restore any capabilities or services that were impaired due to a cybersecurity incident.|To restore "business as usual" and support timely resilience.|Backup (8.13), ICT readiness for business continuity (5.30), Post-incident learning.|
### 4. Operational Capabilities
The Operational Capabilities help practitioners understand the functional area a control belongs to.
|**Capability**|**Description**|
|---|---|
|**Governance**|Policies, frameworks, and management oversight.|
|**Asset Management**|Identification and protection of information assets and hardware.|
|**Information Protection**|Technical and organizational measures to keep data secure.|
|**Human Resource Security**|Security relating to the lifecycle of employment (hiring to termination).|
|**Physical Security**|Protecting physical premises, equipment, and facilities.|
|**System and Network Security**|Hardening infrastructure, managing traffic, and securing connections.|
|**Application Security**|Security within software development and business applications.|
|**Secure Configuration**|Standardizing settings for hardware, software, and services.|
|**Identity and Access Management**|Managing who can access what (IAM).|
|**Threat and Vulnerability Management**|Identifying risks and patching security holes.|
|**Continuity**|Resilience and recovery planning for disruptions.|
|**Supplier Relationships Security**|Managing risks from third parties and the supply chain.|
|**Legal and Compliance**|Meeting laws, regulations, and contractual obligations.|
|**Information Security Assurance**|Auditing and monitoring to ensure controls are working.|
|**Information Security Incident Management**|Detecting and responding to security events.|
### 5. Security Domains
Views controls from the perspective of four high-level information security domains.
* Governance_and_Ecosystem
* Protection
* Defence
* Resilience
Reference in a new issue View git blame Copy permalink