Themes and Attributes in ISO 27002

Themes

In ISO 27002, controls are categorized into four main themes:

Organizational (Clause 5 - all controls numbered 5.n)
People (Clause 6 - all controls numbered 6.n)
Physical (Clause 7 - all controls numbered 7.n)
Technological (Clause 8 - all controls numbered 8.n)

Attributes

Every control is associated with five attributes, which allow organizations to view and categorize the controls from different perspectives. The attributes and their possible values are:

Information Security Properties

Views controls from the perspective of which characteristic of information the control contributes to preserving.

Confidentiality
Integrity
Availability

Control Type

Views controls from the perspective of when and how the control modifies risk regarding the occurrence of an information security incident.

Preventive
Detective
Corrective

3. Cybersecurity Concepts

Based on the cybersecurity framework concepts defined in ISO/IEC TS 27110.

Attribute	Description	Purpose	Control Examples
Identify	Activities to understand the business context, the resources that support critical functions, and the related risks.	To develop the organizational understanding to manage risk to systems, assets, data, and capabilities.	Inventory of information (5.9), Risk assessment (5.1), Identification of legal requirements (5.31).
Protect	Safeguards to ensure the delivery of critical infrastructure services and limit the impact of a potential security event.	To prevent or contain the impact of a potential cybersecurity event.	Access control (8.3), Information encryption (8.24), Secure authentication (8.5), Physical security (7.1).
Detect	Activities to identify the occurrence of a cybersecurity event in a timely manner.	To enable timely discovery of security events to minimize damage.	Logging (8.15), Monitoring activities (8.16), Intrusion detection (8.1).
Respond	Actions taken regarding a detected cybersecurity incident to contain its impact.	To take action once an incident is discovered to keep it from spreading or getting worse.	Incident response planning (5.24), Reporting events (5.25), Incident management (5.26).
Recover	Activities to restore any capabilities or services that were impaired due to a cybersecurity incident.	To restore "business as usual" and support timely resilience.	Backup (8.13), ICT readiness for business continuity (5.30), Post-incident learning.

4. Operational Capabilities

The Operational Capabilities help practitioners understand the functional area a control belongs to.

Capability	Description
Governance	Policies, frameworks, and management oversight.
Asset Management	Identification and protection of information assets and hardware.
Information Protection	Technical and organizational measures to keep data secure.
Human Resource Security	Security relating to the lifecycle of employment (hiring to termination).
Physical Security	Protecting physical premises, equipment, and facilities.
System and Network Security	Hardening infrastructure, managing traffic, and securing connections.
Application Security	Security within software development and business applications.
Secure Configuration	Standardizing settings for hardware, software, and services.
Identity and Access Management	Managing who can access what (IAM).
Threat and Vulnerability Management	Identifying risks and patching security holes.
Continuity	Resilience and recovery planning for disruptions.
Supplier Relationships Security	Managing risks from third parties and the supply chain.
Legal and Compliance	Meeting laws, regulations, and contractual obligations.
Information Security Assurance	Auditing and monitoring to ensure controls are working.
Information Security Incident Management	Detecting and responding to security events.

5. Security Domains

Views controls from the perspective of four high-level information security domains.

Governance_and_Ecosystem
Protection
Defence
Resilience

4.1 KiB Raw Blame History