ISO 27002 Themes and Attributes
Themes
In ISO/IEC 27002:2022, the 93 controls are grouped into four themes, each corresponding to a clause of the standard:
- Organizational (Clause 5)
- People (Clause 6)
- Physical (Clause 7)
- Technological (Clause 8)
Attributes
Every control is tagged with a value for each of five attributes, which allow organizations to filter, sort and present the controls from different perspectives (for example, to list only detective controls or only controls that support availability). In the standard the attribute values are written as hashtags (such as #Preventive or #Confidentiality), and organizations may add their own attributes to suit their needs. The attributes and their possible values are:
1. Control Type Views controls from the perspective of when and how the control modifies risk with respect to the occurrence of an information security incident.
- Preventive (acts before an incident occurs)
- Detective (acts when an incident occurs)
- Corrective (acts after an incident has occurred)
2. Information Security Properties Views controls from the perspective of which characteristic of information the control contributes to preserving.
- Confidentiality
- Integrity
- Availability
3. Cybersecurity Concepts Views controls based on their association with the cybersecurity framework concepts defined in ISO/IEC TS 27110.
- Identify
- Protect
- Detect
- Respond
- Recover
4. Operational Capabilities Views controls from the practitioner’s perspective of information security capabilities.
- Governance
- Asset_management
- Information_protection
- Human_resource_security
- Physical_security
- System_and_network_security
- Application_security
- Secure_configuration
- Identity_and_access_management
- Threat_and_vulnerability_management
- Continuity
- Supplier_relationships_security
- Legal_and_compliance
- Information_security_event_management
- Information_security_assurance
5. Security Domains Views controls from the perspective of four high-level information security domains.
- Governance_and_Ecosystem
- Protection
- Defence
- Resilience