# ISO 27002 Themes and Attributes

## Themes

In ISO/IEC 27002:2022, the 93 controls are grouped into four themes, each occupying one clause of the standard:

* **Organizational** (Clause 5)
* **People** (Clause 6)
* **Physical** (Clause 7)
* **Technological** (Clause 8)

## Attributes

Every control is tagged with five attributes, which let an organization filter and group the controls from different perspectives (for example, to list every detective control, or every control that supports availability). A control may carry more than one value for the same attribute. The standard writes attribute values as hashtags (e.g. `#Preventive`, `#Asset_management`), which is why the multi-word values below are joined with underscores. The attributes and their possible values are:

**1. Control Type**

Views controls from the perspective of when and how the control modifies risk with respect to the occurrence of an information security incident.

* Preventive
* Detective
* Corrective

**2. Information Security Properties**

Views controls from the perspective of which characteristic of information the control helps to preserve.

* Confidentiality
* Integrity
* Availability

**3. Cybersecurity Concepts**

Views controls by their association with the cybersecurity framework concepts defined in ISO/IEC TS 27110.

* Identify
* Protect
* Detect
* Respond
* Recover

**4. Operational Capabilities**

Views controls from the practitioner's perspective of information security capabilities.

* Governance
* Asset_management
* Information_protection
* Human_resource_security
* Physical_security
* System_and_network_security
* Application_security
* Secure_configuration
* Identity_and_access_management
* Threat_and_vulnerability_management
* Continuity
* Supplier_relationships_security
* Legal_and_compliance
* Information_security_event_management
* Information_security_assurance

**5. Security Domains**

Views controls from the perspective of four high-level information security domains.

* Governance_and_Ecosystem
* Protection
* Defence
* Resilience