ISO 27002 Themes and Attributes
Themes
In ISO 27002, controls are categorized into four main themes:
- Organizational (Clause 5)
- People (Clause 6)
- Physical (Clause 7)
- Technological (Clause 8)
Attributes
Every control is associated with five attributes, which allow organizations to view and categorize the controls from different perspectives. The attributes and their possible values are:
1. Control Type
Views controls from the perspective of when and how the control modifies risk regarding the occurrence of an information security incident.
- Preventive
- Detective
- Corrective
2. Information Security Properties
Views controls from the perspective of which characteristic of information the control contributes to preserving.
- Confidentiality
- Integrity
- Availability
3. Cybersecurity Concepts
Based on the cybersecurity framework concepts defined in ISO/IEC TS 27110.
| Attribute | Description | Purpose | Control Examples |
|---|---|---|---|
| Identify | Activities to understand the business context, the resources that support critical functions, and the related risks. | To develop the organizational understanding to manage risk to systems, assets, data, and capabilities. | Inventory of information (5.9), Risk assessment (5.1), Identification of legal requirements (5.31). |
| Protect | Safeguards to ensure the delivery of critical infrastructure services and limit the impact of a potential security event. | To prevent or contain the impact of a potential cybersecurity event. | Access control (8.3), Information encryption (8.24), Secure authentication (8.5), Physical security (7.1). |
| Detect | Activities to identify the occurrence of a cybersecurity event in a timely manner. | To enable timely discovery of security events to minimize damage. | Logging (8.15), Monitoring activities (8.16), Intrusion detection (8.1). |
| Respond | Actions taken regarding a detected cybersecurity incident to contain its impact. | To take action once an incident is discovered to keep it from spreading or getting worse. | Incident response planning (5.24), Reporting events (5.25), Incident management (5.26). |
| Recover | Activities to restore any capabilities or services that were impaired due to a cybersecurity incident. | To restore "business as usual" and support timely resilience. | Backup (8.13), ICT readiness for business continuity (5.30), Post-incident learning. |
4. Operational Capabilities
The Operational Capabilities help practitioners understand the functional area a control belongs to.
| Capability | Description |
|---|---|
| Governance | Policies, frameworks, and management oversight. |
| Asset Management | Identification and protection of information assets and hardware. |
| Information Protection | Technical and organizational measures to keep data secure. |
| Human Resource Security | Security relating to the lifecycle of employment (hiring to termination). |
| Physical Security | Protecting physical premises, equipment, and facilities. |
| System and Network Security | Hardening infrastructure, managing traffic, and securing connections. |
| Application Security | Security within software development and business applications. |
| Secure Configuration | Standardizing settings for hardware, software, and services. |
| Identity and Access Management | Managing who can access what (IAM). |
| Threat and Vulnerability Management | Identifying risks and patching security holes. |
| Continuity | Resilience and recovery planning for disruptions. |
| Supplier Relationships Security | Managing risks from third parties and the supply chain. |
| Legal and Compliance | Meeting laws, regulations, and contractual obligations. |
| Information Security Assurance | Auditing and monitoring to ensure controls are working. |
| Information Security Incident Management | Detecting and responding to security events. |
5. Security Domains
Views controls from the perspective of four high-level information security domains.
- Governance_and_Ecosystem
- Protection
- Defence
- Resilience