Attributes Table in 2022 version

 Please note that “attributes” are defined in ISO 27002, which application is not mandatory for implementation of ISO 27001.

ISO 27002 is a supporting standard that provides guidance for the implementation of ISO 27001 Annex A controls, and the attributes’ purpose is to help organizations sort controls according to specific criteria:

• Control types: Preventive, Detective, and Corrective
• Information security properties: Confidentiality, Integrity, and Availability
• Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
• Operational capabilities: Governance, Asset Management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
• Security domains: Governance and ecosystem, Protection, Defense, and Resilience

For example, if an organization’s control implementation strategy is to consider a “type” approach, then the attribute can help the organization identifies which controls have a preventive approach.

For further information, see:

• Main changes in the new ISO 27002 2022 revision https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/