Attributes Table in 2022 version
I took part in your recent "Discover Best-in-class Practices for ISO 27001 Risk Assessment live virtual training". No mention was made of the new Attributes Table in the 2022 version - the text of the Standard would appear to indicate that their use is not compulsory? Can you please clarify and if not mandatory what is their purpose? Many thanks
Please note that “attributes” are defined in ISO 27002, whose application is not mandatory for implementation of ISO 27001.
ISO 27002 is a supporting standard that provides guidance for the implementation of ISO 27001 Annex A controls, and the attributes’ purpose is to help organizations sort controls according to specific criteria:
- Control types: Preventive, Detective, and Corrective
- Information security properties: Confidentiality, Integrity, and Availability
- Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
- Operational capabilities: Governance, Asset Management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
- Security domains: Governance and ecosystem, Protection, Defense, and Resilience
For example, if an organization’s control implementation strategy is to consider a “type” approach, then the attribute can help the organization identify which controls have a preventive approach.
For further information, see:
- Main changes in the new ISO 27002 2022 revision https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/
Apr 28, 2023