Expert Advice Community

New control names

Guest user Created: Oct 21, 2022 Last commented: Oct 21, 2022
Hi Dejan, just wanted to send you a thank-you e-mail regarding the webinar today; it was the best explanation I have come across since the new ISO 27001:2022 emerged. One thing I wanted to ask, hopefully others could benefit from this too: I have read somewhere the new control names will be divided into:

1. Detective Control
2. Corrective control
3. Preventive control

Is this true? And is this just a general description or a mandatory part of the change, as in do these names have to be mentioned after each control on the SoA?


Expert
Rhand Leal Oct 21, 2022

First, it is important to note that such classifications are defined only in ISO 27002, and using them is not mandatory to be compliant with ISO 27001.

Considering that, these classifications are known in ISO 27002 as control attributes, and they provide a standardized way to sort and filter controls against different views to address the needs of different groups. 

The detective, corrective and preventive attributes belong to the “control type” attribute category. ISO 27002 provides four other categories that can be used instead of “control type” to sort controls:

  • Information security properties: Confidentiality, Integrity, and Availability
  • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
  • Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
  • Security domains: Governance and ecosystem, Protection, Defense, and Resilience

For example, control 5.1 Policies for Information Security, in its Control type attribute, is classified as preventive, while its Concept attribute is identify. As for control 7.4 Physical Security Monitoring, its Control type attribute is preventive and detective, while its Concept attribute is protect and detect.

For further information, see:

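To make the "sort and filter controls against different views" idea concrete, here is a small added example (not code from the original thread or from ISO): a control register that carries the Control type and Concept attributes, functions that filter it or regroup it into a per-attribute view, and a Statement of Applicability builder in which the attribute columns are optional, since ISO 27001 does not require them. The classifications of 5.1 and 7.4 are those stated in the answer above; the entries for 5.24 and 8.8 are assumptions added for illustration and should be checked against the ISO 27002:2022 text before being relied on.

```python
from collections import defaultdict
from dataclasses import dataclass

# Attribute vocabularies as named in ISO 27002:2022 (the standard writes them
# with a '#' prefix, e.g. #Preventive; the prefix is dropped here).
CONTROL_TYPES = ("Preventive", "Detective", "Corrective")
CONCEPTS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    control_type: frozenset  # subset of CONTROL_TYPES
    concepts: frozenset      # subset of CONCEPTS

    def __post_init__(self):
        # Reject values outside the standard's vocabulary so that a typo in a
        # spreadsheet export cannot silently create a new "view".
        bad_types = self.control_type - set(CONTROL_TYPES)
        if bad_types:
            raise ValueError(f"{self.ident}: unknown control type {sorted(bad_types)}")
        bad_concepts = self.concepts - set(CONCEPTS)
        if bad_concepts:
            raise ValueError(f"{self.ident}: unknown concept {sorted(bad_concepts)}")


def control(ident, name, types, concepts):
    return Control(ident, name, frozenset(types), frozenset(concepts))


CONTROLS = [
    # 5.1 and 7.4: classifications as stated in the answer above.
    control("5.1", "Policies for information security",
            ["Preventive"], ["Identify"]),
    control("7.4", "Physical security monitoring",
            ["Preventive", "Detective"], ["Protect", "Detect"]),
    # 5.24 and 8.8: assumed classifications (not given on this page); verify
    # them against ISO 27002:2022 before using them in a real register.
    control("5.24", "Information security incident management planning and preparation",
            ["Corrective"], ["Respond", "Recover"]),
    control("8.8", "Management of technical vulnerabilities",
            ["Preventive"], ["Identify", "Protect"]),
]


def filter_by(controls, attribute, value):
    """Return the identifiers of the controls carrying `value` in `attribute`."""
    return [c.ident for c in controls if value in getattr(c, attribute)]


def view(controls, attribute):
    """Group the same control set under every value of one attribute category.

    This is the "different views" idea: e.g. the incident response team asks
    for the Respond/Recover view, the architecture team for the Preventive one.
    """
    groups = defaultdict(list)
    for c in controls:
        for value in getattr(c, attribute):
            groups[value].append(c.ident)
    return {value: sorted(idents) for value, idents in sorted(groups.items())}


def soa_rows(controls, decisions, include_attributes=False):
    """Build Statement of Applicability rows.

    `decisions` maps a control id to (applicable, justification); controls
    without an entry default to applicable with an empty justification.
    The attribute columns are optional because ISO 27001 does not require
    them in the SoA; they are appended only when explicitly requested.
    """
    rows = []
    for c in controls:
        applicable, justification = decisions.get(c.ident, (True, ""))
        row = {"control": c.ident, "name": c.name,
               "applicable": applicable, "justification": justification}
        if include_attributes:
            row["control_type"] = sorted(c.control_type)
            row["concepts"] = sorted(c.concepts)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Constructed SoA decision for demonstration only.
    decisions = {"7.4": (False, "No physical premises; all workloads are cloud hosted")}
    print("Detective controls:", filter_by(CONTROLS, "control_type", "Detective"))
    print("Concept view:", view(CONTROLS, "concepts"))
    for row in soa_rows(CONTROLS, decisions, include_attributes=True):
        print(row)
```

The `__post_init__` check is the part worth keeping in a real register: attribute values are only useful for filtering if everyone spells them the same way, so the register should refuse anything outside the standard's vocabulary rather than let "Preventative" become a fourth control type.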