New control names
Hi Dejan, I just wanted to send you a thank-you e-mail regarding the webinar today. It was the best explanation I have come across since the new ISO 27001:2022 emerged. One thing I wanted to ask; hopefully others could benefit from this too. I have read somewhere that the new control names will be divided into:
1. Detective Control
2. Corrective control
3. Preventive control
Is this true? And is this just a general description or a mandatory part of the change, as in, do these names have to be mentioned after each control on the SOA?
First, it is important to note that such classifications are defined only in ISO 27002, and it is not mandatory to use them to be compliant with ISO 27001.
Considering that, these classifications are known in ISO 27002 as control attributes, and they provide a standardized way to sort and filter controls against different views to address the needs of different groups.
The detective, corrective and preventive attributes belong to the “control type” attribute category. ISO 27002 provides four other categories that can be used instead of “control type” to sort controls:
- Information security properties: Confidentiality, Integrity, and Availability
- Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
- Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
- Security domains: Governance and ecosystem, Protection, Defense, and Resilience
For example, control 5.1 Policies for Information Security is classified as preventive in its Control type attribute, while its Concept attribute is identify. As for control 7.4 Physical Security Monitoring, it is classified as preventive and detective in its Control type attribute, while its Concept attribute is protect and detect.
For further information, see:
- Main changes in the new ISO 27002 2022 revision https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/
Oct 21, 2022