ISO/IEC TS 27028

ISO/IEC TS 27028 — Information security, cybersecurity and privacy protection — Guidance on ISO/IEC 27002 attributes

[DRAFT]

Abstract

ISO/IEC TS 27028 "provides guidance on the use and development of attributes aligned to ISO/IEC 27002:2022.”


[Source: ISO/IEC JTC 1/SC 27 Committee Doc 11, May 2025]

Introduction

ISO/IEC 27002:2022 introduced a new structure for the information security controls, based around ‘themes’ and ‘attributes’, noting that organisations may prefer to use their own attributes as well or instead. ISO/IEC 27028 will explain how to do that, in practice, suggesting a variety of attributes with which to classify or characterise, select or design information security controls in various ways for various information security and business management purposes.

Scope

The standard will expand upon the control attributes from ISO/IEC 27002, providing practical guidance on how to use the specified attributes and how to develop additional attributes and attribute values where appropriate.

Structure

Main sections (from the Committee Draft):

  • 5: Overview on attribute approach
  • 6: Additional attributes

Some 17 attributes are suggested in addition to those in ISO/IEC 27002, and there is advice on extending the approach to other controls and other attributes.

Status

Work started on this project in 2021.


It will be a Technical Specification rather than a full International Standard since the approach is innovative and not yet proven by experience.


Structural and content comments on the Draft International Standard, plus revision of the title (becoming “Guideline on using information security control attributes”) and scope (“This document provides guidance on the use of information security control attributes. The guidance set out in this document is generic and is intended to be applicable to all organizations, regardless of type, size, or nature.”), mean another DIS version is in preparation, necessitating an extension to the project timescale. The standard is now unlikely to be published until the second half of 2026.

Commentary

There has been significant interest and support for the control attributes concept from ISO/IEC JTC 1/SC 27. When it is finally published, ISO/IEC TS 27028 will be a valuable contribution to the field, expanding on the value and utility of ISO/IEC 27002.


Meanwhile, a free guideline in the ISO27k Toolkit explains how control attributes can be used creatively within an ISO27k ISMS, or indeed any other information risk-based framework that involves mitigating unacceptable risks using appropriate information security controls. Thinking about which attributes or characteristics of controls are relevant, plus the importance of the corresponding attribute values or parameters, helps round off the analysis and select or design appropriate controls. As usual, exploring objectives in detail generates insight that leads to a more successful outcome.

This page last updated:

6 November 2025

© 2025 IsecT Limited 
