Infosec control attributes

  • Gary Hinson
  • Nov 29
  • 2 min read

ISO/IEC TS 27028 moved a step closer to publication by passing a vote at DIS stage.


When released in the middle of 2026, the standard will have a new title that no longer mentions ISO/IEC 27002:

Guideline on using information security control attributes

and a succinct scope:

This document provides guidance on the use of information security control attributes. The guidance given in this document is generic and is intended to be applicable to all organizations, regardless of type, size, or nature.

The idea of tagging infosec controls in ISO/IEC 27002:2022, the current third edition, with control attributes arose during the committee's deliberations concerning how best to organise the controls from the 2013 second edition. It allowed the committee to agree on the document structure with the ~93 controls split across four 'themes' (organisational, people, physical, technological), while also providing other useful ways to characterise and group them (e.g. preventive, detective, corrective).


The 'themes' are not entirely orthogonal or distinct, so several controls could have been placed under more than one theme, perhaps with minor wording changes to emphasise different aspects. That meant somewhat arbitrary committee decisions when assigning controls to particular themes, in order to document each control just once. A padlock, for instance, is both physical and technological, with associated processes that involve people.


The attributes identify additional control characteristics, sometimes with multiple values of each attribute type, e.g.

[figure: attribute values for the supplier relationship security control]

So, the supplier relationship security control, for instance, is concerned with information confidentiality, integrity and availability, and with governance and protection: it isn't arbitrarily assigned to just one of those values of each type.

Control 5.19 could therefore be identified by someone systematically searching or filtering the '27002 controls for relevant guidance on integrity and governance, or availability, or ... various other permutations and combinations, according to their particular security needs.
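The filtering the post describes can be modelled with a catalogue in which each control carries a set of values per attribute type. The example below is added here and is not code from the post, from ISO/IEC 27002 or from ISO/IEC TS 27028; control 5.19's values follow the post, while the other two entries, every "control_type" value and the attribute type names are constructed for illustration.

```python
"""Added example: a small control catalogue tagged with multi-valued
attributes, plus a query that filters controls by combinations of
attribute values (OR within an attribute type, AND across types)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    # attribute type -> set of values; a control may carry several values
    # of one type (e.g. both "governance" and "protection").
    attributes: dict[str, frozenset[str]]


def control(ident: str, name: str, **attrs: set[str]) -> Control:
    return Control(ident, name, {k: frozenset(v) for k, v in attrs.items()})


# Constructed sample catalogue. 5.19's values are those given in the post;
# X.1, X.2 and all "control_type" values are assumptions for illustration.
CATALOGUE = [
    control("5.19", "Supplier relationship security",
            properties={"confidentiality", "integrity", "availability"},
            domains={"governance", "protection"}),
    control("X.1", "Constructed example: backup restore testing",
            control_type={"corrective"},
            properties={"integrity", "availability"},
            domains={"protection"}),
    control("X.2", "Constructed example: badge-controlled entry",
            control_type={"preventive"},
            properties={"confidentiality"},
            domains={"protection"}),
]


def matches(ctrl: Control, criteria: dict[str, set[str]]) -> bool:
    """True when, for every attribute type named in criteria, the control
    carries at least one of the wanted values. A control lacking that
    attribute type does not match, so untagged controls never slip through."""
    for attr_type, wanted in criteria.items():
        have = ctrl.attributes.get(attr_type, frozenset())
        if not have & set(wanted):
            return False
    return True


def filter_controls(catalogue: list[Control], **criteria: set[str]) -> list[str]:
    """Identifiers of the controls satisfying all the given criteria."""
    return [c.ident for c in catalogue if matches(c, criteria)]
```

For instance, `filter_controls(CATALOGUE, properties={"integrity"}, domains={"governance"})` returns only 5.19, whereas `properties={"availability"}` alone also picks up X.1.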

© 2025 IsecT Limited 
