ISO/IEC 27028 Control attributes DIS

An updated Draft International Standard ISO/IEC 27028 has been released to ISO/IEC JTC 1/SC 27 for voting by early February 2026.

I have been expecting a 'Technical Specification' rather than full International Standard but maybe I missed the memo. Not to worry.

The DIS is in good shape. So far I spotted just a few minor grammatical issues and concerns about terminology (risk tolerance denotes a different concept to risk appetite, - these are not synonyms; likewise for 'cost' and 'value') but, overall, I feel this will be one of the most creative additions to ISO27k in quite a while - thanks to whoever it was that suggested using 'attributes' and 'themes' to reorganise the controls in ISO/IEC 27002.