March 16, 2022

Last Updated on September 12, 2024

In the new ISO 27002:2022, each of the 93 controls is tagged with a series of attributes. What is the point of all this extra tagging? Doesn’t it just reintroduce complexity that restructuring the controls helped eliminate? How are we meant to use the ISO 27002 attributes to enhance our cybersecurity programs?

To explain all the changes in ISO 27002:2022, a recent episode of The Virtual CISO Podcast features Danny Manimbo and Ryan Mackie, Principals and ISO certification practice co-leads at Schellman. Hosting the show is John Verry, Pivot Point Security’s CISO and Managing Partner.

Introducing the new ISO 27002 attributes

ISO 27002 now offers five groups of attributes as part of the control taxonomy:

  1. Control type: preventive, detective, corrective
  2. Information security properties: confidentiality, integrity, availability (the familiar CIA triad)
  3. Cybersecurity concepts: identify, detect, protect, respond, recover (perfect for cross-referencing the NIST Cybersecurity Framework)
  4. Operational capabilities: application security, asset management, continuity, governance, human resource security, identity and access management, information protection, information security assurance, information security event management, legal and compliance, physical security, secure configuration, system and network security, supplier relationships security, threat and vulnerability management
  5. Security domains: defense, governance and ecosystem, protection and resilience

Each control is assigned attributes from the above five groups. The attributes are often written as #hashtags, probably more for searchability than to garner attention on social media.

Using the ISO 27002 attributes

Danny offers some guidance on how to make the ISO 27002 attributes work for you. (ISO does, too, in Annex A of the new standard.)

“It’s a lot of information,” Danny acknowledges. “You look at the table, there’s several columns for each control, and they’ve got all these attributes. What am I supposed to do with these? But I think if you break them down in silos, you can determine how they might work for you.”

Danny continues: “The attributes are actually my favorite part of the new ISO 27002 standard because they’re generic enough to be used by anybody. You can also customize them. They are meant to be tools to assist with what are you using the controls for, right? You’re using them to mitigate risks identified through your risk assessment process. You’re using them through your risk treatment process. If you’re new to ISO, you’re using them to assist with the controls implementation process if you have a new management system. So, this now breaks it down to where you can filter, sort, and present these controls to different audiences to [help explain] what you’re doing.

“For example, the control type attributes are cool because they breaks down whether a control is preventative, detective, or corrective. Pretty straightforward. But it takes the guesswork out when you’re going through the risk mitigation process, especially if you’re new to ISO. Do we only have detective controls here? Do I need to evaluate and determine if there are any preventative controls or corrective controls that we need to add to this process as well? So, it really does keep you honest in terms of ensuring when you’re looking at that inventory of control that you have, that they’re versatile enough to accomplish the task, which is mitigating that risk sufficiently,” says Danny.

Similarly, the information security properties attributes mirror the CIA capabilities that are part of the risk assessment. Again, having the attributes already assigned to the controls takes the guesswork out of the process. ISO has already done the analysis for you. The standard tells you, for example, that a control pertains to availability, or confidentiality, or a combination of all three. This is intended to help streamline your risk assessment efforts.

ISO has done the heavy lifting

With new taxonomic tools like attributes, mappings and other new information that comes with ISO 27002, the new version is intended to provide what Danny calls “a holistic toolset to really optimize your ISMS.”

“If your ISMS has been staying up to date with technological trends, changes in regulations and things like GDPR, it should be well positioned to absorb this change,” asserts Danny. “But I think it’s going to benefit not just newer folks, but folks who are transitioning, too.”

The new ISO 27002:2022 offers additional visibility and insight into each control, helping certified organizations take a deeper look at their ISMS with an eye on identifying ways to make improvements.

“It takes out the guesswork, which I think is nice,” Danny adds. “Because ISO’s already done that heavy lifting for you.”

The new tools also make it much easier to align your ISMS with other cyber frameworks you may need to conform to, like the NIST Cybersecurity Framework for critical infrastructure or NIST 800-171 for defense suppliers.

What’s next?

To catch the full podcast episode ISO 27002:2022 with experts from Schellman, click here.

What will the coming ISO 27001 update mean for your organization? John Verry shares his view in this blog post: What the New ISO 27001:2021 Release Will Mean to You