Infomation security control attributes

Today I published a 20-page white paper about 'control attributes', inspired by those presented in ISO/IEC 27002:2022

The concept behind the paper has been quietly brewing for a couple of months or more, taking the past few weeks to crystallise into words in a form that I'm happy to share publicly.

In a nutshell, 'attributes' are characteristics or features that can be used to categorise, sort or rank information security controls by various criteria. That simplistic concept turns out to unlock some powerful possibilities, described pragmatically in the paper. 

It's a more innovative and valuable technique than it may appear.

Along the way, I regret inadvertently upsetting the team of JTC 1/SC 27 editors working on ISO/IEC 27028 by sharing an incomplete draft with them in the hope it might become the basis of the initial draft of the new standard.  

During a Zoom meeting. At 3:00am, NZ time. I wasn't at my best. Ooops.

Anyway, now the paper is published, I'm hoping to prompt debate and insightful comments, gathering useful feedback and especially improvement suggestions from readers, leading in turn to a better document to submit (through the proper process, this time!) to the SC 27 project team. We may unfortunately have missed our opportunity to deliver a complete 'donor document' to use as the first working draft of the new standard but all is not lost. The paper's suggestions on how to use attributes will, I hope, make a substantial contribution to the second working draft, and in time inform the issued standard.

It is published under a Creative Commons licence. Exposure, discussion and insightful comment is what I'm after so, in addition to this blog, I have notified the 4,500 members of the ISO27k Forum about the paper and released it to an unknown number of LinkeDinners.

Care to join the gang? Download the latest version of the paper here.  It is refined and updated occasionally, hence it may never be 'finished'.

Share and discuss it with your peers and colleagues.

Rip it to shreds. 

 

Find creative angles to expand on it. 

 

Imagine even better ways to milk every last drop of value from those control attributes.

Then email me: Gary@isect.com

 

The first working draft of ISO/IEC 27028 accompanying a formal proposal for SC 27 to develop the standard is due out this month for voting and comments by mid-April.

PS  A while (7 years!) ago, I blogged about a suggestion to evaluate the organisation's information security budget according to the proportions of spending on preventive, detective and corrective controls. I was unimpressed with the low PRAGMATIC value of the metric ... but nevertheless the idea of using control attributes to review budgets remains intriguing.