Security control categories and attributes

On LinkedIn this morning, Morten Ingvard asked:

"As part of updating and reshaping some parts of our information security management system (ISMS), I'm not convinced that the new categorization of controls in ISO/IEC 27002:2022 (Organizational, people, physical and technical), is the best suit for our organization to rationally identify relevant controls for their work. I understand there is an increased focus on the use of attribution - so controls can be selected based on different perspectives, but I want to have a "default view" that the organization can read and understand, and currently, I'm strongly considering sticking with a categorization structure looking more like the older 2013-version in ISO/IEC 27001."

Here's my response to Morten:

"The categories are primarily a convenient way to sequence the controls in the standard. It was the 'default view' selected by ISO/IEC JTC1/SC27.

Some controls could legitimately belong in more than one category, so they were arbitrarily assigned to whichever category seemed 'most appropriate' simply to avoid duplicating them.

Aside from the categories, the control attributes show various other ways to characterise and group related controls ... and SC27 is currently drafting ISO/IEC 27028 with yet more possible attributes to consider. The idea is to make it easier for us to refine the long list of controls for particular purposes. For example, we might be looking for cheap preventive controls that don't involve technology, or strong, reliable access controls regardless of cost, or whatever. Sorting and filtering the controls by the corresponding attributes should lead us to the most likely candidates. Attributes could also be used to check that we have at least considered all relevant types of control when designing or reviewing information processes and systems e.g. have we incorporated any/sufficient resilience controls?

Restructure and use the standard as you wish, for your own purposes!"
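To make the "sort and filter by attribute" idea concrete, here is an added example (my own illustration, not part of the original post, the standard, or ISO/IEC 27028). It models a handful of ISO/IEC 27002:2022 controls as records tagged with the standard's category plus attribute values, then answers the two kinds of question raised above: "give me cheap preventive controls that don't involve technology" (a filter), and "have we at least considered every cybersecurity concept / control type?" (a coverage check). The attribute assignments and the `cost` tag are my own for illustration; `cost` is a user-defined attribute of the kind 27028 may add, not one of the 27002:2022 attribute sets, and the catalogue is a constructed subset, so check values against the published standard before relying on them.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Attribute vocabularies. The first four are the ISO/IEC 27002:2022 value sets
# (abridged to the ones used below); "cost" is a user-defined attribute added
# here purely for illustration.
ATTRIBUTE_VALUES: Dict[str, FrozenSet[str]] = {
    "control_type": frozenset({"Preventive", "Detective", "Corrective"}),
    "property": frozenset({"Confidentiality", "Integrity", "Availability"}),
    "concept": frozenset({"Identify", "Protect", "Detect", "Respond", "Recover"}),
    "domain": frozenset({"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"}),
    "cost": frozenset({"Low", "Medium", "High"}),  # user-defined, illustrative
}
CIA = {"Confidentiality", "Integrity", "Availability"}


@dataclass(frozen=True)
class Control:
    ref: str          # clause number in ISO/IEC 27002:2022
    name: str
    category: str     # organizational | people | physical | technological
    attrs: Dict[str, FrozenSet[str]]


def ctl(ref: str, name: str, category: str, **attrs: Iterable[str]) -> Control:
    """Build a Control, normalising every attribute value list to a frozenset."""
    return Control(ref, name, category, {k: frozenset(v) for k, v in attrs.items()})


# Constructed mini-catalogue: real control numbers/names, but the attribute
# tagging is mine for this example and not copied from the standard.
CATALOGUE: List[Control] = [
    ctl("5.15", "Access control", "organizational",
        control_type={"Preventive"}, property=CIA, concept={"Protect"}, domain={"Protection"}, cost={"Medium"}),
    ctl("5.30", "ICT readiness for business continuity", "organizational",
        control_type={"Corrective"}, property={"Availability"}, concept={"Respond"}, domain={"Resilience"}, cost={"High"}),
    ctl("6.3", "Information security awareness, education and training", "people",
        control_type={"Preventive"}, property=CIA, concept={"Protect"}, domain={"Governance_and_Ecosystem"}, cost={"Low"}),
    ctl("7.1", "Physical security perimeters", "physical",
        control_type={"Preventive"}, property=CIA, concept={"Protect"}, domain={"Protection"}, cost={"High"}),
    ctl("8.5", "Secure authentication", "technological",
        control_type={"Preventive"}, property=CIA, concept={"Protect"}, domain={"Protection"}, cost={"Medium"}),
    ctl("8.13", "Information backup", "technological",
        control_type={"Corrective"}, property={"Integrity", "Availability"}, concept={"Recover"}, domain={"Protection"}, cost={"Medium"}),
    ctl("8.16", "Monitoring activities", "technological",
        control_type={"Detective", "Corrective"}, property=CIA, concept={"Detect", "Respond"}, domain={"Defence"}, cost={"High"}),
]


def select(catalogue: List[Control], categories: Optional[Iterable[str]] = None,
           **required: Iterable[str]) -> List[str]:
    """Refs of controls whose category is in `categories` (if given) and which
    carry *every* listed value of each required attribute, e.g.
    select(CATALOGUE, control_type={"Preventive"}, cost={"Low"})."""
    cats = set(categories) if categories else None
    return [
        c.ref for c in catalogue
        if (cats is None or c.category in cats)
        and all(set(vals) <= c.attrs.get(attr, frozenset()) for attr, vals in required.items())
    ]


def coverage_gaps(selected_refs: Iterable[str], catalogue: List[Control], attribute: str) -> List[str]:
    """Values of `attribute` that none of the selected controls carry, so a
    design review can see which control types/concepts were never considered."""
    by_ref = {c.ref: c for c in catalogue}
    covered = set()
    for ref in selected_refs:
        covered |= by_ref[ref].attrs.get(attribute, frozenset())
    return sorted(ATTRIBUTE_VALUES[attribute] - covered)


if __name__ == "__main__":
    # "cheap preventive controls that don't involve technology"
    print(select(CATALOGUE, categories={"organizational", "people", "physical"},
                 control_type={"Preventive"}, cost={"Low"}))
    # "have we incorporated any resilience controls?"
    print(select(CATALOGUE, domain={"Resilience"}))
    # a purely preventive design leaves four cybersecurity concepts unaddressed
    print(coverage_gaps(["5.15", "6.3", "7.1", "8.5"], CATALOGUE, "concept"))
```

The same two functions work unchanged if you re-tag the catalogue with your own categories, which is the point of the reply above: the category is just one default view, and the attributes (including any you add yourself) are what let you cut the list by purpose.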

I didn't mention that a year ago I provided the 27028 project team with a white paper on control attributes to kick-start the standard development process, and I continue working alongside the project team to knock it into shape. This month, we have been revising the draft wording into "plain English" to facilitate translating the standard into other languages - quite a challenge given such a technical, conceptual topic. Struggling to adapt my usual writing style into "plain English", I gratefully accepted help from Google Bard plus the editorial team to revise the donated content - a productive bit of AI-enabled collaborative writing teamwork.

"Plain English" is explained in the ISO House Style, supplementing ISO guidance on drafting standards and the formal rules (ISO/IEC Directives). Pretty good advice there, potentially of value in drafting corporate policies, standards and guidelines. As I'm writing new content (and when I next update the SecAware policy templates), I will make the effort to adopt plain English, well, as plain as I can manage without destroying the value.