Last Updated on September 8, 2023
How ISO 27002:2022 Attributes Might Impact Your Certification Audit (and Improve Your Security)
Among the bigger improvements in the new ISO 27002:2022 are attributes, aka #hashtags. Each of the 93 controls in ISO 27002 is tagged with one or more attributes from each of five attribute groupings.
ISO 27001’s Annex A offers some advice on how to use attributes. They’re customizable tools to help orgs understand and evaluate exactly what their controls cover—and what they don’t cover. This makes attributes useful for risk assessment, risk treatment, and even with controls implementation and updates.
Example of applying attributes to a control
Say you’re looking at the Annex A 7.4 for physical security monitoring. You have security cameras at entrances, which is a #detective control. You also have door locks, which are a #preventive control.
So, do you also need a #corrective control for physical security monitoring, such as an alarm-activated police alert? If not, does your risk register justify why you’re accepting the risk of not having a corrective control for physical security?
Will auditors use attributes?
Another way attributes or #hashtags have direct applicability to your risk assessment is to help you consider the impacts of a risk manifesting to the confidentiality, integrity, and availability of data. With ISO 27002:2022 you now have the “CIA hashtags” to help you.
It’s an open question whether auditors will use attributes to help them evaluate your controls in a similar way. Like, “Is X a risk to confidentiality, integrity, and/or availability? And do you have all the applicable properties covered?
Whether insights come through auditors or your own analysis, attributes have the potential to improve the completeness and accuracy of your risk register. It’s easy to envision how considering the CIA triad, or whether controls are preventive, detective, and/or corrective could help businesses manage risk more effectively.
ISO 27001:2022 is still new, but forward-looking orgs are probably updating their risk methodologies to incorporate using attributes.
For more guidance on this topic, listen to Episode 118 of The Virtual CISO Podcast with guest Andrew Frost from Pivot Point Security.