UnixTime

Research Note

ISO27002 Control Attributes

A control is the actual safeguard. An attribute is a label describing the safeguard.

On this page

Core idea

Control attributes are metadata labels assigned to ISO/IEC 27002 controls.

They help categorize, analyze, compare, select, review, and map controls.

A control is the actual safeguard.
An attribute is a label describing the safeguard.

Important distinction

Control attributes are optional. They are not additional mandatory controls.

They support better analysis of the control environment but do not create new ISO/IEC 27001 requirements by themselves.

Typical attribute views

Attribute view What it helps you understand
Control type Whether the control is preventive, detective, or corrective
Information security property Whether it supports confidentiality, integrity, or availability
Cybersecurity concept Whether it relates to identify, protect, detect, respond, or recover
Operational capability Which security/business capability it supports
Security domain Whether it is more about governance, protection, defence, or resilience

Simple examples

Control Possible attribute examples
Access control policy Preventive, confidentiality, protect, identity and access management
Logging and monitoring Detective, integrity/availability, detect, event management
Backup and recovery Corrective/recovery, availability, recover, continuity
Supplier security requirements Preventive/governance, confidentiality/integrity/availability, protect, supplier relationships
Incident response plan Corrective/respond, availability/integrity, respond, incident management

Why attributes matter

Without attributes, an organization may have a long list of controls but no easy way to see patterns.

Attributes help ask better questions:

  • Are we too focused on detection and not enough on prevention?
  • Are we over-investing in one area because of a recent incident?
  • Are confidentiality, integrity, and availability covered proportionately?
  • Do our controls support NIST CSF, CIS Controls, SOC 2, PCI DSS, or other frameworks?
  • Does the selected control actually reduce the risk in the intended way?

Main uses

1. Identifying imbalanced controls

If there are many detective controls but few preventive controls, the organization may detect problems but fail to reduce their frequency.

If there are many preventive controls but few detective controls, the organization may fail to notice when prevention fails.

If there are many preventive and detective controls but few recovery controls, the organization may struggle after an incident.

2. Identifying over-protection

After an incident, organizations often over-correct in the area where the incident occurred.

Example: after a phishing incident, the organization may add excessive email restrictions, warnings, approval gates, and tools, while neglecting backups, incident response, supplier controls, or access reviews.

A review by attribute helps identify whether too much resource is concentrated in one operational capability.

3. Supporting control selection

Attributes help select controls that match the desired risk treatment effect.

Desired effect Suitable control attribute
Reduce likelihood Preventive
Detect occurrence Detective
Reduce damage or recovery time Corrective/recovery
Improve accountability Governance/management
Reduce supplier exposure Supplier relationship/security attributes
Reduce human error Awareness, competence, procedural controls

4. Supporting control review

Attributes help test whether a selected control actually treats the assigned risk.

Examples:

Existing control Claimed purpose Issue
Logging Prevent unauthorized access Logging detects; it does not prevent access
Backup Prevent ransomware Backup reduces impact; it does not prevent ransomware
Awareness training Stop all phishing Awareness reduces likelihood but cannot be the only control
Policy document Secure systems Policy alone does not prove implementation

5. Mapping to other frameworks

Attributes support mapping ISO controls to frameworks outside ISO.

Example mapping:

ISO/IEC 27002 area Possible external framework relationship
Asset management NIST CSF Identify
Access control NIST CSF Protect
Logging and monitoring NIST CSF Detect
Incident management NIST CSF Respond
Backup and continuity NIST CSF Recover

Important nuance

The course reading may state that if a risk is intended to be controlled by reducing its impact, a preventive control would be appropriate. In normal risk language, this is questionable.

A more practical mapping is:

Risk treatment objective Usual control type
Reduce likelihood Preventive
Discover occurrence Detective
Reduce impact, duration, or damage Corrective/recovery

For exams, answer according to the course wording if it clearly expects a specific phrase. For real ISMS work, use the practical mapping above.

Practical example

Risk: loss of sensitive customer data due to unauthorized access.

Control Attribute view Risk treatment effect
MFA Preventive, protect, access control Reduces likelihood
Role-based access control Preventive, confidentiality, identity and access management Reduces likelihood
Access reviews Detective/preventive, governance/access control Identifies excessive access
Logging and monitoring Detective, detect, event management Detects suspicious activity
Incident response plan Corrective/respond Reduces damage after incident
Encryption Protective, confidentiality Reduces impact if data is exposed

Common exam traps

  • Control attributes are optional and analytical.
  • Attributes are not mandatory ISO 27001 requirements.
  • Attributes do not replace risk assessment.
  • Attributes do not replace the Statement of Applicability.
  • Attributes help categorize and analyze controls.
  • Attributes can help identify imbalance and over-protection.
  • Attributes can support mapping to non-ISO frameworks.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

Control attributes are optional metadata in ISO/IEC 27002. They help categorize controls, analyze balance, identify over-protection, support control selection and review, and map controls to other frameworks. They are not controls themselves and do not create additional mandatory requirements.