Core idea
Control attributes are metadata labels assigned to ISO/IEC 27002 controls.
They help categorize, analyze, compare, select, review, and map controls.
A control is the actual safeguard.
An attribute is a label describing the safeguard.
Important distinction
Control attributes are optional. They are not additional mandatory controls.
They support better analysis of the control environment but do not create new ISO/IEC 27001 requirements by themselves.
Typical attribute views
| Attribute view | What it helps you understand |
|---|---|
| Control type | Whether the control is preventive, detective, or corrective |
| Information security property | Whether it supports confidentiality, integrity, or availability |
| Cybersecurity concept | Whether it relates to identify, protect, detect, respond, or recover |
| Operational capability | Which security/business capability it supports |
| Security domain | Whether it is more about governance, protection, defence, or resilience |
Simple examples
| Control | Possible attribute examples |
|---|---|
| Access control policy | Preventive, confidentiality, protect, identity and access management |
| Logging and monitoring | Detective, integrity/availability, detect, event management |
| Backup and recovery | Corrective/recovery, availability, recover, continuity |
| Supplier security requirements | Preventive/governance, confidentiality/integrity/availability, protect, supplier relationships |
| Incident response plan | Corrective/respond, availability/integrity, respond, incident management |
Why attributes matter
Without attributes, an organization may have a long list of controls but no easy way to see patterns.
Attributes help ask better questions:
- Are we too focused on detection and not enough on prevention?
- Are we over-investing in one area because of a recent incident?
- Are confidentiality, integrity, and availability covered proportionately?
- Do our controls support NIST CSF, CIS Controls, SOC 2, PCI DSS, or other frameworks?
- Does the selected control actually reduce the risk in the intended way?
Main uses
1. Identifying imbalanced controls
If there are many detective controls but few preventive controls, the organization may detect problems but fail to reduce their frequency.
If there are many preventive controls but few detective controls, the organization may fail to notice when prevention fails.
If there are many preventive and detective controls but few recovery controls, the organization may struggle after an incident.
2. Identifying over-protection
After an incident, organizations often over-correct in the area where the incident occurred.
Example: after a phishing incident, the organization may add excessive email restrictions, warnings, approval gates, and tools, while neglecting backups, incident response, supplier controls, or access reviews.
A review by attribute helps identify whether too much resource is concentrated in one operational capability.
3. Supporting control selection
Attributes help select controls that match the desired risk treatment effect.
| Desired effect | Suitable control attribute |
|---|---|
| Reduce likelihood | Preventive |
| Detect occurrence | Detective |
| Reduce damage or recovery time | Corrective/recovery |
| Improve accountability | Governance/management |
| Reduce supplier exposure | Supplier relationship/security attributes |
| Reduce human error | Awareness, competence, procedural controls |
4. Supporting control review
Attributes help test whether a selected control actually treats the assigned risk.
Examples:
| Existing control | Claimed purpose | Issue |
|---|---|---|
| Logging | Prevent unauthorized access | Logging detects; it does not prevent access |
| Backup | Prevent ransomware | Backup reduces impact; it does not prevent ransomware |
| Awareness training | Stop all phishing | Awareness reduces likelihood but cannot be the only control |
| Policy document | Secure systems | Policy alone does not prove implementation |
5. Mapping to other frameworks
Attributes support mapping ISO controls to frameworks outside ISO.
Example mapping:
| ISO/IEC 27002 area | Possible external framework relationship |
|---|---|
| Asset management | NIST CSF Identify |
| Access control | NIST CSF Protect |
| Logging and monitoring | NIST CSF Detect |
| Incident management | NIST CSF Respond |
| Backup and continuity | NIST CSF Recover |
Important nuance
The course reading may state that if a risk is intended to be controlled by reducing its impact, a preventive control would be appropriate. In normal risk language, this is questionable.
A more practical mapping is:
| Risk treatment objective | Usual control type |
|---|---|
| Reduce likelihood | Preventive |
| Discover occurrence | Detective |
| Reduce impact, duration, or damage | Corrective/recovery |
For exams, answer according to the course wording if it clearly expects a specific phrase. For real ISMS work, use the practical mapping above.
Practical example
Risk: loss of sensitive customer data due to unauthorized access.
| Control | Attribute view | Risk treatment effect |
|---|---|---|
| MFA | Preventive, protect, access control | Reduces likelihood |
| Role-based access control | Preventive, confidentiality, identity and access management | Reduces likelihood |
| Access reviews | Detective/preventive, governance/access control | Identifies excessive access |
| Logging and monitoring | Detective, detect, event management | Detects suspicious activity |
| Incident response plan | Corrective/respond | Reduces damage after incident |
| Encryption | Protective, confidentiality | Reduces impact if data is exposed |
Common exam traps
- Control attributes are optional and analytical.
- Attributes are not mandatory ISO 27001 requirements.
- Attributes do not replace risk assessment.
- Attributes do not replace the Statement of Applicability.
- Attributes help categorize and analyze controls.
- Attributes can help identify imbalance and over-protection.
- Attributes can support mapping to non-ISO frameworks.
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
Control attributes are optional metadata in ISO/IEC 27002. They help categorize controls, analyze balance, identify over-protection, support control selection and review, and map controls to other frameworks. They are not controls themselves and do not create additional mandatory requirements.
- Iso27002
- Control attributes
- Annex a
- Risk treatment
- Exam
Note Metadata
Aliases: Control Attributes, ISO 27002 Attributes
Source: 01 Fundamentals/ISO27002 Control Attributes.md
Related Notes
- ISO27001 ISMS KB - Start Here
- Annex A and the Statement of Applicability
- Statement of Applicability
- A.5 Organizational Controls MOC
- EXAM-003 - ISO 27002 Control Attributes
- EXAM-007 - Preventive vs Detective vs Corrective Controls
- ISO 27002 Control Attributes Evidence Map
- ISO 27002 Knowledge Base
- Annex A Controls MOC
- Exam Cues Index
- ISO 27001 Overview