Purpose
How to use this page
Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.
This note explains how ISO/IEC 27002 control attributes should be used in this KB.
Control attributes are optional metadata that help categorize, analyze, select, review, and map controls. They do not replace risk assessment, the Statement of Applicability, or evidence of control operation.
Practical use
| Attribute use | Implementer value | Auditor value | Software-object value |
|---|---|---|---|
| Categorize controls | Group controls by theme and purpose | Build audit scope and sampling | Control metadata |
| Identify imbalance | See over/under-reliance on control types | Challenge weak control coverage | Dashboard analytics |
| Support control selection | Choose proportional treatment | Verify treatment rationale | Risk-to-control recommendation |
| Support review | Reassess control mix after changes | Test continuing suitability | Review workflow |
| Map frameworks | Link ISO to other frameworks later | Support integrated audits | Framework mapping object |
Evidence caution
Attributes are not evidence that a control operates.
| Weak claim | Better evidence |
|---|---|
| Control has a preventive attribute | Show the preventive activity operating |
| Control is mapped to confidentiality | Show the asset, risk, treatment, and evidence |
| Control is marked organizational | Show ownership, process, records, and review |
| Control has risk treatment effect metadata | Show risk treatment decision and residual risk review |
Related notes
- Iso27002
- Control attributes
- Evidence
- Mapping
Note Metadata
Aliases: Control Attributes Evidence Map
Source: 11 ISO 27002 Knowledge Base/ISO 27002 Control Attributes Evidence Map.md