UnixTime

Research Note

ISO 27002 Control Attributes Evidence Map

This note explains how ISO/IEC 27002 control attributes should be used in this KB.

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This note explains how ISO/IEC 27002 control attributes should be used in this KB.

Control attributes are optional metadata that help categorize, analyze, select, review, and map controls. They do not replace risk assessment, the Statement of Applicability, or evidence of control operation.

Practical use

Attribute use Implementer value Auditor value Software-object value
Categorize controls Group controls by theme and purpose Build audit scope and sampling Control metadata
Identify imbalance See over/under-reliance on control types Challenge weak control coverage Dashboard analytics
Support control selection Choose proportional treatment Verify treatment rationale Risk-to-control recommendation
Support review Reassess control mix after changes Test continuing suitability Review workflow
Map frameworks Link ISO to other frameworks later Support integrated audits Framework mapping object

Evidence caution

Attributes are not evidence that a control operates.

Weak claim Better evidence
Control has a preventive attribute Show the preventive activity operating
Control is mapped to confidentiality Show the asset, risk, treatment, and evidence
Control is marked organizational Show ownership, process, records, and review
Control has risk treatment effect metadata Show risk treatment decision and residual risk review
  • Iso27002
  • Control attributes
  • Evidence
  • Mapping

Note Metadata

Aliases: Control Attributes Evidence Map

Source: 11 ISO 27002 Knowledge Base/ISO 27002 Control Attributes Evidence Map.md