When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this when reviewing whether a selected control matches the intended risk treatment effect.
| Field | Entry |
|---|---|
| Control ID / Name | |
| Related ISO/IEC 27002 control | |
| Related risk | |
| Risk treatment objective | Reduce likelihood / reduce impact / improve detection / improve recovery / meet compliance need |
| Control type | Preventive / detective / corrective |
| Security property | Confidentiality / integrity / availability |
| Cybersecurity concept | Identify / protect / detect / respond / recover |
| Operational capability | Governance / asset management / access control / supplier security / event management / continuity / etc. |
| Current implementation status | Not implemented / partially implemented / implemented / optimized |
| Evidence available | Policy, procedure, logs, screenshots, tickets, review records, reports |
| Is the control suitable for the risk? | Yes / no / partially |
| Is there over-protection? | Yes / no |
| Is there under-protection? | Yes / no |
| Action required | Keep / improve / replace / remove / consolidate |
| Owner | |
| Review date |
- Template
- Control attributes
- Iso27002
Note Metadata
Aliases: Control Attribute Review
Source: 90 Templates/Control Attribute Review.md