ISO 27001 Attributes: the ultimate guide

Home / ISO 27001 / ISO 27001 Attributes: the ultimate guide

What are ISO 27001 Attributes?

ISO 27001 Attributes are a way to categorise the ISO 27001 Annex A Controls.

Why are ISO 27001 Attributes important?

Attributes can be used to create different views of the information security controls an organisation has based on themes.

They can be used to filter, sort or present controls in different ways for different audiences.

Who uses the ISO 27001 Attributes?

People that want to view controls from different perspectives. The reality is no one uses them. They are an academic framework with little to no real world practical application for 99% of implementations.

Are ISO 27001 Attributes mandatory?

No. The standard is very explicit that the use of attributes is not mandatory. You can choose to not use them, use a subset of them, use your own or use a combination.

Can you ignore and not use attributes?

Yes you can ignore them and not use them. For 99% of implementations the use of ISO 27001 attributes is over-kill and will never be used in practice and day to day operation.

Can you create your own attributes?

Yes, you can create your own attribute values. The attributes they give are selected because they considered them generic enough to be used by different types of organisations. You can choose to disregard one or more of the attributes and create attributes of your own.

How many ISO 27001 Attributes are there?

The standard provides 5 attributes with associated values.

What are the ISO 27001 Attributes and Values?

Control Type

The Control type is an attribute that allows us to view controls from the perspective of when and how the control modifies a risk in relation to the timing of the occurrence of an information security incident.

Control Type attribute values:

  • Preventive – a control that is intended to prevent the information security incident from happening
  • Detective – a control that acts when an information security incident is happening
  • Corrective – a control that acts after an information security incident has happened

Information Security Properties

Information Security Properties is an attribute that allows us to view controls from the perspective of which tenant of information security the control will address:

Information Security Properties attribute values:

  • Confidentiality
  • Integrity
  • Availability

Cybersecurity Concepts

Cybersecurity Concepts is an attribute that allows us to view controls from the perspective of how the control links to the cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27110.

Cybersecurity Concepts attribute values:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Operational Capabilities

Operational Capabilities is an attribute to view controls from a practitioner’s perspective of information security capabilities.

Operational Capabilities attribute values:

  • Governance
  • Asset management
  • Information protection
  • Human resource security
  • Physical security
  • System and network security
  • Application security
  • Secure configuration
  • Identity and access management
  • Threat and vulnerability management
  • Continuity
  • Supplier relationships security
  • Legal and compliance
  • Information security event management
  • Information security assurance

Security Domains

Security domains is an attribute to view controls from the perspective of four information security domains:

Security Domains attribute values:

  • Governance and Ecosystem – this includes Information System Security Governance & Risk Management and Ecosystem cybersecurity management (as well as internal and external stakeholders)
  • Protection – this includes IT Security Architecture, IT Security Administration, Identity and access management, IT Security Maintenance and Physical and environmental security
  • Defence – this includes Detection and Computer Security Incident Management
  • Resilience -this includes Continuity of operations and Crisis management

Why does the standard use the “#” symbol?

The standard uses and references the “#” symbol to indicate that the term is a searchable term. It is intended that the term should be searchable in your management system, documentation and control list. It takes is lead from popular social media platforms that use the character to allow fast searching of related content.

The standard links words together with the “_” character to donate that the phrase is a searchable term. It is intended that the term should be searchable in your management system, documentation and control list.

Do you need to use the attributes?

No. The standard is very explicit that the use of attributes is not mandatory. You can choose to not use them, use a subset of them, use your own or use a combination.

When were attributes introduced to ISO 27001?

The ISO 27001:2022 update introduced the concepts of attributes.

Why did they introduced attributes?

The ISO 27001:2022 update introduced attributes to acknowledge that more and more people are using digital management systems and to influence the implementation of those systems in a standardised way for reporting. This is much more about a technical implementation of documentation and the management system than it is about information security and making you more secure.