Today I published a 20-page white paper about 'control attributes', inspired by those presented in ISO/IEC 27002:2022
The concept behind the paper has been quietly brewing for a couple of months or more, taking the past few weeks to crystallise into words in a form that I'm happy to share publicly.
In a nutshell, 'attributes' are characteristics or features that can be used to categorise, sort or rank information security controls by various criteria. That simplistic concept turns out to unlock some powerful possibilities, described pragmatically in the paper.
It's a more innovative and valuable technique than it may appear.
Along the way, I regret inadvertently upsetting the team of JTC 1/SC 27 editors working on ISO/IEC 27028 by sharing an incomplete draft with them in the hope it might become the basis of the initial draft of the new standard.
During a Zoom meeting. At 3:00am, NZ time. I wasn't at my best. Ooops.
Anyway, now the paper is published, I'm hoping to prompt debate and insightful comments, gathering useful feedback
and especially improvement suggestions from readers, leading in turn to a better
document to submit (through the proper process, this time!) to the SC
27 project team. We may unfortunately have missed our opportunity to deliver a complete 'donor document' to use as the first working draft of the new standard but all is not lost. The paper's suggestions on how to use attributes will, I hope, make a substantial contribution to the second working draft, and in time inform the issued standard.