It includes the following summary:
"This document extends the concept of ‘control attributes’ introduced in ISO/IEC 27002:2022, discussing a wider variety of factors potentially worth bearing in mind when considering, selecting, designing, using and reviewing information security controls. Control attributes are a powerful and flexible tool for information security management purposes, a novel way to design, manage and improve an organisation’s approach to mitigating unacceptable information risks, supplementing more traditional or conventional methods. The document includes pragmatic suggestions on how to make use of control attributes in the business context, with a worked example illustrating the approach."
Once the comments are submitted, we must wait patiently to see how much of it (if any!) makes it through to the Working Draft, blended with inputs and comments from other committee members. Although it seems to take 'forever' to develop new standards, I'm hoping that the donor document will set the project off to a flying start.
Meanwhile, I'm actively looking for opportunities for clients to start using control attributes as an integral part of their ISO27k information risk and security management activities - designing better, more relevant and meaningful security metrics for instance. If that or any other ideas in the paper catch your imagination, please comment below or email me (Gary@isect.com). I see a lot of potential business value in control attributes: how about you?