Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
ISO 27002 occupies a unique and indispensable place in the broader ISO 27000 ecosystem. Unlike ISO 27001, which specifies the formal requirements for establishing and maintaining an Information Security Management System, ISO 27002 serves as a companion guide—providing the practical context that transforms theory into action. It is not a certifiable standard, meaning organizations cannot be officially certified against it, but its influence is profound. It expands upon the Annex A controls of ISO 27001, explaining how they can be implemented, interpreted, and tailored to fit organizational realities. While ISO 27001 defines what must be done, ISO 27002 explains how it can be done effectively. Together, they form the foundation of a balanced ISMS: one that satisfies compliance requirements while remaining operationally relevant. ISO 27002’s role is to bridge management-level requirements with day-to-day security practices, ensuring that implementation reflects both strategic intent and practical execution.
(01:11):
One of the most important innovations introduced in the 2022 revision of ISO 27002 is the use of control attributes. These attributes are essentially metadata—structured descriptors that classify each control according to specific lenses or dimensions. In previous editions, controls existed as a simple list, but the introduction of attributes transformed the catalog into a multi-dimensional framework. Each control now carries several layers of contextual information that describe its purpose, relationship to security principles, and functional area. This design makes ISO 27002 far more flexible, allowing organizations to interpret and apply controls according to their unique environment. Attributes empower practitioners to organize, compare, and cross-map controls dynamically, improving the ability to tailor security strategies while maintaining consistency with the standard’s intent.
(02:06):
The first and most fundamental attribute is the Security Properties attribute, which connects each control to the classic triad of confidentiality, integrity, and availability. These three principles, often referred to as the CIA triad, represent the foundational objectives of information security. By tagging controls according to which of these properties they protect, organizations can quickly identify where their greatest vulnerabilities or redundancies lie. For example, a control emphasizing confidentiality might focus on encryption or access restrictions, while one focused on availability might involve redundancy or disaster recovery. This mapping helps organizations select proportional protections and ensures that controls align with their actual risk priorities. It also simplifies communication—executives can easily see how each control supports core organizational values related to data protection.
(03:00):
Another major attribute introduced in ISO 27002 is the Cybersecurity Concepts attribute, which mirrors the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. By tagging controls under these functional categories, ISO created a natural bridge between its own management system approach and other globally recognized frameworks. This interoperability is a significant advantage for organizations that need to demonstrate alignment across multiple standards or regulatory regimes. The mapping enhances clarity for non-technical stakeholders as well—business leaders can better understand how their ISMS supports capabilities like detection or response, without having to translate technical jargon. The attribute also fosters maturity, helping organizations evaluate whether their control sets are balanced across all phases of the cybersecurity lifecycle.
(03:55):
The Operational Capabilities attribute categorizes controls according to the management functions they support—areas such as governance, asset management, protection, and incident management. This classification helps clarify where ownership and accountability should reside within the organization. For instance, governance-oriented controls often fall under executive or compliance teams, while protection-related controls may be managed by technical security or IT operations. This functional categorization ensures that controls are not only implemented but also owned and maintained by the appropriate stakeholders. It assists leadership in resource allocation, clarifies role boundaries, and provides a framework for structuring the ISMS around operational realities. In larger organizations, this attribute becomes an indispensable tool for aligning security management with organizational hierarchy.
(04:50):
ISO 27002 also includes the Security Domains attribute, which groups controls under four broad categories—organizational, people, physical, and technological. These domains directly align with the themes introduced in the 2022 revision of ISO 27001, creating consistency across both standards. The organizational domain addresses governance and policy; the people domain focuses on awareness, competence, and behavior; the physical domain covers facility protection; and the technological domain encompasses systems and infrastructure safeguards. This structure simplifies how controls are communicated across departments, making it easier to train employees, plan audits, or present reports to executives. Because these domains reflect tangible aspects of daily operations, they make security less abstract and more relatable to everyone involved.
(05:47):
Perhaps the most business-oriented addition to the attribute framework is the Business Process attribute. This dimension links controls directly to the core functions of the enterprise—such as human resources, finance, procurement, or operations. The intent is to demonstrate that information security extends far beyond the IT department. For example, access control procedures affect HR onboarding, data retention policies influence finance and legal compliance, and supplier security impacts procurement. This attribute helps organizations visualize the real-world touchpoints of each control, ensuring that security becomes embedded into everyday workflows. It reinforces the message that an ISMS is not a technical silo but an enterprise-wide management system, influencing every corner of the business ecosystem.
(06:37):
Collectively, these attributes give ISO 27002 an unprecedented level of analytical and strategic depth. They enable multi-dimensional analysis of the control environment, allowing organizations to filter, group, and prioritize based on specific needs. A company undergoing a cloud migration can focus on controls tagged under “availability” and “technological” domains; another seeking regulatory alignment can prioritize controls linked to confidentiality and governance. The attribute system also simplifies crosswalking to other standards, since the structured metadata allows direct comparison across frameworks. By supporting both top-down and bottom-up analysis, it empowers organizations to manage their ISMS with precision and purpose. In effect, attributes turn ISO 27002 into a living map of the security landscape—flexible, integrated, and deeply connected to business strategy.
(07:34):
For more cyber-related content and books, please check out cyber author dot me. Also, there are other prepcasts on cybersecurity and more at Bare Metal Cyber dot com.
Within an Information Security Management System, the Statement of Applicability—commonly referred to as the SoA—is one of the most important and visible documents. It is the centerpiece that connects high-level management intent to operational execution. The SoA lists every Annex A control from ISO 27001, along with a clear decision on whether each control is applied, partially applied, or excluded. For every choice, it provides a rationale that ties back to the organization’s unique risk landscape. In practice, the SoA becomes the backbone of the audit process—an authoritative reference showing how the organization interprets and applies the ISO standard. It demonstrates to internal and external stakeholders alike that information security decisions are deliberate, justified, and aligned with risk management outcomes. For many auditors, the SoA is the first—and most revealing—artifact in assessing an organization’s ISMS maturity.
(08:45):
Beyond its administrative function, the SoA acts as a powerful tool for linking risks to controls in a visible, defensible manner. Each control in the SoA traces directly to a corresponding risk identified in the organization’s risk assessment. This risk linkage is what transforms the ISMS from a compliance checklist into a living management system. It demonstrates to auditors, regulators, and executive stakeholders that control decisions are evidence-based and tailored to the organization’s context. This alignment helps prevent checkbox-driven compliance, where controls are implemented mechanically without understanding their purpose. A well-constructed SoA tells a story of intentionality—it shows that management understands its risks, has evaluated its options, and has made informed decisions about how to mitigate them within acceptable levels of exposure.
(09:37):
The SoA also plays a critical role in organizational transparency. It gives leadership, regulators, and customers a window into how information security responsibilities are being managed. For regulators or clients performing due diligence, the SoA provides reassurance that security measures are structured, documented, and auditable. It clarifies management choices and demonstrates accountability for every inclusion or exclusion. Internally, it serves as a communication artifact that fosters alignment between departments by showing how each control supports organizational priorities. Externally, it acts as a trust-building tool—particularly in supplier and partnership contexts where visibility into security practices is limited. When an organization can produce a clear and current SoA, it signals maturity, responsibility, and openness—qualities that are increasingly important in today’s interconnected business environment.
(10:34):
Under the 2022 revision of ISO 27001, the SoA evolved to become even more strategic and streamlined. The consolidation of controls and introduction of attributes simplified how organizations could document justifications and maintain traceability. Instead of listing controls in isolation, the SoA now connects them through metadata that reflects their security properties, domains, and operational roles. This multidimensional view allows organizations to align their SoA with business objectives more clearly than ever before. The revised structure also made audit evaluation more straightforward, as auditors could quickly trace decisions back to their risk origins. By reinforcing linkages between risk, control, and justification, the new SoA format strengthens its role as both a compliance record and a management decision framework.
(11:27):
From an auditor’s perspective, the SoA is not only a compliance document but also a diagnostic tool for assessing ISMS maturity. It is typically the first document requested during an audit and serves as a roadmap for the evaluation process. Auditors use it to verify that the organization’s policies, procedures, and practices are consistent with the controls claimed to be in place. They assess the completeness of justifications, the quality of evidence, and the internal consistency between risk assessment results and control selections. An SoA that is well-documented, current, and coherent reflects a mature and well-governed ISMS. Conversely, one that appears generic, outdated, or disconnected from reality often signals underlying weaknesses in management oversight or program implementation.
(12:17):
Despite its importance, many organizations stumble in preparing or maintaining their SoA effectively. A common pitfall is providing vague or boilerplate justifications such as “control implemented for compliance reasons” without linking to specific risks or operational needs. Others fail to update their SoA as the organization evolves—leaving controls that no longer apply or omitting new measures that have been adopted. Misalignment between what is documented and what is practiced is another frequent issue, often exposed during internal or external audits. Some organizations also rely too heavily on generic templates, assuming that one-size-fits-all documentation will suffice. These oversights undermine the credibility of the ISMS and can lead to nonconformities or audit findings that damage trust and delay certification.
(13:07):
Best practices for developing an effective SoA begin with treating it as a living document rather than a static report. It should be reviewed and updated regularly—ideally in sync with management reviews and risk assessments—to ensure it reflects the organization’s current environment. Cross-functional input is critical: the SoA benefits from perspectives across IT, compliance, operations, legal, and HR. Each department contributes unique insights into how controls influence their part of the business. Justifications should be clear, concise, and tied to measurable risks or regulatory requirements. Maintaining version control, approval workflows, and change logs ensures accountability and traceability. An SoA that evolves in parallel with the business remains relevant and audit-ready at all times, supporting the continuous improvement ethos of ISO 27001.
(14:00):
The integration of ISO 27002 attributes has added new strategic value to the SoA. Attributes allow organizations to enrich their control justifications with multiple perspectives—technical, operational, and managerial. By tagging controls with properties such as confidentiality or integrity, or aligning them with cybersecurity functions like Detect or Respond, the SoA becomes more than a checklist; it becomes a multidimensional management dashboard. This approach also makes it easier to communicate decisions to non-technical stakeholders, such as board members or external partners, who can now see at a glance how each control contributes to overarching goals. Attributes help bridge gaps between disciplines like privacy, resilience, and risk management, creating an ISMS that is both integrated and future-ready. They turn the SoA from a compliance artifact into a decision intelligence tool that supports long-term organizational growth.
(15:00):
Ultimately, the combination of ISO 27002’s attribute system and a well-managed Statement of Applicability represents a significant evolution in how organizations design and maintain their ISMS. The attribute model introduces precision and flexibility, while the SoA ensures traceability and accountability. Together, they bring clarity to the complex interplay between business strategy, risk management, and security implementation. By embracing these tools, organizations can build a management system that not only satisfies audit requirements but also drives continuous improvement, alignment, and trust across all levels of the enterprise. The result is an ISMS that is not static but self-reinforcing—capable of learning, adapting, and thriving in the face of an ever-changing threat landscape.