fixed internal control references

This commit is contained in:
Richard Kranendonk 2026-04-20 16:11:21 +02:00
parent 24f913e5a0
commit 065201318d
7 changed files with 19 additions and 19 deletions

View file

@ -15,7 +15,7 @@ The organization should establish appropriate information security incident mana
The following should be considered:
a\) establishing a common method for reporting information security events including point of contact (see [[ISO_27002_OT n.n Title\|6.8]]);
a\) establishing a common method for reporting information security events including point of contact (see [6.8](ISO_27002_2022_6.8_OT%20Information%20security%20event%20reporting.md));
b\) establishing an incident management process to provide the organization with capability for managing information security incidents including administration, documentation, detection, triage, prioritization, analysis, communication and coordinating interested parties;
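Review bot: the destination of the new link, `ISO_27002_2022_6.8_OT%20Information%20security%20event%20reporting.md`, is a relative file path that is not part of this diff, so it cannot be verified from the hunk alone; because the line it replaces was the unresolved placeholder `[[ISO_27002_OT n.n Title\|6.8]]`, please confirm the 6.8 note exists under exactly that file name (percent-encoded spaces, `.md` extension) before merging, for example with a repo-wide link check.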
@ -33,15 +33,15 @@ Management should ensure that an information security incident management plan i
a\) evaluation of information security events according to criteria for what constitutes an information security incident;
b\) monitoring (see [[ISO_27002_OT n.n Title\|8.15]] and [[ISO_27002_OT n.n Title\|8.16]]), detecting (see [[ISO_27002_OT n.n Title\|8.16]]), classifying (see [[ISO_27002_OT n.n Title\|5.25]]), analysing and reporting (see [[ISO_27002_OT n.n Title\|6.8]]) of information security events and incidents (by human or automatic means);
b\) monitoring (see [8.15](ISO_27002_2022_8.15_OT%20Logging.md) and [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md)), detecting (see [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md)), classifying (see [5.25](ISO_27002_2022_5.25_OT%20Assessment%20and%20decision%20on%20information%20security%20events.md)), analysing and reporting (see [6.8](ISO_27002_2022_6.8_OT%20Information%20security%20event%20reporting.md)) of information security events and incidents (by human or automatic means);
c\) managing information security incidents to conclusion, including response and escalation (see [[ISO_27002_OT n.n Title\|5.26]]), according to the type and the category of the incident, possible activation of crisis management and activation of continuity plans, controlled recovery from an incident and communication to internal and external interested parties;
c\) managing information security incidents to conclusion, including response and escalation (see [5.26](ISO_27002_2022_5.26_OT%20Response%20to%20information%20security%20incidents.md)), according to the type and the category of the incident, possible activation of crisis management and activation of continuity plans, controlled recovery from an incident and communication to internal and external interested parties;
d\) coordination with internal and external interested parties such as authorities, external interest groups and forums, suppliers and clients (see [[ISO_27002_OT 5.5 Contact with authorities|5.5]] and [[ISO_27002_OT 5.6 Contact with special interest groups\|5.6]]);
d\) coordination with internal and external interested parties such as authorities, external interest groups and forums, suppliers and clients (see [5.5](ISO_27002_2022_5.5_OT%20Contact%20with%20authorities.md) and [5.6](ISO_27002_2022_5.6_OT%20Contact%20with%20special%20interest%20groups.md));
e\) logging incident management activities;
f\) handling of evidence (see [[ISO_27002_OT n.n Title\|5.28]]);
f\) handling of evidence (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md));
g\) root cause analysis or post-mortem procedures;
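Review bot: the links replaced at b), c) and f) (8.15, 8.16, 5.25, 6.8, 5.26, 5.28) were all `ISO_27002_OT n.n Title` placeholders rather than mistyped aliases, which suggests the placeholder form may also survive in files this commit does not touch; a grep for `n.n Title` across the vault would show whether anything is left after this change.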

View file

@ -12,11 +12,11 @@ The organization should establish procedures to quantify and monitor the types,
The information gained from the evaluation of information security incidents should be used to:
a\) enhance the incident management plan including incident scenarios and procedures (see [[ISO_27002_OT 5.24 Information security incident management planning and preparation|5.24]]);
a\) enhance the incident management plan including incident scenarios and procedures (see [5.24](ISO_27002_2022_5.24_OT%20Information%20security%20incident%20management%20planning%20and%20preparation.md));
b\) identify recurring or serious incidents and their causes to update the organizations information security risk assessment and determine and implement necessary additional controls to reduce the likelihood or consequences of future similar incidents. Mechanisms to enable that include collecting, quantifying and monitoring information about incident types, volumes and costs;
c\) enhance user awareness and training (see [[ISO_27002_OT 6.3 Information security awareness, education and training|6.3]]) by providing examples of what can happen, how to respond to such incidents and how to avoid them in the future.
c\) enhance user awareness and training (see [6.3](ISO_27002_2022_6.3_OT%20Information%20security%20awareness%2C%20education%20and%20training.md)) by providing examples of what can happen, how to respond to such incidents and how to avoid them in the future.
#### Other information
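Review bot: the unchanged context line b) reads `the organizations information security risk assessment`; the possessive is missing its apostrophe (`organization's`). Since this file is already being edited, it is worth fixing in the same commit rather than leaving it for a separate typo pass.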

View file

@ -8,7 +8,7 @@ Information security roles and responsibilities should be defined and allocated
To establish a defined, approved and understood structure for the implementation, operation and management of information security within the organization.
### Guidance
Allocation of information security roles and responsibilities should be done in accordance with the information security policy and topic-specific policies (see [[ISO_27002_OT 5.1 Policies for information security\|5.1]]). The organization should define and manage responsibilities for:
Allocation of information security roles and responsibilities should be done in accordance with the information security policy and topic-specific policies (see [5.1](ISO_27002_2022_5.1_OT%20Policies%20for%20information%20security.md)). The organization should define and manage responsibilities for:
a)   protection of information and other associated assets;
b)   carrying out specific information security processes;

View file

@ -14,7 +14,7 @@ The project management in use should require that:
a)   information security risks are assessed and treated at an early stage and periodically as part of project risks throughout the project life cycle;
b)   information security requirements \[e.g. application security requirements ([[ISO_27002_OT 8.26 Application security requirements|8.26]]), requirements for complying with intellectual property rights ([[ISO_27002_OT 5.32 Intellectual property rights|5.32]]), etc.] are addressed in the early stages of projects;
b)   information security requirements \[e.g. application security requirements ([8.26](ISO_27002_2022_8.26_OT%20Application%20security%20requirements.md)), requirements for complying with intellectual property rights ([5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md)), etc.] are addressed in the early stages of projects;
c)   information security risks associated with the execution of projects, such as security of internal and external communication aspects are considered and treated throughout the project life cycle;
@ -28,7 +28,7 @@ Information security requirements for products or services to be delivered by th
Information security requirements should be determined for all types of projects, not only ICT development projects. The following should also be considered when determining these requirements:
a)   what information is involved (information determination), what are the corresponding information security needs (classification; see [[ISO_27002_OT 5.12 Classification of information\|5.12]]) and the potential negative business impact which can result from lack of adequate security;
a)   what information is involved (information determination), what are the corresponding information security needs (classification; see [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md)) and the potential negative business impact which can result from lack of adequate security;
b)   the required protection needs of information and other associated assets involved, particularly in terms of confidentiality, integrity and availability;

View file

@ -22,7 +22,7 @@ Application security requirements can cover a wide range of topics, depending on
Application security requirements should include, as applicable:
a\) level of trust in identity of entities \[e.g. through authentication (see [[ISO_27002_OT 5.17 Authentication information|5.17]], [[ISO_27002_OT 8.2 Privileged access rights\|8.2]] and [[ISO_27002_OT 8.5 Secure authentication|8.5]])];
a\) level of trust in identity of entities \[e.g. through authentication (see [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md), [8.2](ISO_27002_2022_8.2_OT%20Privileged%20access%20rights.md) and [8.5](ISO_27002_2022_8.5_OT%20Secure%20authentication.md))];
b\) identifying the type of information and classification level to be processed by the application;

View file

@ -51,7 +51,7 @@ c) using structured programming techniques;
d) documenting code and removing programming defects, which can allow information security vulnerabilities to be exploited;
e) prohibiting the use of insecure design techniques (e.g. the use of hard-coded passwords, unapproved code samples and unauthenticated web services).
Testing should be conducted during and after development (see [[ISO_27002_OT 8.29 Security testing in development and acceptance|8.29]]). Static application security testing (SAST) processes can identify security vulnerabilities in software.
Testing should be conducted during and after development (see [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md)). Static application security testing (SAST) processes can identify security vulnerabilities in software.
Before software is made operational, the following should be evaluated:
a) attack surface and the principle of least privilege;
@ -62,7 +62,7 @@ b) conducting an analysis of the most common programming errors and documenting
After code has been made operational:
a) updates should be securely packaged and deployed;
b) reported information security vulnerabilities should be handled (see [[ISO_27002_OT 8.8 Management of technical vulnerabilities|8.8]]);
b) reported information security vulnerabilities should be handled (see [8.8](ISO_27002_2022_8.8_OT%20Management%20of%20technical%20vulnerabilities.md));
c) errors and suspected attacks should be logged and logs regularly reviewed to make adjustments to the code as necessary;
d) source code should be protected against unauthorized access and tampering (e.g. by using configuration management tools, which typically provide features such as access control and version control).
@ -95,5 +95,5 @@ More information on ICT security evaluation can be found in the ISO/IEC 15408 se
# Related:
- [[ISO_27002_PE 8.28 Secure coding]]
- [[ISO_27002_OT 8.29 Security testing in development and acceptance]]
- [[ISO_27002_OT 8.8 Management of technical vulnerabilities]]
- [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md)
- [8.8](ISO_27002_2022_8.8_OT%20Management%20of%20technical%20vulnerabilities.md)
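Review bot: the first entry of the Related list, `- [[ISO_27002_PE 8.28 Secure coding]]`, is left in wiki-link form while the two entries below it are converted to markdown links, so the list ends up mixing both styles; convert it the same way, or state why PE-prefixed notes keep the wiki-link form. The converted entries also shorten the visible text from the full control title to `8.29` and `8.8`, which makes a bare Related list harder to scan; consider keeping the title as link text, e.g. `- [8.29 Security testing in development and acceptance](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md)`.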

View file

@ -13,11 +13,11 @@ To ensure information and other associated assets are protected against malware.
Protection against malware should be based on malware detection and repair software, information security awareness, appropriate system access and change management controls. Use of malware detection and repair software alone is not usually adequate. The following guidance should be considered:
a)   implementing rules and controls that prevent or detect the use of unauthorized software \[e.g. application allowlisting (i.e. using a list providing allowed applications)] (see [[ISO_27002_OT 8.19 Installation of software on operational systems|8.19]] and [[ISO_27002_OT 8.32 Change management|8.32]])
a)   implementing rules and controls that prevent or detect the use of unauthorized software \[e.g. application allowlisting (i.e. using a list providing allowed applications)] (see [8.19](ISO_27002_2022_8.19_OT%20Installation%20of%20software%20on%20operational%20systems.md) and [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md))
b)   implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blocklisting);
c)   reducing vulnerabilities that can be exploited by malware \[e.g. through technical vulnerability management (see [[ISO_27002_OT 8.8 Management of technical vulnerabilities|8.8]] and [[ISO_27002_OT 8.19 Installation of software on operational systems|8.19]])];
c)   reducing vulnerabilities that can be exploited by malware \[e.g. through technical vulnerability management (see [8.8](ISO_27002_2022_8.8_OT%20Management%20of%20technical%20vulnerabilities.md) and [8.19](ISO_27002_2022_8.19_OT%20Installation%20of%20software%20on%20operational%20systems.md))];
d)   conducting regular automated validation of the software and data content of systems, especially for systems supporting critical business processes; investigating the presence of any unapproved files or unauthorized amendments;
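Review bot: item a) still ends without a terminating semicolon after `8.32](ISO_27002_2022_8.32_OT%20Change%20management.md))`, while b), c) and d) each close with `;`; add it while the line is being rewritten so the list punctuation is consistent.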
@ -41,13 +41,13 @@ h)   taking care to protect against the introduction of malware during maintena
i) implementing a process to authorize temporarily or permanently disable some or all measures against malware, including exception approval authorities, documented justification and review date. This can be necessary when the protection against malware causes disruption to normal operations;
j) preparing appropriate business continuity plans for recovering from malware attacks, including
all necessary data and software backup (including both online and offline backup) and recovery measures (see [[ISO_27002_OT 8.13 Information backup|8.13]]);
all necessary data and software backup (including both online and offline backup) and recovery measures (see [8.13](ISO_27002_2022_8.13_OT%20Information%20backup.md));
k)   isolating environments where catastrophic consequences can occur;
l) defining procedures and responsibilities to deal with protection against malware on systems, including training in their use, reporting and recovering from malware attacks;
m)  providing awareness or training (see [[ISO_27002_OT 6.3 Information security awareness, education and training|6.3]]) to all users on how to identify and potentially mitigate the receipt, sending or installation of malware infected emails, files or programs \[the information collected in n) and o) can be used to ensure awareness and training are kept up-to-date];
m)  providing awareness or training (see [6.3](ISO_27002_2022_6.3_OT%20Information%20security%20awareness%2C%20education%20and%20training.md)) to all users on how to identify and potentially mitigate the receipt, sending or installation of malware infected emails, files or programs \[the information collected in n) and o) can be used to ensure awareness and training are kept up-to-date];
n)   implementing procedures to regularly collect information about new malware, such as subscribing to mailing lists or reviewing relevant websites;
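Review bot: item j) is split across two source lines (`...from malware attacks, including` on one line and `all necessary data and software backup...` on the next), and only the second line is touched here. Markdown will join them when rendered, but every other item in this list is a single line; joining j) in this edit would keep the file consistent and make future diffs of that item show as one line.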