Moved a directory, changed some filenames
This commit is contained in:
parent
ae27a60bcf
commit
347706835e
195 changed files with 696 additions and 255 deletions
|
|
@ -54,6 +54,6 @@ tags:
|
||||||
[Application architecture](System%20alternative/Application%20architecture.md)
|
[Application architecture](System%20alternative/Application%20architecture.md)
|
||||||
[iso27DYI architecture with LLM](System%20alternative/iso27DYI%20architecture%20with%20LLM.md)
|
[iso27DYI architecture with LLM](System%20alternative/iso27DYI%20architecture%20with%20LLM.md)
|
||||||
[iso27DIY stack deployment](System%20alternative/iso27DIY%20stack%20deployment.md)
|
[iso27DIY stack deployment](System%20alternative/iso27DIY%20stack%20deployment.md)
|
||||||
[SurveyJS](../Corpus/Standards/SurveyJS.md)
|
[SurveyJS](System%20alternative/SurveyJS.md)
|
||||||
[WeWeb Security Pre-Launch Checklist](../Corpus/ISMS/Policy%20examples/WeWeb%20Security%20Pre-Launch%20Checklist.md)
|
[WeWeb Security Pre-Launch Checklist](../Corpus/ISMS/Policy%20examples/WeWeb%20Security%20Pre-Launch%20Checklist.md)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
# Access Control
|
# Access Control
|
||||||
|
|
||||||
While [authorization](../Standards/ISO27x/Authorization.md) is primarily concerned with establishing the policies and rules that dictate access (i.e. *what* a person or system is allowed to do), **access control** is the _system_ or _process_ that enforces those defined permissions.
|
While [authorization](../Standards/ISO27x/about/Authorization.md) is primarily concerned with establishing the policies and rules that dictate access (i.e. *what* a person or system is allowed to do), **access control** is the _system_ or _process_ that enforces those defined permissions.
|
||||||
|
|
||||||
See:
|
See:
|
||||||
- [Gedachten over rechtenstructuren](../Information%20Security/Gedachten%20over%20rechtenstructuren.md)
|
- [Gedachten over rechtenstructuren](../Information%20Security/Gedachten%20over%20rechtenstructuren.md)
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,7 @@ tags:
|
||||||
|
|
||||||
# Authorization vs. Access Control
|
# Authorization vs. Access Control
|
||||||
|
|
||||||
[Authorization](../Standards/ISO27x/Authorization.md) defines _what_ a user (or system) is allowed to do, [access control ](Access%20Control.md) is the _system_ or _process_ that enforces those defined permissions.
|
[Authorization](../Standards/ISO27x/about/Authorization.md) defines _what_ a user (or system) is allowed to do, [access control ](Access%20Control.md) is the _system_ or _process_ that enforces those defined permissions.
|
||||||
|
|
||||||
## Authorization
|
## Authorization
|
||||||
|
|
||||||
|
|
@ -23,8 +23,8 @@ tags:
|
||||||
- **What it is:** Access control is the **mechanism or system that enforces the authorization policies**. It's the technical implementation that actually grants or denies access to a resource based on the authorized permissions.
|
- **What it is:** Access control is the **mechanism or system that enforces the authorization policies**. It's the technical implementation that actually grants or denies access to a resource based on the authorized permissions.
|
||||||
- **The "How":** It answers the question, "How is the 'what' actually applied and managed?"
|
- **The "How":** It answers the question, "How is the 'what' actually applied and managed?"
|
||||||
- **Enforcement:** Access control is the act of putting those policies into practice. It involves:
|
- **Enforcement:** Access control is the act of putting those policies into practice. It involves:
|
||||||
- Checking a user's identity ([Authentication](../Standards/ISO27x/Authentication.md)).
|
- Checking a user's identity ([Authentication](../Standards/ISO27x/about/Authentication.md)).
|
||||||
- Consulting the pre-defined [Authorization](../Standards/ISO27x/Authorization.md)authorization rules.
|
- Consulting the pre-defined [Authorization](../Standards/ISO27x/about/Authorization.md)authorization rules.
|
||||||
- Granting or denying access to specific resources (files, applications, data, network segments, physical locations, etc.) or actions (read, write, delete, execute).
|
- Granting or denying access to specific resources (files, applications, data, network segments, physical locations, etc.) or actions (read, write, delete, execute).
|
||||||
- **Examples:**
|
- **Examples:**
|
||||||
- An Access Control List (ACL) on a file system that specifies which users or groups can read, write, or execute a particular file.
|
- An Access Control List (ACL) on a file system that specifies which users or groups can read, write, or execute a particular file.
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
A straightforward governance structure for your Information Security Management System based on ISO 27001 and ISO 27002.
|
A straightforward governance structure for your Information Security Management System based on ISO 27001 and ISO 27002.
|
||||||
|
|
||||||
*Based on [Governance model for Policies and Controls](../Standards/ISO27x/Governance%20model%20for%20Policies%20and%20Controls.md), which contains the references to the Standard.*
|
*Based on [Governance model for Policies and Controls](../Standards/ISO27x/about/Governance%20model%20for%20Policies%20and%20Controls.md), which contains the references to the Standard.*
|
||||||
## Policy Lifecycle: Who Does What
|
## Policy Lifecycle: Who Does What
|
||||||
|
|
||||||
### Key Players
|
### Key Players
|
||||||
|
|
|
||||||
|
|
@ -8,7 +8,7 @@ A Business Impact Analysis (BIA) examines the potential impacts of disruptions,
|
||||||
The outcomes help to prioritize business activities and resources to enable the resumption of product and service delivery after a (major) disruption[^1].
|
The outcomes help to prioritize business activities and resources to enable the resumption of product and service delivery after a (major) disruption[^1].
|
||||||
|
|
||||||
Guidelines and tooling:
|
Guidelines and tooling:
|
||||||
- [Guidelines for business impact analysis ISO 22317](../Standards/ISO27x/ISO%2022317%20Guidelines%20for%20business%20impact%20analysis.md)
|
- [Guidelines for business impact analysis ISO 22317](../Standards/ISO27x/about/ISO%2022317%20Guidelines%20for%20business%20impact%20analysis.md)
|
||||||
- [Assessing reputational risks](../Various/Assessing%20reputational%20risks.md)
|
- [Assessing reputational risks](../Various/Assessing%20reputational%20risks.md)
|
||||||
- [BIA Workshop](../Standards/ISO27x/Implementation%20Products/BIA%20Workshop.md)
|
- [BIA Workshop](../Standards/ISO27x/Implementation%20Products/BIA%20Workshop.md)
|
||||||
- [TLP impact matrix](Data%20classification/Traffic%20Light%20Protocol%20TLP.md)
|
- [TLP impact matrix](Data%20classification/Traffic%20Light%20Protocol%20TLP.md)
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@ Science. 2015101601. October 16, 2015. http://techscience.org/a/2015101601; PDF
|
||||||
|
|
||||||
Related:
|
Related:
|
||||||
- [ISO 27001 A 8.2 Information classification](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2%20Information%20classification.md)
|
- [ISO 27001 A 8.2 Information classification](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2%20Information%20classification.md)
|
||||||
- [Privacy in ISO 27001](../../Standards/ISO27x/Privacy%20in%20ISO%2027001.md)
|
- [Privacy in ISO 27001](../../Standards/ISO27x/about/Privacy%20in%20ISO%2027001.md)
|
||||||
|
|
||||||
Sweeney et all have developed a privacy oriented data classification system with six levels:
|
Sweeney et all have developed a privacy oriented data classification system with six levels:
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,4 +25,4 @@ W. Krag Brotby and Gary Hinson (PRAGMATIC Security Metrics, 2013) state metrics
|
||||||
|
|
||||||
|
|
||||||
Standards and Frameworks:
|
Standards and Frameworks:
|
||||||
- [ISO 27004](../Standards/ISO27x/ISO%2027004.md)
|
- [ISO 27004](../Standards/ISO27x/about/ISO%2027004.md)
|
||||||
|
|
|
||||||
|
|
@ -4,9 +4,9 @@
|
||||||
See also under [Threat](../📚️%20Literature%20notes/Threat.md)
|
See also under [Threat](../📚️%20Literature%20notes/Threat.md)
|
||||||
|
|
||||||
[Open Group Risk Analysis Standard (O-RA)](https://pubs.opengroup.org/security/o-ra/)
|
[Open Group Risk Analysis Standard (O-RA)](https://pubs.opengroup.org/security/o-ra/)
|
||||||
[Open Group FAIR \ ISO 27005 Cookbook for Risk Assessment](../Standards/ISO27x/FAIR%20ISO%2027005%20Cookbook.pdf)
|
[Open Group FAIR \ ISO 27005 Cookbook for Risk Assessment](../Standards/ISO27x/about/FAIR%20ISO%2027005%20Cookbook.pdf)
|
||||||
|
|
||||||
[SURF Toolkit risicobeoordeling](../Standards/SURF%20Toolkit%20risicobeoordeling.md)
|
[SURF Toolkit risicobeoordeling](../Standards/SURF/SURF%20Toolkit%20risicobeoordeling.md)
|
||||||
|
|
||||||
[](../Information%20Security/Risks/Risk_Assessment_Process.gif)
|
[](../Information%20Security/Risks/Risk_Assessment_Process.gif)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -6,4 +6,4 @@ Different stakeholders have different interests. Think of your stereotypical IT
|
||||||
|
|
||||||
## Related
|
## Related
|
||||||
- [ISO 27001_OT C 4 Context of the organization](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties)
|
- [ISO 27001_OT C 4 Context of the organization](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties)
|
||||||
- [ISO31000-5.4.1-Understanding-the-organization-and-its-context](../Standards/ISO27x/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
|
- [ISO31000-5.4.1-Understanding-the-organization-and-its-context](../Standards/ISO27x/about/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
|
||||||
|
|
|
||||||
|
|
@ -8,7 +8,7 @@ Producten:
|
||||||
## Literatuur
|
## Literatuur
|
||||||
|
|
||||||
- BCP.mindnode op iCloud > Best Practices
|
- BCP.mindnode op iCloud > Best Practices
|
||||||
- evt. [CIS Controls](../Standards/CIS%20Controls.md) als raamwerk
|
- evt. [CIS Controls](../Standards/CIS/CIS%20Controls.md) als raamwerk
|
||||||
- ISO-22301-2019 'Business continuity management systems' en ISO-22313-2020 'Guidance on the use of ISO 22301'
|
- ISO-22301-2019 'Business continuity management systems' en ISO-22313-2020 'Guidance on the use of ISO 22301'
|
||||||
- [CISSP, Chapter 3](../Standards/CISSP/CISSP_OSG_Chapter_3.md)
|
- [CISSP, Chapter 3](../Standards/CISSP/CISSP_OSG_Chapter_3.md)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -3,14 +3,14 @@
|
||||||
Identification is the claim of a subject of its identity.
|
Identification is the claim of a subject of its identity.
|
||||||
|
|
||||||
See also:
|
See also:
|
||||||
- [Authentication](../Standards/ISO27x/Authentication.md)
|
- [Authentication](../Standards/ISO27x/about/Authentication.md)
|
||||||
- [Authorization](../Standards/ISO27x/Authorization.md)
|
- [Authorization](../Standards/ISO27x/about/Authorization.md)
|
||||||
- [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
|
- [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
|
||||||
|
|
||||||
# Identification
|
# Identification
|
||||||
Identification is the claim of a subject of its identity.
|
Identification is the claim of a subject of its identity.
|
||||||
|
|
||||||
See also:
|
See also:
|
||||||
- [Authentication](../Standards/ISO27x/Authentication.md)
|
- [Authentication](../Standards/ISO27x/about/Authentication.md)
|
||||||
- [Authorization](../Standards/ISO27x/Authorization.md)
|
- [Authorization](../Standards/ISO27x/about/Authorization.md)
|
||||||
- [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
|
- [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
|
||||||
|
|
|
||||||
|
|
@ -8,8 +8,8 @@ An _allow policy_, also known as an _IAM policy_, defines and enforces what ro
|
||||||
|
|
||||||
See:
|
See:
|
||||||
- [Identification](Identification.md) – "This is who I am"
|
- [Identification](Identification.md) – "This is who I am"
|
||||||
- [Authentication](../Standards/ISO27x/Authentication.md) – "This is how I prove it"
|
- [Authentication](../Standards/ISO27x/about/Authentication.md) – "This is how I prove it"
|
||||||
- [Authorization](../Standards/ISO27x/Authorization.md) – "... then this is what you get access to"
|
- [Authorization](../Standards/ISO27x/about/Authorization.md) – "... then this is what you get access to"
|
||||||
- [CISSP_Domain_5_1](../Standards/CISSP/CISSP_Domain_5_1.md), [CISSP_Domain_5_2](../Standards/CISSP/CISSP_Domain_5_2.md)
|
- [CISSP_Domain_5_1](../Standards/CISSP/CISSP_Domain_5_1.md), [CISSP_Domain_5_2](../Standards/CISSP/CISSP_Domain_5_2.md)
|
||||||
- [Roles in Identity and Access Management (IAM)](Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)
|
- [Roles in Identity and Access Management (IAM)](Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)
|
||||||
|
|
||||||
|
|
@ -23,7 +23,7 @@ An _allow policy_, also known as an _IAM policy_, defines and enforces what ro
|
||||||
|
|
||||||
See:
|
See:
|
||||||
- [Identification](Identification.md) – "This is who I am"
|
- [Identification](Identification.md) – "This is who I am"
|
||||||
- [Authentication](../Standards/ISO27x/Authentication.md) – "This is how I prove it"
|
- [Authentication](../Standards/ISO27x/about/Authentication.md) – "This is how I prove it"
|
||||||
- [Authorization](../Standards/ISO27x/Authorization.md) – "... then this is what you get access to"
|
- [Authorization](../Standards/ISO27x/about/Authorization.md) – "... then this is what you get access to"
|
||||||
- [CISSP_Domain_5_1](../Standards/CISSP/CISSP_Domain_5_1.md), [CISSP_Domain_5_2](../Standards/CISSP/CISSP_Domain_5_2.md)
|
- [CISSP_Domain_5_1](../Standards/CISSP/CISSP_Domain_5_1.md), [CISSP_Domain_5_2](../Standards/CISSP/CISSP_Domain_5_2.md)
|
||||||
- [Roles in Identity and Access Management (IAM)](Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)
|
- [Roles in Identity and Access Management (IAM)](Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)
|
||||||
|
|
@ -10,5 +10,5 @@ Zero trust is an approach to cybersecurity that assumes that no one is trusted b
|
||||||
Zero trust can consist of monitoring all network communications, avoiding default configurations, tracking all devices, and implementing multifactor authentication.
|
Zero trust can consist of monitoring all network communications, avoiding default configurations, tracking all devices, and implementing multifactor authentication.
|
||||||
|
|
||||||
Related:
|
Related:
|
||||||
- [Zero Trust and ISO 27001](../Standards/ISO27x/Zero%20Trust%20and%20ISO%2027001.md)
|
- [Zero Trust and ISO 27001](../Standards/ISO27x/about/Zero%20Trust%20and%20ISO%2027001.md)
|
||||||
- [Checklist for auditing Zero Trust approach](../Literature/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Zero%20Trust%20approach.md)
|
- [Checklist for auditing Zero Trust approach](../Literature/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Zero%20Trust%20approach.md)
|
||||||
|
|
@ -15,19 +15,19 @@ tags:
|
||||||
[Assets, Vulnerabilities, Threats, Risks](📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
|
[Assets, Vulnerabilities, Threats, Risks](📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
|
||||||
[Assets, Vulnerabilities, Threats, Risks](/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
|
[Assets, Vulnerabilities, Threats, Risks](/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
|
||||||
[Attack Surface Analysis](📚️%20Literature%20notes/Attack%20Surface%20Analysis.md)
|
[Attack Surface Analysis](📚️%20Literature%20notes/Attack%20Surface%20Analysis.md)
|
||||||
[Authentication](../Standards/ISO27x/Authentication.md)
|
[Authentication](../Standards/ISO27x/about/Authentication.md)
|
||||||
[Multi-factor authentication](/Multi-factor%20authentication.md) (MFA)
|
[Multi-factor authentication](/Multi-factor%20authentication.md) (MFA)
|
||||||
[Passwordless Authentication](/Passwordless%20Authentication.md)
|
[Passwordless Authentication](/Passwordless%20Authentication.md)
|
||||||
[Risk-Based Authentication](/Risk-Based%20Authentication.md)
|
[Risk-Based Authentication](/Risk-Based%20Authentication.md)
|
||||||
[Single Sign On (SSO)](📚️%20Literature%20notes/Single%20Sign%20On%20(SSO).md)
|
[Single Sign On (SSO)](📚️%20Literature%20notes/Single%20Sign%20On%20(SSO).md)
|
||||||
[Tokens](/Tokens.md)
|
[Tokens](/Tokens.md)
|
||||||
[Authorization](../Standards/ISO27x/Authorization.md)
|
[Authorization](../Standards/ISO27x/about/Authorization.md)
|
||||||
[Access Control](/Access%20Control.md)
|
[Access Control](/Access%20Control.md)
|
||||||
[Awareness](/Awareness.md)
|
[Awareness](/Awareness.md)
|
||||||
[BCP_Bedrijfscontinuïteitsplanning](📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
|
[BCP_Bedrijfscontinuïteitsplanning](📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
|
||||||
[Business Impact Analysis (BIA)](/Business%20Impact%20Analysis%20(BIA).md)
|
[Business Impact Analysis (BIA)](/Business%20Impact%20Analysis%20(BIA).md)
|
||||||
[Disaster Recovery Planning](/Disaster%20Recovery%20Planning.md)
|
[Disaster Recovery Planning](/Disaster%20Recovery%20Planning.md)
|
||||||
[Change management Change Management in ISO 27002](../Standards/ISO27x/Change%20management%20Change%20Management%20in%20ISO%2027002.md)
|
[Change management Change Management in ISO 27002](../Standards/ISO27x/about/Change%20management%20Change%20Management%20in%20ISO%2027002.md)
|
||||||
[Classification](/Classification.md)
|
[Classification](/Classification.md)
|
||||||
[Compliance](/Compliance.md)
|
[Compliance](/Compliance.md)
|
||||||
[Data Breach](💡Permanent%20ideas/Data%20Breach.md)
|
[Data Breach](💡Permanent%20ideas/Data%20Breach.md)
|
||||||
|
|
@ -39,10 +39,10 @@ Frameworks
|
||||||
[[Hardening]]
|
[[Hardening]]
|
||||||
[Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
|
[Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
|
||||||
[Identification](Identification.md)
|
[Identification](Identification.md)
|
||||||
[Authentication](../Standards/ISO27x/Authentication.md)
|
[Authentication](../Standards/ISO27x/about/Authentication.md)
|
||||||
[Authorization](../Standards/ISO27x/Authorization.md)
|
[Authorization](../Standards/ISO27x/about/Authorization.md)
|
||||||
Impact
|
Impact
|
||||||
[Change management Change Management in ISO 27002](../Standards/ISO27x/Change%20management%20Change%20Management%20in%20ISO%2027002.md)
|
[Change management Change Management in ISO 27002](../Standards/ISO27x/about/Change%20management%20Change%20Management%20in%20ISO%2027002.md)
|
||||||
[Impact of Disruption](Sparks/Impact%20of%20Disruption.md)
|
[Impact of Disruption](Sparks/Impact%20of%20Disruption.md)
|
||||||
[Incidents](/Incidents.md)
|
[Incidents](/Incidents.md)
|
||||||
[Maturity Models](📚️%20Literature%20notes/Maturity%20Models.md)
|
[Maturity Models](📚️%20Literature%20notes/Maturity%20Models.md)
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,7 @@ Relevant ISO 27001 clauses/controls:
|
||||||
|
|
||||||
Related:
|
Related:
|
||||||
[External audits](../../Sparks/External%20audits.md)
|
[External audits](../../Sparks/External%20audits.md)
|
||||||
[ISO 27001 audit process](../../Standards/ISO27x/ISO%2027001%20audit%20process.md)
|
[ISO 27001 audit process](../../Standards/ISO27x/about/ISO%2027001%20audit%20process.md)
|
||||||
|
|
||||||
|
|
||||||
1. Can you assess the impact any pending regulatory change will have on your business including governance, compliance and risk management frameworks?
|
1. Can you assess the impact any pending regulatory change will have on your business including governance, compliance and risk management frameworks?
|
||||||
|
|
|
||||||
|
Before Width: | Height: | Size: 286 KiB After Width: | Height: | Size: 286 KiB |
|
|
@ -31,7 +31,7 @@ IG3 assets contain sensitive information or functions that are subject to regula
|
||||||
Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
|
Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Source: CIS Controls v8.1 PDF, pp 8-12
|
Source: CIS Controls v8.1 PDF, pp 8-12
|
||||||
|
|
||||||
|
|
||||||
|
Before Width: | Height: | Size: 57 KiB After Width: | Height: | Size: 57 KiB |
|
|
@ -1,12 +0,0 @@
|
||||||
# Authentication
|
|
||||||
Authentication is the proof of identity that is achieved through providing credentials to the access control mechanism.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
See also:
|
|
||||||
- [a-8.5-Secure-authentication](OST/27002/EN/a-8.5-Secure-authentication.md)
|
|
||||||
- [Authentication Methods Used for Network Security](../../Information%20Security/Authentication%20Methods%20Used%20for%20Network%20Security.md)
|
|
||||||
- [Identity and Access Management (IAM)](../../Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
|
|
||||||
- [Authorization](Authorization.md)
|
|
||||||
- [Identification](../../Information%20Security/Identification.md)
|
|
||||||
|
|
||||||
|
|
@ -1,13 +0,0 @@
|
||||||
# Authorization
|
|
||||||
Authorization is the mechanism that determines the access level(s) of the subjects to the objects.
|
|
||||||
|
|
||||||
See also:
|
|
||||||
- [Authorization vs Access Control](../../ISMS/Authorization%20vs%20Access%20Control.md)
|
|
||||||
- [Access Control Models](../../ISMS/Access%20Control%20Models.md)
|
|
||||||
- [Authentication](Authentication.md)
|
|
||||||
- [Identification](../../Information%20Security/Identification.md)
|
|
||||||
- [CASSM Consumer Authentication Strength Maturity Model](../../Information%20Security/CASSM%20Consumer%20Authentication%20Strength%20Maturity%20Model.md)
|
|
||||||
- [Identity and Access Management (IAM)](../../Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
|
|
||||||
- [a-5.15-Access-control](OST/27002/EN/a-5.15-Access-control.md) ???
|
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -1,54 +0,0 @@
|
||||||
---
|
|
||||||
tags:
|
|
||||||
- iso27001
|
|
||||||
- iso27002
|
|
||||||
- type/MoC
|
|
||||||
- nen7510
|
|
||||||
---
|
|
||||||
# ISO and NEN security standards
|
|
||||||
## ISO 27001 & 27002
|
|
||||||
|
|
||||||
Indexes:
|
|
||||||
- [ISO 27001:2022 EN](ISO_27001_2022_Index.md)
|
|
||||||
- [ISO 27002:2022 EN](ISO_27001_2022_Index%20EXT.md) – Includes references to 2013 version!
|
|
||||||
- [ISO 27001:2023 NL](OST/ISO_27001_2023_NL_Index.md)
|
|
||||||
- [ISO 27002:2022 NL](OST/ISO_27002_2022_NL_Index.md)
|
|
||||||
- [Vertaaltabel Engels-Nederlands](ISO_27002_2022_Vertaaltabel_Engels_Nederlands.md)
|
|
||||||
|
|
||||||
EN source tekst:
|
|
||||||
- ISO 27001:2022 [PDF](OST/27001/EN/ISO_27001_2022_EN.pdf)
|
|
||||||
- ISO 27002:2022 [PDF](OST/27002/EN/ISO_27002_2022_EN.pdf)
|
|
||||||
|
|
||||||
NL brontekst:
|
|
||||||
- ISO 27001:2023 [PDF](OST/27001/NL/ISO_27001_2023_NL_PDF.md)
|
|
||||||
- ISO 27002:2022 [PDF](OST/ISO_27002_2022_NL_PDF.md)
|
|
||||||
|
|
||||||
|
|
||||||
See also:
|
|
||||||
- [Plain English ISO IEC 27002 2005 from Praxiom](https://www.praxiom.com/iso-17799-objectives.htm)
|
|
||||||
- [Changes in ISO 27001:2022 (table)](OST/27001/Detailed%20comparison%20between%202017%20and%202022.md)
|
|
||||||
- [[ISO 27002 2022 What's New]]
|
|
||||||
- [ISO_27001_2023_NL_Aanpassingen](OST/ISO_27001_2023_NL_Aanpassingen.md)
|
|
||||||
- [Changes in ISO 27001_2022_Advisera](../../../../iso27DIY-gis/reference/Changes%20in%20ISO%2027001_2022_Advisera.md)
|
|
||||||
- [IBB op hoofdlijnen](OST/IBB%20op%20hoofdlijnen.md)
|
|
||||||
- [ISO 27001 2023 Processen en Artefacten](OST/ISO%2027001%202023%20Processen%20en%20Artefacten.md)
|
|
||||||
- [Advised Documents for ISO 27001](../../../../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md)
|
|
||||||
- [Types of Controls](Types%20of%20Controls.md)
|
|
||||||
|
|
||||||
Depreciated:
|
|
||||||
[ISO_27001_2013_EN_Index](legacy/ISO%2027001%202013/ISO_27001_2013_EN_Index.md)
|
|
||||||
[ISO_27001_2017_NL_Index](legacy/ISO%2027001%202017%20NL/ISO_27001_2017_NL_Index.md)
|
|
||||||
|
|
||||||
## Related ISO standards
|
|
||||||
- [ISO 27k family](../../../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md)
|
|
||||||
- [ISO 27000](ISO%2027000%20MoC.md)
|
|
||||||
- [ISO 27005](ISO%2027005.md)
|
|
||||||
- NEN 7510
|
|
||||||
- [NEN 7510-1:2024](OST/7510/NEN7510_2024_NL_1.md)
|
|
||||||
- [NEN 7510-2:2024](OST/7510/NEN7510_2024_NL_2.md)
|
|
||||||
- [NEN 7510-1:2024 Bijlage A](OST/7510/NEN7510_2024_NL_1_A.md)
|
|
||||||
- [NEN 7510-1:2024 Bijlage B](OST/7510/NEN7510_2024_NL_1_B.md)
|
|
||||||
- [NEN 7510-1:2024 Bijlage C](OST/7510/NEN7510_2024_NL_1_C.md)
|
|
||||||
- [NEN 7510-1:2024 vs. ISO 27001:2022](OST/7510/NEN%207510%20vs%20ISO%2027001.md)
|
|
||||||
- [Lijst met relevante risico's](OST/7510/NEN7510%20Risicos.md)
|
|
||||||
|
|
||||||
|
|
@ -1,52 +0,0 @@
|
||||||
#iso27001/2022/EN
|
|
||||||
# ISO 27001:2022 EN Index
|
|
||||||
|
|
||||||
| Clause | Title |
|
|
||||||
| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
|
||||||
| **F** | **[Foreword](../ISO-27001-OST/ISO27001-EN-2022/ISO_27001_OT%20F%20Foreword.md)** |
|
|
||||||
| **0** | **[Introduction](../ISO-27001-OST/ISO27001-EN-2022/c-0-Introduction.md)** |
|
|
||||||
| **1** | **[Scope](../ISO-27001-OST/ISO27001-EN-2022/c-1-Scope.md)** |
|
|
||||||
| **2** | **[Normative references](../ISO-27001-OST/ISO27001-EN-2022/c-2-Normative-references.md)** |
|
|
||||||
| **3** | **[Terms and definitions](../ISO-27001-OST/ISO27001-EN-2022/ISO_27001_OT%20Terms%20and%20definitions.md)** |
|
|
||||||
| **4** | **[Context of the organization](ISO_27001_2022_4_MoC%20Context%20of%20the%20organization.md)** |
|
|
||||||
| 4.1 | [Understanding the organization and its context ](../../MoCs/ISO_27001_2022_4.1_MoC%20Understanding%20the%20organization%20and%20its%20context.md) |
|
|
||||||
| 4.2 | [Understanding the needs and expectations of interested parties ](../../MoCs/ISO_27001_2022_4.2_MoC%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md) |
|
|
||||||
| 4.3 | [Determining the scope of the information security management system ](../../MoCs/ISO_27001_2022_4.3_MoC%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system.md) |
|
|
||||||
| 4.4 | [Information security management system ](../../MoCs/ISO_27001_2022_4.4_MoC%20Information%20security%20management%20system.md) |
|
|
||||||
| **5** | **[Leadership](../../MoCs/ISO_27001_2022_5_MoC%20Leadership.md)** |
|
|
||||||
| 5.1 | [Leadership and commitment ](../../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md) |
|
|
||||||
| 5.2 | [Policy ](../../MoCs/ISO_27001_2022_5.2_MoC%20Policy.md) |
|
|
||||||
| 5.3 | [Organizational roles, responsibilities and authorities ](../../MoCs/ISO_27001_2022_5.3_MoC%20Organizational%20roles,%20responsibilities%20and%20authorities.md) |
|
|
||||||
| **6** | **[Planning](../../MoCs/ISO_27001_2022_6_MoC%20Planning.md)** |
|
|
||||||
| 6.1 | [Actions to address risks and opportunities ](../../MoCs/ISO_27001_2022_6.1_MoC%20Actions%20to%20address%20risks%20and%20opportunities.md) |
|
|
||||||
| 6.1.1 | [General ](../../MoCs/ISO_27001_2022_6.1.1_MoC%20General.md) |
|
|
||||||
| 6.1.2 | [Information security risk assessment ](../../ISMS/Qualifying%20vs%20quantifying%20risks.md) |
|
|
||||||
| 6.1.3 | [Information security risk treatment ](../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md) |
|
|
||||||
| 6.2 | [Information security objectives and planning to achieve them ](../../MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md) |
|
|
||||||
| 6.3 | [Planning of changes ](../../MoCs/ISO_27001_2022_6.3_MoC%20Planning%20of%20changes.md) |
|
|
||||||
| **7** | **[Support](../../MoCs/ISO_27001_2022_7_MoC%20Support.md)** |
|
|
||||||
| 7.1 | [ Resources ](../../MoCs/ISO_27001_2022_7.1_MoC%20Resources.md) |
|
|
||||||
| 7.2 | [ Competence ](../../MoCs/ISO_27001_2022_7.2_MoC%20Competence.md) |
|
|
||||||
| 7.3 | [ Awareness ](../../MoCs/ISO_27001_2022_7.3_MoC%20Awareness.md) |
|
|
||||||
| 7.4 | [ Communication ](../../MoCs/ISO_27001_2022_7.4_MoC%20Communication.md) |
|
|
||||||
| 7.5 | [ Documented information ](../../MoCs/ISO_27001_2022_7.5_MoC%20Documented%20information.md) |
|
|
||||||
| 7.5.1 | General ↑ |
|
|
||||||
| 7.5.2 | Creating and updating ↑ |
|
|
||||||
| 7.5.3 | Control of documented information ↑ |
|
|
||||||
| **8** | **[Operation](../../MoCs/ISO_27001_2022_8_MoC%20Operation.md)** |
|
|
||||||
| 8.1 | [Operational planning and control ](../../MoCs/ISO_27001_2022_8.1_MoC%20Operational%20planning%20and%20control.md) |
|
|
||||||
| 8.2 | [Information security risk assessment ](../../MoCs/ISO_27001_2022_8.2_MoC%20Information%20security%20risk%20assessment.md) |
|
|
||||||
| 8.3 | [Information security risk treatment ](../../MoCs/ISO_27001_2022_8.3_MoC%20Information%20security%20risk%20treatment.md) |
|
|
||||||
| **9** | **[Performance evaluation](../../MoCs/ISO_27001_2022_9_MoC%20Performance%20evaluation.md)** |
|
|
||||||
| 9.1 | [Monitoring, measurement, analysis and evaluation ](../../MoCs/ISO_27001_2022_9.1_MoC%20Monitoring,%20measurement,%20analysis%20and%20evaluation.md) |
|
|
||||||
| 9.2 | [Internal audit ](../../MoCs/ISO_27001_2022_9.2_MoC%20Internal%20audit.md) |
|
|
||||||
| 9.2.1 | General ↑ |
|
|
||||||
| 9.2.2 | Internal audit programme ↑ |
|
|
||||||
| 9.3 | [Management review ](../../MoCs/ISO_27001_2022_9.3_MoC%20Management%20review.md) |
|
|
||||||
| 9.3.1 | General ↑ |
|
|
||||||
| 9.3.2 | Management review inputs ↑ |
|
|
||||||
| 9.3.3 | Management review results ↑ |
|
|
||||||
| **10** | **[Improvement](../../MoCs/ISO_27001_2022_10_MoC%20Improvement.md)** |
|
|
||||||
| 10.1 | [Continual improvement ](../../MoCs/ISO_27001_2022_10.1_MoC%20Continual%20improvement.md) |
|
|
||||||
| 10.2 | [Nonconformity and corrective action ](../../MoCs/ISO_27001_2022_10.2_MoC%20Nonconformity%20and%20corrective%20action.md) |
|
|
||||||
| **[Annex A](ISO_27001_2022_Index%20EXT.md)** | **Information security controls reference** |
|
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
| Volgende herzieningsdatum | [Datum] |
|
| Volgende herzieningsdatum | [Datum] |
|
||||||
| Status | [Concept/Goedgekeurd] |
|
| Status | [Concept/Goedgekeurd] |
|
||||||
|
|
||||||
*Noot: Oorspronkelijke versie gebaseerd op ISO/IEC 27001:2013; [Toevoegingen IBB ISO27001-2022](../Toevoegingen%20IBB%20ISO27001-2022.md) zijn hierin verwerkt.*
|
*Noot: Oorspronkelijke versie gebaseerd op ISO/IEC 27001:2013; [Nieuwe beheersmaatregelen in ISO 27001-2022](../about/Nieuwe%20beheersmaatregelen%20in%20ISO%2027001-2022.md) zijn hierin verwerkt.*
|
||||||
|
|
||||||
## Inhoudsopgave
|
## Inhoudsopgave
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,19 +0,0 @@
|
||||||
# MoC Roles and responsibilities in ISO 27001
|
|
||||||
|
|
||||||
**See**:
|
|
||||||
|
|
||||||
Recent:
|
|
||||||
- [Explicitly mentioned roles in ISO 27001](Explicitly%20mentioned%20roles%20in%20ISO%2027001.md)
|
|
||||||
- [ISO 27001 Leadership Responsibilities](ISO%2027001%20Leadership%20Responsibilities.md)
|
|
||||||
- [ISO 27001 Top Management responsibilities](ISO%2027001%20Top%20Management%20responsibilities.md)
|
|
||||||
- [Governance model for Policies and Controls](Governance%20model%20for%20Policies%20and%20Controls.md)
|
|
||||||
- [Basic ISMS governance model](../../ISMS/Basic%20ISMS%20governance%20model.md)
|
|
||||||
- [m400-more-governance](../../../../iso27DIY-gis/guide/m400/m400-more-governance.md)
|
|
||||||
|
|
||||||
Older:
|
|
||||||
- [Roles and Responsibilities](../../ISMS/Roles%20and%20Responsibilities.md)
|
|
||||||
- [Risk ownership](../../Information%20Security/Risks/Risk%20ownership.md)
|
|
||||||
- [Ideas on Risk Ownership](../../ISMS/Ideas%20on%20Risk%20Ownership.md)
|
|
||||||
- [Asset ownership](../../Sparks/Asset%20ownership.md)
|
|
||||||
- [Procuratieregeling](../../Various/Procuratieregeling.md)
|
|
||||||
- [Control ownership](../../ISMS/Control%20ownership.md)
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
According to [Mark Bernard](https://www.linkedin.com/posts/markesbernard_the-changes-to-isoiec-27001-isms-are-not-activity-7344467878198329344-nZN7) , 28 juni 2025, "The changes to ISO/IEC 27001 ISMS are not straightforward. Some believe that the total number of controls was reduced; however, the truth is that new controls were added while existing controls were consolidated and streamlined."
|
According to [Mark Bernard](https://www.linkedin.com/posts/markesbernard_the-changes-to-isoiec-27001-isms-are-not-activity-7344467878198329344-nZN7) , 28 juni 2025, "The changes to ISO/IEC 27001 ISMS are not straightforward. Some believe that the total number of controls was reduced; however, the truth is that new controls were added while existing controls were consolidated and streamlined."
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## New ISMS Control Objectives - ISO 27001:2022 CLAUSE 4 TO 10
|
## New ISMS Control Objectives - ISO 27001:2022 CLAUSE 4 TO 10
|
||||||
|
|
|
||||||
|
|
@ -15,4 +15,4 @@ status: active
|
||||||
For the purposes of this document, the terms and definitions given in
|
For the purposes of this document, the terms and definitions given in
|
||||||
ISO/IEC 27000 apply.
|
ISO/IEC 27000 apply.
|
||||||
|
|
||||||
[ISO 27000 MoC](../../../ISO%2027000%20MoC.md)
|
[ISO 27000 MoC](../../../about/ISO%2027000%20MoC.md)
|
||||||
|
|
@ -15,5 +15,5 @@ status: active
|
||||||
|
|
||||||
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
|
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
|
||||||
|
|
||||||
NOTE Determining these issues refers to establishing the external and internal context of the organization considered in [Clause 5.4.1](../../../ISO31000-5.4.1-Understanding-the-organization-and-its-context.md) of ISO 31000:2018.
|
NOTE Determining these issues refers to establishing the external and internal context of the organization considered in [Clause 5.4.1](../../../about/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md) of ISO 31000:2018.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,53 +1,53 @@
|
||||||
# Index to the original texts of ISO 27001
|
# Index to the original texts of ISO 27001
|
||||||
2022 version
|
2022 version
|
||||||
|
|
||||||
| Clause | Title |
|
| Clause | Title |
|
||||||
| ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
| ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
| **F** | **[Foreword](27001/EN/c-f-Foreword.md)** |
|
| **F** | **[Foreword](27001/EN/c-f-Foreword.md)** |
|
||||||
| **0** | **[Introduction](27001/EN/c-0-Introduction.md)** |
|
| **0** | **[Introduction](27001/EN/c-0-Introduction.md)** |
|
||||||
| **1** | **[Scope](27001/EN/c-1-Scope.md)** |
|
| **1** | **[Scope](27001/EN/c-1-Scope.md)** |
|
||||||
| **2** | **[Normative references](27001/EN/c-2-Normative-references.md)** |
|
| **2** | **[Normative references](27001/EN/c-2-Normative-references.md)** |
|
||||||
| **3** | **[Terms and definitions](27001/EN/c-3-Terms-and-definitions.md)** |
|
| **3** | **[Terms and definitions](27001/EN/c-3-Terms-and-definitions.md)** |
|
||||||
| **4** | **Context of the organization** |
|
| **4** | **Context of the organization** |
|
||||||
| 4.1 | [Understanding the organization and its context ](27001/EN/c-4.1-Understanding-the-organization-and-its-context.md) |
|
| 4.1 | [Understanding the organization and its context ](27001/EN/c-4.1-Understanding-the-organization-and-its-context.md) |
|
||||||
| 4.2 | [Understanding the needs and expectations of interested parties ](27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md) |
|
| 4.2 | [Understanding the needs and expectations of interested parties ](27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md) |
|
||||||
| 4.3 | [Determining the scope of the information security management system ](27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md) |
|
| 4.3 | [Determining the scope of the information security management system ](27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md) |
|
||||||
| 4.4 | [Information security management system ](27001/EN/c-4.4-Information-security-management-system.md) |
|
| 4.4 | [Information security management system ](27001/EN/c-4.4-Information-security-management-system.md) |
|
||||||
| **5** | **Leadership** |
|
| **5** | **Leadership** |
|
||||||
| 5.1 | [Leadership and commitment ](27001/EN/c-5.1-Leadership-and-commitment.md) |
|
| 5.1 | [Leadership and commitment ](27001/EN/c-5.1-Leadership-and-commitment.md) |
|
||||||
| 5.2 | [Policy ](27001/EN/c-5.2-Policy.md) |
|
| 5.2 | [Policy ](27001/EN/c-5.2-Policy.md) |
|
||||||
| 5.3 | [Organizational roles, responsibilities and authorities ](27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md) |
|
| 5.3 | [Organizational roles, responsibilities and authorities ](27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md) |
|
||||||
| **6** | **Planning** |
|
| **6** | **Planning** |
|
||||||
| 6.1 | Actions to address risks and opportunities *(no content)* |
|
| 6.1 | Actions to address risks and opportunities *(no content)* |
|
||||||
| 6.1.1 | [General ](27001/EN/c-6.1.1-General.md) |
|
| 6.1.1 | [General ](27001/EN/c-6.1.1-General.md) |
|
||||||
| 6.1.2 | [Information security risk assessment ](27001/EN/c-6.1.2-Information-security-risk-assessment.md) |
|
| 6.1.2 | [Information security risk assessment ](27001/EN/c-6.1.2-Information-security-risk-assessment.md) |
|
||||||
| 6.1.3 | [Information security risk treatment ](27001/EN/c-6.1.3-Information-security-risk-treatment.md) |
|
| 6.1.3 | [Information security risk treatment ](27001/EN/c-6.1.3-Information-security-risk-treatment.md) |
|
||||||
| 6.2 | [Information security objectives and planning to achieve them ](27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md) |
|
| 6.2 | [Information security objectives and planning to achieve them ](27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md) |
|
||||||
| 6.3 | [Planning of changes ](27001/EN/c-6.3-Planning-of-changes.md) |
|
| 6.3 | [Planning of changes ](27001/EN/c-6.3-Planning-of-changes.md) |
|
||||||
| **7** | **Support** |
|
| **7** | **Support** |
|
||||||
| 7.1 | [ Resources ](27001/EN/c-7.1-Resources.md) |
|
| 7.1 | [ Resources ](27001/EN/c-7.1-Resources.md) |
|
||||||
| 7.2 | [ Competence ](27001/EN/c-7.2-Competence.md) |
|
| 7.2 | [ Competence ](27001/EN/c-7.2-Competence.md) |
|
||||||
| 7.3 | [ Awareness ](27001/EN/c-7.3-Awareness.md) |
|
| 7.3 | [ Awareness ](27001/EN/c-7.3-Awareness.md) |
|
||||||
| 7.4 | [ Communication ](27001/EN/c-7.4-Communication.md) |
|
| 7.4 | [ Communication ](27001/EN/c-7.4-Communication.md) |
|
||||||
| 7.5 | [ Documented information ](27001/EN/c-7.5-Documented-information.md) |
|
| 7.5 | [ Documented information ](27001/EN/c-7.5-Documented-information.md) |
|
||||||
| 7.5.1 | General ↑ |
|
| 7.5.1 | General ↑ |
|
||||||
| 7.5.2 | Creating and updating ↑ |
|
| 7.5.2 | Creating and updating ↑ |
|
||||||
| 7.5.3 | Control of documented information ↑ |
|
| 7.5.3 | Control of documented information ↑ |
|
||||||
| **8** | **Operation** |
|
| **8** | **Operation** |
|
||||||
| 8.1 | [Operational planning and control ](27001/EN/c-8.1-Operational-planning-and-control.md) |
|
| 8.1 | [Operational planning and control ](27001/EN/c-8.1-Operational-planning-and-control.md) |
|
||||||
| 8.2 | [Information security risk assessment ](27001/EN/c-8.2-Information-security-risk-assessment.md) |
|
| 8.2 | [Information security risk assessment ](27001/EN/c-8.2-Information-security-risk-assessment.md) |
|
||||||
| 8.3 | [Information security risk treatment ](27001/EN/c-8.3-Information-security-risk-treatment.md) |
|
| 8.3 | [Information security risk treatment ](27001/EN/c-8.3-Information-security-risk-treatment.md) |
|
||||||
| **9** | **Performance evaluation** |
|
| **9** | **Performance evaluation** |
|
||||||
| 9.1 | [Monitoring, measurement, analysis and evaluation ](27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md) |
|
| 9.1 | [Monitoring, measurement, analysis and evaluation ](27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md) |
|
||||||
| 9.2 | [Internal audit ](27001/EN/c-9.2-Internal-audit.md) |
|
| 9.2 | [Internal audit ](27001/EN/c-9.2-Internal-audit.md) |
|
||||||
| 9.2.1 | General ↑ |
|
| 9.2.1 | General ↑ |
|
||||||
| 9.2.2 | Internal audit programme ↑ |
|
| 9.2.2 | Internal audit programme ↑ |
|
||||||
| 9.3 | [Management review ](27001/EN/c-9.3-Management-review.md) |
|
| 9.3 | [Management review ](27001/EN/c-9.3-Management-review.md) |
|
||||||
| 9.3.1 | General ↑ |
|
| 9.3.1 | General ↑ |
|
||||||
| 9.3.2 | Management review inputs ↑ |
|
| 9.3.2 | Management review inputs ↑ |
|
||||||
| 9.3.3 | Management review results ↑ |
|
| 9.3.3 | Management review results ↑ |
|
||||||
| **10** | **Improvement** |
|
| **10** | **Improvement** |
|
||||||
| 10.1 | [Continual improvement ](27001/EN/c-10.1-Continual-improvement.md) |
|
| 10.1 | [Continual improvement ](27001/EN/c-10.1-Continual-improvement.md) |
|
||||||
| 10.2 | [Nonconformity and corrective action ](27001/EN/c-10.2-Nonconformity-and-corrective-action.md) |
|
| 10.2 | [Nonconformity and corrective action ](27001/EN/c-10.2-Nonconformity-and-corrective-action.md) |
|
||||||
| **Annex A** | **[Information security controls reference ](Index%20to%20the%20original%20texts%20of%20ISO%2027002.md)** |
|
| **Annex A** | **[Information security controls reference ](ISO_27002_2022_EN_Index.md)** |
|
||||||
|
|
||||||
|
|
@ -32,7 +32,7 @@ A very important thing to bring up early, is **risk ownership**. We need to be c
|
||||||
|
|
||||||
As an auditor I expect to see a clearly defined and understandable risk assessment process, and evidence for its execution, by maybe getting somebody to take me through risk assessments that have been performed.
|
As an auditor I expect to see a clearly defined and understandable risk assessment process, and evidence for its execution, by maybe getting somebody to take me through risk assessments that have been performed.
|
||||||
|
|
||||||
Although Clause 6.1.2 tells you what should be considered when doing risk assessments, it does not tell you *how* to conduct a risk assessment. It doesn't tell you to use a risk calculation scale of 1 to 10, or high, medium and low, or using some other kind of formula, and neither does the ISO 27002 implementation guidance, of the [ISO 27005](../ISO%2027005.md) (Guidance on managing information security risks).
|
Although Clause 6.1.2 tells you what should be considered when doing risk assessments, it does not tell you *how* to conduct a risk assessment. It doesn't tell you to use a risk calculation scale of 1 to 10, or high, medium and low, or using some other kind of formula, and neither does the ISO 27002 implementation guidance, of the [ISO 27005](../about/ISO%2027005.md) (Guidance on managing information security risks).
|
||||||
|
|
||||||
What it *does* tell us, is that we need to have an agreed way of conducting risk assessments, and that we need predefined risk acceptance criteria.
|
What it *does* tell us, is that we need to have an agreed way of conducting risk assessments, and that we need predefined risk acceptance criteria.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@ This was previously called risk transfer, but this term was dropped because you
|
||||||
|
|
||||||
### Risk modification by implementing controls
|
### Risk modification by implementing controls
|
||||||
|
|
||||||
Clause 8.3 of [ISO 27005](../ISO%2027005.md), the guidance document on risk management[^1], says that we shall select controls in order to address risks. These can be preventative, detective or corrective in nature.
|
Clause 8.3 of [ISO 27005](../about/ISO%2027005.md), the guidance document on risk management[^1], says that we shall select controls in order to address risks. These can be preventative, detective or corrective in nature.
|
||||||
|
|
||||||
Which controls will be implemented by the organization, is specified in the Statement of Applicability (6.1.3d).
|
Which controls will be implemented by the organization, is specified in the Statement of Applicability (6.1.3d).
|
||||||
|
|
||||||
|
|
|
||||||
Binary file not shown.
|
After Width: | Height: | Size: 91 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 148 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 156 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 87 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 195 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 96 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 132 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 142 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 102 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 67 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 78 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 76 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 112 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 100 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 144 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 96 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 190 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 76 KiB |
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: true
|
||||||
---
|
---
|
||||||
# S01 Course objectives and structure
|
# S01 Course objectives and structure
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: true
|
||||||
---
|
---
|
||||||
# S02.1 Introduction to management systems and ISO 27000 family of standards
|
# S02.1 Introduction to management systems and ISO 27000 family of standards
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: true
|
||||||
---
|
---
|
||||||
# S02.2 Introduction to management systems and ISO 27000 family of standards
|
# S02.2 Introduction to management systems and ISO 27000 family of standards
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: true
|
||||||
---
|
---
|
||||||
# S02.3 Introduction to management systems and ISO 27000 family of standards
|
# S02.3 Introduction to management systems and ISO 27000 family of standards
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: true
|
||||||
---
|
---
|
||||||
# S03 Certification process
|
# S03 Certification process
|
||||||
|
|
||||||
|
|
|
||||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S06.1 Fundamental audit concepts and principles
|
# S06.1 Fundamental audit concepts and principles
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S06.2 Fundamental audit concepts and principles
|
# S06.2 Fundamental audit concepts and principles
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S06.3 Fundamental audit concepts and principles
|
# S06.3 Fundamental audit concepts and principles
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S06.4 Fundamental audit concepts and principles
|
# S06.4 Fundamental audit concepts and principles
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S06.5 Fundamental audit concepts and principles
|
# S06.5 Fundamental audit concepts and principles
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S06.6 Fundamental audit concepts and principles
|
# S06.6 Fundamental audit concepts and principles
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S07.1 The impact of trends and technology in auditing
|
# S07.1 The impact of trends and technology in auditing
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S07.2 The impact of trends and technology in auditing
|
# S07.2 The impact of trends and technology in auditing
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S08.1 Evidence based auditing
|
# S08.1 Evidence based auditing
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S08.2 Evidence based auditing
|
# S08.2 Evidence based auditing
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S09 Risk based audit
|
# S09 Risk based audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S10.1 Initiation of the audit process
|
# S10.1 Initiation of the audit process
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S10.2 Initiation of the audit process
|
# S10.2 Initiation of the audit process
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S10.3 Initiation of the audit process
|
# S10.3 Initiation of the audit process
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S11.1 Stage 1 audit
|
# S11.1 Stage 1 audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S11.2 Stage 1 audit
|
# S11.2 Stage 1 audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S12.1 Preparing for stage 2 audit
|
# S12.1 Preparing for stage 2 audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S12.2 Preparing for stage 2 audit
|
# S12.2 Preparing for stage 2 audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S13.1 Stage 2 audit
|
# S13.1 Stage 2 audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S13.2 Stage 2 audit
|
# S13.2 Stage 2 audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S14.1 Communication during the audit
|
# S14.1 Communication during the audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S14.2 Communication during the audit
|
# S14.2 Communication during the audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S15.1 Audit procedures
|
# S15.1 Audit procedures
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S15.2 Audit procedures
|
# S15.2 Audit procedures
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S15.3 Audit procedures
|
# S15.3 Audit procedures
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S15.4 Audit procedures
|
# S15.4 Audit procedures
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S15.5 Audit procedures
|
# S15.5 Audit procedures
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ isotags:
|
||||||
- C.4.2
|
- C.4.2
|
||||||
- C.7.5.3
|
- C.7.5.3
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S16.1 Creating audit test plans
|
# S16.1 Creating audit test plans
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,6 +25,7 @@ isotags:
|
||||||
- C.10.1
|
- C.10.1
|
||||||
- C.10.2
|
- C.10.2
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S16.2 Creating audit test plans
|
# S16.2 Creating audit test plans
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S17.1 Drafting audit findings and nonconformity reports
|
# S17.1 Drafting audit findings and nonconformity reports
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S17.2 Drafting audit findings and nonconformity reports
|
# S17.2 Drafting audit findings and nonconformity reports
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -8,6 +8,7 @@ tags:
|
||||||
isotags:
|
isotags:
|
||||||
- C.7.5.2
|
- C.7.5.2
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S18 Audit documentation and quality review
|
# S18 Audit documentation and quality review
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S19.1 Closing of the audit
|
# S19.1 Closing of the audit
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ tags:
|
||||||
- PECB-LA
|
- PECB-LA
|
||||||
isotags: []
|
isotags: []
|
||||||
status: active
|
status: active
|
||||||
|
processed: false
|
||||||
---
|
---
|
||||||
# S19.2 Closing of the audit
|
# S19.2 Closing of the audit
|
||||||
|
|
||||||
|
|
|
||||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue