Renamed some folders
parent 3542083f69
commit 3c800ae860
278 changed files with 113 additions and 113 deletions
|
|
@ -6,7 +6,7 @@ See:
|
|||
- [Gedachten over rechtenstructuren](Gedachten%20over%20rechtenstructuren.md)
|
||||
- [Authorization vs Access Control](Authorization%20vs%20Access%20Control.md)
|
||||
- [Access Control Models](Access%20Control%20Models.md)
|
||||
- [ISO 27001 A 9 Access control](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A%209%20Access%20control.md)
|
||||
- [ISO 27001 A 9 Access control](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%209%20Access%20control.md)
|
||||
- [a-5.15-Access-control](../Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
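Review bot: The only edit in this hunk is the substring swap of `../Standards/ISO27x/archive/` for `../Standards/ISO27x/legacy/` in the `ISO 27001 A 9 Access control` link, and the page header (278 changed files, 113 additions, 113 deletions) says the rest of the commit is the same one-line rewrite plus roughly 165 files that are pure renames; before merging, confirm those renames were recorded as moves rather than delete-plus-add so history follows the files, and grep the vault for any leftover `ISO27x/archive` references that a plain substring replace would have skipped (a wikilink or a differently encoded folder name, for instance). The untouched `../Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md` link in the same list shows the 2022 material already sits outside the renamed folder, so only 2013-era paths should need checking.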
@ -23,7 +23,7 @@ In essence, an information asset is a piece of information that holds value and
|
|||
## Related:
|
||||
|
||||
- [Assets, Vulnerabilities, Threats, Risks](Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
|
||||
- [Asset management in ISO 27001](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A%208%20Asset%20management.md)
|
||||
- [Asset management in ISO 27001](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208%20Asset%20management.md)
|
||||
- [Asset lifecycle in the Defensive Security Handbook](../📚️%20Literature%20notes/Asset%20lifecycle.md)
|
||||
- [Asset ownership](Asset%20ownership.md)
|
||||
- [How to develop an Asset Inventory](How%20to%20develop%20an%20Asset%20Inventory.md)
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
The ISO27DIY video series teaches you a workshop based approach for implementing an ISO 27001-compliant Information Security Management System (ISMS) in your own organization. The ISO27DIY video series will be available for free.
|
||||
|
||||
These are the current blurbs on the different properties:
|
||||
– see also [🧰 Resource portal](../Standards/ISO27x/archive/iso27DIY%20mk%20I/🧰%20Resource%20portal.md)
|
||||
– see also [🧰 Resource portal](../Standards/ISO27x/legacy/iso27DIY%20mk%20I/🧰%20Resource%20portal.md)
|
||||
|
||||
# ISO27DIY.com website
|
||||
Main website via [Carrd.co](https://iso27diy.com):
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ description: What instruments do we have to classify the necessity of integrity
|
|||
tags:
|
||||
- clippings
|
||||
---
|
||||
See also: [Business Impact Analysis (BIA)](Business%20Impact%20Analysis%20(BIA).md), [A 8.2 Information Classification](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A%208.2%20Information%20classification.md#ISO%2027001%20A%208.2%20Information%20classification)
|
||||
See also: [Business Impact Analysis (BIA)](Business%20Impact%20Analysis%20(BIA).md), [A 8.2 Information Classification](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2%20Information%20classification.md#ISO%2027001%20A%208.2%20Information%20classification)
|
||||
|
||||
Prompt: `In the field of information security, we identify and implement risk mitigating measures to safeguard the confidentiality, integrity, and availability of information. To establish levels of confidentiality, we use the instrument of data classification to establish levels of availability we can use business impact analysis. What instruments do we have to classify the necessity of integrity of information`
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
[CISSP_OSG_Chapter_4](../Standards/CISSP/CISSP_OSG_Chapter_4.md)
|
||||
[Continuous Compliance products](Continuous%20Compliance%20products.md)
|
||||
[ISO 27001 A 18 Compliance](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
|
||||
[ISO 27001 A 18 Compliance](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md)
|
||||
|
|
|
|||
|
|
@ -5,4 +5,4 @@ Previous work:
|
|||
|
||||
|
||||
Relevant ISO 27001 clauses/controls:
|
||||
- [ISO 27001 A 16.1 Management of information security incidents and improvements](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A%2016.1%20Management%20of%20information%20security%20incidents%20and%20improvements.md)
|
||||
- [ISO 27001 A 16.1 Management of information security incidents and improvements](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1%20Management%20of%20information%20security%20incidents%20and%20improvements.md)
|
||||
|
|
|
|||
|
|
@ -2,6 +2,6 @@ ISO 27001 seems to have a sort of outdated linear view of building and testing.
|
|||
How do the controls fit in with DevSecOps?
|
||||
|
||||
Related:
|
||||
[ISO 27001 A.14.2.8 System security testing](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A.14.2.8%20System%20security%20testing.md)
|
||||
[ISO 27001 A.14.2.9 System acceptance testing](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A.14.2.9%20System%20acceptance%20testing.md)
|
||||
[ISO 27001 A.14.2.8 System security testing](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2.8%20System%20security%20testing.md)
|
||||
[ISO 27001 A.14.2.9 System acceptance testing](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2.9%20System%20acceptance%20testing.md)
|
||||
[Red, Blue, and Purple Teams](../📚️%20Literature%20notes/Red,%20Blue,%20and%20Purple%20Teams.md)
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
ISO 27001 is a framework, and you cannot successfully implement it by treating the text of the standard as a series of instructions to be followed in the order in which they were printed. If you try that, things will become very confusing very quickly.
|
||||
|
||||
For example, the requirement of having an information security policy is first (?) mentioned in [Chapter 5.1](../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), "Leadership and commitment", where it says that top management must have it established, *together* with information security objectives. Then in [Chapter 5.2](../Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md), 'Policy', it states that these objectives form *part of* the information security policy, referencing forward to [Chapter 6.2](../MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md), "Information security objectives and planning to achieve them", which demands that organizations should set objectives consistent with the policy. Of course there's also a corresponding Control called "Policies for information security" ([5.1](../Standards/ISO27x/archive/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)), which explains that there will be an information security policy at the highest level of the organization, including objectives "or the framework for setting objectives", and further "topic-specific policies as needed", which of course need their own objectives.
|
||||
For example, the requirement of having an information security policy is first (?) mentioned in [Chapter 5.1](../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), "Leadership and commitment", where it says that top management must have it established, *together* with information security objectives. Then in [Chapter 5.2](../Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md), 'Policy', it states that these objectives form *part of* the information security policy, referencing forward to [Chapter 6.2](../MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md), "Information security objectives and planning to achieve them", which demands that organizations should set objectives consistent with the policy. Of course there's also a corresponding Control called "Policies for information security" ([5.1](../Standards/ISO27x/legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)), which explains that there will be an information security policy at the highest level of the organization, including objectives "or the framework for setting objectives", and further "topic-specific policies as needed", which of course need their own objectives.
|
||||
|
||||
Programmers may love this kind of recursiveness when it's in coding exercises.
|
||||
|
||||
|
|
|
|||
|
|
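Review bot: After the rewrite this one sentence links the 27002 control 5.1 note through `../Standards/ISO27x/legacy/iso27DIY mk I/ISO_27002_2022_5.1_MoC Policies for information security.md` while the clause 5.1, 5.2 and 6.2 links beside it resolve to `../MoCs/` and `../Standards/ISO27x/OST/27001/EN/`, so a reader meets current and legacy copies of the notes side by side; if a copy of that control note exists at the current location, point the control link there, and if it does not, this paragraph is where a `legacy/` path is first visible and a short hint that the legacy copy is still the reference would help.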
@ -24,5 +24,5 @@ tags:
|
|||
- [ISO_27002_2022_5.3_PE Segregation of duties](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.3_PE%20Segregation%20of%20duties.md)
|
||||
- [ISO_27002_2022_8.9_PE Configuration management](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_8.9_PE%20Configuration%20management.md)
|
||||
- [ISO_27002_2022_8.26_PE Application security requirements](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_8.26_PE%20Application%20security%20requirements.md)
|
||||
- [ISO 27x Control PE template](../Standards/ISO27x/archive/iso27DIY%20mk%20I/📒%20Templates/ISO%2027x%20Control%20PE%20template.md)
|
||||
- [ISO 27x Control PE template](../Standards/ISO27x/legacy/iso27DIY%20mk%20I/📒%20Templates/ISO%2027x%20Control%20PE%20template.md)
|
||||
-
|
||||
|
|
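Review bot: The trailing `-` after the template link is an empty list item that the rename leaves in place; drop it or fill it in while this file is being touched. The three `../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/...` links above it climb out of this repository into a sibling checkout, so they are unaffected by the `archive/` to `legacy/` move but resolve only when `iso27DIY-gis` sits next to this vault; if that layout is intended, a one-line note in the file saves the next reader a broken-link hunt.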
@ -1,8 +1,8 @@
|
|||
https://www.isms.online/iso-27001/how-to-develop-an-asset-inventory-for-iso-27001/
|
||||
|
||||
Relevant ISO 27001 clauses/controls:
|
||||
- [ISO 27001 A 8.1.1 Inventory of assets](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A%208.1.1%20Inventory%20of%20assets.md)
|
||||
- [ISO 27001 C 6.1.2 Information security risk assessment](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20C%206.1.2%20Information%20security%20risk%20assessment.md)
|
||||
- [ISO 27001 A 8.1.1 Inventory of assets](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.1.1%20Inventory%20of%20assets.md)
|
||||
- [ISO 27001 C 6.1.2 Information security risk assessment](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20C%206.1.2%20Information%20security%20risk%20assessment.md)
|
||||
|
||||
See also:
|
||||
- [Assets, Vulnerabilities, Threats, Risks](Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ There wil also be other project todos specific for the organization. Incorporate
|
|||
## PDCA cycle
|
||||
Controls from Annex A 'come alive' by connecting them to a real world Risk. Next, a Policy had to be defined (we are going to mitigate this risk by ...), the implementation of the Control and its associated Measuring mechanism needs to be planned, then after the Implementation the measurements need to be Evaluated and additional actions need to be identified (and planned) for the next cycle.
|
||||
|
||||
Related: [About ISO27DIY Policy Cards](../Standards/ISO27x/archive/About%20ISO27DIY%20Policy%20Cards.md)
|
||||
Related: [About ISO27DIY Policy Cards](../Standards/ISO27x/legacy/About%20ISO27DIY%20Policy%20Cards.md)
|
||||
|
||||
|
||||
## Activities and Artifacts
|
||||
|
|
|
|||
|
|
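Review bot: The rewritten link puts `About ISO27DIY Policy Cards.md` directly under `../Standards/ISO27x/legacy/`, whereas the other mk I material rewritten in this commit (`🧰 Resource portal.md` and the `ISO_27002_2022_5.1_MoC` note) lives under `legacy/iso27DIY mk I/`; if the Policy Cards explainer belongs to the same mk I edition, moving it alongside keeps the legacy folder self-describing, and if it does not, a short README at the top of `legacy/` saying what lives there would help.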
@ -8,5 +8,5 @@ Related:
|
|||
- [Checklist for auditing Cyber Operations](../📚️%20Literature%20notes/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Cyber%20Operations.md)
|
||||
|
||||
Relevant ISO 27001 clauses/controls:
|
||||
- [ISO 27001 C 5.3 Organizational roles, responsibilities and authorities](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20C%205.3%20Organizational%20roles,%20responsibilities%20and%20authorities.md)
|
||||
- [ISO 27001 A 6.1 Internal organization](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A%206.1%20Internal%20organization.md)
|
||||
- [ISO 27001 C 5.3 Organizational roles, responsibilities and authorities](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20C%205.3%20Organizational%20roles,%20responsibilities%20and%20authorities.md)
|
||||
- [ISO 27001 A 6.1 Internal organization](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%206.1%20Internal%20organization.md)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
Related:
|
||||
- [ISO 27001 A.14.2 Security in development and support processes](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A.14.2%20Security%20in%20development%20and%20support%20processes.md)
|
||||
- [ISO 27001 A.14.2 Security in development and support processes](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2%20Security%20in%20development%20and%20support%20processes.md)
|
||||
|
||||
|
||||
**Impact-Urgentie-matrix**
|
||||
|
|
|
|||
|
|
@ -5,5 +5,5 @@ See this [Wikipedia page](https://en.wikipedia.org/wiki/Stakeholder_analysis) on
|
|||
Different stakeholders have different interests. Think of your stereotypical IT Guy, who wants to screw everything down, and Marketing Guy, who wants maximum freedom in the data lake.
|
||||
|
||||
## Related
|
||||
- [ISO 27001_OT C 4 Context of the organization](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties)
|
||||
- [ISO 27001_OT C 4 Context of the organization](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties)
|
||||
- [ISO31000-5.4.1-Understanding-the-organization-and-its-context](../Standards/ISO27x/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
|
||||
|
|
|
|||
|
|
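Review bot: The unchanged context line linking `../Standards/ISO27x/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md` shows an ISO 31000 note filed at the top level of the ISO27x folder this commit is reorganizing; out of scope for a path-only rename, but worth a follow-up move (or a note on why it sits there) while the folder layout is being settled. The `#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties` heading anchor on the rewritten link is correctly carried over, since only the directory changed.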
@ -1,2 +1,2 @@
|
|||
[Zero Trust](../📚️%20Literature%20notes/Zero%20Trust.md) is a security principle that can be applied to systems and processes. [ISO 27001 A.13.2 Information transfer](../Standards/ISO27x/archive/ISO%2027001%202013/ISO%2027001%20A.13.2%20Information%20transfer.md) is a method to manage security risks.
|
||||
[Zero Trust](../📚️%20Literature%20notes/Zero%20Trust.md) is a security principle that can be applied to systems and processes. [ISO 27001 A.13.2 Information transfer](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.13.2%20Information%20transfer.md) is a method to manage security risks.
|
||||
|
||||
|
|
|
|||