Merge enrich-27002 changes into 27002-metadata

Corpus/Information security concepts MoC.md

@@ -0,0 +1,75 @@
+---
+Related:
+  - "[ISO\\_27002\\_OT 3 Terms, definitions and abbreviated terms](Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated%20terms.md)"
+  - https://csiac.org/databases/acronyms/
+tags:
+  - type/MoC
+---
+[Assets](🎇%20Sparks/Assets.md)
+	[NIST Asset Types](📚️%20Literature%20notes/NIST%20Asset%20Types.md)
+	[Asset lifecycle](📚️%20Literature%20notes/Asset%20lifecycle.md)
+	[Asset ownership](🎇%20Sparks/Asset%20ownership.md)
+	[[Asset ownership DEL]]
+	[Assets, Vulnerabilities, Threats, Risks](📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
+[Assets, Vulnerabilities, Threats, Risks](🎇%20Sparks/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
+[Attack Surface Analysis](📚️%20Literature%20notes/Attack%20Surface%20Analysis.md)
+[Authentication](Standards/ISO27x/Authentication.md)
+	[Multi-factor authentication](🎇%20Sparks/Multi-factor%20authentication.md) (MFA)
+	[Passwordless Authentication](🎇%20Sparks/Passwordless%20Authentication.md)
+	[Risk-Based Authentication](🎇%20Sparks/Risk-Based%20Authentication.md)
+	[Single Sign On (SSO)](📚️%20Literature%20notes/Single%20Sign%20On%20(SSO).md)
+	[Tokens](🎇%20Sparks/Tokens.md)
+[Authorization](Standards/ISO27x/Authorization.md)
+	[Access Control](🎇%20Sparks/Access%20Control.md)
+[Awareness](🎇%20Sparks/Awareness.md)
+[BCP_Bedrijfscontinuïteitsplanning](📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
+	[Business Impact Analysis (BIA)](🎇%20Sparks/Business%20Impact%20Analysis%20(BIA).md)
+	[Disaster Recovery Planning](🎇%20Sparks/Disaster%20Recovery%20Planning.md)
+[Change management MoC](MoCs/Change%20management%20MoC.md)
+[Classification](🎇%20Sparks/Classification.md)
+[Compliance](🎇%20Sparks/Compliance.md)
+[Data Breach](💡Permanent%20ideas/Data%20Breach.md)
+[Data Governance](📚️%20Literature%20notes/Data%20Governance.md)
+Frameworks
+	[ISO 27k family](../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md)
+	[NIST articles list](Standards/NIST/NIST%20articles%20list.md)
+[Governance](🎇%20Sparks/Governance.md)
+[[Hardening]]
+[Identity and Access Management (IAM)](💡Drafts%20and%20Ideas/Identity%20and%20Access%20Management%20(IAM).md)
+	[Identification](💡Drafts%20and%20Ideas/Identification.md)
+	[Authentication](Standards/ISO27x/Authentication.md)
+	[Authorization](Standards/ISO27x/Authorization.md)
+Impact
+	[Change management MoC](MoCs/Change%20management%20MoC.md)
+	[Impact of Disruption](💡Drafts%20and%20Ideas/Impact%20of%20Disruption.md)
+[Incidents](🎇%20Sparks/Incidents.md)
+[Maturity Models](📚️%20Literature%20notes/Maturity%20Models.md)
+[Metrics](📚️%20Literature%20notes/InfoSec%20Metrics.md)
+[Operational Technology](💡Drafts%20and%20Ideas/Operational%20Technology.md) or OT Security
+[Policies](📚️%20Literature%20notes/Policies.md)
+[[Posture Management]]
+[Ransomware](🎇%20Sparks/Ransomware.md)
+[Risks](🎇%20Sparks/Risks.md)
+	[Risk analysis](🎇%20Sparks/Risk%20analysis.md)
+	[Risk appetite](💡Drafts%20and%20Ideas/Risk%20appetite.md)
+	[Risk inventories](🎇%20Sparks/Risk%20inventories.md)
+	[Risk management](🎇%20Sparks/Risk%20management.md)
+	[Risk ownership](🎇%20Sparks/Risk%20ownership.md)
+	[Risk ownership](🎇%20Sparks/Risk%20ownership.md)
+	[Risk prioritization](🎇%20Sparks/Risk%20prioritization.md)
+	[Risk tolerance](🎇%20Sparks/Risk%20tolerance.md)
+	[Risk treatment](🎇%20Sparks/Risk%20treatment.md)
+	[Risks vs Threats vs Vulnerabilities](🎇%20Sparks/Risks%20vs%20Threats%20vs%20Vulnerabilities.md)
+[Roles and Responsibilities](🎇%20Sparks/Roles%20and%20Responsibilities.md)
+[Threat](📚️%20Literature%20notes/Threat.md)
+	[Threat Intelligence](🎇%20Sparks/Threat%20Intelligence.md)
+	[Security Threat Modeling](📚️%20Literature%20notes/Security%20Threat%20Modeling.md)
+	[Privacy Threat Modeling](📚️%20Literature%20notes/Privacy%20Threat%20Modeling.md)
+	[AI Threat Modeling](🎇%20Sparks/AI%20Threat%20Modeling.md)
+	[Threat Catalogues](📚️%20Literature%20notes/Threat%20Catalogues.md)
+[Vendor security MoC](🎇%20Sparks/Vendor%20security%20MoC.md) or Supply chain security
+[Vulnerability](💡Drafts%20and%20Ideas/Vulnerability.md)
+	[Bug bounty program](🎇%20Sparks/Bug%20bounty%20program.md)
+[Zero Trust](📚️%20Literature%20notes/Zero%20Trust.md)
+
+

Corpus/Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated-terms.md

@@ -1,7 +1,6 @@
+      
 ## 3.1 Terms and definitions
 
-  
-
 For the purposes of this document, the following terms and definitions apply.
 
   
@@ -72,7 +71,7 @@ ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, co
 
   
 
-— organization's structure.
+— organization’s structure.
 
   
 
@@ -112,7 +111,7 @@ Note 1 to entry: Material includes information and other associated _assets_ (3.
 
   
 
-[SOURCE: ISO/IEC 27050-1:2019, 3.1, modified — "Note 1 to entry" added]
+[SOURCE: ISO/IEC 27050-1:2019, 3.1, modified — “Note 1 to entry” added]
 
   
 
@@ -148,7 +147,7 @@ Note 2 to entry: Controls may not always exert the intended or assumed modifying
 
 **disrupti****on**
 
-incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization's objectives
+incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization’s objectives
 
   
 
@@ -248,7 +247,7 @@ occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or f
 
   
 
-[SOURCE: ISO/IEC 27035-1:2016, 3.3, modified — "breach of information security" has been replaced with "information security breach"]
+[SOURCE: ISO/IEC 27035-1:2016, 3.3, modified — “breach of information security” has been replaced with “information security breach”]
 
   
 
@@ -256,7 +255,7 @@ occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or f
 
 **information** **security incident**
 
-one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organization's _assets_ (3.1.2) or compromise its operations
+one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organization’s _assets_ (3.1.2) or compromise its operations
 
   
 
@@ -306,11 +305,11 @@ ability to prove the occurrence of a claimed event or action and its originating
 
 **pers****onnel**
 
-persons doing work under the organization's direction
+persons doing work under the organization’s direction
 
   
 
-Note 1 to entry: The concept of personnel includes the organization's members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.
+Note 1 to entry: The concept of personnel includes the organization’s members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.
 
   
 
@@ -348,7 +347,7 @@ any information that (a) can be used to establish a link between the information
 
   
 
-Note 1 to entry: The "natural person" in the definition is the _PII_ _principal_ (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.
+Note 1 to entry: The “natural person” in the definition is the _PII_ _principal_ (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.
 
   
 
@@ -364,7 +363,7 @@ natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.
 
   
 
-Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym "data subject" can also be used instead of the term "PII principal".
+Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.
 
   
 
@@ -394,7 +393,7 @@ intentions and direction of an organization, as formally expressed by its top ma
 
 **privacy** **impact** **assessment** **PIA**
 
-overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organization's broader risk management framework
+overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organization’s broader risk management framework
 
   
 
@@ -434,11 +433,37 @@ information created, received and maintained as evidence and as an _asset_ (3.1.
 
   
 
+  
+
+  
+
+  
+
+**4** © ISO/IEC 2022 – All rights reserved
+
+Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
+
+ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
+
+  
+
+  
+
+  
+
+**ISO/IEC 27002:2022(E)**
+
+  
+
+  
+
+  
+
 Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.
 
   
 
-[SOURCE: ISO 15489-1:2016, 3.14, modified— "Note 1 to entry" added.]
+[SOURCE: ISO 15489-1:2016, 3.14, modified— “Note 1 to entry” added.]
 
   
 
@@ -472,7 +497,7 @@ property of consistent intended behaviour and results
 
 **rule**
 
-accepted principle or instruction that states the organization's expectations on what is required to be done, what is allowed or not allowed
+accepted principle or instruction that states the organization’s expectations on what is required to be done, what is allowed or not allowed
 
   
 
@@ -516,7 +541,7 @@ EXAMPLE Topic-specific policy on _access_ _control_ (3.1.1), topic-specific poli
 
 **u****ser**
 
-_interested_ _party_ (3.1.18) with access to the organization's _information_ _systems_ (3.1.17)
+_interested_ _party_ (3.1.18) with access to the organization’s _information_ _systems_ (3.1.17)
 
   
 
@@ -524,6 +549,40 @@ EXAMPLE _Personnel_ (3.1.20), customers, suppliers.
 
   
 
+  
+
+  
+
+  
+
+© ISO/IEC 2022 – All rights reserved
+
+  
+
+  
+
+  
+
+  
+
+  
+
+**5**
+
+  
+
+  
+
+  
+
+**ISO/IEC 27002:2022(E)**
+
+  
+
+  
+
+  
+
 **3.1.37**
 
 **user** **endpoint** **device**
@@ -554,90 +613,202 @@ weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one
 
 ABAC attribute-based access control
 
+  
+
 ACL access control list
 
+  
+
 BIA business impact analysis
 
+  
+
 BYOD bring your own device
 
+  
+
 CAPTCHA completely automated public Turing test to tell computers and humans apart
 
+  
+
 CPU central processing unit
 
+  
+
 DAC discretionary access control
 
+  
+
 DNS domain name system
 
+  
+
 GPS global positioning system
 
+  
+
 IAM identity and access management
 
+  
+
 ICT information and communication technology
 
+  
+
 ID identifier
 
+  
+
 IDE integrated development environment
 
+  
+
 IDS intrusion detection system
 
+  
+
 IoT internet of things
 
+  
+
 IP internet protocol
 
+  
+
 IPS intrusion prevention system
 
+  
+
 IT information technology
 
+  
+
 ISMS information security management system
 
+  
+
 MAC mandatory access control
 
+  
+
 NTP network time protocol
 
+  
+
 PIA privacy impact assessment
 
+  
+
 PII personally identifiable information
 
+  
+
+  
+
+  
+
+**6** © ISO/IEC 2022 – All rights reserved
+
+Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
+
+ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
+
+  
+
+  
+
+  
+
+**ISO/IEC 27002:2022(E)**
+
+  
+
+  
+
+  
+
 PIN personal identification number
 
+  
+
 PKI public key infrastructure
 
+  
+
 PTP precision time protocol
 
+  
+
 RBAC role-based access control
 
+  
+
 RPO recovery point objective
 
+  
+
 RTO recovery time objective
 
+  
+
 SAST static application security testing
 
+  
+
 SD secure digital
 
+  
+
 SDN software-defined networking
 
+  
+
 SD-WAN software-defined wide area networking
 
+  
+
 SIEM security information and event management
 
+  
+
 SMS short message service
 
+  
+
 SQL structured query language
 
+  
+
 SSO single sign on
 
+  
+
 SWID software identification
 
+  
+
 UEBA user and entity behaviour analytics
 
+  
+
 UPS uninterruptible power supply
 
+  
+
 URL uniform resource locator
 
+  
+
 USB universal serial bus
 
+  
+
 VM virtual machine
 
+  
+
 VPN virtual private network
 
+  
+
 WiFi wireless fidelity

Corpus/Standards/ISO27x/OST/27002/EN/a-5.12-Classification-of-information.md

@@ -1,5 +1,3 @@
-#iso27002/2022/EN
-
 ## 5.12 Classification of information
 
 | Control type | Information security properties           | Cybersecurity concepts | Operational capabilities | Security domains     |

Corpus/Standards/ISO27x/OST/27002/EN/a-8.28-Secure-coding.md

@@ -1,8 +1,3 @@
-| Control type | Information security properties           | Cybersecurity concepts | Operational capabilities                           | Security domains |
-| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------------------- | ---------------- |
-| #Preventive  | #Confidentiality #Integrity #Availability | #Protect               | #Application_security #System_and_network_security | #Protection      |
-
-  
 ## 8.28 Secure coding
 
 #### Control

Corpus/Standards/ISO27x/OST/27002/EN/a-8.7-Protection-against-malware.md

@@ -1,4 +1,4 @@
-## 8.7  **Protection** **against** **malware**
+## 8.7  Protection against malware
 
 ## Control 
 Protection against malware should be implemented and supported by appropriate user awareness. 

Corpus/Standards/MoCs/ISO_27002_2022_8.25_MoC Secure development life cycle.md

@@ -1,5 +0,0 @@
-[[ISO_27002_2022_8.25_OT Secure development life cycle \|Original Text]]
-[[ISO_27002_2022_8.25_PE Secure development life cycle \|Plain English]]
-ISO 27002:2013: 14.2.1
-
-![[../../../../iso27DIY-gis/reference/examples/ci-cd-pipeline-security-best-practices.pdf]]