diff --git a/Corpus/Standards/ISO-27002-OST/en_reference_mapping_report.md b/Corpus/Standards/ISO-27002-OST/en_reference_mapping_report.md
new file mode 100644
index 0000000..5f20a82
--- /dev/null
+++ b/Corpus/Standards/ISO-27002-OST/en_reference_mapping_report.md
@@ -0,0 +1,111 @@ +# ISO 27002:2022 EN Reference Mapping Report + +**Generated:** 2026-04-21T15:32:31+02:00 + +## Summary +- Total references found: 100 +- Successfully matched: 100 +- Match accuracy: 100.0% + +| Source Control | Preceding 10 Words | Reference | Target Control | Match % | +| -------------- | ------------------------------------------------------------------------------------------------- | --------- | ---------------------------------------------------------------------- | ------- | +| Control 5.10 | the full information life cycle in accordance with its classification | 5.12 | 5.12 Classification of information | 100% | +| Control 5.10 | of assets associated with information in accordance with manufacturers’ specifications | 7.8 | 7.8 Equipment siting and protection | 100% | +| Control 5.10 | (electronic or physical) for the attention of the authorized recipient | 7.10 | 7.10 Storage media | 100% | +| Control 5.10 | of information and other associated assets and supported deletion method(s) | 8.10 | 8.10 Information deletion | 100% | +| Control 5.11 | transferred to the organization and securely deleted from the equipment | 7.14 | 7.14 Secure disposal or re-use of equipment | 100% | +| Control 5.12 | should be aligned to the topic-specific policy on access control | 5.1 | 5.1 Policies for information security | 100% | +| Control 5.14 | and maintained to protect information in all forms in transit | 5.10 | 5.10 Acceptable use of information and other associated assets | 100% | +| Control 5.14 | to protect sensitive information, such as use of cryptographic techniques | 8.24 | 8.24 Use of cryptography | 100% | +| Control 5.14 | is immediately understood and that the information is appropriately protected | 5.13 | 5.13 Labelling of information | 100% | +| Control 5.14 | policy or guidelines on acceptable use of information transfer facilities | 5.10 | 5.10 Acceptable use of information and other associated assets | 100% | +| Control 5.14 | that can 
be transmitted through the use of electronic communications | 8.7 | 8.7 Protection against malware | 100% | +| Control 5.15 | the information and other associated assets; b\) security of applications | 8.26 | 8.26 Application security requirements | 100% | +| Control 5.15 | information (see 5.10, 5.12, 5.13); e\) restrictions to privileged access | 8.2 | 8.2 Privileged access rights | 100% | +| Control 5.15 | requests (see 5.16and 5.18); j\) the management of access rights | 5.18 | 5.18 Access rights | 100% | +| Control 5.15 | mapping appropriate access rights and restrictions to the relevant entities | 5.16 | 5.16 Identity management | 100% | +| Control 5.15 | generally permitted unless expressly forbidden”; b\) changes in information labels | 5.13 | 5.13 Labelling of information | 100% | +| Control 5.16 | treated. This can include controls related to the third parties | 5.19 | 5.19 Information security in supplier relationships | 100% | +| Control 5.16 | the identity, based on appropriate authorization or entitle ment decisions | 5.18 | 5.18 Access rights | 100% | +| Control 5.17 | rules is also included in terms and conditions of employment | 6.2 | 6.2 Terms and conditions of employment | 100% | +| Control 5.17 | should be performed according to approved cryptographic techniques for passwords | 8.24 | 8.24 Use of cryptography | 100% | +| Control 5.18 | for the use of the information and other associated assets | 5.9 | 5.9 Inventory of information and other associated assets | 100% | +| Control 5.18 | is in accordance with the topic-specific policies on access control | 5.15 | 5.15 Access control | 100% | +| Control 5.26 | responded to by a designated team with the required competency | 5.24 | 5.24 Information security incident management planning and preparation | 100% | +| Control 5.26 | spread, the systems affected by the incident; b\) collecting evidence | 5.28 | 5.28 Collection of evidence | 100% | +| Control 5.26 | recording it; h\) conducting information 
security forensic analysis, as required | 5.28 | 5.28 Collection of evidence | 100% | +| Control 5.26 | Ensure it is documented and communicated according to defined procedures | 5.27 | 5.27 Learning from information security incidents | 100% | +| Control 5.31 | stated in: a\) contracts with clients; b\) contracts with suppliers | 5.20 | 5.20 Addressing information security within supplier agreements | 100% | +| Control 5.33 | records for the length of time the records are retained | 8.24 | 8.24 Use of cryptography | 100% | +| Control 5.35 | security stated in the information security policy and topic-specific policies | 5.1 | 5.1 Policies for information security | 100% | +| Control 5.36 | report the results to the persons carrying out independent reviews | 5.35 | 5.35 Independent review of information security | 100% | +| Control 5.37 | and handling of information, both automated and manual; d\) backup | 8.13 | 8.13 Information backup | 100% | +| Control 5.37 | exceptional conditions \[e.g. 
restrictions on the use of utility programs | 8.18 | 8.18 Use of privileged utility programs | 100% | +| Control 5.37 | log information (see 8.15 and 8.17) and video monitoring systems | 7.4 | 7.4 Physical security monitoring | 100% | +| Control 5.4 | security relevant to their roles and responsibilities within the organization | 6.3 | 6.3 Information security awareness, education and training | 100% | +| Control 5.9 | be classified in accordance with the classification of the information | 5.12 | 5.12 Classification of information | 100% | +| Control 5.9 | for the acceptable use of information and other associated assets | 5.10 | 5.10 Acceptable use of information and other associated assets | 100% | +| Control 6.2 | to being given access to information and other associated assets | 6.6 | 6.6 Confidentiality or non-disclosure agreements | 100% | +| Control 6.2 | to be taken if personnel disregard the organization’s security requirements | 6.4 | 6.4 Disciplinary process | 100% | +| Control 6.2 | for a defined period after the end of the employment | 6.5 | 6.5 Responsibilities after termination or change of employment | 100% | +| Control 6.4 | prior verification that an information security policy violation has occurred | 5.28 | 5.28 Collection of evidence | 100% | +| Control 6.5 | as well as responsibilities contained within any other confidentiality agreement | 6.6 | 6.6 Confidentiality or non-disclosure agreements | 100% | +| Control 6.5 | be contained in the individual’s terms and conditions of employment | 6.2 | 6.2 Terms and conditions of employment | 100% | +| Control 6.7 | information and other associated assets, and information security event reporting | 6.8 | 6.8 Information security event reporting | 100% | +| Control 7.10 | securely deleting data or formatting the storage media before reuse | 8.10 | 8.10 Information deletion | 100% | +| Control 7.10 | be physically destroyed rather than sent for repair or discarded | 7.14 | 7.14 Secure disposal or re-use 
of equipment | 100% | +| Control 7.13 | for remote maintenance; h\) applying security measures for assets off-premises | 7.9 | 7.9 Security of assets off-premises | 100% | +| Control 7.13 | k\) applying measures for secure disposal or re-use of equipment | 7.14 | 7.14 Secure disposal or re-use of equipment | 100% | +| Control 7.2 | include the provision, periodical review, update and revocation of authorizations | 5.18 | 5.18 Access rights | 100% | +| Control 7.2 | electronic audit trail of all access and protecting all logs | 5.33 | 5.33 Protection of records | 100% | +| Control 7.9 | of such removals in order to maintain an audit trail | 5.14 | 5.14 Information transfer | 100% | +| Control 7.9 | equipment outside of the organization’s premises: a\) physical security monitoring | 7.4 | 7.4 Physical security monitoring | 100% | +| Control 8.13 | meet the objectives of incident response and business continuity plans | 5.30 | 5.30 ICT readiness for business continuity | 100% | +| Control 8.13 | archive copies. The organization should consider the deletion of information | 8.10 | 8.10 Information deletion | 100% | +| Control 8.14 | strong relationship between redundancy and ICT readiness for business continuity | 5.30 | 5.30 ICT readiness for business continuity | 100% | +| Control 8.15 | is important for all systems to have synchronized time sources | 8.17 | 8.17 Clock synchronization | 100% | +| Control 8.15 | on data retention or requirements to collect and retain evidence | 5.28 | 5.28 Collection of evidence | 100% | +| Control 8.15 | logs should be de-identified where possible using data masking techniques | 8.11 | 8.11 Data masking | 100% | +| Control 8.15 | personally identifiable information. Appropriate privacy protection measures should be taken | 5.34 | 5.34 Privacy and protection of PII | 100% | +| Control 8.15 | considered. 
Event logging sets the foundation for automated monitoring systems | 8.16 | 8.16 Monitoring activities | 100% | +| Control 8.16 | the following activities: auditing, security evaluation, vulnerability scanning and monitoring | 5.25 | 5.25 Assessment and decision on information security events | 100% | +| Control 8.16 | manner, in order to minimize the effect of adverse events | 5.26 | 5.26 Response to information security incidents | 100% | +| Control 8.16 | monitoring can be enhanced by: a\) leveraging threat intelligence systems | 5.7 | 5.7 Threat intelligence | 100% | +| Control 8.18 | programs to the minimum practical number of trusted, authorized users | 8.2 | 8.2 Privileged access rights | 100% | +| Control 8.19 | operational software only by trained administrators upon appropriate management authorization | 8.5 | 8.5 Secure authentication | 100% | +| Control 8.19 | and with appropriate authorization. The supplier’s activities should be monitored | 5.22 | 5.22 Monitoring, review and change management of supplier services | 100% | +| Control 8.1 | web services and web applications; m\) end user behaviour analytics | 8.16 | 8.16 Monitoring activities | 100% | +| Control 8.1 | recommendations on this control should be enforced through configuration management | 8.9 | 8.9 Configuration management | 100% | +| Control 8.20 | operational responsibility for networks from ICT system operations where appropriate | 5.3 | 5.3 Segregation of duties | 100% | +| Control 8.22 | be in accordance with the topic-specific policy on access control | 5.15 | 5.15 Access control | 100% | +| Control 8.22 | has passed through a gateway in accordance with network controls | 8.20 | 8.20 Networks security | 100% | +| Control 8.23 | and control servers; d\) malicious website acquired from threat intelligence | 5.7 | 5.7 Threat intelligence | 100% | +| Control 8.24 | use of cryptography; 2\) the key management, including key generation | 8.24 | 8.24 Use of cryptography | 100% | +| Control 
8.24 | well as the issues of trans-border flow of encrypted information | 5.31 | 5.31 Legal, statutory, regulatory and contractual requirements | 100% | +| Control 8.24 | of services and response times for the provision of services | 5.22 | 5.22 Monitoring, review and change management of supplier services | 100% | +| Control 8.29 | should include testing of: a\) security functions \[e.g. user authentication | 8.5 | 8.5 Secure authentication | 100% | +| Control 8.29 | that the system works as expected and only as expected | 5.8 | 5.8 Information security in project management | 100% | +| Control 8.29 | Contracts with the supplier should address the identified security requirements | 5.20 | 5.20 Addressing information security within supplier agreements | 100% | +| Control 8.29 | to the organization’s environment and that the tests are reliable | 8.31 | 8.31 Separation of development, test and production environments | 100% | +| Control 8.2 | in accordance with the relevant topic-specific policy on access control | 5.15 | 5.15 Access control | 100% | +| Control 8.2 | basis in line with the topic-specific policy on access control | 5.15 | 5.15 Access control | 100% | +| Control 8.2 | competence still qualify them for working with privileged access rights | 5.18 | 5.18 Access rights | 100% | +| Control 8.2 | configuration capabilities. 
Managing and protecting authentication information of such identities | 5.17 | 5.17 Authentication information | 100% | +| Control 8.30 | ownership and intellectual property rights related to the outsourced content | 5.32 | 5.32 Intellectual property rights | 100% | +| Control 8.30 | acceptance testing for the quality and accuracy of the deliverables | 8.29 | 8.29 Security testing in development and acceptance | 100% | +| Control 8.30 | processes and controls; j\) security requirements for the development environment | 8.31 | 8.31 Separation of development, test and production environments | 100% | +| Control 8.31 | or staging environment prior to being applied to production systems | 8.29 | 8.29 Security testing in development and acceptance | 100% | +| Control 8.32 | parties; d\) tests and acceptance of tests for the changes | 8.29 | 8.29 Security testing in development and acceptance | 100% | +| Control 8.32 | include all of the above; h\) ensuring that operating documentation | 5.37 | 5.37 Documented operating procedures | 100% | +| Control 8.32 | ensuring that ICT continuity plans and response and recovery procedures | 5.30 | 5.30 ICT readiness for business continuity | 100% | +| Control 8.32 | an environment segregated from both the production and development environments | 8.31 | 8.31 Separation of development, test and production environments | 100% | +| Control 8.33 | should not be copied into the development and testing environments | 8.31 | 8.31 Separation of development, test and production environments | 100% | +| Control 8.33 | audit trail; d\) protecting sensitive information by removal or masking | 8.11 | 8.11 Data masking | 100% | +| Control 8.4 | access to source code in accordance with change control procedures | 8.32 | 8.32 Change management | 100% | +| Control 8.8 | reporting, handling and disclosure, including the requirements in applicable contracts | 5.20 | 5.20 Addressing information security within supplier agreements | 100% | +| Control 
8.8 | code for vulnerabilities. This should be included in secure coding | 8.28 | 8.28 Secure coding | 100% | +| Control 8.8 | the action according to the controls related to change management | 8.32 | 8.32 Change management | 100% | +| Control 8.8 | reporting the cloud service provider's actions relating to technical vulnerabilities | 5.23 | 5.23 Information security for use of cloud services | 100% | +| Control 8.8 | can take advantage of the change management processes and procedures | 8.32 | 8.32 Change management | 100% | +| Control 8.9 | of inactivity; h) verifying that licence requirements have been met | 5.32 | 5.32 Intellectual property rights | 100% | +| Control 8.9 | templates. Changes to configurations should follow the change management process | 8.32 | 8.32 Change management | 100% | \ No newline at end of file diff --git a/Corpus/Standards/ISO-27002-OST/identify_en_links.py b/Corpus/Standards/ISO-27002-OST/identify_en_links.py new file mode 100644 index 0000000..75e0481 --- /dev/null +++ b/Corpus/Standards/ISO-27002-OST/identify_en_links.py 
@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+import os
+import re
+from pathlib import Path
+
+
+def version_parse(v):
+ return tuple(map(int, (v.split("."))))
+
+
+# Configuration
+EN_FOLDER = "ISO27002-EN-2022"
+EN_PATTERN = re.compile(r"ISO_27002_2022_([\d\.]+)_OT(.*)\.md")
+EN_REF_PATTERN = re.compile(r"((?:\S+\s+){15})\(see ([\d\.]+)\)")
+
+
+def main():
+ # Build index of EN files by section number
+ en_index = {}
+ for filename in os.listdir(EN_FOLDER):
+ if not filename.endswith(".md"):
+ continue
+ match = EN_PATTERN.match(filename)
+ if match:
+ section = match.group(1)
+ title = match.group(2).strip()
+ en_index[section] = {
+ "filename": filename,
+ "title": title,
+ "display": f"{section} {title}",
+ }
+
+ report_content = []
+ report_content.append("# ISO 27002:2022 EN Reference Mapping Report")
+ report_content.append("")
+ report_content.append(f"**Generated:** {os.popen('date -Iseconds').read().strip()}")
+ report_content.append("")
+ report_content.append("## Summary")
+
+ total_references = 0
+ matched = 0
+
+ # Collect all entries first
+ entries = []
+
+ # Scan all EN files
+ for filename in sorted(os.listdir(EN_FOLDER)):
+ if not filename.endswith(".md"):
+ continue
+ file_path = os.path.join(EN_FOLDER, filename)
+
+ # Extract source control number
+ src_match = EN_PATTERN.match(filename)
+ if not src_match:
+ continue
+ src_section = src_match.group(1)
+ src_control = f"Control {src_section}"
+
+ with open(file_path, "r", encoding="utf-8") as f:
+ content = f.read()
+
+ matches = EN_REF_PATTERN.findall(content)
+ for preceding_text, ref in matches:
+ total_references += 1
+ ref_norm = ref.strip()
+
+ preceding_words = " ".join(preceding_text.strip().split()[-10:])
+
+ if ref_norm in en_index:
+ probability = 100
+ target_control = en_index[ref_norm]["display"]
+ matched += 1
+ else:
+ probability = 0
+ target_control = "NO MATCH"
+
+ entries.append(
+ [src_control, preceding_words, ref_norm, target_control, probability]
+ )
+
+ report_content.append(f"- Total references found: {total_references}")
+ report_content.append(f"- Successfully matched: {matched}")
+ report_content.append(
+ f"- Match accuracy: {round(matched / total_references * 100, 1)}%"
+ )
+ report_content.append("")
+ report_content.append(
+ "| Source Control | Preceding 10 Words | Reference | Target Control | Match % |"
+ )
+ report_content.append(
+ "|----------------|--------------------|-----------|----------------|---------|"
+ )
+
+ for entry in entries:
+ report_content.append(
+ f"| {entry[0]} | {entry[1]} | {entry[2]} | {entry[3]} | {entry[4]}% |"
+ )
+
+ with open("en_reference_mapping_report.md", "w", encoding="utf-8") as f:
+ f.write("\n".join(report_content))
+
+ print(f"Markdown report written to en_reference_mapping_report.md")
+ print(
+ f"Summary: {matched}/{total_references} references matched ({round(matched / total_references * 100, 1)}%)"
+ )
+
+
+if __name__ == "__main__":
+ main()
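Review bot: `round(matched / total_references * 100, 1)` in main() raises ZeroDivisionError whenever no `(see X.Y)` reference is found (an empty or mis-named EN_FOLDER, or files that don't match EN_PATTERN), so nothing is written and the traceback is the only output; compute it once, `accuracy = round(matched / total_references * 100, 1) if total_references else 0.0`, and use `accuracy` in both the report line and the final print. The reported "100% match accuracy" also only measures references the regex managed to find: EN_REF_PATTERN demands exactly 15 whitespace-separated tokens before `(see` and a single number inside the parentheses, so a reference in the first 15 words of a file and multi-reference forms such as `(see 5.10, 5.12, 5.13)` (visible in the generated report's preceding-text column) are silently skipped and never counted as misses — either document that on the pattern, e.g. `# NOTE: single-reference "(see X.Y)" only; multi-refs and refs in the first 15 words are not counted`, or loosen it to `{0,15}` with a comma-separated capture and split the captured list. The timestamp via `os.popen('date -Iseconds')` spawns a shell for a value the stdlib provides directly and portably, `datetime.now().astimezone().isoformat(timespec="seconds")`; it also avoids an empty "Generated:" line on systems without GNU `date -I`. `version_parse` and the `Path` import are unused in this hunk.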