checks before turning references into markdown links
This commit is contained in:
parent
8d7bcf8c46
commit
5bb847a75e
2 changed files with 220 additions and 0 deletions
111
Corpus/Standards/ISO-27002-OST/en_reference_mapping_report.md
Normal file
@ -0,0 +1,111 @@
# ISO 27002:2022 EN Reference Mapping Report

**Generated:** 2026-04-21T15:32:31+02:00

## Summary
- Total references found: 100
- Successfully matched: 100
- Match accuracy: 100.0%

| Source Control | Preceding 10 Words | Reference | Target Control | Match % |
| -------------- | ------------------------------------------------------------------------------------------------- | --------- | ---------------------------------------------------------------------- | ------- |
| Control 5.10 | the full information life cycle in accordance with its classification | 5.12 | 5.12 Classification of information | 100% |
| Control 5.10 | of assets associated with information in accordance with manufacturers’ specifications | 7.8 | 7.8 Equipment siting and protection | 100% |
| Control 5.10 | (electronic or physical) for the attention of the authorized recipient | 7.10 | 7.10 Storage media | 100% |
| Control 5.10 | of information and other associated assets and supported deletion method(s) | 8.10 | 8.10 Information deletion | 100% |
| Control 5.11 | transferred to the organization and securely deleted from the equipment | 7.14 | 7.14 Secure disposal or re-use of equipment | 100% |
| Control 5.12 | should be aligned to the topic-specific policy on access control | 5.1 | 5.1 Policies for information security | 100% |
| Control 5.14 | and maintained to protect information in all forms in transit | 5.10 | 5.10 Acceptable use of information and other associated assets | 100% |
| Control 5.14 | to protect sensitive information, such as use of cryptographic techniques | 8.24 | 8.24 Use of cryptography | 100% |
| Control 5.14 | is immediately understood and that the information is appropriately protected | 5.13 | 5.13 Labelling of information | 100% |
| Control 5.14 | policy or guidelines on acceptable use of information transfer facilities | 5.10 | 5.10 Acceptable use of information and other associated assets | 100% |
| Control 5.14 | that can be transmitted through the use of electronic communications | 8.7 | 8.7 Protection against malware | 100% |
| Control 5.15 | the information and other associated assets; b\) security of applications | 8.26 | 8.26 Application security requirements | 100% |
| Control 5.15 | information (see 5.10, 5.12, 5.13); e\) restrictions to privileged access | 8.2 | 8.2 Privileged access rights | 100% |
| Control 5.15 | requests (see 5.16and 5.18); j\) the management of access rights | 5.18 | 5.18 Access rights | 100% |
| Control 5.15 | mapping appropriate access rights and restrictions to the relevant entities | 5.16 | 5.16 Identity management | 100% |
| Control 5.15 | generally permitted unless expressly forbidden”; b\) changes in information labels | 5.13 | 5.13 Labelling of information | 100% |
| Control 5.16 | treated. This can include controls related to the third parties | 5.19 | 5.19 Information security in supplier relationships | 100% |
| Control 5.16 | the identity, based on appropriate authorization or entitle ment decisions | 5.18 | 5.18 Access rights | 100% |
| Control 5.17 | rules is also included in terms and conditions of employment | 6.2 | 6.2 Terms and conditions of employment | 100% |
| Control 5.17 | should be performed according to approved cryptographic techniques for passwords | 8.24 | 8.24 Use of cryptography | 100% |
| Control 5.18 | for the use of the information and other associated assets | 5.9 | 5.9 Inventory of information and other associated assets | 100% |
| Control 5.18 | is in accordance with the topic-specific policies on access control | 5.15 | 5.15 Access control | 100% |
| Control 5.26 | responded to by a designated team with the required competency | 5.24 | 5.24 Information security incident management planning and preparation | 100% |
| Control 5.26 | spread, the systems affected by the incident; b\) collecting evidence | 5.28 | 5.28 Collection of evidence | 100% |
| Control 5.26 | recording it; h\) conducting information security forensic analysis, as required | 5.28 | 5.28 Collection of evidence | 100% |
| Control 5.26 | Ensure it is documented and communicated according to defined procedures | 5.27 | 5.27 Learning from information security incidents | 100% |
| Control 5.31 | stated in: a\) contracts with clients; b\) contracts with suppliers | 5.20 | 5.20 Addressing information security within supplier agreements | 100% |
| Control 5.33 | records for the length of time the records are retained | 8.24 | 8.24 Use of cryptography | 100% |
| Control 5.35 | security stated in the information security policy and topic-specific policies | 5.1 | 5.1 Policies for information security | 100% |
| Control 5.36 | report the results to the persons carrying out independent reviews | 5.35 | 5.35 Independent review of information security | 100% |
| Control 5.37 | and handling of information, both automated and manual; d\) backup | 8.13 | 8.13 Information backup | 100% |
| Control 5.37 | exceptional conditions \[e.g. restrictions on the use of utility programs | 8.18 | 8.18 Use of privileged utility programs | 100% |
| Control 5.37 | log information (see 8.15 and 8.17) and video monitoring systems | 7.4 | 7.4 Physical security monitoring | 100% |
| Control 5.4 | security relevant to their roles and responsibilities within the organization | 6.3 | 6.3 Information security awareness, education and training | 100% |
| Control 5.9 | be classified in accordance with the classification of the information | 5.12 | 5.12 Classification of information | 100% |
| Control 5.9 | for the acceptable use of information and other associated assets | 5.10 | 5.10 Acceptable use of information and other associated assets | 100% |
| Control 6.2 | to being given access to information and other associated assets | 6.6 | 6.6 Confidentiality or non-disclosure agreements | 100% |
| Control 6.2 | to be taken if personnel disregard the organization’s security requirements | 6.4 | 6.4 Disciplinary process | 100% |
| Control 6.2 | for a defined period after the end of the employment | 6.5 | 6.5 Responsibilities after termination or change of employment | 100% |
| Control 6.4 | prior verification that an information security policy violation has occurred | 5.28 | 5.28 Collection of evidence | 100% |
| Control 6.5 | as well as responsibilities contained within any other confidentiality agreement | 6.6 | 6.6 Confidentiality or non-disclosure agreements | 100% |
| Control 6.5 | be contained in the individual’s terms and conditions of employment | 6.2 | 6.2 Terms and conditions of employment | 100% |
| Control 6.7 | information and other associated assets, and information security event reporting | 6.8 | 6.8 Information security event reporting | 100% |
| Control 7.10 | securely deleting data or formatting the storage media before reuse | 8.10 | 8.10 Information deletion | 100% |
| Control 7.10 | be physically destroyed rather than sent for repair or discarded | 7.14 | 7.14 Secure disposal or re-use of equipment | 100% |
| Control 7.13 | for remote maintenance; h\) applying security measures for assets off-premises | 7.9 | 7.9 Security of assets off-premises | 100% |
| Control 7.13 | k\) applying measures for secure disposal or re-use of equipment | 7.14 | 7.14 Secure disposal or re-use of equipment | 100% |
| Control 7.2 | include the provision, periodical review, update and revocation of authorizations | 5.18 | 5.18 Access rights | 100% |
| Control 7.2 | electronic audit trail of all access and protecting all logs | 5.33 | 5.33 Protection of records | 100% |
| Control 7.9 | of such removals in order to maintain an audit trail | 5.14 | 5.14 Information transfer | 100% |
| Control 7.9 | equipment outside of the organization’s premises: a\) physical security monitoring | 7.4 | 7.4 Physical security monitoring | 100% |
| Control 8.13 | meet the objectives of incident response and business continuity plans | 5.30 | 5.30 ICT readiness for business continuity | 100% |
| Control 8.13 | archive copies. The organization should consider the deletion of information | 8.10 | 8.10 Information deletion | 100% |
| Control 8.14 | strong relationship between redundancy and ICT readiness for business continuity | 5.30 | 5.30 ICT readiness for business continuity | 100% |
| Control 8.15 | is important for all systems to have synchronized time sources | 8.17 | 8.17 Clock synchronization | 100% |
| Control 8.15 | on data retention or requirements to collect and retain evidence | 5.28 | 5.28 Collection of evidence | 100% |
| Control 8.15 | logs should be de-identified where possible using data masking techniques | 8.11 | 8.11 Data masking | 100% |
| Control 8.15 | personally identifiable information. Appropriate privacy protection measures should be taken | 5.34 | 5.34 Privacy and protection of PII | 100% |
| Control 8.15 | considered. Event logging sets the foundation for automated monitoring systems | 8.16 | 8.16 Monitoring activities | 100% |
| Control 8.16 | the following activities: auditing, security evaluation, vulnerability scanning and monitoring | 5.25 | 5.25 Assessment and decision on information security events | 100% |
| Control 8.16 | manner, in order to minimize the effect of adverse events | 5.26 | 5.26 Response to information security incidents | 100% |
| Control 8.16 | monitoring can be enhanced by: a\) leveraging threat intelligence systems | 5.7 | 5.7 Threat intelligence | 100% |
| Control 8.18 | programs to the minimum practical number of trusted, authorized users | 8.2 | 8.2 Privileged access rights | 100% |
| Control 8.19 | operational software only by trained administrators upon appropriate management authorization | 8.5 | 8.5 Secure authentication | 100% |
| Control 8.19 | and with appropriate authorization. The supplier’s activities should be monitored | 5.22 | 5.22 Monitoring, review and change management of supplier services | 100% |
| Control 8.1 | web services and web applications; m\) end user behaviour analytics | 8.16 | 8.16 Monitoring activities | 100% |
| Control 8.1 | recommendations on this control should be enforced through configuration management | 8.9 | 8.9 Configuration management | 100% |
| Control 8.20 | operational responsibility for networks from ICT system operations where appropriate | 5.3 | 5.3 Segregation of duties | 100% |
| Control 8.22 | be in accordance with the topic-specific policy on access control | 5.15 | 5.15 Access control | 100% |
| Control 8.22 | has passed through a gateway in accordance with network controls | 8.20 | 8.20 Networks security | 100% |
| Control 8.23 | and control servers; d\) malicious website acquired from threat intelligence | 5.7 | 5.7 Threat intelligence | 100% |
| Control 8.24 | use of cryptography; 2\) the key management, including key generation | 8.24 | 8.24 Use of cryptography | 100% |
| Control 8.24 | well as the issues of trans-border flow of encrypted information | 5.31 | 5.31 Legal, statutory, regulatory and contractual requirements | 100% |
| Control 8.24 | of services and response times for the provision of services | 5.22 | 5.22 Monitoring, review and change management of supplier services | 100% |
| Control 8.29 | should include testing of: a\) security functions \[e.g. user authentication | 8.5 | 8.5 Secure authentication | 100% |
| Control 8.29 | that the system works as expected and only as expected | 5.8 | 5.8 Information security in project management | 100% |
| Control 8.29 | Contracts with the supplier should address the identified security requirements | 5.20 | 5.20 Addressing information security within supplier agreements | 100% |
| Control 8.29 | to the organization’s environment and that the tests are reliable | 8.31 | 8.31 Separation of development, test and production environments | 100% |
| Control 8.2 | in accordance with the relevant topic-specific policy on access control | 5.15 | 5.15 Access control | 100% |
| Control 8.2 | basis in line with the topic-specific policy on access control | 5.15 | 5.15 Access control | 100% |
| Control 8.2 | competence still qualify them for working with privileged access rights | 5.18 | 5.18 Access rights | 100% |
| Control 8.2 | configuration capabilities. Managing and protecting authentication information of such identities | 5.17 | 5.17 Authentication information | 100% |
| Control 8.30 | ownership and intellectual property rights related to the outsourced content | 5.32 | 5.32 Intellectual property rights | 100% |
| Control 8.30 | acceptance testing for the quality and accuracy of the deliverables | 8.29 | 8.29 Security testing in development and acceptance | 100% |
| Control 8.30 | processes and controls; j\) security requirements for the development environment | 8.31 | 8.31 Separation of development, test and production environments | 100% |
| Control 8.31 | or staging environment prior to being applied to production systems | 8.29 | 8.29 Security testing in development and acceptance | 100% |
| Control 8.32 | parties; d\) tests and acceptance of tests for the changes | 8.29 | 8.29 Security testing in development and acceptance | 100% |
| Control 8.32 | include all of the above; h\) ensuring that operating documentation | 5.37 | 5.37 Documented operating procedures | 100% |
| Control 8.32 | ensuring that ICT continuity plans and response and recovery procedures | 5.30 | 5.30 ICT readiness for business continuity | 100% |
| Control 8.32 | an environment segregated from both the production and development environments | 8.31 | 8.31 Separation of development, test and production environments | 100% |
| Control 8.33 | should not be copied into the development and testing environments | 8.31 | 8.31 Separation of development, test and production environments | 100% |
| Control 8.33 | audit trail; d\) protecting sensitive information by removal or masking | 8.11 | 8.11 Data masking | 100% |
| Control 8.4 | access to source code in accordance with change control procedures | 8.32 | 8.32 Change management | 100% |
| Control 8.8 | reporting, handling and disclosure, including the requirements in applicable contracts | 5.20 | 5.20 Addressing information security within supplier agreements | 100% |
| Control 8.8 | code for vulnerabilities. This should be included in secure coding | 8.28 | 8.28 Secure coding | 100% |
| Control 8.8 | the action according to the controls related to change management | 8.32 | 8.32 Change management | 100% |
| Control 8.8 | reporting the cloud service provider's actions relating to technical vulnerabilities | 5.23 | 5.23 Information security for use of cloud services | 100% |
| Control 8.8 | can take advantage of the change management processes and procedures | 8.32 | 8.32 Change management | 100% |
| Control 8.9 | of inactivity; h) verifying that licence requirements have been met | 5.32 | 5.32 Intellectual property rights | 100% |
| Control 8.9 | templates. Changes to configurations should follow the change management process | 8.32 | 8.32 Change management | 100% |
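Review bot: the "Match accuracy: 100.0%" line overstates what this report verifies. "Match %" is 100 whenever the referenced section number exists as an EN file and 0 otherwise, so it measures index coverage, not whether the extracted reference points at the intended target, and the table itself shows references the extractor never captured as rows of their own: `(see 5.10, 5.12, 5.13)` in the second Control 5.15 row, `(see 5.16and 5.18)` in the row after it, and `(see 8.15 and 8.17)` under Control 5.37. Suggest either wording the summary as "section number found in index" or regenerating once the extractor handles multi-reference parentheticals, since "Total references found: 100" undercounts. Also consider whether a generated report carrying a run timestamp belongs in the repo, as it will diff on every regeneration.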
109
Corpus/Standards/ISO-27002-OST/identify_en_links.py
Normal file
@ -0,0 +1,109 @@
#!/usr/bin/env python3
import os
import re
from pathlib import Path


def version_parse(v):
return tuple(map(int, (v.split("."))))


# Configuration
EN_FOLDER = "ISO27002-EN-2022"
EN_PATTERN = re.compile(r"ISO_27002_2022_([\d\.]+)_OT(.*)\.md")
EN_REF_PATTERN = re.compile(r"((?:\S+\s+){15})\(see ([\d\.]+)\)")


def main():
# Build index of EN files by section number
en_index = {}
for filename in os.listdir(EN_FOLDER):
if not filename.endswith(".md"):
continue
match = EN_PATTERN.match(filename)
if match:
section = match.group(1)
title = match.group(2).strip()
en_index[section] = {
"filename": filename,
"title": title,
"display": f"{section} {title}",
}

report_content = []
report_content.append("# ISO 27002:2022 EN Reference Mapping Report")
report_content.append("")
report_content.append(f"**Generated:** {os.popen('date -Iseconds').read().strip()}")
report_content.append("")
report_content.append("## Summary")

total_references = 0
matched = 0

# Collect all entries first
entries = []

# Scan all EN files
for filename in sorted(os.listdir(EN_FOLDER)):
if not filename.endswith(".md"):
continue
file_path = os.path.join(EN_FOLDER, filename)

# Extract source control number
src_match = EN_PATTERN.match(filename)
if not src_match:
continue
src_section = src_match.group(1)
src_control = f"Control {src_section}"

with open(file_path, "r", encoding="utf-8") as f:
content = f.read()

matches = EN_REF_PATTERN.findall(content)
for preceding_text, ref in matches:
total_references += 1
ref_norm = ref.strip()

preceding_words = " ".join(preceding_text.strip().split()[-10:])

if ref_norm in en_index:
probability = 100
target_control = en_index[ref_norm]["display"]
matched += 1
else:
probability = 0
target_control = "NO MATCH"

entries.append(
[src_control, preceding_words, ref_norm, target_control, probability]
)

report_content.append(f"- Total references found: {total_references}")
report_content.append(f"- Successfully matched: {matched}")
report_content.append(
f"- Match accuracy: {round(matched / total_references * 100, 1)}%"
)
report_content.append("")
report_content.append(
"| Source Control | Preceding 10 Words | Reference | Target Control | Match % |"
)
report_content.append(
"|----------------|--------------------|-----------|----------------|---------|"
)

for entry in entries:
report_content.append(
f"| {entry[0]} | {entry[1]} | {entry[2]} | {entry[3]} | {entry[4]}% |"
)

with open("en_reference_mapping_report.md", "w", encoding="utf-8") as f:
f.write("\n".join(report_content))

print(f"Markdown report written to en_reference_mapping_report.md")
print(
f"Summary: {matched}/{total_references} references matched ({round(matched / total_references * 100, 1)}%)"
)


if __name__ == "__main__":
main()
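Review bot: `EN_REF_PATTERN` only matches a parenthetical of the exact form `(see N.N)` with a single number, and only when at least 15 whitespace-separated tokens precede it, so `(see 5.10, 5.12, 5.13)`, `(see 8.15 and 8.17)` and any reference within the first 15 words of a file are silently dropped from both the table and `total_references`; suggest capturing the whole parenthetical with `\(see ([^)]*)\)`, running `re.findall(r"\d+\.\d+", ...)` over the captured group, and taking the preceding context from `match.start()` instead of a fixed-width look-behind. Smaller points in the same hunk: `round(matched / total_references * 100, 1)` raises ZeroDivisionError when no references are found (it is evaluated twice); `os.popen('date -Iseconds')` shells out for a timestamp that `datetime.now().astimezone().isoformat(timespec="seconds")` gives without a subprocess; `Path` and `version_parse` are unused; and `entry[1]` is written into a markdown table cell without escaping `|`, which would break the row if the preceding words contain one.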