renamed 27002 EN versions

Richard Kranendonk 2026-04-22 12:27:38 +02:00
parent 77a0f73424
commit 89f563a526
93 changed files with 135 additions and 135 deletions

View file

@ -21,7 +21,7 @@ b\) permitted and prohibited use of information and other associated assets;
c\) monitoring activities being performed by the organization.
Acceptable use procedures should be drawn up for the full information life cycle in accordance with its classification (see [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md)) and determined risks. The following items should be considered:
Acceptable use procedures should be drawn up for the full information life cycle in accordance with its classification (see [5.12](a-5.12-Classification-of-information.md)) and determined risks. The following items should be considered:
a\) access restrictions supporting the protection requirements for each level of classification;
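Review bot: this hunk only updates the reference to `a-5.12-Classification-of-information.md`; the link dangles unless the file itself was renamed from `ISO_27002_2022_5.12_OT Classification of information.md` in the same commit. The summary counts 93 files changed with 135 additions and 135 deletions, which reflects content edits rather than renames, so confirm the renamed files exist before merging, and run a repository-wide search for the old `ISO_27002_2022_` prefix to catch any reference the bulk replace missed.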
@ -29,11 +29,11 @@ b\) maintenance of a record of the authorized users of information and other ass
c\) protection of temporary or permanent copies of information to a level consistent with the protection of the original information;
d\) storage of assets associated with information in accordance with manufacturers specifications (see [7.8](ISO_27002_2022_7.8_OT%20Equipment%20siting%20and%20protection.md));
d\) storage of assets associated with information in accordance with manufacturers specifications (see [7.8](a-7.8-Equipment-siting-and-protection.md));
e\) clear marking of all copies of storage media (electronic or physical) for the attention of the authorized recipient (see [7.10](ISO_27002_2022_7.10_OT%20Storage%20media.md));
e\) clear marking of all copies of storage media (electronic or physical) for the attention of the authorized recipient (see [7.10](a-7.10-Storage-media.md));
f\) authorization of disposal of information and other associated assets and supported deletion method(s) (see [8.10](ISO_27002_2022_8.10_OT%20Information%20deletion.md)).
f\) authorization of disposal of information and other associated assets and supported deletion method(s) (see [8.10](a-8.10-Information-deletion.md)).
**Other information**
It can be the case that the assets concerned do not directly belong to the organization, such as public cloud services. The use of such third-party assets and any assets of the organization associated with such external assets (e.g. information, software) should be identified as applicable and controlled, for example, through agreements with cloud service providers. Care should also be taken when a collaborative working environment is used.
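Review bot: the rewritten line keeps the pre-existing typo `manufacturers specifications`; since the line is being touched anyway, restore the possessive (`manufacturers' specifications`) so the text matches the standard's wording.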

View file

@ -16,7 +16,7 @@ To protect the organizations assets as part of the process of changing or ter
The change or termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization.
In cases where personnel and other interested parties purchase the organizations equipment or use their own personal equipment, procedures should be followed to ensure that all relevant information is traced and transferred to the organization and securely deleted from the equipment (see [7.14](ISO_27002_2022_7.14_OT%20Secure%20disposal%20or%20re-use%20of%20equipment.md)).
In cases where personnel and other interested parties purchase the organizations equipment or use their own personal equipment, procedures should be followed to ensure that all relevant information is traced and transferred to the organization and securely deleted from the equipment (see [7.14](a-7.14-Secure-disposal-or-re-use-of-equipment.md)).
In cases where personnel and other interested parties have knowledge that is important to ongoing operations, that information should be documented and transferred to the organization.
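Review bot: `organizations equipment` in the rewritten line (and `organizations assets` in the hunk header context) has lost its apostrophe; make it `organization's equipment` while the line is being edited.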

View file

@ -13,13 +13,13 @@ To maintain the security of information transferred within an organization and w
**Guidance**
<u>General</u>
The organization should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit (see [5.10](ISO_27002_2022_5.10_OT%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md)).
The organization should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit (see [5.10](a-5.10-Acceptable-use-of-information-and-other-associated-assets.md)).
Information transfer can happen through electronic transfer, physical storage media transfer and verbal transfer.
For all types of information transfer, rules, procedures and agreements should include:
a\) controls designed to protect transferred information from interception, unauthorized access, copying, modification, misrouting, destruction and denial of service, including levels of access control commensurate with the classification of the information involved and any special controls that are required to protect sensitive information, such as use of cryptographic techniques (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md));
a\) controls designed to protect transferred information from interception, unauthorized access, copying, modification, misrouting, destruction and denial of service, including levels of access control commensurate with the classification of the information involved and any special controls that are required to protect sensitive information, such as use of cryptographic techniques (see [8.24](a-8.24-Use-of-cryptography.md));
b\) controls to ensure traceability and non-repudiation, including maintaining a chain of custody for information while in transit;
@ -27,22 +27,22 @@ c\) identification of appropriate contacts related to the transfer including inf
d\) responsibilities and liabilities in the event of information security incidents, such as loss of physical storage media or data;
e\) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see [5.13](ISO_27002_2022_5.13_OT%20Labelling%20of%20information.md));
e\) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see [5.13](a-5.13-Labelling-of-information.md));
f\) reliability and availability of the transfer service;
g\) the topic-specific policy or guidelines on acceptable use of information transfer facilities (see [5.10](ISO_27002_2022_5.10_OT%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md));
g\) the topic-specific policy or guidelines on acceptable use of information transfer facilities (see [5.10](a-5.10-Acceptable-use-of-information-and-other-associated-assets.md));
h\) retention and disposal guidelines for all business records, including messages;
NOTE Local legislation and regulations can exist regarding retention and disposal of business records.
i\) the consideration of any other relevant legal, statutory, regulatory and contractual requirements (see [5.31](ISO_27002_2022_5.31_OT%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md), [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md), [5.33](ISO_27002_2022_5.33_OT%20Protection%20of%20records.md), [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md)) related to transfer of information (e.g. requirements for electronic signatures).
i\) the consideration of any other relevant legal, statutory, regulatory and contractual requirements (see [5.31](a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md), [5.32](a-5.32-Intellectual-property-rights.md), [5.33](a-5.33-Protection-of-records.md), [5.34](a-5.34-Privacy-and-protection-of-PII.md)) related to transfer of information (e.g. requirements for electronic signatures).
<u>Electronic transfer</u>
Rules, procedures and agreements should also consider the following items when using electronic communication facilities for information transfer:
a\) detection of and protection against malware that can be transmitted through the use of electronic communications (see [8.7](ISO_27002_2022_8.7_OT%20Protection%20against%20malware.md));
a\) detection of and protection against malware that can be transmitted through the use of electronic communications (see [8.7](a-8.7-Protection-against-malware.md));
b\) protection of communicated sensitive electronic information that is in the form of an attachment;
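Review bot: the new target `a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md` drops the commas from the old title `Legal, statutory, regulatory and contractual requirements` rather than mapping them to a separator, so the rename rule is not a plain space-to-hyphen substitution. Check that the files on disk were renamed with exactly the same rule; otherwise links to punctuated titles (this one, and `Securing offices, rooms and facilities` in a later hunk) will break while the simpler ones resolve.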

View file

@ -19,27 +19,27 @@ These requirements and the topic-specific policy should consider the following:
a\) determining which entities require which type of access to the information and other associated assets;
b\) security of applications (see [8.26](ISO_27002_2022_8.26_OT%20Application%20security%20requirements.md));
b\) security of applications (see [8.26](a-8.26-Application-security-requirements.md));
c\) physical access, which needs to be supported by appropriate physical entry controls (see [7.2](ISO_27002_2022_7.2_OT%20Physical%20entry.md), [7.3](ISO_27002_2022_7.3_OT%20Securing%20offices,%20rooms%20and%20facilities.md), [7.4](ISO_27002_2022_7.4_OT%20Physical%20security%20monitoring.md));
c\) physical access, which needs to be supported by appropriate physical entry controls (see [7.2](a-7.2-Physical-entry.md), [7.3](a-7.3-Securing-offices-rooms-and-facilities.md), [7.4](a-7.4-Physical-security-monitoring.md));
d\) information dissemination and authorization (e.g. the need-to-know principle) and information security levels and classification of information (see [5.10](ISO_27002_2022_5.10_OT%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md), [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md), [5.13](ISO_27002_2022_5.13_OT%20Labelling%20of%20information.md));
d\) information dissemination and authorization (e.g. the need-to-know principle) and information security levels and classification of information (see [5.10](a-5.10-Acceptable-use-of-information-and-other-associated-assets.md), [5.12](a-5.12-Classification-of-information.md), [5.13](a-5.13-Labelling-of-information.md));
e\) restrictions to privileged access (see [8.2](ISO_27002_2022_8.2_OT%20Privileged%20access%20rights.md));
e\) restrictions to privileged access (see [8.2](a-8.2-Privileged-access-rights.md));
f\) segregation of duties (see [5.3](ISO_27002_2022_5.3_OT%20Segregation%20of%20duties.md));
f\) segregation of duties (see [5.3](a-5.3-Segregation-of-duties.md));
g\) relevant legislation, regulations and any contractual obligations regarding limitation of access to data or services (see [5.31](ISO_27002_2022_5.31_OT%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md), [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md), [5.33](ISO_27002_2022_5.33_OT%20Protection%20of%20records.md), [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md), [8.3](ISO_27002_2022_8.3_OT%20Information%20access%20restriction.md));
g\) relevant legislation, regulations and any contractual obligations regarding limitation of access to data or services (see [5.31](a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md), [5.32](a-5.32-Intellectual-property-rights.md), [5.33](a-5.33-Protection-of-records.md), [5.34](a-5.34-Privacy-and-protection-of-PII.md), [8.3](a-8.3-Information-access-restriction.md));
h\) segregation of access control functions (e.g. access request, access authorization, access administration);
i\) formal authorization of access requests (see [5.16](ISO_27002_2022_5.16_OT%20Identity%20management.md), [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md));
i\) formal authorization of access requests (see [5.16](a-5.16-Identity-management.md), [5.18](a-5.18-Access-rights.md));
j\) the management of access rights (see [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md));
j\) the management of access rights (see [5.18](a-5.18-Access-rights.md));
k\) logging (see [8.15](ISO_27002_2022_8.15_OT%20Logging.md)).
k\) logging (see [8.15](a-8.15-Logging.md)).
Access control rules should be implemented by defining and mapping appropriate access rights and restrictions to the relevant entities (see [5.16](ISO_27002_2022_5.16_OT%20Identity%20management.md)). An entity can represent a human user as well as a technical or logical item (e.g. a machine, device or a service). To simplify the access control management, specific roles can be assigned to entity groups.
Access control rules should be implemented by defining and mapping appropriate access rights and restrictions to the relevant entities (see [5.16](a-5.16-Identity-management.md)). An entity can represent a human user as well as a technical or logical item (e.g. a machine, device or a service). To simplify the access control management, specific roles can be assigned to entity groups.
The following should be taken into account when defining and implementing access control rules:
@ -63,13 +63,13 @@ Care should be taken when specifying access control rules to consider:
a\) establishing rules based on the premise of least privilege, “Everything is generally forbidden unless expressly permitted”, rather than the weaker rule, “Everything is generally permitted unless expressly forbidden”;
b\) changes in information labels (see [5.13](ISO_27002_2022_5.13_OT%20Labelling%20of%20information.md)) that are initiated automatically by information processing facilities and those initiated at the discretion of a user;
b\) changes in information labels (see [5.13](a-5.13-Labelling-of-information.md)) that are initiated automatically by information processing facilities and those initiated at the discretion of a user;
c\) changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;
d\) when to define and regularly review the approval.
Access control rules should be supported by documented procedures (see [5.16](ISO_27002_2022_5.16_OT%20Identity%20management.md), [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md), [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md), [8.2](ISO_27002_2022_8.2_OT%20Privileged%20access%20rights.md), [8.3](ISO_27002_2022_8.3_OT%20Information%20access%20restriction.md), [8.4](ISO_27002_2022_8.4_OT%20Access%20to%20source%20code.md), [8.5](ISO_27002_2022_8.5_OT%20Secure%20authentication.md), [8.18](ISO_27002_2022_8.18_OT%20Use%20of%20privileged%20utility%20programs.md)) and defined responsibilities (see [5.2](ISO_27002_2022_5.2_OT%20Information%20security%20roles%20and%20responsibilities.md), [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md)).
Access control rules should be supported by documented procedures (see [5.16](a-5.16-Identity-management.md), [5.17](a-5.17-Authentication-information.md), [5.18](a-5.18-Access-rights.md), [8.2](a-8.2-Privileged-access-rights.md), [8.3](a-8.3-Information-access-restriction.md), [8.4](a-8.4-Access-to-source-code.md), [8.5](a-8.5-Secure-authentication.md), [8.18](a-8.18-Use-of-privileged-utility-programs.md)) and defined responsibilities (see [5.2](a-5.2-Information-security-roles-and-responsibilities.md), [5.17](a-5.17-Authentication-information.md)).
There are several ways to implement access control, such as MAC (mandatory access control), DAC (discretionary access control), RBAC (role-based access control) and ABAC (attribute-based access control).

View file

@ -27,7 +27,7 @@ f\) records of all significant events concerning the use and management of user
The organization should have a supporting process in place to handle changes to information related to user identities. These processes can include re-verification of trusted documents related to a person.
When using identities provided or issued by third parties (e.g. social media credentials), the organization should ensure the third-party identities provide the required trust level and any associated risks are known and sufficiently treated. This can include controls related to the third parties (see [5.19](ISO_27002_2022_5.19_OT%20Information%20security%20in%20supplier%20relationships.md)) as well as controls related to associated authentication information (see [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md)).
When using identities provided or issued by third parties (e.g. social media credentials), the organization should ensure the third-party identities provide the required trust level and any associated risks are known and sufficiently treated. This can include controls related to the third parties (see [5.19](a-5.19-Information-security-in-supplier-relationships.md)) as well as controls related to associated authentication information (see [5.17](a-5.17-Authentication-information.md)).
**Other information**
Providing or revoking access to information and other associated assets is usually a multi-step procedure:
@ -40,5 +40,5 @@ c\) establishing an identity;
d\) configuring and activating the identity. This also includes configuration and initial setup of related authentication services;
e\) providing or revoking specific access rights to the identity, based on appropriate authorization or entitle ment decisions (see [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md)).
e\) providing or revoking specific access rights to the identity, based on appropriate authorization or entitle ment decisions (see [5.18](a-5.18-Access-rights.md)).
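Review bot: the rewritten line still contains the split word `entitle ment`; since the line is changed anyway, join it to `entitlement`.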

View file

@ -41,7 +41,7 @@ c)   when passwords are used as authentication information, strong passwords ac
d)   the same passwords are not used across distinct services and systems;
e)   the obligation to follow these rules is also included in terms and conditions of employment (see [6.2](ISO_27002_2022_6.2_OT%20Terms%20and%20conditions%20of%20employment.md)).
e)   the obligation to follow these rules is also included in terms and conditions of employment (see [6.2](a-6.2-Terms-and-conditions-of-employment.md)).
**Password management system**
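Review bot: this file uses `c)   ` / `d)   ` list markers padded with spaces, whereas the other files in this commit use the escaped form `a\)`; the rename does not change that, but a bulk edit is the right moment to normalise the marker style so the markdown renders the same across controls.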
@ -63,7 +63,7 @@ g)   not display passwords on the screen when being entered;
h)   store and transmit passwords in protected form.
Password  encryption  and  hashing  should  be  performed  according  to  approved  cryptographic techniques for passwords (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md)).
Password  encryption  and  hashing  should  be  performed  according  to  approved  cryptographic techniques for passwords (see [8.24](a-8.24-Use-of-cryptography.md)).
**Other information**
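Review bot: the rewritten line carries doubled spaces from the PDF extraction (`Password  encryption  and  hashing  should  be  performed`); collapse them to single spaces while the line is being touched.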

View file

@ -15,7 +15,7 @@ To ensure access to information and other associated assets is defined and autho
<u>Provision and revocation of access rights</u>
The provisioning process for assigning or revoking physical and logical access rights granted to an entitys authenticated identity should include:
a\) obtaining authorization from the owner of the information and other associated assets for the use of the information and other associated assets (see [5.9](ISO_27002_2022_5.9_OT%20Inventory%20of%20information%20and%20other%20associated%20assets.md)). Separate approval for access rights by management can also be appropriate;
a\) obtaining authorization from the owner of the information and other associated assets for the use of the information and other associated assets (see [5.9](a-5.9-Inventory-of-information-and-other-associated-assets.md)). Separate approval for access rights by management can also be appropriate;
b\) considering the business requirements and the organizations topic-specific policy and rules on access control;
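Review bot: the surrounding context is missing possessive apostrophes (`entitys authenticated identity`, `organizations topic-specific policy`); out of scope for a link rename, but worth a follow-up commit.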
@ -25,7 +25,7 @@ d\) ensuring access rights are removed when someone does not need to access the
e\) considering giving temporary access rights for a limited time period and revoking them at the expiration date, in particular for temporary personnel or temporary access required by personnel;
f\) verifying that the level of access granted is in accordance with the topic-specific policies on access control (see [5.15](ISO_27002_2022_5.15_OT%20Access%20control.md)) and is consistent with other information security requirements such as segregation of duties (see [5.3](ISO_27002_2022_5.3_OT%20Segregation%20of%20duties.md));
f\) verifying that the level of access granted is in accordance with the topic-specific policies on access control (see [5.15](a-5.15-Access-control.md)) and is consistent with other information security requirements such as segregation of duties (see [5.3](a-5.3-Segregation-of-duties.md));
g\) ensuring that access rights are activated (e.g. by service providers) only after authorization procedures are successfully completed;
@ -56,7 +56,7 @@ c\) the value of the assets currently accessible.
**Other information**
Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews of access rights are easier managed at the level of such roles than at the level of particular rights.
Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel (see [5.20](ISO_27002_2022_5.20_OT%20Addressing%20information%20security%20within%20supplier%20agreements.md), [6.2](ISO_27002_2022_6.2_OT%20Terms%20and%20conditions%20of%20employment.md), [6.4](ISO_27002_2022_6.4_OT%20Disciplinary%20process.md), [6.6](ISO_27002_2022_6.6_OT%20Confidentiality%20or%20non-disclosure%20agreements.md)).
Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel (see [5.20](a-5.20-Addressing-information-security-within-supplier-agreements.md), [6.2](a-6.2-Terms-and-conditions-of-employment.md), [6.4](a-6.4-Disciplinary-process.md), [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md)).
In cases of management-initiated termination, disgruntled personnel or external party users can deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning or being dismissed, they can be tempted to collect information for future use.

View file

@ -8,7 +8,7 @@ Information security roles and responsibilities should be defined and allocated
To establish a defined, approved and understood structure for the implementation, operation and management of information security within the organization.
### Guidance
Allocation of information security roles and responsibilities should be done in accordance with the information security policy and topic-specific policies (see [5.1](ISO_27002_2022_5.1_OT%20Policies%20for%20information%20security.md)). The organization should define and manage responsibilities for:
Allocation of information security roles and responsibilities should be done in accordance with the information security policy and topic-specific policies (see [5.1](a-5.1-Policies-for-information-security.md)). The organization should define and manage responsibilities for:
a)   protection of information and other associated assets;
b)   carrying out specific information security processes;

View file

@ -10,7 +10,7 @@ To specify and manage information security for the use of cloud services.
#### Guidance
The organization should establish and communicate topic-specific policy on the use of cloud services to all relevant interested parties.
The organization should define and communicate how it intends to manage information security risks associated with the use of cloud services. It can be an extension or part of the existing approach for how an organization manages services provided by external parties (see [5.21](ISO_27002_2022_5.21_OT%20Managing%20information%20security%20in%20the%20ICT%20supply%20chain.md), [5.22](ISO_27002_2022_5.22_OT%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md)).
The organization should define and communicate how it intends to manage information security risks associated with the use of cloud services. It can be an extension or part of the existing approach for how an organization manages services provided by external parties (see [5.21](a-5.21-Managing-information-security-in-the-ICT-supply-chain.md), [5.22](a-5.22-Monitoring-review-and-change-management-of-supplier-services.md)).
The use of cloud services can involve shared responsibility for information security and collaborative effort between the cloud service provider and the organization acting as the cloud service customer. It is essential that the responsibilities for both the cloud service provider and the organization, acting as the cloud service customer, are defined and implemented appropriately.
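Review bot: the Guidance heading is `#### Guidance` here, `### Guidance` in the preceding file's hunk and bold `**Guidance**` in other hunks of this commit; the rename leaves that inconsistency in place, so either normalise the heading level in this pass or open a follow-up so the EN versions render uniformly.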

View file

@ -15,7 +15,7 @@ The organization should establish appropriate information security incident mana
The following should be considered:
a\) establishing a common method for reporting information security events including point of contact (see [6.8](ISO_27002_2022_6.8_OT%20Information%20security%20event%20reporting.md));
a\) establishing a common method for reporting information security events including point of contact (see [6.8](a-6.8-Information-security-event-reporting.md));
b\) establishing an incident management process to provide the organization with capability for managing information security incidents including administration, documentation, detection, triage, prioritization, analysis, communication and coordinating interested parties;
@ -33,15 +33,15 @@ Management should ensure that an information security incident management plan i
a\) evaluation of information security events according to criteria for what constitutes an information security incident;
b\) monitoring (see [8.15](ISO_27002_2022_8.15_OT%20Logging.md) and [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md)), detecting (see [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md)), classifying (see [5.25](ISO_27002_2022_5.25_OT%20Assessment%20and%20decision%20on%20information%20security%20events.md)), analysing and reporting (see [6.8](ISO_27002_2022_6.8_OT%20Information%20security%20event%20reporting.md)) of information security events and incidents (by human or automatic means);
b\) monitoring (see [8.15](a-8.15-Logging.md) and [8.16](a-8.16-Monitoring-activities.md)), detecting (see [8.16](a-8.16-Monitoring-activities.md)), classifying (see [5.25](a-5.25-Assessment-and-decision-on-information-security-events.md)), analysing and reporting (see [6.8](a-6.8-Information-security-event-reporting.md)) of information security events and incidents (by human or automatic means);
c\) managing information security incidents to conclusion, including response and escalation (see [5.26](ISO_27002_2022_5.26_OT%20Response%20to%20information%20security%20incidents.md)), according to the type and the category of the incident, possible activation of crisis management and activation of continuity plans, controlled recovery from an incident and communication to internal and external interested parties;
c\) managing information security incidents to conclusion, including response and escalation (see [5.26](a-5.26-Response-to-information-security-incidents.md)), according to the type and the category of the incident, possible activation of crisis management and activation of continuity plans, controlled recovery from an incident and communication to internal and external interested parties;
d\) coordination with internal and external interested parties such as authorities, external interest groups and forums, suppliers and clients (see [5.5](ISO_27002_2022_5.5_OT%20Contact%20with%20authorities.md) and [5.6](ISO_27002_2022_5.6_OT%20Contact%20with%20special%20interest%20groups.md));
d\) coordination with internal and external interested parties such as authorities, external interest groups and forums, suppliers and clients (see [5.5](a-5.5-Contact-with-authorities.md) and [5.6](a-5.6-Contact-with-special-interest-groups.md));
e\) logging incident management activities;
f\) handling of evidence (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md));
f\) handling of evidence (see [5.28](a-5.28-Collection-of-evidence.md));
g\) root cause analysis or post-mortem procedures;

View file

@ -16,19 +16,19 @@ To ensure efficient and effective response to information security incidents.
**Guidance**
The organization should establish and communicate procedures on information security incident response to all relevant interested parties.
Information security incidents should be responded to by a designated team with the required competency (see [5.24](ISO_27002_2022_5.24_OT%20Information%20security%20incident%20management%20planning%20and%20preparation.md)).
Information security incidents should be responded to by a designated team with the required competency (see [5.24](a-5.24-Information-security-incident-management-planning-and-preparation.md)).
The response should include the following:
a\) containing, if the consequences of the incident can spread, the systems affected by the incident;
b\) collecting evidence (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md)) as soon as possible after the occurrence;
c\) escalation, as required including crisis management activities and possibly invoking business continuity plans (see [5.29](ISO_27002_2022_5.29_OT%20Information%20security%20during%20disruption.md), [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md));
b\) collecting evidence (see [5.28](a-5.28-Collection-of-evidence.md)) as soon as possible after the occurrence;
c\) escalation, as required including crisis management activities and possibly invoking business continuity plans (see [5.29](a-5.29-Information-security-during-disruption.md), [5.30](a-5.30-ICT-readiness-for-business-continuity.md));
d\) ensuring that all involved response activities are properly logged for later analysis;
e\) communicating the existence of the information security incident or any relevant details thereof to all relevant internal and external interested parties following the need-to-know principle;
f\) coordinating with internal and external parties such as authorities, external interest groups and forums, suppliers and clients to improve response effectiveness and help to minimize consequences for other organizations;
g\) once the incident has been successfully addressed, formally closing and recording it;
h\) conducting information security forensic analysis, as required (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md));
i\) performing post-incident analysis to identify root cause. Ensure it is documented and communicated according to defined procedures (see [5.27](ISO_27002_2022_5.27_OT%20Learning%20from%20information%20security%20incidents.md));
h\) conducting information security forensic analysis, as required (see [5.28](a-5.28-Collection-of-evidence.md));
i\) performing post-incident analysis to identify root cause. Ensure it is documented and communicated according to defined procedures (see [5.27](a-5.27-Learning-from-information-security-incidents.md));
j\) identifying and managing information security vulnerabilities and weaknesses including those related to controls which have caused, contributed to or failed to prevent the incident.
**Other information**
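Review bot: the new link targets in this hunk (`a-5.28-Collection-of-evidence.md`, `a-5.29-Information-security-during-disruption.md`, `a-5.30-ICT-readiness-for-business-continuity.md`, `a-5.27-Learning-from-information-security-incidents.md`) are relative paths, so they only resolve if the target files were renamed to exactly those names in the same commit; the hunk shows only the referencing side. Before merging, run a link check over the repository (every `](a-*.md)` target should exist as a file) so that a single spelling or hyphenation mismatch in the 93 renamed files does not leave a dead cross-reference.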

View file

@ -12,7 +12,7 @@ The organization should establish procedures to quantify and monitor the types,
The information gained from the evaluation of information security incidents should be used to:
a\) enhance the incident management plan including incident scenarios and procedures (see [5.24](ISO_27002_2022_5.24_OT%20Information%20security%20incident%20management%20planning%20and%20preparation.md));
a\) enhance the incident management plan including incident scenarios and procedures (see [5.24](a-5.24-Information-security-incident-management-planning-and-preparation.md));
b\) identify recurring or serious incidents and their causes to update the organizations information security risk assessment and determine and implement necessary additional controls to reduce the likelihood or consequences of future similar incidents. Mechanisms to enable that include collecting, quantifying and monitoring information about incident types, volumes and costs;

View file

@ -66,7 +66,7 @@ Contractual requirements related to information security should include those st
a\) contracts with clients;
b\) contracts with suppliers (see [5.20](ISO_27002_2022_5.20_OT%20Addressing%20information%20security%20within%20supplier%20agreements.md));
b\) contracts with suppliers (see [5.20](a-5.20-Addressing-information-security-within-supplier-agreements.md));
c\) insurance contracts. **Other information**
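Review bot: the `**Other information**` heading on the last line of this hunk is fused onto list item `c\) insurance contracts.` instead of standing on its own line, so it will render as bold text inside the list item rather than as a section heading. This is pre-existing and not introduced by the rename, but since the file is already being touched it is worth moving `**Other information**` to its own line, separated by a blank line, as the other files in this commit do.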

View file

@ -26,7 +26,7 @@ When deciding on protection of specific organizational records, their correspond
Data storage systems should be chosen such that required records can be retrieved in an acceptable time frame and format, depending on the requirements to be fulfilled.
Where electronic storage media are chosen, procedures to ensure the ability to access records (both storage media and format readability) throughout the retention period should be established to safeguard against loss due to future technology change. Any related cryptographic keys and programs associated with encrypted archives or digital signatures, should also be retained to enable decryption of the records for the length of time the records are retained (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md)).
Where electronic storage media are chosen, procedures to ensure the ability to access records (both storage media and format readability) throughout the retention period should be established to safeguard against loss due to future technology change. Any related cryptographic keys and programs associated with encrypted archives or digital signatures, should also be retained to enable decryption of the records for the length of time the records are retained (see [8.24](a-8.24-Use-of-cryptography.md)).
Storage and handling procedures should be implemented in accordance with recommendations provided by manufacturers of storage media. Consideration should be given to the possibility of deterioration of media used for storage of records.

View file

@ -21,7 +21,7 @@ Such reviews should be carried out by individuals independent of the area under
The results of the independent reviews should be reported to the management who initiated the reviews and, if appropriate, to top management. These records should be maintained.
If the independent reviews identify that the organizations approach and implementation to managing information security is inadequate \[e.g. documented objectives and requirements are not met or are not compliant with the direction for information security stated in the information security policy and topic-specific policies (see [5.1](ISO_27002_2022_5.1_OT%20Policies%20for%20information%20security.md))\], management should initiate corrective actions.
If the independent reviews identify that the organizations approach and implementation to managing information security is inadequate \[e.g. documented objectives and requirements are not met or are not compliant with the direction for information security stated in the information security policy and topic-specific policies (see [5.1](a-5.1-Policies-for-information-security.md))\], management should initiate corrective actions.
In addition to the periodic independent reviews, the organization should consider conducting independent reviews when:

View file

@ -23,7 +23,7 @@ c\) implement appropriate corrective actions;
d\) review corrective actions taken to verify its effectiveness and identify any deficiencies or weaknesses.
Results of reviews and corrective actions carried out by managers, service, product or information owners should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews (see [5.35](ISO_27002_2022_5.35_OT%20Independent%20review%20of%20information%20security.md)) when an independent review takes place in the area of their responsibility.
Results of reviews and corrective actions carried out by managers, service, product or information owners should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews (see [5.35](a-5.35-Independent-review-of-information-security.md)) when an independent review takes place in the area of their responsibility.
Corrective actions should be completed in a timely manner as appropriate to the risk. If not completed by the next scheduled review, progress should at least be addressed at that review.

View file

@ -31,21 +31,21 @@ b\) the secure installation and configuration of systems;
c\) processing and handling of information, both automated and manual;
d\) backup (see [8.13](ISO_27002_2022_8.13_OT%20Information%20backup.md)) and resilience;
d\) backup (see [8.13](a-8.13-Information-backup.md)) and resilience;
e\) scheduling requirements, including interdependencies with other systems;
f\) instructions for handling errors or other exceptional conditions \[e.g. restrictions on the use of utility programs (see [8.18](ISO_27002_2022_8.18_OT%20Use%20of%20privileged%20utility%20programs.md))\], which can arise during job execution;
f\) instructions for handling errors or other exceptional conditions \[e.g. restrictions on the use of utility programs (see [8.18](a-8.18-Use-of-privileged-utility-programs.md))\], which can arise during job execution;
g\) support and escalation contacts including external support contacts in the event of unexpected operational or technical difficulties;
h\) storage media handling instructions (see [7.10](ISO_27002_2022_7.10_OT%20Storage%20media.md), [7.14](ISO_27002_2022_7.14_OT%20Secure%20disposal%20or%20re-use%20of%20equipment.md));
h\) storage media handling instructions (see [7.10](a-7.10-Storage-media.md), [7.14](a-7.14-Secure-disposal-or-re-use-of-equipment.md));
i\) system restart and recovery procedures for use in the event of system failure;
j\) the management of audit trail and system log information (see [8.15](ISO_27002_2022_8.15_OT%20Logging.md), [8.17](ISO_27002_2022_8.17_OT%20Clock%20synchronization.md)) and video monitoring systems (see [7.4](ISO_27002_2022_7.4_OT%20Physical%20security%20monitoring.md));
j\) the management of audit trail and system log information (see [8.15](a-8.15-Logging.md), [8.17](a-8.17-Clock-synchronization.md)) and video monitoring systems (see [7.4](a-7.4-Physical-security-monitoring.md));
k\) monitoring procedures such as capacity, performance and security (see [8.6](ISO_27002_2022_8.6_OT%20Capacity%20management.md), [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md));
k\) monitoring procedures such as capacity, performance and security (see [8.6](a-8.6-Capacity-management.md), [8.16](a-8.16-Monitoring-activities.md));
l\) maintenance instructions.

View file

@ -18,7 +18,7 @@ b)   are provided with guidelines which state the information security expectat
c)   are mandated to fulfill the information security policy and topic-specific policies of the organization;
d)   achieve a level of awareness of information security relevant to their roles and responsibilities within the organization (see [6.3](ISO_27002_2022_6.3_OT%20Information%20security%20awareness,%20education%20and%20training.md));
d)   achieve a level of awareness of information security relevant to their roles and responsibilities within the organization (see [6.3](a-6.3-Information-security-awareness-education-and-training.md));
e)   compliance with the terms and conditions of employment, contract or agreement, including the organizations information security policy and appropriate methods of working;
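Review bot: the list markers in this hunk are written as `c)   `, `d)   `, `e)   ` (unescaped parenthesis followed by non-breaking spaces), whereas the other files touched by this commit use the escaped form `c\) `. The unescaped form renders the same in most Markdown engines, but the mixed convention makes future mechanical edits (like this rename) harder to apply reliably; consider normalising to one form across the set.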

View file

@ -15,4 +15,4 @@ Contacts with authorities should also be used to facilitate the understanding ab
#### Other information
Organizations under attack can request authorities to take action against the attack source.
Maintaining such contacts can be a requirement to support information security incident management (see 5.24 to 5.28) or the contingency planning and business continuity processes (see [5.29](ISO_27002_2022_5.29_OT%20Information%20security%20during%20disruption.md), [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety \[e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)\].
Maintaining such contacts can be a requirement to support information security incident management (see 5.24 to 5.28) or the contingency planning and business continuity processes (see [5.29](a-5.29-Information-security-during-disruption.md), [5.30](a-5.30-ICT-readiness-for-business-continuity.md)). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety \[e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)\].
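Review bot: in the last line of this hunk the reference `(see 5.24 to 5.28)` is left as bare text while `5.29` and `5.30` in the same sentence were converted to links. For consistency with the rest of this commit, link at least the end points of the range to their renamed files, e.g. `[5.24](a-5.24-Information-security-incident-management-planning-and-preparation.md)` and `[5.28](a-5.28-Collection-of-evidence.md)`. Separately, this file uses `#### Other information` as its heading while the other files in the commit use `**Other information**`; one heading convention should be chosen.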

View file

@ -14,7 +14,7 @@ The project management in use should require that:
a)   information security risks are assessed and treated at an early stage and periodically as part of project risks throughout the project life cycle;
b)   information security requirements \[e.g. application security requirements ([8.26](ISO_27002_2022_8.26_OT%20Application%20security%20requirements.md)), requirements for complying with intellectual property rights ([5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md)), etc.] are addressed in the early stages of projects;
b)   information security requirements \[e.g. application security requirements ([8.26](a-8.26-Application-security-requirements.md)), requirements for complying with intellectual property rights ([5.32](a-5.32-Intellectual-property-rights.md)), etc.] are addressed in the early stages of projects;
c)   information security risks associated with the execution of projects, such as security of internal and external communication aspects are considered and treated throughout the project life cycle;
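Review bot: item b) in this hunk opens the bracket as `\[e.g. application security requirements ...` but closes it with a plain `etc.]`, so the escaping is asymmetric; elsewhere in this commit the closing bracket is written `\]` (for example the `utility programs ... \]` item in the 8.18 hunk). An unescaped `]` directly before `are addressed` can be parsed by some Markdown engines as the end of a link label, so change `etc.]` to `etc.\]`.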
@ -28,7 +28,7 @@ Information security requirements for products or services to be delivered by th
Information security requirements should be determined for all types of projects, not only ICT development projects. The following should also be considered when determining these requirements:
a)   what information is involved (information determination), what are the corresponding information security needs (classification; see [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md)) and the potential negative business impact which can result from lack of adequate security;
a)   what information is involved (information determination), what are the corresponding information security needs (classification; see [5.12](a-5.12-Classification-of-information.md)) and the potential negative business impact which can result from lack of adequate security;
b)   the required protection needs of information and other associated assets involved, particularly in terms of confidentiality, integrity and availability;

View file

@ -27,12 +27,12 @@ The location of an asset should be included in the inventory as appropriate.
The inventory does not need to be a single list of information and other associated assets. Considering that the inventory should be maintained by the relevant functions, it can be seen as a set of dynamic inventories, such as inventories for information assets, hardware, software, virtual machines (VMs), facilities, personnel, competence, capabilities and records.
Each asset should be classified in accordance with the classification of the information (see [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md)) associated to that asset.
Each asset should be classified in accordance with the classification of the information (see [5.12](a-5.12-Classification-of-information.md)) associated to that asset.
The granularity of the inventory of information and other associated assets should be at a level appropriate for the needs of the organization. Sometimes specific instances of assets in the information life cycle are not feasible to be documented due to the nature of the asset. An example of a short-lived asset is a VM instance whose life cycle can be of short duration.
<u>Ownership</u>
For the identified information and other associated assets, ownership of the asset should be assigned to an individual or a group and the classification should be identified (see [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md), [5.13](ISO_27002_2022_5.13_OT%20Labelling%20of%20information.md)). A process to ensure timely assignment of asset ownership should be implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. Asset ownership should be reassigned as necessary when current asset owners leave or change job roles.
For the identified information and other associated assets, ownership of the asset should be assigned to an individual or a group and the classification should be identified (see [5.12](a-5.12-Classification-of-information.md), [5.13](a-5.13-Labelling-of-information.md)). A process to ensure timely assignment of asset ownership should be implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. Asset ownership should be reassigned as necessary when current asset owners leave or change job roles.
<u>Owner duties</u>
The asset owner should be responsible for the proper management of an asset over the whole asset life cycle, ensuring that:
@ -45,7 +45,7 @@ c\) the classification is reviewed periodically;
d\) components supporting technology assets are listed and linked, such as database, storage, software components and sub-components;
e\) requirements for the acceptable use of information and other associated assets (see [5.10](ISO_27002_2022_5.10_OT%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md)) are established;
e\) requirements for the acceptable use of information and other associated assets (see [5.10](a-5.10-Acceptable-use-of-information-and-other-associated-assets.md)) are established;
f\) access restrictions correspond with the classification and that they are effective and are reviewed periodically;

View file

@ -13,21 +13,21 @@ To ensure personnel understand their information security responsibilities for t
**Guidance**
The contractual obligations for personnel should take into consideration the organizations information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated:
a\) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets (see [6.6](ISO_27002_2022_6.6_OT%20Confidentiality%20or%20non-disclosure%20agreements.md));
a\) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets (see [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md));
b\) legal responsibilities and rights \[e.g. regarding copyright laws or data protection legislation (see [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md), [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md))\];
b\) legal responsibilities and rights \[e.g. regarding copyright laws or data protection legislation (see [5.32](a-5.32-Intellectual-property-rights.md), [5.34](a-5.34-Privacy-and-protection-of-PII.md))\];
c\) responsibilities for the classification of information and management of the organizations information and other associated assets, information processing facilities and information services handled by the personnel (see 5.9to 5.13);
d\) responsibilities for the handling of information received from interested parties;
e\) actions to be taken if personnel disregard the organizations security requirements (see [6.4](ISO_27002_2022_6.4_OT%20Disciplinary%20process.md)).
e\) actions to be taken if personnel disregard the organizations security requirements (see [6.4](a-6.4-Disciplinary-process.md)).
Information security roles and responsibilities should be communicated to candidates during the pre- employment process.
The organization should ensure that personnel agree to terms and conditions concerning information security. These terms and conditions should be appropriate to the nature and extent of access they will have to the organizations assets associated with information systems and services. The terms and conditions concerning information security should be reviewed when laws, regulations, the information security policy or topic-specific policies change.
Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see [6.5](ISO_27002_2022_6.5_OT%20Responsibilities%20after%20termination%20or%20change%20of%20employment.md)).
Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see [6.5](a-6.5-Responsibilities-after-termination-or-change-of-employment.md)).
**Other information**
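Review bot: context line c) in this hunk reads `(see 5.9to 5.13)`, which is missing the space before `to`, and, unlike the a), b) and e) items in the same list, the range is not linked to the renamed files. Since this hunk already rewrites the neighbouring references, fix the spacing and link the range end points (`[5.9](a-5.9-Inventory-of-information-and-other-associated-assets.md)` and `[5.13](a-5.13-Labelling-of-information.md)`, both of which appear as targets elsewhere in this commit).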

View file

@ -30,7 +30,7 @@ To ensure personnel and other relevant interested parties understand the consequ
The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md)).
The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred (see [5.28](a-5.28-Collection-of-evidence.md)).

View file

@ -13,7 +13,7 @@ Information security responsibilities and duties that remain valid after termina
To protect the organizations interests as part of the process of changing or terminating employment or contracts.
**Guidance**
The process for managing termination or change of employment should define which information security responsibilities and duties should remain valid after termination or change. This can include confidentiality of information, intellectual property and other knowledge obtained, as well as responsibilities contained within any other confidentiality agreement (see [6.6](ISO_27002_2022_6.6_OT%20Confidentiality%20or%20non-disclosure%20agreements.md)). Responsibilities and duties still valid after termination of employment or contract should be contained in the individuals terms and conditions of employment (see [6.2](ISO_27002_2022_6.2_OT%20Terms%20and%20conditions%20of%20employment.md)), contract or agreement. Other contracts or agreements that continue for a defined period after the end of the individuals employment can also contain information security responsibilities.
The process for managing termination or change of employment should define which information security responsibilities and duties should remain valid after termination or change. This can include confidentiality of information, intellectual property and other knowledge obtained, as well as responsibilities contained within any other confidentiality agreement (see [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md)). Responsibilities and duties still valid after termination of employment or contract should be contained in the individuals terms and conditions of employment (see [6.2](a-6.2-Terms-and-conditions-of-employment.md)), contract or agreement. Other contracts or agreements that continue for a defined period after the end of the individuals employment can also contain information security responsibilities.
Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.

View file

@ -74,7 +74,7 @@ j\) the expected actions to be taken in the case of non-compliance with the agre
The organization should take into consideration the compliance with confidentiality and non-disclosure agreements for the jurisdiction to which they apply (see [5.31](ISO_27002_2022_5.31_OT%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md), [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md), [5.33](ISO_27002_2022_5.33_OT%20Protection%20of%20records.md), [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md)).
The organization should take into consideration the compliance with confidentiality and non-disclosure agreements for the jurisdiction to which they apply (see [5.31](a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md), [5.32](a-5.32-Intellectual-property-rights.md), [5.33](a-5.33-Protection-of-records.md), [5.34](a-5.34-Privacy-and-protection-of-PII.md)).

View file

@ -46,7 +46,7 @@ a\) the existing or proposed physical security of the remote working site, takin
b\) rules and security mechanisms for the remote physical environment such as lockable filing cabinets, secure transportation between locations and rules for remote access, clear desk, printing and disposal of information and other associated assets, and information security event reporting (see [6.8](ISO_27002_2022_6.8_OT%20Information%20security%20event%20reporting.md));
b\) rules and security mechanisms for the remote physical environment such as lockable filing cabinets, secure transportation between locations and rules for remote access, clear desk, printing and disposal of information and other associated assets, and information security event reporting (see [6.8](a-6.8-Information-security-event-reporting.md));

View file

@ -90,7 +90,7 @@ Procedures for the secure reuse or disposal of storage media should be establish
a\) if storage media containing confidential information need to be reused within the organization, securely deleting data or formatting the storage media before reuse (see [8.10](ISO_27002_2022_8.10_OT%20Information%20deletion.md));
a\) if storage media containing confidential information need to be reused within the organization, securely deleting data or formatting the storage media before reuse (see [8.10](a-8.10-Information-deletion.md));
@ -114,7 +114,7 @@ f\) when accumulating storage media for disposal, giving consideration to the ag
A risk assessment should be performed on damaged devices containing sensitive data to determine whether the items should be physically destroyed rather than sent for repair or discarded (see [7.14](ISO_27002_2022_7.14_OT%20Secure%20disposal%20or%20re-use%20of%20equipment.md)).
A risk assessment should be performed on damaged devices containing sensitive data to determine whether the items should be physically destroyed rather than sent for repair or discarded (see [7.14](a-7.14-Secure-disposal-or-re-use-of-equipment.md)).

View file

@ -62,7 +62,7 @@ g\) authorizing and controlling access for remote maintenance;
h\) applying security measures for assets off-premises (see [7.9](ISO_27002_2022_7.9_OT%20Security%20of%20assets%20off-premises.md)) if equipment containing information is taken off premises for maintenance;
h\) applying security measures for assets off-premises (see [7.9](a-7.9-Security-of-assets-off-premises.md)) if equipment containing information is taken off premises for maintenance;
@ -74,7 +74,7 @@ j\) before putting equipment back into operation after maintenance, inspecting i
k\) applying measures for secure disposal or re-use of equipment (see [7.14](ISO_27002_2022_7.14_OT%20Secure%20disposal%20or%20re-use%20of%20equipment.md)) if it is determined that equipment is to be disposed of.
k\) applying measures for secure disposal or re-use of equipment (see [7.14](a-7.14-Secure-disposal-or-re-use-of-equipment.md)) if it is determined that equipment is to be disposed of.

View file

@ -42,11 +42,11 @@ The following guidelines should be considered:
a\) restricting access to sites and buildings to authorized personnel only. The process for the management of access rights to physical areas should include the provision, periodical review, update and revocation of authorizations (see [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md));
a\) restricting access to sites and buildings to authorized personnel only. The process for the management of access rights to physical areas should include the provision, periodical review, update and revocation of authorizations (see [5.18](a-5.18-Access-rights.md));
b\) securely maintaining and monitoring a physical logbook or electronic audit trail of all access and protecting all logs (see [5.33](ISO_27002_2022_5.33_OT%20Protection%20of%20records.md)) and sensitive authentication information;
b\) securely maintaining and monitoring a physical logbook or electronic audit trail of all access and protecting all logs (see [5.33](a-5.33-Protection-of-records.md)) and sensitive authentication information;
@ -134,7 +134,7 @@ d\) inspecting and examining incoming deliveries for explosives, chemicals or ot
e\) registering incoming deliveries in accordance with asset management procedures (see [5.9](ISO_27002_2022_5.9_OT%20Inventory%20of%20information%20and%20other%20associated%20assets.md), [7.10](ISO_27002_2022_7.10_OT%20Storage%20media.md)) on entry to the site;
e\) registering incoming deliveries in accordance with asset management procedures (see [5.9](a-5.9-Inventory-of-information-and-other-associated-assets.md), [7.10](a-7.10-Storage-media.md)) on entry to the site;

View file

@ -44,7 +44,7 @@ c\) when off-premises equipment is transferred among different individuals or in
d\) where necessary and practical, requiring authorization for equipment and media to be removed from the organizations premises and keeping a record of such removals in order to maintain an audit trail (see [5.14](ISO_27002_2022_5.14_OT%20Information%20transfer.md));
d\) where necessary and practical, requiring authorization for equipment and media to be removed from the organizations premises and keeping a record of such removals in order to maintain an audit trail (see [5.14](a-5.14-Information-transfer.md));
@ -60,11 +60,11 @@ Permanent installation of equipment outside the organizations premises \[such
a\) physical security monitoring (see [7.4](ISO_27002_2022_7.4_OT%20Physical%20security%20monitoring.md));
a\) physical security monitoring (see [7.4](a-7.4-Physical-security-monitoring.md));
b\) protecting against physical and environmental threats (see [7.5](ISO_27002_2022_7.5_OT%20Protecting%20against%20physical%20and%20environmental%20threats.md));
b\) protecting against physical and environmental threats (see [7.5](a-7.5-Protecting-against-physical-and-environmental-threats.md));

View file

@ -30,13 +30,13 @@ i\) protection against malware;
j\) remote disabling, deletion or lockout;
k\) backups;
l\) usage of web services and web applications;
m\) end user behaviour analytics (see [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md));
m\) end user behaviour analytics (see [8.16](a-8.16-Monitoring-activities.md));
n\) the use of removable devices, including removable memory devices, and the possibility of disabling physical ports (e.g. USB ports);
o\) the use of partitioning capabilities, if supported by the user endpoint device, which can securely separate the organization's information and other associated assets (e.g. software) from other information and other associated assets on the device.
Consideration should be given as to whether certain information is so sensitive that it can only be accessed via user endpoint devices, but not stored on such devices. In such cases, additional technical safeguards can be required on the device. For example, ensuring that downloading files for offline working is disabled and that local storage such as SD card is disabled.
As far as possible, the recommendations on this control should be enforced through configuration management (see [8.9](ISO_27002_2022_8.9_OT%20Configuration%20management.md)) or automated tools.
As far as possible, the recommendations on this control should be enforced through configuration management (see [8.9](a-8.9-Configuration-management.md)) or automated tools.
<u>User responsibility</u>

View file

@ -36,11 +36,11 @@ g\) taking care to ensure that inadvertent data loss is detected before backup i
Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the topic-specific policy on backups.
Backup measures for individual systems and services should be regularly tested to ensure that they meet the objectives of incident response and business continuity plans (see [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)). This should be combined with a test of the restoration procedures and checked against the restoration time required by the business continuity plan. In the case of critical systems and services, backup measures should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.
Backup measures for individual systems and services should be regularly tested to ensure that they meet the objectives of incident response and business continuity plans (see [5.30](a-5.30-ICT-readiness-for-business-continuity.md)). This should be combined with a test of the restoration procedures and checked against the restoration time required by the business continuity plan. In the case of critical systems and services, backup measures should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.
When the organization uses a cloud service, backup copies of the organizations information, applications and systems in the cloud service environment should be taken. The organization should determine if and how requirements for backup are fulfilled when using the information backup service provided as part of the cloud service.
The retention period for essential business information should be determined, taking into account any requirement for retention of archive copies. The organization should consider the deletion of information (see [8.10](ISO_27002_2022_8.10_OT%20Information%20deletion.md)) in storage media used for backup once the informations retention period expires and should take into consideration legislation and regulations.
The retention period for essential business information should be determined, taking into account any requirement for retention of archive copies. The organization should consider the deletion of information (see [8.10](a-8.10-Information-deletion.md)) in storage media used for backup once the informations retention period expires and should take into consideration legislation and regulations.
**Other information**
For further information on storage security including retention consideration, see ISO/IEC 27040.
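Review bot: out of scope for a link rename, but visible in this hunk's context lines: possessive apostrophes are missing in both the old and new text ("organizations information", "informations retention period"), and the same pattern recurs in later hunks of this commit ("organizations baseline", "suppliers activities", "organizations entire external supply chain"). Since this commit only touches link targets, a separate clean-up commit for the apostrophes is the cleaner fix rather than mixing it in here.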

View file

@ -29,7 +29,7 @@ f\) having duplicated components in systems (e.g. CPU, hard disks, memories) or
Where applicable, preferably in production mode, redundant information systems should be tested to ensure the failover from one component to another component works as intended.
**Other information**
There is a strong relationship between redundancy and ICT readiness for business continuity (see [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)) especially if short recovery times are required. Many of the redundancy measures can be part of the ICT continuity strategies and solutions.
There is a strong relationship between redundancy and ICT readiness for business continuity (see [5.30](a-5.30-ICT-readiness-for-business-continuity.md)) especially if short recovery times are required. Many of the redundancy measures can be part of the ICT continuity strategies and solutions.
The implementation of redundancies can introduce risks to the integrity (e.g. processes of copying data to duplicated components can introduce errors) or confidentiality (e.g. weak security control of duplicated components can lead to compromise) of information and information systems, which need to be considered when designing information systems.

View file

@ -38,7 +38,7 @@ h\) activation and de-activation of security systems, such as anti-virus systems
i\) creation, modification or deletion of identities;
j\) transactions executed by users in applications. In some cases, the applications are a service or product provided or run by a third party.
It is important for all systems to have synchronized time sources (see [8.17](ISO_27002_2022_8.17_OT%20Clock%20synchronization.md)) as this allows for correlation of logs between systems for analysis, alerting and investigation of an incident.
It is important for all systems to have synchronized time sources (see [8.17](a-8.17-Clock-synchronization.md)) as this allows for correlation of logs between systems for analysis, alerting and investigation of an incident.
<u>Protection of logs</u>
@ -52,11 +52,11 @@ c\) failure to record events or over-writing of past recorded events if the stor
For protection of logs, the use of the following techniques should be considered: cryptographic hashing, recording in an append-only and read-only file, recording in a public transparency file.
Some audit logs can be required to be archived because of requirements on data retention or requirements to collect and retain evidence (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md)).
Some audit logs can be required to be archived because of requirements on data retention or requirements to collect and retain evidence (see [5.28](a-5.28-Collection-of-evidence.md)).
Where the organization needs to send system or application logs to a vendor to assist with debugging or troubleshooting errors, logs should be de-identified where possible using data masking techniques (see [8.11](ISO_27002_2022_8.11_OT%20Data%20masking.md)) for information such as usernames, internet protocol (IP) addresses, hostnames or organization name, before sending to the vendor.
Where the organization needs to send system or application logs to a vendor to assist with debugging or troubleshooting errors, logs should be de-identified where possible using data masking techniques (see [8.11](a-8.11-Data-masking.md)) for information such as usernames, internet protocol (IP) addresses, hostnames or organization name, before sending to the vendor.
Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken (see [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md)).
Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken (see [5.34](a-5.34-Privacy-and-protection-of-PII.md)).
<u>Log analysis</u>
@ -86,7 +86,7 @@ Suspected and actual information security incidents should be identified (e.g. m
System logs often contain a large volume of information, much of which is extraneous to information security monitoring. To help identify significant events for information security monitoring purposes, the use of suitable utility programs or audit tools to perform file interrogation can be considered.
Event logging sets the foundation for automated monitoring systems (see [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md)) which are capable of generating consolidated reports and alerts on system security.
Event logging sets the foundation for automated monitoring systems (see [8.16](a-8.16-Monitoring-activities.md)) which are capable of generating consolidated reports and alerts on system security.
A SIEM tool or equivalent service can be used to store, correlate, normalize and analyse log information, and to generate alerts. SIEMs tend to require careful configuration to optimize their benefits. Configurations to consider include identification and selection of appropriate log sources, tuning and testing of rules and development of use cases.

View file

@ -61,13 +61,13 @@ Continuous monitoring via a monitoring tool should be used. Monitoring should be
Automated monitoring software should be configured to generate alerts (e.g. via management consoles, email messages or instant messaging systems) based on predefined thresholds. The alerting system should be tuned and trained on the organizations baseline to minimize false positives. Personnel should be dedicated to respond to alerts and should be properly trained to accurately interpret potential incidents. There should be redundant systems and processes in place to receive and respond to alert notifications.
Abnormal events should be communicated to relevant parties in order to improve the following activities: auditing, security evaluation, vulnerability scanning and monitoring (see [5.25](ISO_27002_2022_5.25_OT%20Assessment%20and%20decision%20on%20information%20security%20events.md)). Procedures should be in place to respond to positive indicators from the monitoring system in a timely manner, in order to minimize the effect of adverse events (see [5.26](ISO_27002_2022_5.26_OT%20Response%20to%20information%20security%20incidents.md)) on information security. Procedures should also be established to identify and address false positives including tuning the monitoring software to reduce the number of future false positives.
Abnormal events should be communicated to relevant parties in order to improve the following activities: auditing, security evaluation, vulnerability scanning and monitoring (see [5.25](a-5.25-Assessment-and-decision-on-information-security-events.md)). Procedures should be in place to respond to positive indicators from the monitoring system in a timely manner, in order to minimize the effect of adverse events (see [5.26](a-5.26-Response-to-information-security-incidents.md)) on information security. Procedures should also be established to identify and address false positives including tuning the monitoring software to reduce the number of future false positives.
**Other information**
Security monitoring can be enhanced by:
a\) leveraging threat intelligence systems (see [5.7](ISO_27002_2022_5.7_OT%20Threat%20intelligence.md));
a\) leveraging threat intelligence systems (see [5.7](a-5.7-Threat-intelligence.md));
b\) leveraging machine learning and artificial intelligence capabilities;

View file

@ -13,7 +13,7 @@ To ensure the use of utility programs does not harm system and application contr
**Guidance**
The following guidelines for the use of utility programs that can be capable of overriding system and application controls should be considered:
a\) limitation of the use of utility programs to the minimum practical number of trusted, authorized users (see [8.2](ISO_27002_2022_8.2_OT%20Privileged%20access%20rights.md));
a\) limitation of the use of utility programs to the minimum practical number of trusted, authorized users (see [8.2](a-8.2-Privileged-access-rights.md));
b\) use of identification, authentication and authorization procedures for utility programs, including unique identification of the person who uses the utility program;

View file

@ -14,7 +14,7 @@ To ensure the integrity of operational systems and prevent exploitation of techn
**Guidance**
The following guidelines should be considered to securely manage changes and installation of software on operational systems:
a\) performing updates of operational software only by trained administrators upon appropriate management authorization (see [8.5](ISO_27002_2022_8.5_OT%20Secure%20authentication.md));
a\) performing updates of operational software only by trained administrators upon appropriate management authorization (see [8.5](a-8.5-Secure-authentication.md));
b\) ensuring that only approved executable code and no development code or compilers is installed on operational systems;
@ -36,7 +36,7 @@ Computer software can rely on externally supplied software and packages (e.g. so
Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. The organization should consider the risks of relying on unsupported software. Open source software used in operational systems should be maintained to the latest appropriate release of the software. Over time, open source code can cease to be maintained but is still available in an open source software repository. The organization should also consider the risks of relying on unmaintained open source software when used in operational systems.
When suppliers are involved in installing or updating software, physical or logical access should only be given when necessary and with appropriate authorization. The suppliers activities should be monitored (see [5.22](ISO_27002_2022_5.22_OT%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md)).
When suppliers are involved in installing or updating software, physical or logical access should only be given when necessary and with appropriate authorization. The suppliers activities should be monitored (see [5.22](a-5.22-Monitoring-review-and-change-management-of-supplier-services.md)).
The organization should define and enforce strict rules on which types of software users can install.

View file

@ -13,11 +13,11 @@ The allocation and use of privileged access rights should be restricted and mana
To ensure only authorized users, software components and services are provided with privileged access rights.
**Guidance**
The allocation of privileged access rights should be controlled through an authorization process in accordance with the relevant topic-specific policy on access control (see [5.15](ISO_27002_2022_5.15_OT%20Access%20control.md)). The following should be considered:
The allocation of privileged access rights should be controlled through an authorization process in accordance with the relevant topic-specific policy on access control (see [5.15](a-5.15-Access-control.md)). The following should be considered:
a\) identifying users who need privileged access rights for each system or process (e.g. operating systems, database management systems and applications);
b\) allocating privileged access rights to users as needed and on an event-by-event basis in line with the topic-specific policy on access control (see [5.15](ISO_27002_2022_5.15_OT%20Access%20control.md)) (i.e. only to individuals with the necessary competence to carry out activities that require privileged access and based on the minimum requirement for their functional roles);
b\) allocating privileged access rights to users as needed and on an event-by-event basis in line with the topic-specific policy on access control (see [5.15](a-5.15-Access-control.md)) (i.e. only to individuals with the necessary competence to carry out activities that require privileged access and based on the minimum requirement for their functional roles);
c\) maintaining an authorization process (i.e. determining who can approve privileged access rights, or not granting privileged access rights until the authorization process is complete) and a record of all privileges allocated;
@ -27,9 +27,9 @@ e\) taking measures to ensure that users are aware of their privileged access ri
f\) authentication requirements for privileged access rights can be higher than the requirements for normal access rights. Re-authentication or authentication step-up can be necessary before doing work with privileged access rights;
g\) regularly, and after any organizational change, reviewing users working with privileged access rights in order to verify if their duties, roles, responsibilities and competence still qualify them for working with privileged access rights (see [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md));
g\) regularly, and after any organizational change, reviewing users working with privileged access rights in order to verify if their duties, roles, responsibilities and competence still qualify them for working with privileged access rights (see [5.18](a-5.18-Access-rights.md));
h\) establishing specific rules in order to avoid the use of generic administration user IDs (such as “root”), depending on systems configuration capabilities. Managing and protecting authentication information of such identities (see [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md));
h\) establishing specific rules in order to avoid the use of generic administration user IDs (such as “root”), depending on systems configuration capabilities. Managing and protecting authentication information of such identities (see [5.17](a-5.17-Authentication-information.md));
i\) granting temporary privileged access just for the time window necessary to implement approved changes or activities (e.g. for maintenance activities or some critical changes), rather than permanently granting privileged access rights. This is often referred as break glass procedure, and often automated by privilege access management technologies;

View file

@ -21,7 +21,7 @@ b\) establishing responsibilities and procedures for the management of networkin
c\) maintaining up to date documentation including network diagrams and configuration files of devices (e.g. routers, switches);
d\) separating operational responsibility for networks from ICT system operations where appropriate (see [5.3](ISO_27002_2022_5.3_OT%20Segregation%20of%20duties.md));
d\) separating operational responsibility for networks from ICT system operations where appropriate (see [5.3](a-5.3-Segregation-of-duties.md));
e\) establishing controls to safeguard the confidentiality and integrity of data passing over public networks, third-party networks or over wireless networks and to protect the connected systems and applications (see >5.22>, >8.24>, >5.14and >6.6>). Additional controls can also be required to maintain the availability of the network services and computers connected to the network;
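Review bot: context line e) in this hunk still carries unconverted cross-references, `>5.22>, >8.24>, >5.14and >6.6>`, including a missing space before "and". Since this commit is the pass that normalizes link targets, these should become links in the same `a-<control>-<Title>.md` form used on line d) just above, e.g. `[5.22](a-5.22-Monitoring-review-and-change-management-of-supplier-services.md)` and `[8.24](a-8.24-Use-of-cryptography.md)` (both file names appear in other hunks of this commit; the 5.14 and 6.6 targets are not visible here and would follow the same scheme), or at minimum be cleaned to plain `5.22, 8.24, 5.14 and 6.6`.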

View file

@ -15,9 +15,9 @@ To split the network in security boundaries and to control traffic between them
**Guidance**
The organization should consider managing the security of large networks by dividing them into separate network domains and separating them from the public network (i.e. internet). The domains can be chosen based on levels of trust, criticality and sensitivity (e.g. public access domain, desktop domain, server domain, low- and high-risk systems), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks.
The perimeter of each domain should be well-defined. If access between network domains is allowed, it should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the topic-specific policy on access control (see [5.15](ISO_27002_2022_5.15_OT%20Access%20control.md)), access requirements, value and classification of information processed and take account of the relative cost and performance impact of incorporating suitable gateway technology.
The perimeter of each domain should be well-defined. If access between network domains is allowed, it should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the topic-specific policy on access control (see [5.15](a-5.15-Access-control.md)), access requirements, value and classification of information processed and take account of the relative cost and performance impact of incorporating suitable gateway technology.
Wireless networks require special treatment due to the poorly-defined network perimeter. Radio coverage adjustment should be considered for segregation of wireless networks. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls (see [8.20](ISO_27002_2022_8.20_OT%20Networks%20security.md)) before granting access to internal systems. Wireless access network for guests should be segregated from those for personnel if personnel only use controlled user endpoint devices compliant to the organizations topic-specific policies. WiFi for guests should have at least the same restrictions as WiFi for personnel, in order to discourage the use of guest WiFi by personnel.
Wireless networks require special treatment due to the poorly-defined network perimeter. Radio coverage adjustment should be considered for segregation of wireless networks. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls (see [8.20](a-8.20-Networks-security.md)) before granting access to internal systems. Wireless access network for guests should be segregated from those for personnel if personnel only use controlled user endpoint devices compliant to the organizations topic-specific policies. WiFi for guests should have at least the same restrictions as WiFi for personnel, in order to discourage the use of guest WiFi by personnel.
**Other information**
Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organizations information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality.

View file

@ -21,7 +21,7 @@ b\) known or suspected malicious websites (e.g. those distributing malware or ph
c\) command and control servers;
d\) malicious website acquired from threat intelligence (see [5.7](ISO_27002_2022_5.7_OT%20Threat%20intelligence.md));
d\) malicious website acquired from threat intelligence (see [5.7](a-5.7-Threat-intelligence.md));
e\) websites sharing illegal content.

View file

@ -59,7 +59,7 @@ e\) roles and responsibilities for:
1\) the implementation of the rules for the effective use of cryptography;
2\) the key management, including key generation (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md));
2\) the key management, including key generation (see [8.24](a-8.24-Use-of-cryptography.md));
@ -71,11 +71,11 @@ g\) the impact of using encrypted information on controls that rely on content i
When implementing the organizations rules for effective use of cryptography, the regulations and national restrictions that can apply to the use of cryptographic techniques in different parts of the world should be taken into consideration as well as the issues of trans-border flow of encrypted information (see [5.31](ISO_27002_2022_5.31_OT%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md)).
When implementing the organizations rules for effective use of cryptography, the regulations and national restrictions that can apply to the use of cryptographic techniques in different parts of the world should be taken into consideration as well as the issues of trans-border flow of encrypted information (see [5.31](a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md)).
The contents of service level agreements or contracts with external suppliers of cryptographic services (e.g. with a certification authority) should cover issues of liability, reliability of services and response times for the provision of services (see [5.22](ISO_27002_2022_5.22_OT%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md)).
The contents of service level agreements or contracts with external suppliers of cryptographic services (e.g. with a certification authority) should cover issues of liability, reliability of services and response times for the provision of services (see [5.22](a-5.22-Monitoring-review-and-change-management-of-supplier-services.md)).

View file

@ -22,7 +22,7 @@ Application security requirements can cover a wide range of topics, depending on
Application security requirements should include, as applicable:
a\) level of trust in identity of entities \[e.g. through authentication (see [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md), [8.2](ISO_27002_2022_8.2_OT%20Privileged%20access%20rights.md) and [8.5](ISO_27002_2022_8.5_OT%20Secure%20authentication.md))];
a\) level of trust in identity of entities \[e.g. through authentication (see [5.17](a-5.17-Authentication-information.md), [8.2](a-8.2-Privileged-access-rights.md) and [8.5](a-8.5-Secure-authentication.md))];
b\) identifying the type of information and classification level to be processed by the application;

View file

@ -51,7 +51,7 @@ c) using structured programming techniques;
d) documenting code and removing programming defects, which can allow information security vulnerabilities to be exploited;
e) prohibiting the use of insecure design techniques (e.g. the use of hard-coded passwords, unapproved code samples and unauthenticated web services).
Testing should be conducted during and after development (see [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md)). Static application security testing (SAST) processes can identify security vulnerabilities in software.
Testing should be conducted during and after development (see [8.29](a-8.29-Security-testing-in-development-and-acceptance.md)). Static application security testing (SAST) processes can identify security vulnerabilities in software.
Before software is made operational, the following should be evaluated:
a) attack surface and the principle of least privilege;
@ -62,7 +62,7 @@ b) conducting an analysis of the most common programming errors and documenting
After code has been made operational:
a) updates should be securely packaged and deployed;
b) reported information security vulnerabilities should be handled (see [8.8](ISO_27002_2022_8.8_OT%20Management%20of%20technical%20vulnerabilities.md));
b) reported information security vulnerabilities should be handled (see [8.8](a-8.8-Management-of-technical-vulnerabilities.md));
c) errors and suspected attacks should be logged and logs regularly reviewed to make adjustments to the code as necessary;
d) source code should be protected against unauthorized access and tampering (e.g. by using configuration management tools, which typically provide features such as access control and version control).
@ -95,5 +95,5 @@ More information on ICT security evaluation can be found in the ISO/IEC 15408 se
# Related:
- [[ISO_27002_PE 8.28 Secure coding]]
- [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md)
- [8.8](ISO_27002_2022_8.8_OT%20Management%20of%20technical%20vulnerabilities.md)
- [8.29](a-8.29-Security-testing-in-development-and-acceptance.md)
- [8.8](a-8.8-Management-of-technical-vulnerabilities.md)
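Review bot: the first entry of the Related list, `[[ISO_27002_PE 8.28 Secure coding]]`, keeps the old `ISO_27002_` prefix and wikilink syntax while the two entries below it were converted to `a-8.29-…` and `a-8.8-…` markdown links. If the PE files are later renamed by the same scheme this link breaks silently; if leaving it is intentional (presumably the non-EN counterpart of this 8.28 file), a mixed list of wikilinks and markdown links is still worth a comment in the commit message or a follow-up to pick one style.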

View file

@ -17,9 +17,9 @@ New information systems, upgrades and new versions should be thoroughly tested a
Security testing should be conducted against a set of requirements, which can be expressed as functional or non-functional. Security testing should include testing of:
a\) security functions \[e.g. user authentication (see [8.5](ISO_27002_2022_8.5_OT%20Secure%20authentication.md)), access restriction (see [8.3](ISO_27002_2022_8.3_OT%20Information%20access%20restriction.md)) and use of cryptography (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md))\];
a\) security functions \[e.g. user authentication (see [8.5](a-8.5-Secure-authentication.md)), access restriction (see [8.3](a-8.3-Information-access-restriction.md)) and use of cryptography (see [8.24](a-8.24-Use-of-cryptography.md))\];
b\) secure coding (see [8.28](ISO_27002_2022_8.28_OT%20Secure%20coding.md));
b\) secure coding (see [8.28](a-8.28-Secure-coding.md));
c\) secure configurations (see >8.9>, >8.20and >8.22>) including that of operating systems, firewalls and other security components.
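Review bot: context line c) still contains the garbled, unlinked references `>8.9>, >8.20and >8.22>` (with a missing space before "and") while a) and b) in the same hunk were converted to `a-…` links. 8.20 resolves to `a-8.20-Networks-security.md`, which this commit already uses in the 8.22 file; the 8.9 and 8.22 targets are not visible in this diff and would need to follow the same `a-<control>-<Title>.md` naming. Suggest fixing this line in the same pass so the file does not end up half-converted.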
@ -35,7 +35,7 @@ d\) decision for further actions as necessary.
The organization can leverage automated tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of security related defects.
For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken to ensure that the system works as expected and only as expected (see [5.8](ISO_27002_2022_5.8_OT%20Information%20security%20in%20project%20management.md)). The following should be considered:
For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken to ensure that the system works as expected and only as expected (see [5.8](a-5.8-Information-security-in-project-management.md)). The following should be considered:
a\) performing code review activities as a relevant element for testing for security flaws, including unanticipated inputs and conditions;
@ -43,9 +43,9 @@ b\) performing vulnerability scanning to identify insecure configurations and sy
c\) performing penetration testing to identify insecure code and design.
For outsourced development and purchasing components, an acquisition process should be followed. Contracts with the supplier should address the identified security requirements (see [5.20](ISO_27002_2022_5.20_OT%20Addressing%20information%20security%20within%20supplier%20agreements.md)). Products and services should be evaluated against these criteria before acquisition.
For outsourced development and purchasing components, an acquisition process should be followed. Contracts with the supplier should address the identified security requirements (see [5.20](a-5.20-Addressing-information-security-within-supplier-agreements.md)). Products and services should be evaluated against these criteria before acquisition.
Testing should be performed in a test environment that matches the target production environment as closely as possible to ensure that the system does not introduce vulnerabilities to the organizations environment and that the tests are reliable (see [8.31](ISO_27002_2022_8.31_OT%20Separation%20of%20development,%20test%20and%20production%20environments.md)).
Testing should be performed in a test environment that matches the target production environment as closely as possible to ensure that the system does not introduce vulnerabilities to the organizations environment and that the tests are reliable (see [8.31](a-8.31-Separation-of-development-test-and-production-environments.md)).
**Other information**
Multiple test environments can be established, which can be used for different kinds of testing (e.g. functional and performance testing). These different environments can be virtual, with individual configurations to simulate a variety of operating environments.

View file

@ -13,13 +13,13 @@ To ensure information security measures required by the organization are impleme
**Guidance**
Where system development is outsourced, the organization should communicate and agree requirements and expectations, and continually monitor and review whether the delivery of outsourced work meets these expectations. The following points should be considered across the organizations entire external supply chain:
a\) licensing agreements, code ownership and intellectual property rights related to the outsourced content (see [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md));
a\) licensing agreements, code ownership and intellectual property rights related to the outsourced content (see [5.32](a-5.32-Intellectual-property-rights.md));
b\) contractual requirements for secure design, coding and testing practices (see 8.25 to 8.29 );
c\) provision of the threat model to consider by external developers;
d\) acceptance testing for the quality and accuracy of the deliverables (see [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md));
d\) acceptance testing for the quality and accuracy of the deliverables (see [8.29](a-8.29-Security-testing-in-development-and-acceptance.md));
e\) provision of evidence that minimum acceptable levels of security and privacy capabilities are established (e.g. assurance reports);
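Review bot: context line b) reads `(see 8.25 to 8.29 )`, with a stray space before the closing parenthesis and no links, while a) and d) in this same hunk link their targets. Either link the endpoints of the range (d) already supplies the 8.29 file name, `a-8.29-Security-testing-in-development-and-acceptance.md`; the 8.25 target is not visible in this diff) or at least drop the space so the range reads `(see 8.25 to 8.29)`.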
@ -31,7 +31,7 @@ h\) escrow agreements for the software source code (e.g. if the supplier goes ou
i\) contractual right to audit development processes and controls;
j\) security requirements for the development environment (see [8.31](ISO_27002_2022_8.31_OT%20Separation%20of%20development,%20test%20and%20production%20environments.md));
j\) security requirements for the development environment (see [8.31](a-8.31-Separation-of-development-test-and-production-environments.md));
k\) taking consideration of applicable legislation (e.g. on protection of personal data).

View file

@ -27,7 +27,7 @@ b\) defining, documenting and implementing rules and authorization for the deplo
c\) testing changes to production systems and applications in a testing or staging environment prior to being applied to production systems (see [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md));
c\) testing changes to production systems and applications in a testing or staging environment prior to being applied to production systems (see [8.29](a-8.29-Security-testing-in-development-and-acceptance.md));

View file

@ -26,7 +26,7 @@ b\) authorization of changes;
c\) communicating changes to relevant interested parties;
d\) tests and acceptance of tests for the changes (see [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md));
d\) tests and acceptance of tests for the changes (see [8.29](a-8.29-Security-testing-in-development-and-acceptance.md));
e\) implementation of changes including deployment plans;
@ -34,15 +34,15 @@ f\) emergency and contingency considerations including fall-back procedures;
g\) maintaining records of changes that include all of the above;
h\) ensuring that operating documentation (see [5.37](ISO_27002_2022_5.37_OT%20Documented%20operating%20procedures.md)) and user procedures are changed as necessary to remain appropriate;
h\) ensuring that operating documentation (see [5.37](a-5.37-Documented-operating-procedures.md)) and user procedures are changed as necessary to remain appropriate;
i\) ensuring that ICT continuity plans and response and recovery procedures (see [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)) are changed as necessary to remain appropriate.
i\) ensuring that ICT continuity plans and response and recovery procedures (see [5.30](a-5.30-ICT-readiness-for-business-continuity.md)) are changed as necessary to remain appropriate.
**Other information**
Inadequate control of changes to information processing facilities and information systems is a common cause of system or security failures. Changes to the production environment, especially when transferring software from development to operational environment, can impact on the integrity and availability of applications.
Changing software can impact the production environment and vice versa.
Good practice includes the testing of ICT components in an environment segregated from both the production and development environments (see [8.31](ISO_27002_2022_8.31_OT%20Separation%20of%20development,%20test%20and%20production%20environments.md)). This provides a means of having control over new software and allowing additional protection of operational information that is used for testing purposes. This should include patches, service packs and other updates.
Good practice includes the testing of ICT components in an environment segregated from both the production and development environments (see [8.31](a-8.31-Separation-of-development-test-and-production-environments.md)). This provides a means of having control over new software and allowing additional protection of operational information that is used for testing purposes. This should include patches, service packs and other updates.
Production environment includes operating systems, databases and middleware platforms. The control should be applied for changes of applications and infrastructures.

View file

@ -11,7 +11,7 @@ Test information should be appropriately selected, protected and managed.
To ensure relevance of testing and protection of operational information used for testing.
**Guidance**
Test information should be selected to ensure the reliability of tests results and the confidentiality of the relevant operational information. Sensitive information (including personally identifiable information) should not be copied into the development and testing environments (see [8.31](ISO_27002_2022_8.31_OT%20Separation%20of%20development,%20test%20and%20production%20environments.md)).
Test information should be selected to ensure the reliability of tests results and the confidentiality of the relevant operational information. Sensitive information (including personally identifiable information) should not be copied into the development and testing environments (see [8.31](a-8.31-Separation-of-development-test-and-production-environments.md)).
The following guidelines should be applied to protect the copies of operational information, when used for testing purposes, whether the test environment is built in-house or on a cloud service:
@ -21,9 +21,9 @@ b\) having a separate authorization each time operational information is copied
c\) logging the copying and use of operational information to provide an audit trail;
d\) protecting sensitive information by removal or masking (see [8.11](ISO_27002_2022_8.11_OT%20Data%20masking.md)) if used for testing;
d\) protecting sensitive information by removal or masking (see [8.11](a-8.11-Data-masking.md)) if used for testing;
e\) properly deleting (see [8.10](ISO_27002_2022_8.10_OT%20Information%20deletion.md)) operational information from a test environment immediately after the testing is complete to prevent unauthorized use of test information.
e\) properly deleting (see [8.10](a-8.10-Information-deletion.md)) operational information from a test environment immediately after the testing is complete to prevent unauthorized use of test information.
Test information should be securely stored (to prevent tampering, which can otherwise lead to invalid results) and only used for testing purposes.

View file

@ -21,7 +21,7 @@ The following guidelines should be considered to control access to program sourc
a\) managing the access to program source code and the program source libraries according to established procedures;
b\) granting read and write access to source code based on business needs and managed to address risks of alteration or misuse and according to established procedures;
c\) updating of source code and associated items and granting of access to source code in accordance with change control procedures (see [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md)) and only performing it after appropriate authorization has been received;
c\) updating of source code and associated items and granting of access to source code in accordance with change control procedures (see [8.32](a-8.32-Change-management.md)) and only performing it after appropriate authorization has been received;
d\) not granting developers direct access to the source code repository, but through developer tools that control activities and authorizations on the source code;
e\) holding program listings in a secure environment, where read and write access should be appropriately managed and assigned;
f\) maintaining an audit log of all accesses and of all changes to source code.

View file

@ -13,11 +13,11 @@ To ensure information and other associated assets are protected against malware.
Protection against malware should be based on malware detection and repair software, information security awareness, appropriate system access and change management controls. Use of malware detection and repair software alone is not usually adequate. The following guidance should be considered:
a)   implementing rules and controls that prevent or detect the use of unauthorized software \[e.g. application allowlisting (i.e. using a list providing allowed applications)] (see [8.19](ISO_27002_2022_8.19_OT%20Installation%20of%20software%20on%20operational%20systems.md) and [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md))
a)   implementing rules and controls that prevent or detect the use of unauthorized software \[e.g. application allowlisting (i.e. using a list providing allowed applications)] (see [8.19](a-8.19-Installation-of-software-on-operational-systems.md) and [8.32](a-8.32-Change-management.md))
b)   implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blocklisting);
c)   reducing vulnerabilities that can be exploited by malware \[e.g. through technical vulnerability management (see [8.8](ISO_27002_2022_8.8_OT%20Management%20of%20technical%20vulnerabilities.md) and [8.19](ISO_27002_2022_8.19_OT%20Installation%20of%20software%20on%20operational%20systems.md))];
c)   reducing vulnerabilities that can be exploited by malware \[e.g. through technical vulnerability management (see [8.8](a-8.8-Management-of-technical-vulnerabilities.md) and [8.19](a-8.19-Installation-of-software-on-operational-systems.md))];
d)   conducting regular automated validation of the software and data content of systems, especially for systems supporting critical business processes; investigating the presence of any unapproved files or unauthorized amendments;
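Review bot: item a) still has no trailing semicolon after `(see [8.19](...) and [8.32](...))`, while b) and c) end with one; since this line is already being touched for the link rename, it would be a good moment to add the `;` so the list is consistent.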
@ -41,7 +41,7 @@ h)   taking care to protect against the introduction of malware during maintena
i) implementing a process to authorize temporarily or permanently disable some or all measures against malware, including exception approval authorities, documented justification and review date. This can be necessary when the protection against malware causes disruption to normal operations;
j) preparing appropriate business continuity plans for recovering from malware attacks, including
all necessary data and software backup (including both online and offline backup) and recovery measures (see [8.13](ISO_27002_2022_8.13_OT%20Information%20backup.md));
all necessary data and software backup (including both online and offline backup) and recovery measures (see [8.13](a-8.13-Information-backup.md));
k)   isolating environments where catastrophic consequences can occur;
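Review bot: item j) is split mid-sentence across two source lines (`... including` / `all necessary data and software backup ...`), unlike the other list items; consider joining the two lines while the second one is being edited so the item reads as one line like its neighbours.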

View file

@ -53,7 +53,7 @@ b\) for software and other technologies (based on the asset inventory list, see
c\) requiring suppliers of information system (including their components) to ensure vulnerability reporting, handling and disclosure, including the requirements in applicable contracts (see [5.20](ISO_27002_2022_5.20_OT%20Addressing%20information%20security%20within%20supplier%20agreements.md));
c\) requiring suppliers of information system (including their components) to ensure vulnerability reporting, handling and disclosure, including the requirements in applicable contracts (see [5.20](a-5.20-Addressing-information-security-within-supplier-agreements.md));
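Review bot: unrelated to the rename but on the same line, `suppliers of information system (including their components)` should read `information systems` to agree with `their components`; worth fixing in passing.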
@ -65,7 +65,7 @@ e\) conducting planned, documented and repeatable penetration tests or vulnerabi
f\) tracking the usage of third-party libraries and source code for vulnerabilities. This should be included in secure coding (see [8.28](ISO_27002_2022_8.28_OT%20Secure%20coding.md)).
f\) tracking the usage of third-party libraries and source code for vulnerabilities. This should be included in secure coding (see [8.28](a-8.28-Secure-coding.md)).
@ -117,7 +117,7 @@ a\) taking appropriate and timely action in response to the identification of po
b\) depending on how urgently a technical vulnerability needs to be addressed, carrying out the action according to the controls related to change management (see [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md)) or by following information security incident response procedures (see [5.26](ISO_27002_2022_5.26_OT%20Response%20to%20information%20security%20incidents.md));
b\) depending on how urgently a technical vulnerability needs to be addressed, carrying out the action according to the controls related to change management (see [8.32](a-8.32-Change-management.md)) or by following information security incident response procedures (see [5.26](a-5.26-Response-to-information-security-incidents.md));
@ -194,7 +194,7 @@ An effective technical vulnerability management process should be aligned with i
Where the organization uses a cloud service supplied by a third-party cloud service provider, technical vulnerability management of cloud service provider resources should be ensured by the cloud service provider. The cloud service providers responsibilities for technical vulnerability management should be part of the cloud service agreement and this should include processes for reporting the cloud service provider's actions relating to technical vulnerabilities (see [5.23](ISO_27002_2022_5.23_OT%20Information%20security%20for%20use%20of%20cloud%20services.md)). For some cloud services, there are respective responsibilities for the cloud service provider and the cloud service customer. For example, the cloud service customer is responsible for vulnerability management of its own assets used for the cloud services.
Where the organization uses a cloud service supplied by a third-party cloud service provider, technical vulnerability management of cloud service provider resources should be ensured by the cloud service provider. The cloud service providers responsibilities for technical vulnerability management should be part of the cloud service agreement and this should include processes for reporting the cloud service provider's actions relating to technical vulnerabilities (see [5.23](a-5.23-Information-security-for-use-of-cloud-services.md)). For some cloud services, there are respective responsibilities for the cloud service provider and the cloud service customer. For example, the cloud service customer is responsible for vulnerability management of its own assets used for the cloud services.
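Review bot: the changed line keeps `The cloud service providers responsibilities` without the possessive apostrophe, while the same sentence later uses `the cloud service provider's actions`; since the line is already being edited, changing it to `provider's responsibilities` would make the two consistent.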
@ -202,7 +202,7 @@ Where the organization uses a cloud service supplied by a third-party cloud serv
Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md)).
Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see [8.32](a-8.32-Change-management.md)).

View file

@ -44,12 +44,12 @@ f) changing vendor default authentication information such as default password
g) invoking time-out facilities that automatically log off computing devices after a predetermined period of inactivity;
h) verifying that licence requirements have been met (see [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md)).
h) verifying that licence requirements have been met (see [5.32](a-5.32-Intellectual-property-rights.md)).
#### Managing configurations
Established configurations of hardware, software, services and networks should be recorded and a log should be maintained of all configuration changes. These records should be securely stored. This can be achieved in various ways, such as configuration databases or configuration templates.
Changes to configurations should follow the change management process (see [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md)).
Changes to configurations should follow the change management process (see [8.32](a-8.32-Change-management.md)).
Configuration records can contain as relevant: