diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.10_OT Acceptable use of information and other associated assets.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.10_OT Acceptable use of information and other associated assets.md index 2b59e99..66fd826 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.10_OT Acceptable use of information and other associated assets.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.10_OT Acceptable use of information and other associated assets.md @@ -21,7 +21,7 @@ b\) permitted and prohibited use of information and other associated assets; c\) monitoring activities being performed by the organization. -Acceptable use procedures should be drawn up for the full information life cycle in accordance with its classification (see 5.12) and determined risks. The following items should be considered: +Acceptable use procedures should be drawn up for the full information life cycle in accordance with its classification (see [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md)) and determined risks. The following items should be considered: a\) access restrictions supporting the protection requirements for each level of classification; 
@@ -29,11 +29,11 @@ b\) maintenance of a record of the authorized users of information and other ass c\) protection of temporary or permanent copies of information to a level consistent with the protection of the original information; -d\) storage of assets associated with information in accordance with manufacturers’ specifications (see 7.8); +d\) storage of assets associated with information in accordance with manufacturers’ specifications (see [7.8](ISO_27002_2022_7.8_OT%20Equipment%20siting%20and%20protection.md)); -e\) clear marking of all copies of storage media (electronic or physical) for the attention of the authorized recipient (see 7.10); +e\) clear marking of all copies of storage media (electronic or physical) for the attention of the authorized recipient (see [7.10](ISO_27002_2022_7.10_OT%20Storage%20media.md)); -f\) authorization of disposal of information and other associated assets and supported deletion method(s) (see 8.10). +f\) authorization of disposal of information and other associated assets and supported deletion method(s) (see [8.10](ISO_27002_2022_8.10_OT%20Information%20deletion.md)). **Other information** It can be the case that the assets concerned do not directly belong to the organization, such as public cloud services. The use of such third-party assets and any assets of the organization associated with such external assets (e.g. information, software) should be identified as applicable and controlled, for example, through agreements with cloud service providers. Care should also be taken when a collaborative working environment is used. \ No newline at end of file diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.11_OT Return of assets.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.11_OT Return of assets.md index d972797..1780b4f 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.11_OT Return of assets.md 
+++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.11_OT Return of assets.md @@ -16,7 +16,7 @@ To protect the organization’s assets as part of the process of changing or ter The change or termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization. -In cases where personnel and other interested parties purchase the organization’s equipment or use their own personal equipment, procedures should be followed to ensure that all relevant information is traced and transferred to the organization and securely deleted from the equipment (see 7.14). +In cases where personnel and other interested parties purchase the organization’s equipment or use their own personal equipment, procedures should be followed to ensure that all relevant information is traced and transferred to the organization and securely deleted from the equipment (see [7.14](ISO_27002_2022_7.14_OT%20Secure%20disposal%20or%20re-use%20of%20equipment.md)). In cases where personnel and other interested parties have knowledge that is important to ongoing operations, that information should be documented and transferred to the organization. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.12_OT Classification of information.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.12_OT Classification of information.md index ac9c5ca..df3d626 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.12_OT Classification of information.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.12_OT Classification of information.md 
@@ -23,7 +23,7 @@ Owners of information should be accountable for their classification. The classification scheme should include conventions for classification and criteria for review of the classification over time. Results of classification should be updated in accordance with changes of the value, sensitivity and criticality of information through their life cycle. -The scheme should be aligned to the topic-specific policy on access control (see 5.1) and should be able to address specific business needs of the organization. +The scheme should be aligned to the topic-specific policy on access control (see [5.1](ISO_27002_2022_5.1_OT%20Policies%20for%20information%20security.md)) and should be able to address specific business needs of the organization. The classification can be determined by the level of impact that the information's compromise would have for the organization. Each level defined in the scheme should be given a name that makes sense in the context of the classification scheme’s application. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.14_OT Information transfer.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.14_OT Information transfer.md index 4f86e21..8e6cc0f 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.14_OT Information transfer.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.14_OT Information transfer.md 
@@ -13,13 +13,13 @@ To maintain the security of information transferred within an organization and w **Guidance** General -The organization should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit (see 5.10). +The organization should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit (see [5.10](ISO_27002_2022_5.10_OT%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md)). Information transfer can happen through electronic transfer, physical storage media transfer and verbal transfer. 
For all types of information transfer, rules, procedures and agreements should include: -a\) controls designed to protect transferred information from interception, unauthorized access, copying, modification, misrouting, destruction and denial of service, including levels of access control commensurate with the classification of the information involved and any special controls that are required to protect sensitive information, such as use of cryptographic techniques (see 8.24); +a\) controls designed to protect transferred information from interception, unauthorized access, copying, modification, misrouting, destruction and denial of service, including levels of access control commensurate with the classification of the information involved and any special controls that are required to protect sensitive information, such as use of cryptographic techniques (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md)); b\) controls to ensure traceability and non-repudiation, including maintaining a chain of custody for information while in transit; 
@@ -27,22 +27,22 @@ c\) identification of appropriate contacts related to the transfer including inf d\) responsibilities and liabilities in the event of information security incidents, such as loss of physical storage media or data; -e\) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see 5.13); +e\) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see [5.13](ISO_27002_2022_5.13_OT%20Labelling%20of%20information.md)); f\) reliability and availability of the transfer service; -g\) the topic-specific policy or guidelines on acceptable use of information transfer facilities (see 5.10); +g\) the topic-specific policy or guidelines on acceptable use of information transfer facilities (see [5.10](ISO_27002_2022_5.10_OT%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md)); h\) retention and disposal guidelines for all business records, including messages; NOTE Local legislation and regulations can exist regarding retention and disposal of business records. -i\) the consideration of any other relevant legal, statutory, regulatory and contractual requirements (see 5.31, 5.32, 5.33, 5.34) related to transfer of information (e.g. requirements for electronic signatures). +i\) the consideration of any other relevant legal, statutory, regulatory and contractual requirements (see [5.31](ISO_27002_2022_5.31_OT%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md), [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md), [5.33](ISO_27002_2022_5.33_OT%20Protection%20of%20records.md), [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md)) related to transfer of information (e.g. requirements for electronic signatures). 
Electronic transfer Rules, procedures and agreements should also consider the following items when using electronic communication facilities for information transfer: -a\) detection of and protection against malware that can be transmitted through the use of electronic communications (see 8.7); +a\) detection of and protection against malware that can be transmitted through the use of electronic communications (see [8.7](ISO_27002_2022_8.7_OT%20Protection%20against%20malware.md)); b\) protection of communicated sensitive electronic information that is in the form of an attachment; diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.15_OT Access control.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.15_OT Access control.md index f698889..312defb 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.15_OT Access control.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.15_OT Access control.md 
@@ -19,27 +19,27 @@ These requirements and the topic-specific policy should consider the following: a\) determining which entities require which type of access to the information and other associated assets; -b\) security of applications (see 8.26); +b\) security of applications (see [8.26](ISO_27002_2022_8.26_OT%20Application%20security%20requirements.md)); -c\) physical access, which needs to be supported by appropriate physical entry controls (see 7.2, 7.3, 7.4); +c\) physical access, which needs to be supported by appropriate physical entry controls (see [7.2](ISO_27002_2022_7.2_OT%20Physical%20entry.md), [7.3](ISO_27002_2022_7.3_OT%20Securing%20offices,%20rooms%20and%20facilities.md), [7.4](ISO_27002_2022_7.4_OT%20Physical%20security%20monitoring.md)); -d\) information dissemination and authorization (e.g. the need-to-know principle) and information security levels and classification of information (see 5.10, 5.12, 5.13); +d\) information dissemination and authorization (e.g. the need-to-know principle) and information security levels and classification of information (see [5.10](ISO_27002_2022_5.10_OT%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md), [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md), [5.13](ISO_27002_2022_5.13_OT%20Labelling%20of%20information.md)); -e\) restrictions to privileged access (see 8.2); +e\) restrictions to privileged access (see [8.2](ISO_27002_2022_8.2_OT%20Privileged%20access%20rights.md)); -f\) segregation of duties (see 5.3); +f\) segregation of duties (see [5.3](ISO_27002_2022_5.3_OT%20Segregation%20of%20duties.md)); -g\) relevant legislation, regulations and any contractual obligations regarding limitation of access to data or services (see 5.31, 5.32, 5.33, 5.34, 8.3); +g\) relevant legislation, regulations and any contractual obligations regarding limitation of access to data or services (see 
[5.31](ISO_27002_2022_5.31_OT%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md), [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md), [5.33](ISO_27002_2022_5.33_OT%20Protection%20of%20records.md), [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md), [8.3](ISO_27002_2022_8.3_OT%20Information%20access%20restriction.md)); h\) segregation of access control functions (e.g. access request, access authorization, access administration); -i\) formal authorization of access requests (see 5.16and 5.18); +i\) formal authorization of access requests (see [5.16](ISO_27002_2022_5.16_OT%20Identity%20management.md), [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md)); -j\) the management of access rights (see 5.18); +j\) the management of access rights (see [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md)); -k\) logging (see 8.15). +k\) logging (see [8.15](ISO_27002_2022_8.15_OT%20Logging.md)). -Access control rules should be implemented by defining and mapping appropriate access rights and restrictions to the relevant entities (see 5.16). An entity can represent a human user as well as a technical or logical item (e.g. a machine, device or a service). To simplify the access control management, specific roles can be assigned to entity groups. +Access control rules should be implemented by defining and mapping appropriate access rights and restrictions to the relevant entities (see [5.16](ISO_27002_2022_5.16_OT%20Identity%20management.md)). An entity can represent a human user as well as a technical or logical item (e.g. a machine, device or a service). To simplify the access control management, specific roles can be assigned to entity groups. The following should be taken into account when defining and implementing access control rules: 
@@ -63,13 +63,13 @@ Care should be taken when specifying access control rules to consider: a\) establishing rules based on the premise of least privilege, “Everything is generally forbidden unless expressly permitted”, rather than the weaker rule, “Everything is generally permitted unless expressly forbidden”; -b\) changes in information labels (see 5.13) that are initiated automatically by information processing facilities and those initiated at the discretion of a user; +b\) changes in information labels (see [5.13](ISO_27002_2022_5.13_OT%20Labelling%20of%20information.md)) that are initiated automatically by information processing facilities and those initiated at the discretion of a user; c\) changes in user permissions that are initiated automatically by the information system and those initiated by an administrator; d\) when to define and regularly review the approval. -Access control rules should be supported by documented procedures (see 5.16, 5.17, 5.18, 8.2, 8.3, 8.4, 8.5, 8.18) and defined responsibilities (see 5.2, 5.17). +Access control rules should be supported by documented procedures (see [5.16](ISO_27002_2022_5.16_OT%20Identity%20management.md), [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md), [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md), [8.2](ISO_27002_2022_8.2_OT%20Privileged%20access%20rights.md), [8.3](ISO_27002_2022_8.3_OT%20Information%20access%20restriction.md), [8.4](ISO_27002_2022_8.4_OT%20Access%20to%20source%20code.md), [8.5](ISO_27002_2022_8.5_OT%20Secure%20authentication.md), [8.18](ISO_27002_2022_8.18_OT%20Use%20of%20privileged%20utility%20programs.md)) and defined responsibilities (see [5.2](ISO_27002_2022_5.2_OT%20Information%20security%20roles%20and%20responsibilities.md), [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md)). 
There are several ways to implement access control, such as MAC (mandatory access control), DAC (discretionary access control), RBAC (role-based access control) and ABAC (attribute-based access control). diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.16_OT Identity management.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.16_OT Identity management.md index 9745e28..7bfb0f1 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.16_OT Identity management.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.16_OT Identity management.md @@ -27,7 +27,7 @@ f\) records of all significant events concerning the use and management of user The organization should have a supporting process in place to handle changes to information related to user identities. These processes can include re-verification of trusted documents related to a person. -When using identities provided or issued by third parties (e.g. social media credentials), the organization should ensure the third-party identities provide the required trust level and any associated risks are known and sufficiently treated. This can include controls related to the third parties (see 5.19) as well as controls related to associated authentication information (see 5.17). +When using identities provided or issued by third parties (e.g. social media credentials), the organization should ensure the third-party identities provide the required trust level and any associated risks are known and sufficiently treated. This can include controls related to the third parties (see [5.19](ISO_27002_2022_5.19_OT%20Information%20security%20in%20supplier%20relationships.md)) as well as controls related to associated authentication information (see [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md)). **Other information** Providing or revoking access to information and other associated assets is usually a multi-step procedure: 
@@ -40,5 +40,5 @@ c\) establishing an identity; d\) configuring and activating the identity. This also includes configuration and initial setup of related authentication services; -e\) providing or revoking specific access rights to the identity, based on appropriate authorization or entitle ment decisions (see 5.18). +e\) providing or revoking specific access rights to the identity, based on appropriate authorization or entitle ment decisions (see [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md)). diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.17_OT Authentication information.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.17_OT Authentication information.md index cb998c5..596cddb 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.17_OT Authentication information.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.17_OT Authentication information.md @@ -41,7 +41,7 @@ c)   when passwords are used as authentication information, strong passwords ac d)   the same passwords are not used across distinct services and systems; -e)   the obligation to follow these rules is also included in terms and conditions of employment (see 6.2). +e)   the obligation to follow these rules is also included in terms and conditions of employment (see [6.2](ISO_27002_2022_6.2_OT%20Terms%20and%20conditions%20of%20employment.md)). **Password management system** @@ -63,7 +63,7 @@ g)   not display passwords on the screen when being entered; h)   store and transmit passwords in protected form. -Password  encryption  and  hashing  should  be  performed  according  to  approved  cryptographic techniques for passwords (see 8.24). +Password  encryption  and  hashing  should  be  performed  according  to  approved  cryptographic techniques for passwords (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md)). **Other information** 
diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.18_OT Access rights.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.18_OT Access rights.md index 974426b..5f01cc4 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.18_OT Access rights.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.18_OT Access rights.md @@ -15,7 +15,7 @@ To ensure access to information and other associated assets is defined and autho Provision and revocation of access rights The provisioning process for assigning or revoking physical and logical access rights granted to an entity’s authenticated identity should include: -a\) obtaining authorization from the owner of the information and other associated assets for the use of the information and other associated assets (see 5.9). Separate approval for access rights by management can also be appropriate; +a\) obtaining authorization from the owner of the information and other associated assets for the use of the information and other associated assets (see [5.9](ISO_27002_2022_5.9_OT%20Inventory%20of%20information%20and%20other%20associated%20assets.md)). Separate approval for access rights by management can also be appropriate; b\) considering the business requirements and the organization’s topic-specific policy and rules on access control; 
@@ -25,7 +25,7 @@ d\) ensuring access rights are removed when someone does not need to access the e\) considering giving temporary access rights for a limited time period and revoking them at the expiration date, in particular for temporary personnel or temporary access required by personnel; -f\) verifying that the level of access granted is in accordance with the topic-specific policies on access control (see 5.15) and is consistent with other information security requirements such as segregation of duties (see 5.3); +f\) verifying that the level of access granted is in accordance with the topic-specific policies on access control (see [5.15](ISO_27002_2022_5.15_OT%20Access%20control.md)) and is consistent with other information security requirements such as segregation of duties (see [5.3](ISO_27002_2022_5.3_OT%20Segregation%20of%20duties.md)); g\) ensuring that access rights are activated (e.g. by service providers) only after authorization procedures are successfully completed; 
@@ -56,7 +56,7 @@ c\) the value of the assets currently accessible. **Other information** Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews of access rights are easier managed at the level of such roles than at the level of particular rights. -Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel (see 5.20, 6.2, 6.4, 6.6). +Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel (see [5.20](ISO_27002_2022_5.20_OT%20Addressing%20information%20security%20within%20supplier%20agreements.md), [6.2](ISO_27002_2022_6.2_OT%20Terms%20and%20conditions%20of%20employment.md), [6.4](ISO_27002_2022_6.4_OT%20Disciplinary%20process.md), [6.6](ISO_27002_2022_6.6_OT%20Confidentiality%20or%20non-disclosure%20agreements.md)). In cases of management-initiated termination, disgruntled personnel or external party users can deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning or being dismissed, they can be tempted to collect information for future use. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.23_OT Information security for use of cloud services.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.23_OT Information security for use of cloud services.md index 33b858d..4c4aae1 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.23_OT Information security for use of cloud services.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.23_OT Information security for use of cloud services.md 
@@ -10,7 +10,7 @@ To specify and manage information security for the use of cloud services. #### Guidance The organization should establish and communicate topic-specific policy on the use of cloud services to all relevant interested parties. -The organization should define and communicate how it intends to manage information security risks associated with the use of cloud services. It can be an extension or part of the existing approach for how an organization manages services provided by external parties (see 5.21 and 5.22). +The organization should define and communicate how it intends to manage information security risks associated with the use of cloud services. It can be an extension or part of the existing approach for how an organization manages services provided by external parties (see [5.21](ISO_27002_2022_5.21_OT%20Managing%20information%20security%20in%20the%20ICT%20supply%20chain.md), [5.22](ISO_27002_2022_5.22_OT%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md)). The use of cloud services can involve shared responsibility for information security and collaborative effort between the cloud service provider and the organization acting as the cloud service customer. It is essential that the responsibilities for both the cloud service provider and the organization, acting as the cloud service customer, are defined and implemented appropriately. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.26_OT Response to information security incidents.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.26_OT Response to information security incidents.md index 49e177a..15493cb 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.26_OT Response to information security incidents.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.26_OT Response to information security incidents.md 
@@ -16,19 +16,19 @@ To ensure efficient and effective response to information security incidents. **Guidance** The organization should establish and communicate procedures on information security incident response to all relevant interested parties. -Information security incidents should be responded to by a designated team with the required competency (see 5.24). +Information security incidents should be responded to by a designated team with the required competency (see [5.24](ISO_27002_2022_5.24_OT%20Information%20security%20incident%20management%20planning%20and%20preparation.md)). The response should include the following: a\) containing, if the consequences of the incident can spread, the systems affected by the incident; -b\) collecting evidence (see 5.28) as soon as possible after the occurrence; -c\) escalation, as required including crisis management activities and possibly invoking business continuity plans (see 5.29and 5.30); +b\) collecting evidence (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md)) as soon as possible after the occurrence; +c\) escalation, as required including crisis management activities and possibly invoking business continuity plans (see [5.29](ISO_27002_2022_5.29_OT%20Information%20security%20during%20disruption.md), [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)); d\) ensuring that all involved response activities are properly logged for later analysis; e\) communicating the existence of the information security incident or any relevant details thereof to all relevant internal and external interested parties following the need-to-know principle; f\) coordinating with internal and external parties such as authorities, external interest groups and forums, suppliers and clients to improve response effectiveness and help to minimize consequences for other organizations; g\) once the incident has been successfully addressed, formally closing and recording it; -h\) conducting 
information security forensic analysis, as required (see 5.28); -i\) performing post-incident analysis to identify root cause. Ensure it is documented and communicated according to defined procedures (see 5.27); +h\) conducting information security forensic analysis, as required (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md)); +i\) performing post-incident analysis to identify root cause. Ensure it is documented and communicated according to defined procedures (see [5.27](ISO_27002_2022_5.27_OT%20Learning%20from%20information%20security%20incidents.md)); j\) identifying and managing information security vulnerabilities and weaknesses including those related to controls which have caused, contributed to or failed to prevent the incident. **Other information** diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.31_OT Legal, statutory, regulatory and contractual requirements.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.31_OT Legal, statutory, regulatory and contractual requirements.md index 347fe93..ce87e3d 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.31_OT Legal, statutory, regulatory and contractual requirements.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.31_OT Legal, statutory, regulatory and contractual requirements.md @@ -66,7 +66,7 @@ Contractual requirements related to information security should include those st a\) contracts with clients; -b\) contracts with suppliers (see 5.20); +b\) contracts with suppliers (see [5.20](ISO_27002_2022_5.20_OT%20Addressing%20information%20security%20within%20supplier%20agreements.md)); c\) insurance contracts. **Other information** diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.33_OT Protection of records.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.33_OT Protection of records.md index c7799c9..8e6a1e4 100644 
--- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.33_OT Protection of records.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.33_OT Protection of records.md @@ -26,7 +26,7 @@ When deciding on protection of specific organizational records, their correspond Data storage systems should be chosen such that required records can be retrieved in an acceptable time frame and format, depending on the requirements to be fulfilled. -Where electronic storage media are chosen, procedures to ensure the ability to access records (both storage media and format readability) throughout the retention period should be established to safeguard against loss due to future technology change. Any related cryptographic keys and programs associated with encrypted archives or digital signatures, should also be retained to enable decryption of the records for the length of time the records are retained (see 8.24). +Where electronic storage media are chosen, procedures to ensure the ability to access records (both storage media and format readability) throughout the retention period should be established to safeguard against loss due to future technology change. Any related cryptographic keys and programs associated with encrypted archives or digital signatures, should also be retained to enable decryption of the records for the length of time the records are retained (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md)). Storage and handling procedures should be implemented in accordance with recommendations provided by manufacturers of storage media. Consideration should be given to the possibility of deterioration of media used for storage of records. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.35_OT Independent review of information security.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.35_OT Independent review of information security.md index 7ad256c..cafaea9 100644 
--- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.35_OT Independent review of information security.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.35_OT Independent review of information security.md @@ -21,7 +21,7 @@ Such reviews should be carried out by individuals independent of the area under The results of the independent reviews should be reported to the management who initiated the reviews and, if appropriate, to top management. These records should be maintained. -If the independent reviews identify that the organization’s approach and implementation to managing information security is inadequate \[e.g. documented objectives and requirements are not met or are not compliant with the direction for information security stated in the information security policy and topic-specific policies (see 5.1)\], management should initiate corrective actions. +If the independent reviews identify that the organization’s approach and implementation to managing information security is inadequate \[e.g. documented objectives and requirements are not met or are not compliant with the direction for information security stated in the information security policy and topic-specific policies (see [5.1](ISO_27002_2022_5.1_OT%20Policies%20for%20information%20security.md))\], management should initiate corrective actions. In addition to the periodic independent reviews, the organization should consider conducting independent reviews when: diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.36_OT Compliance with policies, rules and standards for information security.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.36_OT Compliance with policies, rules and standards for information security.md index 145ceb7..3dfcb87 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.36_OT Compliance with policies, rules and standards for information security.md 
+++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.36_OT Compliance with policies, rules and standards for information security.md @@ -23,7 +23,7 @@ c\) implement appropriate corrective actions; d\) review corrective actions taken to verify its effectiveness and identify any deficiencies or weaknesses. -Results of reviews and corrective actions carried out by managers, service, product or information owners should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews (see 5.35) when an independent review takes place in the area of their responsibility. +Results of reviews and corrective actions carried out by managers, service, product or information owners should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews (see [5.35](ISO_27002_2022_5.35_OT%20Independent%20review%20of%20information%20security.md)) when an independent review takes place in the area of their responsibility. Corrective actions should be completed in a timely manner as appropriate to the risk. If not completed by the next scheduled review, progress should at least be addressed at that review. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.37_OT Documented operating procedures.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.37_OT Documented operating procedures.md index ac95962..71779d7 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.37_OT Documented operating procedures.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.37_OT Documented operating procedures.md 
@@ -31,21 +31,21 @@ b\) the secure installation and configuration of systems; c\) processing and handling of information, both automated and manual; -d\) backup (see 8.13) and resilience; +d\) backup (see [8.13](ISO_27002_2022_8.13_OT%20Information%20backup.md)) and resilience; e\) scheduling requirements, including interdependencies with other systems; -f\) instructions for handling errors or other exceptional conditions \[e.g. restrictions on the use of utility programs (see 8.18)\], which can arise during job execution; +f\) instructions for handling errors or other exceptional conditions \[e.g. restrictions on the use of utility programs (see [8.18](ISO_27002_2022_8.18_OT%20Use%20of%20privileged%20utility%20programs.md))\], which can arise during job execution; g\) support and escalation contacts including external support contacts in the event of unexpected operational or technical difficulties; -h\) storage media handling instructions (see 7.10 and 7.14); +h\) storage media handling instructions (see [7.10](ISO_27002_2022_7.10_OT%20Storage%20media.md), [7.14](ISO_27002_2022_7.14_OT%20Secure%20disposal%20or%20re-use%20of%20equipment.md)); i\) system restart and recovery procedures for use in the event of system failure; -j\) the management of audit trail and system log information (see 8.15 and 8.17) and video monitoring systems (see 7.4); +j\) the management of audit trail and system log information (see [8.15](ISO_27002_2022_8.15_OT%20Logging.md), [8.17](ISO_27002_2022_8.17_OT%20Clock%20synchronization.md)) and video monitoring systems (see [7.4](ISO_27002_2022_7.4_OT%20Physical%20security%20monitoring.md)); -k\) monitoring procedures such as capacity, performance and security (see 8.6 and 8.16); +k\) monitoring procedures such as capacity, performance and security (see [8.6](ISO_27002_2022_8.6_OT%20Capacity%20management.md), [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md)); l\) maintenance instructions. 
diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.4_OT Management responsibilities.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.4_OT Management responsibilities.md index 8a17323..b1b8772 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.4_OT Management responsibilities.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.4_OT Management responsibilities.md @@ -18,7 +18,7 @@ b)   are provided with guidelines which state the information security expectat c)   are mandated to fulfill the information security policy and topic-specific policies of the organization; -d)   achieve a level of awareness of information security relevant to their roles and responsibilities within the organization (see 6.3); +d)   achieve a level of awareness of information security relevant to their roles and responsibilities within the organization (see [6.3](ISO_27002_2022_6.3_OT%20Information%20security%20awareness,%20education%20and%20training.md)); e)   compliance with the terms and conditions of employment, contract or agreement, including the organization’s information security policy and appropriate methods of working; diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.5_OT Contact with authorities.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.5_OT Contact with authorities.md index 7583b04..3d28b28 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.5_OT Contact with authorities.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.5_OT Contact with authorities.md 
@@ -15,4 +15,4 @@ Contacts with authorities should also be used to facilitate the understanding ab #### Other information Organizations under attack can request authorities to take action against the attack source. -Maintaining such contacts can be a requirement to support information security incident management (see 5.24 to 5.28) or the contingency planning and business continuity processes (see 5.29 and 5.30). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety \[e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)\]. +Maintaining such contacts can be a requirement to support information security incident management (see 5.24 to 5.28) or the contingency planning and business continuity processes (see [5.29](ISO_27002_2022_5.29_OT%20Information%20security%20during%20disruption.md), [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety \[e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)\]. 
diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.9_OT Inventory of information and other associated assets.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.9_OT Inventory of information and other associated assets.md index 645fb25..6484da0 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.9_OT Inventory of information and other associated assets.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_5.9_OT Inventory of information and other associated assets.md 
@@ -27,12 +27,12 @@ The location of an asset should be included in the inventory as appropriate. The inventory does not need to be a single list of information and other associated assets. Considering that the inventory should be maintained by the relevant functions, it can be seen as a set of dynamic inventories, such as inventories for information assets, hardware, software, virtual machines (VMs), facilities, personnel, competence, capabilities and records. -Each asset should be classified in accordance with the classification of the information (see 5.12) associated to that asset. +Each asset should be classified in accordance with the classification of the information (see [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md)) associated to that asset. The granularity of the inventory of information and other associated assets should be at a level appropriate for the needs of the organization. Sometimes specific instances of assets in the information life cycle are not feasible to be documented due to the nature of the asset. An example of a short-lived asset is a VM instance whose life cycle can be of short duration. Ownership -For the identified information and other associated assets, ownership of the asset should be assigned to an individual or a group and the classification should be identified (see 5.12, 5.13). A process to ensure timely assignment of asset ownership should be implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. Asset ownership should be reassigned as necessary when current asset owners leave or change job roles. +For the identified information and other associated assets, ownership of the asset should be assigned to an individual or a group and the classification should be identified (see [5.12](ISO_27002_2022_5.12_OT%20Classification%20of%20information.md), [5.13](ISO_27002_2022_5.13_OT%20Labelling%20of%20information.md)). 
A process to ensure timely assignment of asset ownership should be implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. Asset ownership should be reassigned as necessary when current asset owners leave or change job roles. Owner duties The asset owner should be responsible for the proper management of an asset over the whole asset life cycle, ensuring that: @@ -45,7 +45,7 @@ c\) the classification is reviewed periodically; d\) components supporting technology assets are listed and linked, such as database, storage, software components and sub-components; -e\) requirements for the acceptable use of information and other associated assets (see 5.10) are established; +e\) requirements for the acceptable use of information and other associated assets (see [5.10](ISO_27002_2022_5.10_OT%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md)) are established; f\) access restrictions correspond with the classification and that they are effective and are reviewed periodically; diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.2_OT Terms and conditions of employment.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.2_OT Terms and conditions of employment.md index 0503d57..92e2fc6 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.2_OT Terms and conditions of employment.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.2_OT Terms and conditions of employment.md 
@@ -13,21 +13,21 @@ To ensure personnel understand their information security responsibilities for t **Guidance** The contractual obligations for personnel should take into consideration the organization’s information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated: -a\) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets (see 6.6); +a\) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets (see [6.6](ISO_27002_2022_6.6_OT%20Confidentiality%20or%20non-disclosure%20agreements.md)); -b\) legal responsibilities and rights \[e.g. regarding copyright laws or data protection legislation (see 5.32 and 5.34)\]; +b\) legal responsibilities and rights \[e.g. regarding copyright laws or data protection legislation (see [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md), [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md))\]; c\) responsibilities for the classification of information and management of the organization’s information and other associated assets, information processing facilities and information services handled by the personnel (see 5.9to 5.13); d\) responsibilities for the handling of information received from interested parties; -e\) actions to be taken if personnel disregard the organization’s security requirements (see 6.4). +e\) actions to be taken if personnel disregard the organization’s security requirements (see [6.4](ISO_27002_2022_6.4_OT%20Disciplinary%20process.md)). Information security roles and responsibilities should be communicated to candidates during the pre- employment process. 
The organization should ensure that personnel agree to terms and conditions concerning information security. These terms and conditions should be appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services. The terms and conditions concerning information security should be reviewed when laws, regulations, the information security policy or topic-specific policies change. -Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see 6.5). +Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see [6.5](ISO_27002_2022_6.5_OT%20Responsibilities%20after%20termination%20or%20change%20of%20employment.md)). **Other information** diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.4_OT Disciplinary process.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.4_OT Disciplinary process.md index c00bf65..3fabea6 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.4_OT Disciplinary process.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.4_OT Disciplinary process.md @@ -30,7 +30,7 @@ To ensure personnel and other relevant interested parties understand the consequ -The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred (see 5.28). +The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md)). 
diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.5_OT Responsibilities after termination or change of employment.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.5_OT Responsibilities after termination or change of employment.md index c73609a..fe220e9 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.5_OT Responsibilities after termination or change of employment.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.5_OT Responsibilities after termination or change of employment.md 
@@ -13,7 +13,7 @@ Information security responsibilities and duties that remain valid after termina To protect the organization’s interests as part of the process of changing or terminating employment or contracts. **Guidance** -The process for managing termination or change of employment should define which information security responsibilities and duties should remain valid after termination or change. This can include confidentiality of information, intellectual property and other knowledge obtained, as well as responsibilities contained within any other confidentiality agreement (see 6.6). Responsibilities and duties still valid after termination of employment or contract should be contained in the individual’s terms and conditions of employment (see 6.2), contract or agreement. Other contracts or agreements that continue for a defined period after the end of the individual’s employment can also contain information security responsibilities. +The process for managing termination or change of employment should define which information security responsibilities and duties should remain valid after termination or change. This can include confidentiality of information, intellectual property and other knowledge obtained, as well as responsibilities contained within any other confidentiality agreement (see [6.6](ISO_27002_2022_6.6_OT%20Confidentiality%20or%20non-disclosure%20agreements.md)). Responsibilities and duties still valid after termination of employment or contract should be contained in the individual’s terms and conditions of employment (see [6.2](ISO_27002_2022_6.2_OT%20Terms%20and%20conditions%20of%20employment.md)), contract or agreement. Other contracts or agreements that continue for a defined period after the end of the individual’s employment can also contain information security responsibilities. 
Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.6_OT Confidentiality or non-disclosure agreements.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.6_OT Confidentiality or non-disclosure agreements.md index e3543d4..de640ba 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.6_OT Confidentiality or non-disclosure agreements.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.6_OT Confidentiality or non-disclosure agreements.md @@ -74,7 +74,7 @@ j\) the expected actions to be taken in the case of non-compliance with the agre -The organization should take into consideration the compliance with confidentiality and non-disclosure agreements for the jurisdiction to which they apply (see 5.31, 5.32, 5.33, 5.34). +The organization should take into consideration the compliance with confidentiality and non-disclosure agreements for the jurisdiction to which they apply (see [5.31](ISO_27002_2022_5.31_OT%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md), [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md), [5.33](ISO_27002_2022_5.33_OT%20Protection%20of%20records.md), [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md)). diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.7_OT Remote working.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.7_OT Remote working.md index 564e177..1546a50 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.7_OT Remote working.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.7_OT Remote working.md 
@@ -46,7 +46,7 @@ a\) the existing or proposed physical security of the remote working site, takin -b\) rules and security mechanisms for the remote physical environment such as lockable filing cabinets, secure transportation between locations and rules for remote access, clear desk, printing and disposal of information and other associated assets, and information security event reporting (see 6.8); +b\) rules and security mechanisms for the remote physical environment such as lockable filing cabinets, secure transportation between locations and rules for remote access, clear desk, printing and disposal of information and other associated assets, and information security event reporting (see [6.8](ISO_27002_2022_6.8_OT%20Information%20security%20event%20reporting.md)); diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.10_OT Storage media.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.10_OT Storage media.md index 98c49c1..08d70ef 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.10_OT Storage media.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.10_OT Storage media.md @@ -90,7 +90,7 @@ Procedures for the secure reuse or disposal of storage media should be establish -a\) if storage media containing confidential information need to be reused within the organization, securely deleting data or formatting the storage media before reuse (see 8.10); +a\) if storage media containing confidential information need to be reused within the organization, securely deleting data or formatting the storage media before reuse (see [8.10](ISO_27002_2022_8.10_OT%20Information%20deletion.md)); 
@@ -114,7 +114,7 @@ f\) when accumulating storage media for disposal, giving consideration to the ag -A risk assessment should be performed on damaged devices containing sensitive data to determine whether the items should be physically destroyed rather than sent for repair or discarded (see 7.14). +A risk assessment should be performed on damaged devices containing sensitive data to determine whether the items should be physically destroyed rather than sent for repair or discarded (see [7.14](ISO_27002_2022_7.14_OT%20Secure%20disposal%20or%20re-use%20of%20equipment.md)). diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.13_OT Equipment maintenance.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.13_OT Equipment maintenance.md index ef82bdb..3bbe3c3 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.13_OT Equipment maintenance.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.13_OT Equipment maintenance.md @@ -62,7 +62,7 @@ g\) authorizing and controlling access for remote maintenance; -h\) applying security measures for assets off-premises (see 7.9) if equipment containing information is taken off premises for maintenance; +h\) applying security measures for assets off-premises (see [7.9](ISO_27002_2022_7.9_OT%20Security%20of%20assets%20off-premises.md)) if equipment containing information is taken off premises for maintenance; @@ -74,7 +74,7 @@ j\) before putting equipment back into operation after maintenance, inspecting i -k\) applying measures for secure disposal or re-use of equipment (see 7.14) if it is determined that equipment is to be disposed of. +k\) applying measures for secure disposal or re-use of equipment (see [7.14](ISO_27002_2022_7.14_OT%20Secure%20disposal%20or%20re-use%20of%20equipment.md)) if it is determined that equipment is to be disposed of. 
diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.2_OT Physical entry.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.2_OT Physical entry.md index dd0f9cc..b9c3ef2 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.2_OT Physical entry.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.2_OT Physical entry.md @@ -42,11 +42,11 @@ The following guidelines should be considered: -a\) restricting access to sites and buildings to authorized personnel only. The process for the management of access rights to physical areas should include the provision, periodical review, update and revocation of authorizations (see 5.18); +a\) restricting access to sites and buildings to authorized personnel only. The process for the management of access rights to physical areas should include the provision, periodical review, update and revocation of authorizations (see [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md)); -b\) securely maintaining and monitoring a physical logbook or electronic audit trail of all access and protecting all logs (see 5.33) and sensitive authentication information; +b\) securely maintaining and monitoring a physical logbook or electronic audit trail of all access and protecting all logs (see [5.33](ISO_27002_2022_5.33_OT%20Protection%20of%20records.md)) and sensitive authentication information; @@ -134,7 +134,7 @@ d\) inspecting and examining incoming deliveries for explosives, chemicals or ot -e\) registering incoming deliveries in accordance with asset management procedures (see 5.9 and 7.10) on entry to the site; +e\) registering incoming deliveries in accordance with asset management procedures (see [5.9](ISO_27002_2022_5.9_OT%20Inventory%20of%20information%20and%20other%20associated%20assets.md), [7.10](ISO_27002_2022_7.10_OT%20Storage%20media.md)) on entry to the site; 
diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.9_OT Security of assets off-premises.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.9_OT Security of assets off-premises.md index 8b12d69..26fcec3 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.9_OT Security of assets off-premises.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_7.9_OT Security of assets off-premises.md @@ -44,7 +44,7 @@ c\) when off-premises equipment is transferred among different individuals or in -d\) where necessary and practical, requiring authorization for equipment and media to be removed from the organization’s premises and keeping a record of such removals in order to maintain an audit trail (see 5.14); +d\) where necessary and practical, requiring authorization for equipment and media to be removed from the organization’s premises and keeping a record of such removals in order to maintain an audit trail (see [5.14](ISO_27002_2022_5.14_OT%20Information%20transfer.md)); @@ -60,11 +60,11 @@ Permanent installation of equipment outside the organization’s premises \[such -a\) physical security monitoring (see 7.4); +a\) physical security monitoring (see [7.4](ISO_27002_2022_7.4_OT%20Physical%20security%20monitoring.md)); -b\) protecting against physical and environmental threats (see 7.5); +b\) protecting against physical and environmental threats (see [7.5](ISO_27002_2022_7.5_OT%20Protecting%20against%20physical%20and%20environmental%20threats.md)); diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.13_OT Information backup.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.13_OT Information backup.md index 32ffcac..c5dd383 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.13_OT Information backup.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.13_OT Information backup.md 
@@ -36,11 +36,11 @@ g\) taking care to ensure that inadvertent data loss is detected before backup i Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the topic-specific policy on backups. -Backup measures for individual systems and services should be regularly tested to ensure that they meet the objectives of incident response and business continuity plans (see 5.30). This should be combined with a test of the restoration procedures and checked against the restoration time required by the business continuity plan. In the case of critical systems and services, backup measures should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster. +Backup measures for individual systems and services should be regularly tested to ensure that they meet the objectives of incident response and business continuity plans (see [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)). This should be combined with a test of the restoration procedures and checked against the restoration time required by the business continuity plan. In the case of critical systems and services, backup measures should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster. When the organization uses a cloud service, backup copies of the organization’s information, applications and systems in the cloud service environment should be taken. The organization should determine if and how requirements for backup are fulfilled when using the information backup service provided as part of the cloud service. -The retention period for essential business information should be determined, taking into account any requirement for retention of archive copies. 
The organization should consider the deletion of information (see 8.10) in storage media used for backup once the information’s retention period expires and should take into consideration legislation and regulations. +The retention period for essential business information should be determined, taking into account any requirement for retention of archive copies. The organization should consider the deletion of information (see [8.10](ISO_27002_2022_8.10_OT%20Information%20deletion.md)) in storage media used for backup once the information’s retention period expires and should take into consideration legislation and regulations. **Other information** For further information on storage security including retention consideration, see ISO/IEC 27040. \ No newline at end of file diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.14_OT Redundancy of information processing facilities.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.14_OT Redundancy of information processing facilities.md index 51c3d76..9beec46 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.14_OT Redundancy of information processing facilities.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.14_OT Redundancy of information processing facilities.md 
@@ -29,7 +29,7 @@ f\) having duplicated components in systems (e.g. CPU, hard disks, memories) or Where applicable, preferably in production mode, redundant information systems should be tested to ensure the failover from one component to another component works as intended. **Other information** -There is a strong relationship between redundancy and ICT readiness for business continuity (see 5.30) especially if short recovery times are required. Many of the redundancy measures can be part of the ICT continuity strategies and solutions. +There is a strong relationship between redundancy and ICT readiness for business continuity (see [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)) especially if short recovery times are required. Many of the redundancy measures can be part of the ICT continuity strategies and solutions. The implementation of redundancies can introduce risks to the integrity (e.g. processes of copying data to duplicated components can introduce errors) or confidentiality (e.g. weak security control of duplicated components can lead to compromise) of information and information systems, which need to be considered when designing information systems. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.15_OT Logging.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.15_OT Logging.md index 1aded33..0e3888b 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.15_OT Logging.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.15_OT Logging.md 
@@ -38,7 +38,7 @@ h\) activation and de-activation of security systems, such as anti-virus systems i\) creation, modification or deletion of identities; j\) transactions executed by users in applications. In some cases, the applications are a service or product provided or run by a third party. -It is important for all systems to have synchronized time sources (see 8.17) as this allows for correlation of logs between systems for analysis, alerting and investigation of an incident. +It is important for all systems to have synchronized time sources (see [8.17](ISO_27002_2022_8.17_OT%20Clock%20synchronization.md)) as this allows for correlation of logs between systems for analysis, alerting and investigation of an incident. Protection of logs 
@@ -52,11 +52,11 @@ c\) failure to record events or over-writing of past recorded events if the stor For protection of logs, the use of the following techniques should be considered: cryptographic hashing, recording in an append-only and read-only file, recording in a public transparency file. -Some audit logs can be required to be archived because of requirements on data retention or requirements to collect and retain evidence (see 5.28). +Some audit logs can be required to be archived because of requirements on data retention or requirements to collect and retain evidence (see [5.28](ISO_27002_2022_5.28_OT%20Collection%20of%20evidence.md)). -Where the organization needs to send system or application logs to a vendor to assist with debugging or troubleshooting errors, logs should be de-identified where possible using data masking techniques (see 8.11) for information such as usernames, internet protocol (IP) addresses, hostnames or organization name, before sending to the vendor. +Where the organization needs to send system or application logs to a vendor to assist with debugging or troubleshooting errors, logs should be de-identified where possible using data masking techniques (see [8.11](ISO_27002_2022_8.11_OT%20Data%20masking.md)) for information such as usernames, internet protocol (IP) addresses, hostnames or organization name, before sending to the vendor. -Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken (see 5.34). +Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken (see [5.34](ISO_27002_2022_5.34_OT%20Privacy%20and%20protection%20of%20PII.md)). Log analysis 
@@ -86,7 +86,7 @@ Suspected and actual information security incidents should be identified (e.g. m System logs often contain a large volume of information, much of which is extraneous to information security monitoring. To help identify significant events for information security monitoring purposes, the use of suitable utility programs or audit tools to perform file interrogation can be considered. -Event logging sets the foundation for automated monitoring systems (see 8.16) which are capable of generating consolidated reports and alerts on system security. +Event logging sets the foundation for automated monitoring systems (see [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md)) which are capable of generating consolidated reports and alerts on system security. A SIEM tool or equivalent service can be used to store, correlate, normalize and analyse log information, and to generate alerts. SIEMs tend to require careful configuration to optimize their benefits. Configurations to consider include identification and selection of appropriate log sources, tuning and testing of rules and development of use cases. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.16_OT Monitoring activities.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.16_OT Monitoring activities.md index 7652657..4e24c0d 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.16_OT Monitoring activities.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.16_OT Monitoring activities.md 
@@ -61,13 +61,13 @@ Continuous monitoring via a monitoring tool should be used. Monitoring should be Automated monitoring software should be configured to generate alerts (e.g. via management consoles, email messages or instant messaging systems) based on predefined thresholds. The alerting system should be tuned and trained on the organization’s baseline to minimize false positives. Personnel should be dedicated to respond to alerts and should be properly trained to accurately interpret potential incidents. There should be redundant systems and processes in place to receive and respond to alert notifications. -Abnormal events should be communicated to relevant parties in order to improve the following activities: auditing, security evaluation, vulnerability scanning and monitoring (see 5.25). Procedures should be in place to respond to positive indicators from the monitoring system in a timely manner, in order to minimize the effect of adverse events (see 5.26) on information security. Procedures should also be established to identify and address false positives including tuning the monitoring software to reduce the number of future false positives. +Abnormal events should be communicated to relevant parties in order to improve the following activities: auditing, security evaluation, vulnerability scanning and monitoring (see [5.25](ISO_27002_2022_5.25_OT%20Assessment%20and%20decision%20on%20information%20security%20events.md)). Procedures should be in place to respond to positive indicators from the monitoring system in a timely manner, in order to minimize the effect of adverse events (see [5.26](ISO_27002_2022_5.26_OT%20Response%20to%20information%20security%20incidents.md)) on information security. Procedures should also be established to identify and address false positives including tuning the monitoring software to reduce the number of future false positives. 
**Other information** Security monitoring can be enhanced by: -a\) leveraging threat intelligence systems (see 5.7); +a\) leveraging threat intelligence systems (see [5.7](ISO_27002_2022_5.7_OT%20Threat%20intelligence.md)); b\) leveraging machine learning and artificial intelligence capabilities; diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.18_OT Use of privileged utility programs.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.18_OT Use of privileged utility programs.md index 133d7d1..1cbeca8 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.18_OT Use of privileged utility programs.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.18_OT Use of privileged utility programs.md @@ -13,7 +13,7 @@ To ensure the use of utility programs does not harm system and application contr **Guidance** The following guidelines for the use of utility programs that can be capable of overriding system and application controls should be considered: -a\) limitation of the use of utility programs to the minimum practical number of trusted, authorized users (see 8.2); +a\) limitation of the use of utility programs to the minimum practical number of trusted, authorized users (see [8.2](ISO_27002_2022_8.2_OT%20Privileged%20access%20rights.md)); b\) use of identification, authentication and authorization procedures for utility programs, including unique identification of the person who uses the utility program; diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.19_OT Installation of software on operational systems.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.19_OT Installation of software on operational systems.md index ab42190..10d9007 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.19_OT Installation of software on operational systems.md 
+++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.19_OT Installation of software on operational systems.md @@ -14,7 +14,7 @@ To ensure the integrity of operational systems and prevent exploitation of techn **Guidance** The following guidelines should be considered to securely manage changes and installation of software on operational systems: -a\) performing updates of operational software only by trained administrators upon appropriate management authorization (see 8.5); +a\) performing updates of operational software only by trained administrators upon appropriate management authorization (see [8.5](ISO_27002_2022_8.5_OT%20Secure%20authentication.md)); b\) ensuring that only approved executable code and no development code or compilers is installed on operational systems; 
@@ -36,7 +36,7 @@ Computer software can rely on externally supplied software and packages (e.g. so Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. The organization should consider the risks of relying on unsupported software. Open source software used in operational systems should be maintained to the latest appropriate release of the software. Over time, open source code can cease to be maintained but is still available in an open source software repository. The organization should also consider the risks of relying on unmaintained open source software when used in operational systems. -When suppliers are involved in installing or updating software, physical or logical access should only be given when necessary and with appropriate authorization. The supplier’s activities should be monitored (see 5.22). +When suppliers are involved in installing or updating software, physical or logical access should only be given when necessary and with appropriate authorization. The supplier’s activities should be monitored (see [5.22](ISO_27002_2022_5.22_OT%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md)). The organization should define and enforce strict rules on which types of software users can install. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.1_OT User endpoint devices.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.1_OT User endpoint devices.md index d6208b3..d18eec2 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.1_OT User endpoint devices.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.1_OT User endpoint devices.md 
@@ -30,13 +30,13 @@ i\) protection against malware; j\) remote disabling, deletion or lockout; k\) backups; l\) usage of web services and web applications; -m\) end user behaviour analytics (see 8.16); +m\) end user behaviour analytics (see [8.16](ISO_27002_2022_8.16_OT%20Monitoring%20activities.md)); n\) the use of removable devices, including removable memory devices, and the possibility of disabling physical ports (e.g. USB ports); o\) the use of partitioning capabilities, if supported by the user endpoint device, which can securely separate the organization's information and other associated assets (e.g. software) from other information and other associated assets on the device. Consideration should be given as to whether certain information is so sensitive that it can only be accessed via user endpoint devices, but not stored on such devices. In such cases, additional technical safeguards can be required on the device. For example, ensuring that downloading files for offline working is disabled and that local storage such as SD card is disabled. -As far as possible, the recommendations on this control should be enforced through configuration management (see 8.9) or automated tools. +As far as possible, the recommendations on this control should be enforced through configuration management (see [8.9](ISO_27002_2022_8.9_OT%20Configuration%20management.md)) or automated tools. User responsibility diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.20_OT Networks security.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.20_OT Networks security.md index 4fcdbb3..b7b995b 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.20_OT Networks security.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.20_OT Networks security.md 
@@ -21,7 +21,7 @@ b\) establishing responsibilities and procedures for the management of networkin c\) maintaining up to date documentation including network diagrams and configuration files of devices (e.g. routers, switches); -d\) separating operational responsibility for networks from ICT system operations where appropriate (see 5.3); +d\) separating operational responsibility for networks from ICT system operations where appropriate (see [5.3](ISO_27002_2022_5.3_OT%20Segregation%20of%20duties.md)); e\) establishing controls to safeguard the confidentiality and integrity of data passing over public networks, third-party networks or over wireless networks and to protect the connected systems and applications (see >5.22>, >8.24>, >5.14and >6.6>). Additional controls can also be required to maintain the availability of the network services and computers connected to the network; diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.22_OT Segregation of networks.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.22_OT Segregation of networks.md index 51b8a53..5b529b8 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.22_OT Segregation of networks.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.22_OT Segregation of networks.md 
@@ -15,9 +15,9 @@ To split the network in security boundaries and to control traffic between them **Guidance** The organization should consider managing the security of large networks by dividing them into separate network domains and separating them from the public network (i.e. internet). The domains can be chosen based on levels of trust, criticality and sensitivity (e.g. public access domain, desktop domain, server domain, low- and high-risk systems), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks. -The perimeter of each domain should be well-defined. If access between network domains is allowed, it should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the topic-specific policy on access control (see 5.15), access requirements, value and classification of information processed and take account of the relative cost and performance impact of incorporating suitable gateway technology. +The perimeter of each domain should be well-defined. If access between network domains is allowed, it should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. 
The assessment should be in accordance with the topic-specific policy on access control (see [5.15](ISO_27002_2022_5.15_OT%20Access%20control.md)), access requirements, value and classification of information processed and take account of the relative cost and performance impact of incorporating suitable gateway technology. -Wireless networks require special treatment due to the poorly-defined network perimeter. Radio coverage adjustment should be considered for segregation of wireless networks. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls (see 8.20) before granting access to internal systems. Wireless access network for guests should be segregated from those for personnel if personnel only use controlled user endpoint devices compliant to the organization’s topic-specific policies. WiFi for guests should have at least the same restrictions as WiFi for personnel, in order to discourage the use of guest WiFi by personnel. +Wireless networks require special treatment due to the poorly-defined network perimeter. Radio coverage adjustment should be considered for segregation of wireless networks. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls (see [8.20](ISO_27002_2022_8.20_OT%20Networks%20security.md)) before granting access to internal systems. Wireless access network for guests should be segregated from those for personnel if personnel only use controlled user endpoint devices compliant to the organization’s topic-specific policies. WiFi for guests should have at least the same restrictions as WiFi for personnel, in order to discourage the use of guest WiFi by personnel. 
**Other information** Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization’s information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality. \ No newline at end of file diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.23_OT Web filtering.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.23_OT Web filtering.md index b2624a2..df8cb28 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.23_OT Web filtering.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.23_OT Web filtering.md @@ -21,7 +21,7 @@ b\) known or suspected malicious websites (e.g. those distributing malware or ph c\) command and control servers; -d\) malicious website acquired from threat intelligence (see 5.7); +d\) malicious website acquired from threat intelligence (see [5.7](ISO_27002_2022_5.7_OT%20Threat%20intelligence.md)); e\) websites sharing illegal content. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.24_OT Use of cryptography.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.24_OT Use of cryptography.md index cee177a..c9b6eb7 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.24_OT Use of cryptography.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.24_OT Use of cryptography.md @@ -59,7 +59,7 @@ e\) roles and responsibilities for: 1\) the implementation of the rules for the effective use of cryptography; -2\) the key management, including key generation (see 8.24); +2\) the key management, including key generation (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md)); 
@@ -71,11 +71,11 @@ g\) the impact of using encrypted information on controls that rely on content i -When implementing the organization’s rules for effective use of cryptography, the regulations and national restrictions that can apply to the use of cryptographic techniques in different parts of the world should be taken into consideration as well as the issues of trans-border flow of encrypted information (see 5.31). +When implementing the organization’s rules for effective use of cryptography, the regulations and national restrictions that can apply to the use of cryptographic techniques in different parts of the world should be taken into consideration as well as the issues of trans-border flow of encrypted information (see [5.31](ISO_27002_2022_5.31_OT%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md)). -The contents of service level agreements or contracts with external suppliers of cryptographic services (e.g. with a certification authority) should cover issues of liability, reliability of services and response times for the provision of services (see 5.22). +The contents of service level agreements or contracts with external suppliers of cryptographic services (e.g. with a certification authority) should cover issues of liability, reliability of services and response times for the provision of services (see [5.22](ISO_27002_2022_5.22_OT%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md)). diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.29_OT Security testing in development and acceptance.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.29_OT Security testing in development and acceptance.md index 8a0f5a5..00c6de1 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.29_OT Security testing in development and acceptance.md 
+++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.29_OT Security testing in development and acceptance.md @@ -17,9 +17,9 @@ New information systems, upgrades and new versions should be thoroughly tested a Security testing should be conducted against a set of requirements, which can be expressed as functional or non-functional. Security testing should include testing of: -a\) security functions \[e.g. user authentication (see 8.5), access restriction (see 8.3) and use of cryptography (see 8.24)\]; +a\) security functions \[e.g. user authentication (see [8.5](ISO_27002_2022_8.5_OT%20Secure%20authentication.md)), access restriction (see [8.3](ISO_27002_2022_8.3_OT%20Information%20access%20restriction.md)) and use of cryptography (see [8.24](ISO_27002_2022_8.24_OT%20Use%20of%20cryptography.md))\]; -b\) secure coding (see 8.28); +b\) secure coding (see [8.28](ISO_27002_2022_8.28_OT%20Secure%20coding.md)); c\) secure configurations (see >8.9>, >8.20and >8.22>) including that of operating systems, firewalls and other security components. 
@@ -35,7 +35,7 @@ d\) decision for further actions as necessary. The organization can leverage automated tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of security related defects. -For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken to ensure that the system works as expected and only as expected (see 5.8). The following should be considered: +For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken to ensure that the system works as expected and only as expected (see [5.8](ISO_27002_2022_5.8_OT%20Information%20security%20in%20project%20management.md)). The following should be considered: a\) performing code review activities as a relevant element for testing for security flaws, including unanticipated inputs and conditions; 
@@ -43,9 +43,9 @@ b\) performing vulnerability scanning to identify insecure configurations and sy c\) performing penetration testing to identify insecure code and design. -For outsourced development and purchasing components, an acquisition process should be followed. Contracts with the supplier should address the identified security requirements (see 5.20). Products and services should be evaluated against these criteria before acquisition. +For outsourced development and purchasing components, an acquisition process should be followed. Contracts with the supplier should address the identified security requirements (see [5.20](ISO_27002_2022_5.20_OT%20Addressing%20information%20security%20within%20supplier%20agreements.md)). Products and services should be evaluated against these criteria before acquisition. -Testing should be performed in a test environment that matches the target production environment as closely as possible to ensure that the system does not introduce vulnerabilities to the organization’s environment and that the tests are reliable (see 8.31). +Testing should be performed in a test environment that matches the target production environment as closely as possible to ensure that the system does not introduce vulnerabilities to the organization’s environment and that the tests are reliable (see [8.31](ISO_27002_2022_8.31_OT%20Separation%20of%20development,%20test%20and%20production%20environments.md)). **Other information** Multiple test environments can be established, which can be used for different kinds of testing (e.g. functional and performance testing). These different environments can be virtual, with individual configurations to simulate a variety of operating environments. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.2_OT Privileged access rights.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.2_OT Privileged access rights.md index 59015fc..c316303 100644 
--- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.2_OT Privileged access rights.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.2_OT Privileged access rights.md 
@@ -13,11 +13,11 @@ The allocation and use of privileged access rights should be restricted and mana To ensure only authorized users, software components and services are provided with privileged access rights. **Guidance** -The allocation of privileged access rights should be controlled through an authorization process in accordance with the relevant topic-specific policy on access control (see 5.15). The following should be considered: +The allocation of privileged access rights should be controlled through an authorization process in accordance with the relevant topic-specific policy on access control (see [5.15](ISO_27002_2022_5.15_OT%20Access%20control.md)). The following should be considered: a\) identifying users who need privileged access rights for each system or process (e.g. operating systems, database management systems and applications); -b\) allocating privileged access rights to users as needed and on an event-by-event basis in line with the topic-specific policy on access control (see 5.15) (i.e. only to individuals with the necessary competence to carry out activities that require privileged access and based on the minimum requirement for their functional roles); +b\) allocating privileged access rights to users as needed and on an event-by-event basis in line with the topic-specific policy on access control (see [5.15](ISO_27002_2022_5.15_OT%20Access%20control.md)) (i.e. only to individuals with the necessary competence to carry out activities that require privileged access and based on the minimum requirement for their functional roles); c\) maintaining an authorization process (i.e. determining who can approve privileged access rights, or not granting privileged access rights until the authorization process is complete) and a record of all privileges allocated; 
@@ -27,9 +27,9 @@ e\) taking measures to ensure that users are aware of their privileged access ri f\) authentication requirements for privileged access rights can be higher than the requirements for normal access rights. Re-authentication or authentication step-up can be necessary before doing work with privileged access rights; -g\) regularly, and after any organizational change, reviewing users working with privileged access rights in order to verify if their duties, roles, responsibilities and competence still qualify them for working with privileged access rights (see 5.18); +g\) regularly, and after any organizational change, reviewing users working with privileged access rights in order to verify if their duties, roles, responsibilities and competence still qualify them for working with privileged access rights (see [5.18](ISO_27002_2022_5.18_OT%20Access%20rights.md)); -h\) establishing specific rules in order to avoid the use of generic administration user IDs (such as “root”), depending on systems’ configuration capabilities. Managing and protecting authentication information of such identities (see 5.17); +h\) establishing specific rules in order to avoid the use of generic administration user IDs (such as “root”), depending on systems’ configuration capabilities. Managing and protecting authentication information of such identities (see [5.17](ISO_27002_2022_5.17_OT%20Authentication%20information.md)); i\) granting temporary privileged access just for the time window necessary to implement approved changes or activities (e.g. for maintenance activities or some critical changes), rather than permanently granting privileged access rights. This is often referred as break glass procedure, and often automated by privilege access management technologies; 
diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.30_OT Outsourced development.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.30_OT Outsourced development.md index aad305b..3a78757 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.30_OT Outsourced development.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.30_OT Outsourced development.md @@ -13,13 +13,13 @@ To ensure information security measures required by the organization are impleme **Guidance** Where system development is outsourced, the organization should communicate and agree requirements and expectations, and continually monitor and review whether the delivery of outsourced work meets these expectations. The following points should be considered across the organization’s entire external supply chain: -a\) licensing agreements, code ownership and intellectual property rights related to the outsourced content (see 5.32); +a\) licensing agreements, code ownership and intellectual property rights related to the outsourced content (see [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md)); b\) contractual requirements for secure design, coding and testing practices (see 8.25 to 8.29 ); c\) provision of the threat model to consider by external developers; -d\) acceptance testing for the quality and accuracy of the deliverables (see 8.29); +d\) acceptance testing for the quality and accuracy of the deliverables (see [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md)); e\) provision of evidence that minimum acceptable levels of security and privacy capabilities are established (e.g. assurance reports); 
@@ -31,7 +31,7 @@ h\) escrow agreements for the software source code (e.g. if the supplier goes ou i\) contractual right to audit development processes and controls; -j\) security requirements for the development environment (see 8.31); +j\) security requirements for the development environment (see [8.31](ISO_27002_2022_8.31_OT%20Separation%20of%20development,%20test%20and%20production%20environments.md)); k\) taking consideration of applicable legislation (e.g. on protection of personal data). diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.31_OT Separation of development, test and production environments.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.31_OT Separation of development, test and production environments.md index 5b35e6e..969eee8 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.31_OT Separation of development, test and production environments.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.31_OT Separation of development, test and production environments.md @@ -27,7 +27,7 @@ b\) defining, documenting and implementing rules and authorization for the deplo -c\) testing changes to production systems and applications in a testing or staging environment prior to being applied to production systems (see 8.29); +c\) testing changes to production systems and applications in a testing or staging environment prior to being applied to production systems (see [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md)); diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.32_OT Change management.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.32_OT Change management.md index 879a22a..d1fd477 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.32_OT Change management.md 
+++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.32_OT Change management.md @@ -26,7 +26,7 @@ b\) authorization of changes; c\) communicating changes to relevant interested parties; -d\) tests and acceptance of tests for the changes (see 8.29); +d\) tests and acceptance of tests for the changes (see [8.29](ISO_27002_2022_8.29_OT%20Security%20testing%20in%20development%20and%20acceptance.md)); e\) implementation of changes including deployment plans; 
@@ -34,15 +34,15 @@ f\) emergency and contingency considerations including fall-back procedures; g\) maintaining records of changes that include all of the above; -h\) ensuring that operating documentation (see 5.37) and user procedures are changed as necessary to remain appropriate; +h\) ensuring that operating documentation (see [5.37](ISO_27002_2022_5.37_OT%20Documented%20operating%20procedures.md)) and user procedures are changed as necessary to remain appropriate; -i\) ensuring that ICT continuity plans and response and recovery procedures (see 5.30) are changed as necessary to remain appropriate. +i\) ensuring that ICT continuity plans and response and recovery procedures (see [5.30](ISO_27002_2022_5.30_OT%20ICT%20readiness%20for%20business%20continuity.md)) are changed as necessary to remain appropriate. **Other information** Inadequate control of changes to information processing facilities and information systems is a common cause of system or security failures. Changes to the production environment, especially when transferring software from development to operational environment, can impact on the integrity and availability of applications. Changing software can impact the production environment and vice versa. -Good practice includes the testing of ICT components in an environment segregated from both the production and development environments (see 8.31). This provides a means of having control over new software and allowing additional protection of operational information that is used for testing purposes. This should include patches, service packs and other updates. +Good practice includes the testing of ICT components in an environment segregated from both the production and development environments (see [8.31](ISO_27002_2022_8.31_OT%20Separation%20of%20development,%20test%20and%20production%20environments.md)). 
This provides a means of having control over new software and allowing additional protection of operational information that is used for testing purposes. This should include patches, service packs and other updates. Production environment includes operating systems, databases and middleware platforms. The control should be applied for changes of applications and infrastructures. \ No newline at end of file diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.33_OT Test information.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.33_OT Test information.md index 29031e5..29d2d7f 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.33_OT Test information.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.33_OT Test information.md @@ -11,7 +11,7 @@ Test information should be appropriately selected, protected and managed. To ensure relevance of testing and protection of operational information used for testing. **Guidance** -Test information should be selected to ensure the reliability of tests results and the confidentiality of the relevant operational information. Sensitive information (including personally identifiable information) should not be copied into the development and testing environments (see 8.31). +Test information should be selected to ensure the reliability of tests results and the confidentiality of the relevant operational information. Sensitive information (including personally identifiable information) should not be copied into the development and testing environments (see [8.31](ISO_27002_2022_8.31_OT%20Separation%20of%20development,%20test%20and%20production%20environments.md)). The following guidelines should be applied to protect the copies of operational information, when used for testing purposes, whether the test environment is built in-house or on a cloud service: 
@@ -21,9 +21,9 @@ b\) having a separate authorization each time operational information is copied c\) logging the copying and use of operational information to provide an audit trail; -d\) protecting sensitive information by removal or masking (see 8.11) if used for testing; +d\) protecting sensitive information by removal or masking (see [8.11](ISO_27002_2022_8.11_OT%20Data%20masking.md)) if used for testing; -e\) properly deleting (see 8.10) operational information from a test environment immediately after the testing is complete to prevent unauthorized use of test information. +e\) properly deleting (see [8.10](ISO_27002_2022_8.10_OT%20Information%20deletion.md)) operational information from a test environment immediately after the testing is complete to prevent unauthorized use of test information. Test information should be securely stored (to prevent tampering, which can otherwise lead to invalid results) and only used for testing purposes. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.4_OT Access to source code.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.4_OT Access to source code.md index 7beb0cb..e3d0131 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.4_OT Access to source code.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.4_OT Access to source code.md 
@@ -21,7 +21,7 @@ The following guidelines should be considered to control access to program sourc a\) managing the access to program source code and the program source libraries according to established procedures; b\) granting read and write access to source code based on business needs and managed to address risks of alteration or misuse and according to established procedures; -c\) updating of source code and associated items and granting of access to source code in accordance with change control procedures (see 8.32) and only performing it after appropriate authorization has been received; +c\) updating of source code and associated items and granting of access to source code in accordance with change control procedures (see [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md)) and only performing it after appropriate authorization has been received; d\) not granting developers direct access to the source code repository, but through developer tools that control activities and authorizations on the source code; e\) holding program listings in a secure environment, where read and write access should be appropriately managed and assigned; f\) maintaining an audit log of all accesses and of all changes to source code. diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.8_OT Management of technical vulnerabilities.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.8_OT Management of technical vulnerabilities.md index 23212c3..a405621 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.8_OT Management of technical vulnerabilities.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.8_OT Management of technical vulnerabilities.md 
@@ -53,7 +53,7 @@ b\) for software and other technologies (based on the asset inventory list, see -c\) requiring suppliers of information system (including their components) to ensure vulnerability reporting, handling and disclosure, including the requirements in applicable contracts (see 5.20); +c\) requiring suppliers of information system (including their components) to ensure vulnerability reporting, handling and disclosure, including the requirements in applicable contracts (see [5.20](ISO_27002_2022_5.20_OT%20Addressing%20information%20security%20within%20supplier%20agreements.md)); @@ -65,7 +65,7 @@ e\) conducting planned, documented and repeatable penetration tests or vulnerabi -f\) tracking the usage of third-party libraries and source code for vulnerabilities. This should be included in secure coding (see 8.28). +f\) tracking the usage of third-party libraries and source code for vulnerabilities. This should be included in secure coding (see [8.28](ISO_27002_2022_8.28_OT%20Secure%20coding.md)). @@ -117,7 +117,7 @@ a\) taking appropriate and timely action in response to the identification of po -b\) depending on how urgently a technical vulnerability needs to be addressed, carrying out the action according to the controls related to change management (see 8.32) or by following information security incident response procedures (see 5.26); +b\) depending on how urgently a technical vulnerability needs to be addressed, carrying out the action according to the controls related to change management (see [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md)) or by following information security incident response procedures (see [5.26](ISO_27002_2022_5.26_OT%20Response%20to%20information%20security%20incidents.md)); 
@@ -194,7 +194,7 @@ An effective technical vulnerability management process should be aligned with i -Where the organization uses a cloud service supplied by a third-party cloud service provider, technical vulnerability management of cloud service provider resources should be ensured by the cloud service provider. The cloud service provider’s responsibilities for technical vulnerability management should be part of the cloud service agreement and this should include processes for reporting the cloud service provider's actions relating to technical vulnerabilities (see 5.23). For some cloud services, there are respective responsibilities for the cloud service provider and the cloud service customer. For example, the cloud service customer is responsible for vulnerability management of its own assets used for the cloud services. +Where the organization uses a cloud service supplied by a third-party cloud service provider, technical vulnerability management of cloud service provider resources should be ensured by the cloud service provider. The cloud service provider’s responsibilities for technical vulnerability management should be part of the cloud service agreement and this should include processes for reporting the cloud service provider's actions relating to technical vulnerabilities (see [5.23](ISO_27002_2022_5.23_OT%20Information%20security%20for%20use%20of%20cloud%20services.md)). For some cloud services, there are respective responsibilities for the cloud service provider and the cloud service customer. For example, the cloud service customer is responsible for vulnerability management of its own assets used for the cloud services. 
@@ -202,7 +202,7 @@ Where the organization uses a cloud service supplied by a third-party cloud serv -Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see 8.32). +Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md)). diff --git a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.9_OT Configuration management.md b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.9_OT Configuration management.md index 7e62fd5..9937afc 100644 --- a/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.9_OT Configuration management.md +++ b/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_8.9_OT Configuration management.md @@ -44,12 +44,12 @@ f) changing vendor default authentication information such as default password g) invoking time-out facilities that automatically log off computing devices after a predetermined period of inactivity; -h) verifying that licence requirements have been met (see 5.32). +h) verifying that licence requirements have been met (see [5.32](ISO_27002_2022_5.32_OT%20Intellectual%20property%20rights.md)). #### Managing configurations Established configurations of hardware, software, services and networks should be recorded and a log should be maintained of all configuration changes. These records should be securely stored. This can be achieved in various ways, such as configuration databases or configuration templates. -Changes to configurations should follow the change management process (see 8.32). +Changes to configurations should follow the change management process (see [8.32](ISO_27002_2022_8.32_OT%20Change%20management.md)). Configuration records can contain as relevant: 
diff --git a/Corpus/Standards/ISO-27002-OST/create_en_links.py b/Corpus/Standards/ISO-27002-OST/create_en_links.py new file mode 100644 index 0000000..1a34e24 --- /dev/null +++ b/Corpus/Standards/ISO-27002-OST/create_en_links.py 
@@ -0,0 +1,76 @@ +#!/usr/bin/env python3 +import os +import re +from pathlib import Path + +def version_parse(v): + return tuple(map(int, (v.split(".")))) + +# Configuration +EN_FOLDER = "ISO27002-EN-2022" +EN_PATTERN = re.compile(r'ISO_27002_2022_([\d\.]+)_OT(.*)\.md') + +# Match (see n.n[, n.n]* [and n.n]*) references including missing space cases +REF_REPLACE_PATTERN = re.compile(r'\(see ([\d\.\,\sand]+)\)') + +def main(): + # Build index of EN files by section number + en_index = {} + for filename in os.listdir(EN_FOLDER): + if not filename.endswith('.md'): + continue + match = EN_PATTERN.match(filename) + if match: + section = match.group(1) + en_index[section] = filename + + print(f"Indexed {len(en_index)} EN files") + print() + + processed = 0 + total_replacements = 0 + + for filename in os.listdir(EN_FOLDER): + if not filename.endswith('.md'): + continue + file_path = os.path.join(EN_FOLDER, filename) + + with open(file_path, 'r', encoding='utf-8') as f: + content = f.read() + + replacements = 0 + + def replace_reference(match): + nonlocal replacements + references_str = match.group(1) + # Normalize: handle "and", "and", and missing space "5.16and5.18" + references_str = re.sub(r'(\d)and', r'\1 and', references_str) + references_str = references_str.replace(" and ", ", ") + refs = [r.strip() for r in references_str.split(',') if r.strip()] + processed_refs = [] + + for ref in refs: + if ref in en_index: + target_file = en_index[ref].replace(' ', '%20') + processed_refs.append(f'[{ref}]({target_file})') + replacements += 1 + else: + processed_refs.append(ref) + + return f'(see {", ".join(processed_refs)})' + + updated_content = REF_REPLACE_PATTERN.sub(replace_reference, content) + + if replacements > 0: + with open(file_path, 'w', encoding='utf-8') as f: + f.write(updated_content) + processed += 1 + total_replacements += replacements + print(f"✅ (unknown): {replacements} links created") + + print() + print(f"Completed: {processed} files modified") + 
print(f"Total markdown links created: {total_replacements}") + +if __name__ == "__main__": + main()
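Review bot: the "missing space" normalisation in replace_reference does not do what its comment promises: `re.sub(r'(\d)and', r'\1 and', references_str)` turns "5.16and5.18" into "5.16 and5.18", and the following `.replace(" and ", ", ")` then finds no match, so the whole reference falls through `if ref in en_index` and is silently left unlinked. A single `re.sub(r'\s*and\s*', ', ', references_str)` (or a split on `r'\s*(?:,|and)\s*'`) handles the spaced, unspaced and comma forms in one step. Related, REF_REPLACE_PATTERN uses a character class, `[\d\.\,\sand]+`, which admits the letters a, n, d in any order rather than the word "and", so malformed text like "(see 5.12 dan)" matches too; an explicit form such as `\(see (\d+\.\d+(?:\s*(?:,|and)\s*\d+\.\d+)*)\)` is tighter and also makes it clear that the "8.25 to 8.29" range form in 8.30 is intentionally out of scope. Smaller points: `version_parse` and `Path` are defined/imported but never used; `target_file.replace(' ', '%20')` only escapes spaces, so `urllib.parse.quote` would be the safer way to build the link target for names that contain other reserved characters (8.31 has a comma); the per-file progress line prints the literal text "(unknown)" rather than the file being processed, so the run log cannot be tied back to a file; and since the script rewrites every matching file in place, a dry-run flag or a check that the working tree is clean before writing would make re-runs safer to review.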