richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaned up Literature folder

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-18 12:48:01 +02:00
parent 73a6380034
commit fe5eda4e05
586 changed files with 53911 additions and 2475 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Corpus/Standards/AVG/Verplichte documenten AVG.md
View file

@ -44,4 +44,4 @@ Bron: [Advisera](https://advisera.com/eugdpracademy/knowledgebase/list-of-mandat
## Voorbeelden
[Example introduction for an Internal Privacy Policy](../../Literature%20notes/Example%20introduction%20for%20an%20Internal%20Privacy%20Policy.md)
[Example introduction for an Internal Privacy Policy](../../ISMS/Policy%20examples/Example%20introduction%20for%20an%20Internal%20Privacy%20Policy.md)

2
Corpus/Standards/BC 5701/BC5701_Training_Tab_07_O.md
View file

@ -9,7 +9,7 @@ Version: "2022"
Sheets in de cursusmap behandelen:
- samenstelling leidende coalitie (p.2)
- impact op de organisatie (p.2)
- veranderen / [Theory of planned behavior](../../Literature%20notes/Theory%20of%20planned%20behavior.md) [^1] (p.3)
- veranderen / [Theory of planned behavior](../../Various/Theory%20of%20planned%20behavior.md) [^1] (p.3)
- borging in de organisatie (p.4)
[^1]: Icek Ajzen

BIN
Corpus/Standards/CIS Controls Mappings to other frameworks.xlsx Normal file
View file

Binary file not shown.

2
Corpus/Standards/CIS Controls.md
View file

@ -31,7 +31,7 @@ IG3 assets contain sensitive information or functions that are subject to regula
Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
![](../Sparks/ISMS/Asset%20classes.png)
![](../ISMS/Asset%20classes.png)
Source: CIS Controls v8.1 PDF, pp 8-12
![](CIS%20Controls%20and%20Safeguards.png)

7
Corpus/Standards/CISA RVWP.md Normal file
View file

@ -0,0 +1,7 @@
Ransomware Vulnerability Warning Pilot (RVWP) | CISA
https://www.cisa.gov/stopransomware/Ransomware-Vulnerability-Warning-Pilot
Related:
[Assets, Vulnerabilities, Threats, Risks](..//Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
[Vulnerability](../Information%20Security/Risks/Vulnerability.md)

2
Corpus/Standards/CISSP/CISSP_OSG8_D1_C1_1.10.md
View file

@ -31,7 +31,7 @@ Trike is also a risk based threat modeling methodology.
Visual, Agile, and Simple Threat (VAST) modeling is based on Agile principles. The goal is to integrate threat and risk management into an Agile programming environment.
### OCTAVE
see Defensive Security Handbook [Chapter 1: Risk Management](../../Literature%20notes/Def_Sec_Handbook_Chapter_1.md#Chapter%201%20Risk%20Management)
see Defensive Security Handbook [Chapter 1: Risk Management](../../Literature/Defensive%20Security%20Handbook/Def_Sec_Handbook_Chapter_1.md#Chapter%201%20Risk%20Management)
## Diagramming Potential Attacks
See pp 35-36

10
Corpus/Standards/Cross standards mapping.md Normal file
View file

@ -0,0 +1,10 @@
The file AuditScripts-CIS-Controls-Master-Mappings-v7.1c.xlsx (in the Attachments folder, linking in editor to this file type is not supported) contains a mapping between the following standards:
- CSC Critical Security Controls
- [ISO 27001 A.13.2 Information transfer](ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.13.2%20Information%20transfer.md) / ISO 27002
- IEC 62443
- NIST 800-53
- NIST 800-82
- NIST 800-171
- NIST CSF
- NIST SMB
- ... and many, many others

8
Corpus/Standards/ISO27x/About A-5.33 Protection of records.md Normal file
View file

@ -0,0 +1,8 @@
# About A-5.33: Protection of records
This Control is about the **control, purpose, and guidance for managing and protecting organizational records** to ensure their authenticity, integrity, availability, and compliance with various requirements over time.
I would say: record keeping procedures, in line with legal and other requirements.
[Original Text](../ISO-27002-OST/ISO27002-EN-2022/a-5.33-Protection-of-records.md)

10
Corpus/Standards/ISO27x/About Control 8.3 Information access restriction.md Normal file
View file

@ -0,0 +1,10 @@
# About Control 8.3: Information access restriction
Restricting access to information assets in line with the access control policy.
Control 8.3 operationalizes the foundational rules set in [A5.15](../ISO-27002-OST/ISO27002-EN-2022/a-5.15-Access-control.md) by implementing detailed technical measures.
[Original Text](../ISO-27002-OST/ISO27002-EN-2022/a-8.3-Information-access-restriction.md)

6
Corpus/Standards/ISO27x/Authentication.md
View file

@ -5,8 +5,8 @@ Authentication is the proof of identity that is achieved through providing crede
See also:
- [a-8.5-Secure-authentication](OST/27002/EN/a-8.5-Secure-authentication.md)
- [Authentication Methods Used for Network Security](../../Literature%20notes/Authentication%20Methods%20Used%20for%20Network%20Security.md)
- [Identity and Access Management (IAM)](../../Sparks/Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
- [Authentication Methods Used for Network Security](../../Information%20Security/Authentication%20Methods%20Used%20for%20Network%20Security.md)
- [Identity and Access Management (IAM)](../../Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
- [Authorization](Authorization.md)
- [Identification](../../Sparks/Information%20Security/Identification.md)
- [Identification](../../Information%20Security/Identification.md)

10
Corpus/Standards/ISO27x/Authorization.md
View file

@ -2,12 +2,12 @@
Authorization is the mechanism that determines the access level(s) of the subjects to the objects.
See also:
- [Authorization vs Access Control](../../Sparks/ISMS/Authorization%20vs%20Access%20Control.md)
- [Access Control Models](../../Sparks/ISMS/Access%20Control%20Models.md)
- [Authorization vs Access Control](../../ISMS/Authorization%20vs%20Access%20Control.md)
- [Access Control Models](../../ISMS/Access%20Control%20Models.md)
- [Authentication](Authentication.md)
- [Identification](../../Sparks/Information%20Security/Identification.md)
- [CASSM Consumer Authentication Strength Maturity Model](../../Literature%20notes/CASSM%20Consumer%20Authentication%20Strength%20Maturity%20Model.md)
- [Identity and Access Management (IAM)](../../Sparks/Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
- [Identification](../../Information%20Security/Identification.md)
- [CASSM Consumer Authentication Strength Maturity Model](../../Information%20Security/CASSM%20Consumer%20Authentication%20Strength%20Maturity%20Model.md)
- [Identity and Access Management (IAM)](../../Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
- [a-5.15-Access-control](OST/27002/EN/a-5.15-Access-control.md) ???

10
Corpus/Standards/ISO27x/Change management Change Management in ISO 27002.md Normal file
View file

@ -0,0 +1,10 @@
# Change Management in ISO 27002
Change Management in ISO 27002:
- [5.8:](../Standards/MoCs/ISO_27002_2022_5.8_MoC%20Information%20security%20in%20project%20management.md) Information security in project management
- [5.22:](../Standards/MoCs/ISO_27002_2022_5.22_MoC%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md) Monitoring, review and change management of supplier services
- [8.28:](../Standards/MoCs/ISO_27002_2022_8.28_MoC%20Secure%20coding.md) Secure coding
- [8.29:](../Standards/MoCs/ISO_27002_2022_8.29_MoC%20Security%20testing%20in%20development%20and%20acceptance.md) Security testing in development and acceptance
- [8.32:](../Standards/MoCs/ISO_27002_2022_8.32_MoC%20Change%20management.md) Change management
Also check the topic of risk / impact assessment.

2
Corpus/Standards/ISO27x/Governance model for Policies and Controls.md
View file

@ -2,7 +2,7 @@
Based on ISO 27001 and ISO 27002, a governance model for your ISMS should be structured around **Top Management's accountability** while delegating the **tactical execution** to specific information security roles.
*See [Basic ISMS governance model](../../Sparks/ISMS/Basic%20ISMS%20governance%20model.md) for a compacted version*
*See [Basic ISMS governance model](../../ISMS/Basic%20ISMS%20governance%20model.md) for a compacted version*
## Related to the Policies Lifecycle
Here is a suggested governance model mapping the lifecycle of security policies (commissioning, drafting, approving, etc.) to the specific roles mandated by the standards.

95
Corpus/Standards/ISO27x/ISO 27001 enumerated list of controls.md Normal file
View file

@ -0,0 +1,95 @@
# ISO 27001 enumerated list of controls
5.1  Policies for information security
5.2  Information security roles and responsibilities
5.3  Segregation of duties
5.4  Management responsibilities
5.5  Contact with authorities
5.6  Contact with special interest groups
5.7  Threat intelligence
5.8  Information security in project management
5.9  Inventory of information and other associated assets
5.10  Acceptable use of information and other associated assets
5.11  Return of assets
5.12  Classification of information
5.13  Labelling of information
5.14  Information transfer
5.15  Access control
5.16  Identity management
5.17  Authentication information
5.18  Access rights
5.19  Information security in supplier relationships
5.20  Addressing information security within supplier agreements
5.21  Managing information security in the ICT supply chain
5.22  Monitoring, review and change management of supplier services
5.23  Information security for use of cloud services
5.24  Information security incident management planning and preparation
5.25  Assessment and decision on information security events
5.26  Response to information security incidents
5.27  Learning from information security incidents
5.28  Collection of evidence
5.29  Information security during disruption
5.30  ICT readiness for business continuity
5.31  Legal, statutory, regulatory and contractual requirements
5.32  Intellectual property rights
5.33  Protection of records
5.34  Privacy and protection of PII
5.35  Independent review of information security
5.36  Compliance with policies, rules and standards for information security
5.37  Documented operating procedures
6.1  Screening
6.2  Terms and conditions of employment
6.3  Information security awareness, education and training
6.4  Disciplinary process
6.5  Responsibilities after termination or change of employment
6.6  Confidentiality or non-disclosure agreements
6.7  Remote working
6.8  Information security event reporting
7.1  Physical security perimeters
7.2  Physical entry
7.3  Securing offices, rooms and facilities
7.4  Physical security monitoring
7.5  Protecting against physical and environmental threats
7.6  Working in secure areas
7.7  Clear desk and clear screen
7.8  Equipment siting and protection
7.9  Security of assets off-premises
7.10  Storage media
7.11  Supporting utilities
7.12  Cabling security
7.13  Equipment maintenance
7.14  Secure disposal or re-use of equipment
8.1  User endpoint devices
8.2  Privileged access rights
8.3  Information access restriction
8.4  Access to source code
8.5  Secure authentication
8.6  Capacity management
8.7  Protection against malware
8.8  Management of technical vulnerabilities
8.9  Configuration management
8.10  Information deletion
8.11  Data masking
8.12  Data leakage prevention
8.13  Information backup
8.14  Redundancy of information processing facilities
8.15  Logging
8.16  Monitoring activities
8.17  Clock synchronization
8.18  Use of privileged utility programs
8.19  Installation of software on operational systems
8.20  Networks security
8.21  Security of network services
8.22  Segregation of networks
8.23  Web filtering
8.24  Use of cryptography
8.25  Secure development life cycle
8.26  Application security requirements
8.27  Secure system architecture and engineering principles
8.28  Secure coding
8.29  Security testing in development and acceptance
8.30  Outsourced development
8.31  Separation of development, test and production environments
8.32  Change management
8.33  Test information
8.34  Protection of information systems during audit testing

8
Corpus/Standards/ISO27x/ISO 27k standards overview.md
View file

@ -9,11 +9,11 @@ tags:
## ISO 27001 & 27002
Indexes:
- [ISO 27001:2022 EN](../../MoCs/ISO_27001_2022_00_MoC%20Index.md)
- [ISO 27002:2022 EN](../../MoCs/ISO_27001_2022_00_MoC%20Index%20EXT.md) Includes references to 2013 version!
- [ISO 27001:2022 EN](ISO_27001_2022_Index.md)
- [ISO 27002:2022 EN](ISO_27001_2022_Index%20EXT.md) Includes references to 2013 version!
- [ISO 27001:2023 NL](OST/ISO_27001_2023_NL_Index.md)
- [ISO 27002:2022 NL](OST/ISO_27002_2022_NL_Index.md)
- [Vertaaltabel Engels-Nederlands](../../MoCs/ISO_27002_2022_Vertaaltabel_Engels_Nederlands.md)
- [Vertaaltabel Engels-Nederlands](ISO_27002_2022_Vertaaltabel_Engels_Nederlands.md)
EN source tekst:
- ISO 27001:2022 [PDF](OST/27001/EN/ISO_27001_2022_EN.pdf)
@ -33,7 +33,7 @@ See also:
- [IBB op hoofdlijnen](OST/IBB%20op%20hoofdlijnen.md)
- [ISO 27001 2023 Processen en Artefacten](OST/ISO%2027001%202023%20Processen%20en%20Artefacten.md)
- [Advised Documents for ISO 27001](../../../../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md)
- [Types of Controls](../../Sparks/Types%20of%20Controls.md)
- [Types of Controls](Types%20of%20Controls.md)
Depreciated:
[ISO_27001_2013_EN_Index](legacy/ISO%2027001%202013/ISO_27001_2013_EN_Index.md)

113
Corpus/Standards/ISO27x/ISO_27001_2022_Index EXT.md Normal file
View file

@ -0,0 +1,113 @@
#iso27002/2022/EN
# ISO 27002:2022 EN Index
| 2022 ID | Control title | 2013 |
| ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| **F** | **[[ISO_27002_OT_F Foreword \|Foreword]]** | |
| **0** | **[[ISO_27002_OT_0 Introduction \|Introduction]]** | |
| **1** | **[[ISO_27002_OT_1 Scope \|Scope]]** | |
| **2** | **[[ISO_27002_OT_2 Normative references\|Normative references]]** | |
| **3** | **Terms, definitions and abbreviated terms** | |
| 3.1 | **[[ISO_27002_OT_3.1 Terms and definitions\|Terms and definitions]]** | |
| 3.2 | **[[ISO_27002_OT_3.2 Abbreviated terms\|Abbreviated terms]]** | |
| **4** | **Structure of this document** | |
| 4.1 | [[ISO_27002_OT_4.1 Clauses \| Clauses ]] | |
| 4.2 | [[ISO_27002_OT_4.2 Themes and attributes \| Themes and attributes ]] | |
| 4.3 | [[ISO_27002_OT_4.3 Control layout \| Control layout ]] | |
| **5** | **Organizational controls** | |
| 5.1 | [Policies for information security ](legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md) | 05.1.1, 05.1.2 |
| 5.2 | [Information security roles and responsibilities ](../../MoCs/ISO_27002_2022_5.2_MoC%20Information%20security%20roles%20and%20responsibilities.md) | 06.1.1 |
| 5.3 | [Segregation of duties ](../../MoCs/ISO_27002_2022_5.3_MoC%20Segregation%20of%20duties.md) | 06.1.2 |
| 5.4 | [Management responsibilities ](../../MoCs/ISO_27002_2022_5.4_MoC%20Management%20responsibilities.md) | 07.2.1 |
| 5.5 | [Contact with authorities ](../../MoCs/ISO_27002_2022_5.5_MoC%20Contact%20with%20authorities.md) | 06.1.3 |
| 5.6 | [Contact with special interest groups ](../../MoCs/ISO_27002_2022_5.6_MoC%20Contact%20with%20special%20interest%20groups.md) | 06.1.4 |
| 5.7 | [Threat intelligence ](../../MoCs/ISO_27002_2022_5.7_MoC%20Threat%20intelligence.md) | New |
| 5.8 | [Information security in project management ](../../MoCs/ISO_27002_2022_5.8_MoC%20Information%20security%20in%20project%20management.md) | 06.1.5, 14.1.1 |
| 5.9 | [Inventory of information and other associated assets ](../../MoCs/ISO_27002_2022_5.9_MoC%20Inventory%20of%20information%20and%20other%20associated%20assets.md) | 08.1.1, 08.1.2 |
| 5.10 | [Acceptable use of information and other associated assets ](../../MoCs/ISO_27002_2022_5.10_MoC%20Acceptable%20use%20of%20information%20and%20other%20associated%20assets.md) | 08.1.3, 08.2.3 |
| 5.11 | [Return of assets ](../../MoCs/ISO_27002_2022_5.11_MoC%20Return%20of%20assets.md) | 08.1.4 |
| 5.12 | [Classification of information ](../../MoCs/ISO_27002_2022_5.12_MoC%20Classification%20of%20information.md) | 08.2.1 |
| 5.13 | [Labelling of information ](../../MoCs/ISO_27002_2022_5.13_MoC%20Labelling%20of%20information.md) | 08.2.2 |
| 5.14 | [Information transfer ](../../MoCs/ISO_27002_2022_5.14_MoC%20Information%20transfer.md) | 13.2.1, 13.2.2, 13.2.3 |
| 5.15 | [Access control ](../../MoCs/ISO_27002_2022_5.15_MoC%20Access%20control.md) | 09.1.1, 09.1.2 |
| 5.16 | [Identity management ](../../MoCs/ISO_27002_2022_5.16_MoC%20Identity%20management.md) | 09.2.1 |
| 5.17 | [Authentication information ](../../Information%20Security/Authentication%20information.md) | 09.2.4, 09.3.1, 09.4.3 |
| 5.18 | [Access rights ](../../MoCs/ISO_27002_2022_5.18_MoC%20Access%20rights.md) | 09.2.2, 09.2.5, 09.2.6 |
| 5.19 | [Information security in supplier relationships ](../../MoCs/ISO_27002_2022_5.19_MoC%20Information%20security%20in%20supplier%20relationships.md) | 15.1.1 |
| 5.20 | [Addressing information security within supplier agreements ](../../MoCs/ISO_27002_2022_5.20_MoC%20Addressing%20information%20security%20within%20supplier%20agreements.md) | 15.1.2 |
| 5.21 | [Managing information security in the ICT supply chain ](../../MoCs/ISO_27002_2022_5.21_MoC%20Managing%20information%20security%20in%20the%20ICT%20supply%20chain.md) | 15.1.3 |
| 5.22 | [Monitoring, review and change management of supplier services ](../../MoCs/ISO_27002_2022_5.22_MoC%20Monitoring,%20review%20and%20change%20management%20of%20supplier%20services.md) | 15.2.1, 15.2.2 |
| 5.23 | [Information security for use of cloud services ](../../MoCs/ISO_27002_2022_5.23_MoC%20Information%20security%20for%20use%20of%20cloud%20services.md) | New |
| 5.24 | [Information security incident management planning and preparation ](../../MoCs/ISO_27002_2022_5.24_MoC%20Information%20security%20incident%20management%20planning%20and%20preparation.md) | 16.1.1 |
| 5.25 | [Assessment and decision on information security events ](../../MoCs/ISO_27002_2022_5.25_MoC%20Assessment%20and%20decision%20on%20information%20security%20events.md) | 16.1.4 |
| 5.26 | [Response to information security incidents ](../../MoCs/ISO_27002_2022_5.26_MoC%20Response%20to%20information%20security%20incidents.md) | 16.1.5 |
| 5.27 | [Learning from information security incidents ](../../MoCs/ISO_27002_2022_5.27_MoC%20Learning%20from%20information%20security%20incidents.md) | 16.1.6 |
| 5.28 | [Collection of evidence ](../../MoCs/ISO_27002_2022_5.28_MoC%20Collection%20of%20evidence.md) | 16.1.7 |
| 5.29 | [Information security during disruption ](../../MoCs/ISO_27002_2022_5.29_MoC%20Information%20security%20during%20disruption.md) | 17.1.1, 17.1.2, 17.1.3 |
| 5.30 | [ICT readiness for business continuity ](../../Information%20Security/ICT%20readiness%20for%20business%20continuity.md) | New |
| 5.31 | [Legal, statutory, regulatory and contractual requirements ](../../MoCs/ISO_27002_2022_5.31_MoC%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md) | 18.1.1, 18.1.5 |
| 5.32 | [Intellectual property rights ](../../MoCs/ISO_27002_2022_5.32_MoC%20Intellectual%20property%20rights.md) | 18.1.2 |
| 5.33 | [Protection of records ](About%20A-5.33%20Protection%20of%20records.md) | 18.1.3 |
| 5.34 | [Privacy and protection of PII ](../../MoCs/ISO_27002_2022_5.34_MoC%20Privacy%20and%20protection%20of%20PII.md) | 18.1.4 |
| 5.35 | [Independent review of information security ](../../MoCs/ISO_27002_2022_5.35_MoC%20Independent%20review%20of%20information%20security.md) | 18.2.1 |
| 5.36 | [Compliance with policies, rules and standards for information security](../../MoCs/ISO_27002_2022_5.36_MoC%20Compliance%20with%20policies,%20rules%20and%20standards%20for%20information%20security.md) | 18.2.2, 18.2.3 |
| 5.37 | [Documented operating procedures ](../../MoCs/ISO_27002_2022_5.37_MoC%20Documented%20operating%20procedures.md) | 12.1.1 |
| **6** | **People controls** | |
| 6.1 | [Screening ](../../MoCs/ISO_27002_2022_6.1_MoC%20Screening.md) | 07.1.1 |
| 6.2 | [Terms and conditions of employment ](../../MoCs/ISO_27002_2022_6.2_MoC%20Terms%20and%20conditions%20of%20employment.md) | 07.1.2 |
| 6.3 | [Information security awareness, education and training ](../../MoCs/ISO_27002_2022_6.3_MoC%20Information%20security%20awareness,%20education%20and%20training.md) | 07.2.2 |
| 6.4 | [Disciplinary process ](../../MoCs/ISO_27002_2022_6.4_MoC%20Disciplinary%20process.md) | 07.2.3 |
| 6.5 | [Responsibilities after termination or change of employment ](../../MoCs/ISO_27002_2022_6.5_MoC%20Responsibilities%20after%20termination%20or%20change%20of%20employment.md) | 07.3.1 |
| 6.6 | [Confidentiality or non-disclosure agreements ](../../MoCs/ISO_27002_2022_6.6_MoC%20Confidentiality%20or%20non-disclosure%20agreements.md) | 13.2.4 |
| 6.7 | [Remote working ](../../MoCs/ISO_27002_2022_6.7_MoC%20Remote%20working.md) | 06.2.2 |
| 6.8 | [Information security event reporting ](../../MoCs/ISO_27002_2022_6.8_MoC%20Information%20security%20event%20reporting.md) | 16.1.2, 16.1.3 |
| **7** | **Physical controls** | |
| 7.1 | [Physical security perimeters ](../../MoCs/ISO_27002_2022_7.1_MoC%20Physical%20security%20perimeters.md) | 11.1.1 |
| 7.2 | [Physical entry ](../../MoCs/ISO_27002_2022_7.2_MoC%20Physical%20entry.md) | 11.1.2, 11.1.6 |
| 7.3 | [Securing offices, rooms and facilities ](../../MoCs/ISO_27002_2022_7.3_MoC%20Securing%20offices,%20rooms%20and%20facilities.md) | 11.1.3 |
| 7.4 | [Physical security monitoring ](../../MoCs/ISO_27002_2022_7.4_MoC%20Physical%20security%20monitoring.md) | New |
| 7.5 | [Protecting against physical and environmental threats ](../../MoCs/ISO_27002_2022_7.5_MoC%20Protecting%20against%20physical%20and%20environmental%20threats.md) | 11.1.4 |
| 7.6 | [Working in secure areas ](../../MoCs/ISO_27002_2022_7.6_MoC%20Working%20in%20secure%20areas.md) | 11.1.5 |
| 7.7 | [Clear desk and clear screen ](../../MoCs/ISO_27002_2022_7.7_MoC%20Clear%20desk%20and%20clear%20screen.md) | 11.2.9 |
| 7.8 | [Equipment siting and protection ](../../MoCs/ISO_27002_2022_7.8_MoC%20Equipment%20siting%20and%20protection.md) | 11.2.1 |
| 7.9 | [Security of assets off-premises ](../../MoCs/ISO_27002_2022_7.9_MoC%20Security%20of%20assets%20off-premises.md) | 11.2.6 |
| 7.10 | [Storage media ](../../MoCs/ISO_27002_2022_7.10_MoC%20Storage%20media.md) | 08.3.1, 08.3.2, 08.3.3, 11.2.5 |
| 7.11 | [Supporting utilities ](../../MoCs/ISO_27002_2022_7.11_MoC%20Supporting%20utilities.md) | 11.2.2 |
| 7.12 | [Cabling security ](../../MoCs/ISO_27002_2022_7.12_MoC%20Cabling%20security.md) | 11.2.3 |
| 7.13 | [Equipment maintenance ](../../MoCs/ISO_27002_2022_7.13_MoC%20Equipment%20maintenance.md) | 11.2.4 |
| 7.14 | [Secure disposal or re-use of equipment ](../../MoCs/ISO_27002_2022_7.14_MoC%20Secure%20disposal%20or%20re-use%20of%20equipment.md) | 11.2.7 |
| **8** | **Technological controls** | |
| 8.1 | [User endpoint devices ](../../MoCs/ISO_27002_2022_8.1_MoC%20User%20endpoint%20devices.md) | 06.2.1, 11.2.8 |
| 8.2 | [Privileged access rights ](../../MoCs/ISO_27002_2022_8.2_MoC%20Privileged%20access%20rights.md) | 09.2.3 |
| 8.3 | [Information access restriction ](About%20Control%208.3%20Information%20access%20restriction.md) | 09.4.1 |
| 8.4 | [Access to source code ](../../MoCs/ISO_27002_2022_8.4_MoC%20Access%20to%20source%20code.md) | 09.4.5 |
| 8.5 | [Secure authentication ](../../MoCs/ISO_27002_2022_8.5_MoC%20Secure%20authentication.md) | 09.4.2 |
| 8.6 | [Capacity management ](../../MoCs/ISO_27002_2022_8.6_MoC%20Capacity%20management.md) | 12.1.3 |
| 8.7 | [Protection against malware ](../../MoCs/ISO_27002_2022_8.7_MoC%20Protection%20against%20malware.md) | 12.2.1 |
| 8.8 | [Management of technical vulnerabilities ](../../MoCs/ISO_27002_2022_8.8_MoC%20Management%20of%20technical%20vulnerabilities.md) | 12.6.1, 18.2.3 |
| 8.9 | [Configuration management ](../../MoCs/ISO_27002_2022_8.9_MoC%20Configuration%20management.md) | New |
| 8.10 | [Information deletion ](../../MoCs/ISO_27002_2022_8.10_MoC%20Information%20deletion.md) | New |
| 8.11 | [Data masking ](../../MoCs/ISO_27002_2022_8.11_MoC%20Data%20masking.md) | New |
| 8.12 | [Data leakage prevention ](../../MoCs/ISO_27002_2022_8.12_MoC%20Data%20leakage%20prevention.md) | New |
| 8.13 | [Information backup ](../../MoCs/ISO_27002_2022_8.13_MoC%20Information%20backup.md) | 12.3.1 |
| 8.14 | [Redundancy of information processing facilities ](../../MoCs/ISO_27002_2022_8.14_MoC%20Redundancy%20of%20information%20processing%20facilities.md) | 17.2.1 |
| 8.15 | [Logging ](../../MoCs/ISO_27002_2022_8.15_MoC%20Logging.md) | 12.4.1, 12.4.2, 12.4.3 |
| 8.16 | [Monitoring activities ](../../MoCs/ISO_27002_2022_8.16_MoC%20Monitoring%20activities.md) | New |
| 8.17 | [Clock synchronization ](../../MoCs/ISO_27002_2022_8.17_MoC%20Clock%20synchronization.md) | 12.4.4 |
| 8.18 | [Use of privileged utility programs ](../../MoCs/ISO_27002_2022_8.18_MoC%20Use%20of%20privileged%20utility%20programs.md) | 09.4.4 |
| 8.19 | [Installation of software on operational systems ](../../MoCs/ISO_27002_2022_8.19_MoC%20Installation%20of%20software%20on%20operational%20systems.md) | 12.5.1, 12.6.2 |
| 8.20 | [Networks security ](../../MoCs/ISO_27002_2022_8.20_MoC%20Networks%20security.md) | 13.1.1 |
| 8.21 | [Security of network services ](../../MoCs/ISO_27002_2022_8.21_MoC%20Security%20of%20network%20services.md) | 13.1.2 |
| 8.22 | [Segregation of networks ](../../MoCs/ISO_27002_2022_8.22_MoC%20Segregation%20of%20networks.md) | 13.1.3 |
| 8.23 | [Web filtering ](../../MoCs/ISO_27002_2022_8.23_MoC%20Web%20filtering.md) | New |
| 8.24 | [Use of cryptography ](../../MoCs/ISO_27002_2022_8.24_MoC%20Use%20of%20cryptography.md) | 10.1.1, 10.1.2 |
| 8.25 | [Secure development life cycle ](../../MoCs/ISO_27002_2022_8.25_MoC%20Secure%20development%20life%20cycle.md) | 14.2.1 |
| 8.26 | [Application security requirements ](../../MoCs/ISO_27002_2022_8.26_MoC%20Application%20security%20requirements.md) | 14.1.2, 14.1.3 |
| 8.27 | [Secure system architecture and engineering principles ](../../MoCs/ISO_27002_2022_8.27_MoC%20Secure%20system%20architecture%20and%20engineering%20principles.md) | 14.2.5 |
| 8.28 | [Secure coding ](../../MoCs/ISO_27002_2022_8.28_MoC%20Secure%20coding.md) | New |
| 8.29 | [Security testing in development and acceptance ](../../MoCs/ISO_27002_2022_8.29_MoC%20Security%20testing%20in%20development%20and%20acceptance.md) | 14.2.8, 14.2.9 |
| 8.30 | [Outsourced development ](../../MoCs/ISO_27002_2022_8.30_MoC%20Outsourced%20development.md) | 14.2.7 |
| 8.31 | [Separation of development, test and production environments ](../../MoCs/ISO_27002_2022_8.31_MoC%20Separation%20of%20development,%20test%20and%20production%20environments.md) | 12.1.4, 14.2.6 |
| 8.32 | [Change management ](../../MoCs/ISO_27002_2022_8.32_MoC%20Change%20management.md) | 12.1.2, 14.2.2, 14.2.3, 14.2.4 |
| 8.33 | [Test information ](../../MoCs/ISO_27002_2022_8.33_MoC%20Test%20information.md) | 14.3.1 |
| 8.34 | [Protection of information systems during audit testing ](../../MoCs/ISO_27002_2022_8.34_MoC%20Protection%20of%20information%20systems%20during%20audit%20testing.md) | 12.7.1 |

52
Corpus/Standards/ISO27x/ISO_27001_2022_Index.md Normal file
View file

@ -0,0 +1,52 @@
#iso27001/2022/EN
# ISO 27001:2022 EN Index
| Clause | Title |
| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **F** | **[Foreword](../ISO-27001-OST/ISO27001-EN-2022/ISO_27001_OT%20F%20Foreword.md)** |
| **0** | **[Introduction](../ISO-27001-OST/ISO27001-EN-2022/c-0-Introduction.md)** |
| **1** | **[Scope](../ISO-27001-OST/ISO27001-EN-2022/c-1-Scope.md)** |
| **2** | **[Normative references](../ISO-27001-OST/ISO27001-EN-2022/c-2-Normative-references.md)** |
| **3** | **[Terms and definitions](../ISO-27001-OST/ISO27001-EN-2022/ISO_27001_OT%20Terms%20and%20definitions.md)** |
| **4** | **[Context of the organization](ISO_27001_2022_4_MoC%20Context%20of%20the%20organization.md)** |
| 4.1 | [Understanding the organization and its context ](../../MoCs/ISO_27001_2022_4.1_MoC%20Understanding%20the%20organization%20and%20its%20context.md) |
| 4.2 | [Understanding the needs and expectations of interested parties ](../../MoCs/ISO_27001_2022_4.2_MoC%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md) |
| 4.3 | [Determining the scope of the information security management system ](../../MoCs/ISO_27001_2022_4.3_MoC%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system.md) |
| 4.4 | [Information security management system ](../../MoCs/ISO_27001_2022_4.4_MoC%20Information%20security%20management%20system.md) |
| **5** | **[Leadership](../../MoCs/ISO_27001_2022_5_MoC%20Leadership.md)** |
| 5.1 | [Leadership and commitment ](../../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md) |
| 5.2 | [Policy ](../../MoCs/ISO_27001_2022_5.2_MoC%20Policy.md) |
| 5.3 | [Organizational roles, responsibilities and authorities ](../../MoCs/ISO_27001_2022_5.3_MoC%20Organizational%20roles,%20responsibilities%20and%20authorities.md) |
| **6** | **[Planning](../../MoCs/ISO_27001_2022_6_MoC%20Planning.md)** |
| 6.1 | [Actions to address risks and opportunities ](../../MoCs/ISO_27001_2022_6.1_MoC%20Actions%20to%20address%20risks%20and%20opportunities.md) |
| 6.1.1 | [General ](../../MoCs/ISO_27001_2022_6.1.1_MoC%20General.md) |
| 6.1.2 | [Information security risk assessment ](../../ISMS/Qualifying%20vs%20quantifying%20risks.md) |
| 6.1.3 | [Information security risk treatment ](../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md) |
| 6.2 | [Information security objectives and planning to achieve them ](../../MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md) |
| 6.3 | [Planning of changes ](../../MoCs/ISO_27001_2022_6.3_MoC%20Planning%20of%20changes.md) |
| **7** | **[Support](../../MoCs/ISO_27001_2022_7_MoC%20Support.md)** |
| 7.1 | [ Resources ](../../MoCs/ISO_27001_2022_7.1_MoC%20Resources.md) |
| 7.2 | [ Competence ](../../MoCs/ISO_27001_2022_7.2_MoC%20Competence.md) |
| 7.3 | [ Awareness ](../../MoCs/ISO_27001_2022_7.3_MoC%20Awareness.md) |
| 7.4 | [ Communication ](../../MoCs/ISO_27001_2022_7.4_MoC%20Communication.md) |
| 7.5 | [ Documented information ](../../MoCs/ISO_27001_2022_7.5_MoC%20Documented%20information.md) |
| 7.5.1 | General ↑ |
| 7.5.2 | Creating and updating ↑ |
| 7.5.3 | Control of documented information ↑ |
| **8** | **[Operation](../../MoCs/ISO_27001_2022_8_MoC%20Operation.md)** |
| 8.1 | [Operational planning and control ](../../MoCs/ISO_27001_2022_8.1_MoC%20Operational%20planning%20and%20control.md) |
| 8.2 | [Information security risk assessment ](../../MoCs/ISO_27001_2022_8.2_MoC%20Information%20security%20risk%20assessment.md) |
| 8.3 | [Information security risk treatment ](../../MoCs/ISO_27001_2022_8.3_MoC%20Information%20security%20risk%20treatment.md) |
| **9** | **[Performance evaluation](../../MoCs/ISO_27001_2022_9_MoC%20Performance%20evaluation.md)** |
| 9.1 | [Monitoring, measurement, analysis and evaluation ](../../MoCs/ISO_27001_2022_9.1_MoC%20Monitoring,%20measurement,%20analysis%20and%20evaluation.md) |
| 9.2 | [Internal audit ](../../MoCs/ISO_27001_2022_9.2_MoC%20Internal%20audit.md) |
| 9.2.1 | General ↑ |
| 9.2.2 | Internal audit programme ↑ |
| 9.3 | [Management review ](../../MoCs/ISO_27001_2022_9.3_MoC%20Management%20review.md) |
| 9.3.1 | General ↑ |
| 9.3.2 | Management review inputs ↑ |
| 9.3.3 | Management review results ↑ |
| **10** | **[Improvement](../../MoCs/ISO_27001_2022_10_MoC%20Improvement.md)** |
| 10.1 | [Continual improvement ](../../MoCs/ISO_27001_2022_10.1_MoC%20Continual%20improvement.md) |
| 10.2 | [Nonconformity and corrective action ](../../MoCs/ISO_27001_2022_10.2_MoC%20Nonconformity%20and%20corrective%20action.md) |
| **[Annex A](ISO_27001_2022_Index%20EXT.md)** | **Information security controls reference** |

97
Corpus/Standards/ISO27x/ISO_27002_2022_Vertaaltabel_Engels_Nederlands.md Normal file
View file

@ -0,0 +1,97 @@
#iso27002/2022/EN
| 2022 ID | Control title | Maatregel |
| :------ | :--------------------------------------------------------------------- | :---------------------------------------------------------------------------- |
| 5.1 | Policies for information security | Beleidsregels voor informatiebeveiliging |
| 5.2 | Information security roles and responsibilities | Rollen en verantwoordelijkheden bij informatiebeveiliging |
| 5.3 | Segregation of duties | Functiescheiding |
| 5.4 | Management responsibilities | Managementverantwoordelijkheden |
| 5.5 | Contact with authorities | Contact met overheidsinstanties |
| 5.6 | Contact with special interest groups | Contact met speciale belangengroepen |
| 5.7 | Threat intelligence | Informatie en analyses over dreigingen |
| 5.8 | Information security in project management | Informatiebeveiliging in projectmanagement |
| 5.9 | Inventory of information and other associated assets | Inventarisatie van informatie en andere gerelateerde bedrijfsmiddelen |
| 5.10 | Acceptable use of information and other associated assets | Aanvaardbaar gebruik van informatie en andere gerelateerde bedrijfsmiddelen |
| 5.11 | Return of assets | Retourneren van bedrijfsmiddelen |
| 5.12 | Classification of information | Classificeren van informatie |
| 5.13 | Labelling of information | Labelen van informatie |
| 5.14 | Information transfer | Overdragen van informatie |
| 5.15 | Access control | Toegangsbeveiliging |
| 5.16 | Identity management | Identiteitsbeheer |
| 5.17 | Authentication information | Beheren van authenticatie-informatie |
| 5.18 | Access rights | Toegangsrechten |
| 5.19 | Information security in supplier relationships | Informatiebeveiliging in leveranciersrelaties |
| 5.20 | Addressing information security within supplier agreements | Adresseren van informatiebeveiliging in leveranciersovereenkomsten |
| 5.21 | Managing information security in the ICT supply chain | Beheren van informatiebeveiliging in de ICT-keten |
| 5.22 | Monitoring, review and change management of supplier services | Monitoren, beoordelen en het beheren van wijzigingen van leveranciersdiensten |
| 5.23 | Information security for use of cloud services | Informatiebeveiliging voor het gebruik van clouddiensten |
| 5.24 | Information security incident management planning and preparation | Plannen en voorbereiden van het beheer van informatiebeveiligingsincidenten |
| 5.25 | Assessment and decision on information security events | Beoordelen van en besluiten over informatiebeveiligingsgebeurtenissen |
| 5.26 | Response to information security incidents | Reageren op informatiebeveiligingsincidenten |
| 5.27 | Learning from information security incidents | Leren van informatiebeveiligingsincidenten |
| 5.28 | Collection of evidence | Verzamelen van bewijsmateriaal |
| 5.29 | Information security during disruption | Informatiebeveiliging tijdens een verstoring |
| 5.30 | ICT readiness for business continuity | ICT-gereedheid voor bedrijfscontinuïteit |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Wettelijke, statutaire, regelgevende en contractuele eisen |
| 5.32 | Intellectual property rights | Intellectuele-eigendomsrechten |
| 5.33 | Protection of records | Beschermen van registraties |
| 5.34 | Privacy and protection of PII | Privacy en bescherming van persoonsgegevens |
| 5.35 | Independent review of information security | Onafhankelijke beoordeling van informatiebeveiliging |
| 5.36 | Compliance with policies, rules and standards for information security | Naleving van beleid, regels en normen voor informatiebeveiliging |
| 5.37 | Documented operating procedures | Gedocumenteerde bedieningsprocedures |
| 6.1 | Screening | Screening |
| 6.2 | Terms and conditions of employment | Arbeidsovereenkomst |
| 6.3 | Information security awareness, education and training | Bewustwording van, opleiding en training in informatiebeveiliging |
| 6.4 | Disciplinary process | Disciplinaire procedure |
| 6.5 | Responsibilities after termination or change of employment | Verantwoordelijkheden na beëindiging of wijziging van het dienstverband |
| 6.6 | Confidentiality or non-disclosure agreements | Vertrouwelijkheids- of geheimhoudingsovereenkomsten |
| 6.7 | Remote working | Werken op afstand |
| 6.8 | Information security event reporting | Melden van informatiebeveiligingsgebeurtenissen |
| 7.1 | Physical security perimeters | Fysieke beveiligingszones |
| 7.2 | Physical entry | Fysieke toegangsbeveiliging |
| 7.3 | Securing offices, rooms and facilities | Beveiligen van kantoren, ruimten en faciliteiten |
| 7.4 | Physical security monitoring | Monitoren van de fysieke beveiliging |
| 7.5 | Protecting against physical and environmental threats | Beschermen tegen fysieke en omgevingsdreigingen |
| 7.6 | Working in secure areas | Werken in beveiligde zones |
| 7.7 | Clear desk and clear screen | Clear desk en clear screen |
| 7.8 | Equipment siting and protection | Plaatsen en beschermen van apparatuur |
| 7.9 | Security of assets off-premises | Beveiligen van bedrijfsmiddelen buiten het terrein |
| 7.10 | Storage media | Opslagmedia |
| 7.11 | Supporting utilities | Nutsvoorzieningen |
| 7.12 | Cabling security | Beveiligen van bekabeling |
| 7.13 | Equipment maintenance | Onderhoud van apparatuur |
| 7.14 | Secure disposal or re-use of equipment | Veilig verwijderen of hergebruiken van apparatuur |
| 8.1 | User endpoint devices | User endpoint devices |
| 8.2 | Privileged access rights | Speciale toegangsrechten |
| 8.3 | Information access restriction | Beperking toegang tot informatie |
| 8.4 | Access to source code | Toegangsbeveiliging op broncode |
| 8.5 | Secure authentication | Beveiligde authenticatie |
| 8.6 | Capacity management | Capaciteitsbeheer |
| 8.7 | Protection against malware | Bescherming tegen malware |
| 8.8 | Management of technical vulnerabilities | Beheer van technische kwetsbaarheden |
| 8.9 | Configuration management | Configuratiebeheer |
| 8.10 | Information deletion | Wissen van informatie |
| 8.11 | Data masking | Maskeren van gegevens |
| 8.12 | Data leakage prevention | Voorkomen van gegevenslekken (Data leakage prevention) |
| 8.13 | Information backup | Back-up van informatie |
| 8.14 | Redundancy of information processing facilities | Redundantie van informatieverwerkende faciliteiten |
| 8.15 | Logging | Logging |
| 8.16 | Monitoring activities | Monitoren van activiteiten |
| 8.17 | Clock synchronization | Kloksynchronisatie |
| 8.18 | Use of privileged utility programs | Gebruik van speciale systeemhulpmiddelen |
| 8.19 | Installation of software on operational systems | Installeren van software op operationele systemen |
| 8.20 | Networks security | Beveiliging netwerkcomponenten |
| 8.21 | Security of network services | Beveiliging van netwerkdiensten |
| 8.22 | Segregation of networks | Netwerksegmentatie |
| 8.23 | Web filtering | Toepassen van webfilters |
| 8.24 | Use of cryptography | Gebruik van cryptografie |
| 8.25 | Secure development life cycle | Beveiligen tijdens de ontwikkelcyclus |
| 8.26 | Application security requirements | Toepassingsbeveiligingseisen |
| 8.27 | Secure system architecture and engineering principles | Veilige systeemarchitectuur en technische uitgangspunten |
| 8.28 | Secure coding | Veilig coderen |
| 8.29 | Security testing in development and acceptance | Testen van de beveiliging tijdens ontwikkeling en acceptatie |
| 8.30 | Outsourced development | Uitbestede systeemontwikkeling |
| 8.31 | Separation of development, test and production environments | Scheiding van ontwikkel-, test- en productieomgevingen |
| 8.32 | Change management | Wijzigingsbeheer |
| 8.33 | Test information | Testgegevens |
| 8.34 | Protection of information systems during audit testing | Bescherming van informatiesystemen tijdens audits |

BIN
Corpus/Standards/ISO27x/ISO_27005_2022_EN.pdf Normal file
View file

Binary file not shown.

4
Corpus/Standards/ISO27x/Implementation Products/BIA Workshop.md
View file

@ -7,7 +7,7 @@ Voorbeelden:
[Verbeterlijst](Verbeterlijst%20Producten.md#BIA%20Workshop)
Literature notes:
- [Business Impact Analysis (BIA)](../../../Sparks/ISMS/Business%20Impact%20Analysis%20(BIA).md)
- [Business Impact Analysis (BIA)](../../../ISMS/Business%20Impact%20Analysis%20(BIA).md)
**Doel:**
@ -29,7 +29,7 @@ Voorbereiding:
3. Impact:
- hoe lang kan mag een systeem of bepaalde informatie niet beschikbaar zijn, voordat we ernstige schade oplopen?
- Wat is 'ernstige schade'? -> - [TLP impact matrix](../../../Literature%20notes/Traffic%20Light%20Protocol%20TLP.md)
- Wat is 'ernstige schade'? -> - [TLP impact matrix](../../../ISMS/Data%20classification/Traffic%20Light%20Protocol%20TLP.md)
- MTPD Maximum tolerable period of disruption (business process): uur / dag / week / maand
- MTD Maximum Tolerable Downtime (assets) uit de lucht zijn

2
Corpus/Standards/ISO27x/Implementation Products/DRP Workshop.md
View file

@ -5,7 +5,7 @@ Voorbeelden:
- [BIA en DRP Sessies HK](../../../../Clients/Humankind/BIA%20en%20DRP%20Sessies%20HK.md)
Literatuur:
- [Disaster Recovery Planning](../../../Sparks/ISMS/Disaster%20Recovery%20Planning.md)
- [Disaster Recovery Planning](../../../ISMS/Disaster%20Recovery%20Planning.md)
Doelen:
- RPO Recovery Point Objective (assets) acceptable data loss; the point in time that you wish to recover to (maar wellicht ook een maat voor hoe vaak je een noodvoorziening (als een print-out van een rooster) moet verversen)

4
Corpus/Standards/ISO27x/Implementation Products/Dataclassificatie volgens TLP.md
View file

@ -1,11 +1,11 @@
# Product: dataclassificatie volgens TLP
Template: [](../../../Attachments/TLP_Impact_matrix_NL.xlsx)
Template: [](../../../Information%20Security/Risks/TLP_Impact_matrix_NL.xlsx)
Toegepast voor Humankind: [Dataclassificatie Humankind](../../../../Clients/Humankind/Dataclassificatie%20Humankind.md)
## Flow
1. Vaststellen risicobereidheid ([impactgebieden](../../../Sparks/impactgebieden.md) en [TLP-niveaus](../../../Literature%20notes/Traffic%20Light%20Protocol%20TLP.md))
1. Vaststellen risicobereidheid ([impactgebieden](../../../Sparks/impactgebieden.md) en [TLP-niveaus](../../../ISMS/Data%20classification/Traffic%20Light%20Protocol%20TLP.md))
- Beschikbaarheid evt. te kwantificering door omzetverlies per dag (financiën)
2. Identificeren en Classificeren van informatie-assets
- Op de as Beschikbaarheid: te bepalen door de Operatie, m.b.v. de BIA

10
Corpus/Standards/ISO27x/MoC Roles and responsibilities in ISO 27001.md
View file

@ -7,13 +7,13 @@ Recent:
- [ISO 27001 Leadership Responsibilities](ISO%2027001%20Leadership%20Responsibilities.md)
- [ISO 27001 Top Management responsibilities](ISO%2027001%20Top%20Management%20responsibilities.md)
- [Governance model for Policies and Controls](Governance%20model%20for%20Policies%20and%20Controls.md)
- [Basic ISMS governance model](../../Sparks/ISMS/Basic%20ISMS%20governance%20model.md)
- [Basic ISMS governance model](../../ISMS/Basic%20ISMS%20governance%20model.md)
- [m400-more-governance](../../../../iso27DIY-gis/guide/m400/m400-more-governance.md)
Older:
- [Roles and Responsibilities](../../Sparks/Roles%20and%20Responsibilities.md)
- [Risk ownership](../../Sparks/Risk%20ownership.md)
- [Ideas on Risk Ownership](../../Sparks/ISMS/Ideas%20on%20Risk%20Ownership.md)
- [Roles and Responsibilities](../../ISMS/Roles%20and%20Responsibilities.md)
- [Risk ownership](../../Information%20Security/Risks/Risk%20ownership.md)
- [Ideas on Risk Ownership](../../ISMS/Ideas%20on%20Risk%20Ownership.md)
- [Asset ownership](../../Sparks/Asset%20ownership.md)
- [Procuratieregeling](../../Various/Procuratieregeling.md)
- [Control ownership](../../Sparks/ISMS/Control%20ownership.md)
- [Control ownership](../../ISMS/Control%20ownership.md)

BIN
Corpus/Standards/ISO27x/NIS_2_and_ISO_27001_2022.pdf Normal file
View file

Binary file not shown.

2
Corpus/Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md
View file

@ -74,5 +74,5 @@ c)  as input to the information security test processes and techniques.
The organization should share threat intelligence with other organizations on a mutual basis in order to improve overall threat intelligence.
# Related:
- [Threat Intelligence](../../../../../Sparks/Threat%20Intelligence.md)
- [Threat Intelligence](../../../../../Information%20Security/Threat%20Intelligence.md)
- [[ISO_27002_PE 5.7 Threat intelligence]]

2
Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E02a - Risk assessment and analysis.md
View file

@ -14,7 +14,7 @@ Clause 6.1.2, on the other hand, *is* about information security risks.
## Clause 6.1.2: Information security risk assessment
Where [Clause 6.1.1](../../../MoCs/ISO_27001_2022_6.1.1_MoC%20General.md) is about risks to the *ISMS*, [Clause 6.1.2](../../../MoCs/ISO_27001_2022_6.1.2_MoC%20Information%20security%20risk%20assessment.md), on the other hand, is about risks to the *security of information*.
Where [Clause 6.1.1](../../../MoCs/ISO_27001_2022_6.1.1_MoC%20General.md) is about risks to the *ISMS*, [Clause 6.1.2](../../../ISMS/Qualifying%20vs%20quantifying%20risks.md), on the other hand, is about risks to the *security of information*.
Clause 6.1.2 states that the organization shall define and apply an information security **risk assessment process** that does a number of things, starting with the establishment, and following maintenance, of **risk criteria**. You may think of this as setting rules for the organization, to understand what information security risks *are*.

2
Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E02b - Objectives and planning.md
View file

@ -4,7 +4,7 @@
The information security objectives the organization identifies shall:
- be consistent with information security policy ([C5.1](../../../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), [A5.1](../legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md))
- results from the risk assessment ([6.1.2](../../../MoCs/ISO_27001_2022_6.1.2_MoC%20Information%20security%20risk%20assessment.md)) and risk treatment ([6.1.3e](../../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md))
- results from the risk assessment ([6.1.2](../../../ISMS/Qualifying%20vs%20quantifying%20risks.md)) and risk treatment ([6.1.3e](../../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md))
- take into account applicable information security requirements ([4.2](../../../MoCs/ISO_27001_2022_4.2_MoC%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md), needs and expectations of interested parties),
- be measurable (if practicable, see below)

2
Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E03a - Risk treatment.md
View file

@ -50,4 +50,4 @@ The controls in Annex A are often described in just one or two sentences. You mu
## Footnotes
[^1]: There's also a [Clause 8.3](../../../MoCs/ISO_27001_2022_8.3_MoC%20Information%20security%20risk%20treatment.md) Information security risk treatment in ISO 27001. It's very short: The organization shall implement the information security risk treatment plan, and it shall retain documented information on the treatments' results.
[^2]: See also [About the Statement of Applicability](../../../Sparks/ISMS/About%20the%20Statement%20of%20Applicability.md).
[^2]: See also [About the Statement of Applicability](../../../ISMS/About%20the%20Statement%20of%20Applicability.md).

2
Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05a - Operation.md
View file

@ -10,7 +10,7 @@ Clause 8, Operation, has three parts to it:
So let's have a look at [Clause 8.1](../../../MoCs/ISO_27001_2022_8.1_MoC%20Operational%20planning%20and%20control.md) Operational Planning and Control.
In Clause 6, part of the Plan phase, we looked at information security assessment and risk treatment, and the outcomes where a risk assessment *process*, a risk treatment plan, and a list of the controls we'd implement in the form of a statement of applicability (clauses [6.1.2](../../../MoCs/ISO_27001_2022_6.1.2_MoC%20Information%20security%20risk%20assessment.md) and [6.1.3](../../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md)).
In Clause 6, part of the Plan phase, we looked at information security assessment and risk treatment, and the outcomes where a risk assessment *process*, a risk treatment plan, and a list of the controls we'd implement in the form of a statement of applicability (clauses [6.1.2](../../../ISMS/Qualifying%20vs%20quantifying%20risks.md) and [6.1.3](../../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md)).
Clause 8 is part of the Do phase, and describes how we will execute the actions from Clause 6, to confirm that the risk assessments are actually being carried out and that the risk treatment plans and controls are actually being implemented. This is the subject of Clause 8.1.

2
Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05b - Performance evaluation.md
View file

@ -17,7 +17,7 @@ It's important to note that an organization is *not* expected to monitor, measur
As the standard itself doesn't prescribe *what* to monitor, your best choice is taking the security objectives as a starting point. So what and how will the organization measure and check whether those objectives (from [6.2](../../../MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md)) are being fulfilled.
Other focus points may be controls that are implemented to deal with significant risks (from [6.1.2](../../../MoCs/ISO_27001_2022_6.1.2_MoC%20Information%20security%20risk%20assessment.md)), and legal and regulatory compliance.
Other focus points may be controls that are implemented to deal with significant risks (from [6.1.2](../../../ISMS/Qualifying%20vs%20quantifying%20risks.md)), and legal and regulatory compliance.
Besides identifying what to monitor, the organization must determine how frequently those measurements will take place, who will be taking them, and which actions will be taken in response.

9
Corpus/Standards/ISO27x/Privacy in ISO 27001.md Normal file
View file

@ -0,0 +1,9 @@
# Privacy in ISO 27001
[Core concepts of Privacy](Core%20concepts%20of%20Privacy.md)
[AVG GDPR resources](../AVG/AVG%20GDPR%20resources.md)
Privacy in ISO 27001:
- [ISO 27001 A 18 Compliance](legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md#A%2018%201%204%20Privacy%20and%20protection%20of%20personally%20identifiable%20information)
[Personal Health Train | Health-RI](https://www.health-ri.nl/initiatives/personal-health-train)

62
Corpus/Standards/ISO27x/Privacy in ISO 27k.md Normal file
View file

@ -0,0 +1,62 @@
## Application specific guidelines
[ISO/IEC 27017 cloud security](https://www.iso27001security.com/html/27017.html)
> The code of practice provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002, in the cloud computing context.
> The standard advises both cloud service customers and cloud service providers, with the primary guidance laid out side-by-side in each section.
[ISO/IEC 27018 Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors](https://www.iso27001security.com/html/27018.html)
> The standard is primarily concerned with public-cloud computing service providers acting as PII processors . “A public cloud service provider is a PII processor when it processes PII for and according to the instructions of a cloud service customer”
[ISO/IEC 27030 Security and privacy for Internet of Things](https://www.iso27001security.com/html/27030.html)
> The standard will provide guidance on the principles, risk and controls for IoT security and privacy. Currently at 2nd Committee Draft stage. The standard is due to be published in 2022.
[ISO/IEC 27046 Big data security and privacy implementation](https://www.iso27001security.com/html/27046.html)
> This standard is intended to help organizations implement the processes described in [ISO/IEC 27045](https://www.iso27001security.com/html/27045.html) in order to ensure the security and privacy of big data. It is currently at Working Draft stage. The standard was due to be published in 2023. However, a hiatus on the [ISO/IEC 27045 ](https://www.iso27001security.com/html/27045.html) project implies this standard and its schedule is in doubt.
[ISO/IEC 27400 IoT security and privacy](https://www.iso27001security.com/html/27400.html)
> The standard will provide guidance on the principles, risk and controls for IoT security and privacy. It identifies some generic risk sources and risk scenarios relevant to IoT, essentially a selection of examples for consideration. Currently at 3rd Committee Draft stage. The standard is due to be published in 2022.
## Management frameworks (?)
[ISO/IEC 27701 Privacy information management](https://www.iso27001security.com/html/27701.html)
> The standard specifies a Privacy Information Management System based on ISO/IEC 27001(ISMS), 27002 (security controls) and 29100 (privacy framework). It is applicable to both controllers and processors of Personally Identifiable Information.
[ISO/IEC TR 27550 Privacy engineering](https://www.iso27001security.com/html/27550.html)
> This is an IT security standard about *engineering* IT systems to satisfy privacy requirements relating to the protection of personal data.
[ISO/IEC 27552 Extension to 27001/27002 for privacy information management](https://www.iso27001security.com/html/27552.html)
> This standard will explain how to enhance (adapt and extend) an ISO 27001 ISMS and the associated 27002 controls to manage privacy as well as information security. Currently at DIS stage. Due to be published at the end of 2019.
[ISO/IEC 27556 User-centric framework for the handling of PII and privacy preferences](https://www.iso27001security.com/html/27556.html)
> The standard will lay out a “user-centric framework” (an architecture) to handle personal information in a controlled manner. […] It is at 2nd Committee Draft stage and is expected to be published in early in 2023.
[ISO/IEC 27557 Organizational privacy risk management](https://www.iso27001security.com/html/27557.html)
> Currently at Working Draft stage. This standard will guide organizations on managing privacy risks that could impact the organization and/or data subjects.
[ISO/IEC 29100:2011 Privacy Framework](https://www.itgovernance.asia/shop/product/iso29100-iso-29100-privacy-framework)
> ISO/IEC 29100:2011 provides a privacy framework for when dealing with PII. The standard:
> Specifies a common privacy terminology
> Defines the actors and their roles in processing PII
> Describes privacy safeguarding considerations; and
> Provides references to known privacy principles for information technology
27018 is vooral voor de rol van Verwerker.
Bij 27018 ligt de focus op de garantie kunnen bieden aan de klant, dat er met zijn gegevens wordt omgegaan conform geldende privacy principes.
Er wordt geen aandacht besteed aan de werking van de interne organisatie (tenzij dat nodig is voor het voorgaande).
Het biedt maatregelen en richtlijnen in aanvulling op het 27001 ISMS en Annex A.
Zo kun je 27018-compliant zijn in de dienstverlening aan de klant en de omgang met zijn gegevens (in de rol van verwerker), terwijl je intern (bijv. Bij HR en Marketing) niet voldoet aan de GDPR (in de rol van verwerkingsverantwoordelijke).
Voorbeeld: A 4 Collection limitation: geen aanvullende maatregelen, terwijl dit in bijv een Client Onboarding proces van belang is.
A 5 Data minimisation: alleen veilige verwijdering van tijdelijke bestanden. Terwijl de typische marketing afdeling zelden contactgegevens verwijdert als ze ze eenmaal in handen hebben.
27018:A.10.1 Notification of a data breach involving PII gaat primair over de verplichtingen richting de klant m.b.t. het lekken van hun data.
* BCR/SCC worden niet genoemd in de 27018
27701 focust op de rol als Verwerkingsverantwoordelijke.
The Information Security Management System (ISMS) defined in ISO/IEC 27001 is designed to permit the addition of sector specific requirements, without the need to develop a new Management System. ISO Management System standards, including the sector specific ones, are designed to be able to be implemented either separately or as a combined Management System.
maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
This document specifies PIMS-relate

50
Corpus/Standards/ISO27x/Risk assessment and treatment at two levels.md Normal file
View file

@ -0,0 +1,50 @@
# Risk assessment and treatment at two levels in ISO 27001
Risk assessment and risk treatment are discussed both in Chapter 6 and in Chapter 8. What is the difference?
The relationship between , (Information security risk assessment), and (Information security risk treatment) hinges on their roles within the Information Security Management System (ISMS) framework defined by ISO/IEC 27001:2022.
In essence, Clauses [6.1.2](../../ISMS/Qualifying%20vs%20quantifying%20risks.md) and [6.1.3](../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md) (Information security risk assessment and risk treatment) define the _processes_ and _criteria_ for risk management within the planning stage, while Clauses [8.2](../../MoCs/ISO_27001_2022_8.2_MoC%20Information%20security%20risk%20assessment.md) and [8.3](../../MoCs/ISO_27001_2022_8.3_MoC%20Information%20security%20risk%20treatment.md) define the _operational execution_ and _timing_ for applying those established processes.
### 1. Risk Processes Defined (Planning: Clause 6)
Clauses 6.1.2 and 6.1.3, located within the **Planning (Clause 6)** section of the ISO/IEC 27001 requirements, establish the foundational framework and repeatable methodology for how the organization approaches risk management:
- **6.1.2 Information security risk assessment:** This clause mandates the **definition and application** of a risk assessment process. This process includes:
- Establishing and maintaining risk criteria, including risk acceptance criteria.
- Ensuring that repeated assessments produce consistent, valid, and comparable results.
- Identifying, analyzing, and evaluating information security risks associated with the loss of confidentiality, integrity, and availability within the scope of the ISMS, and determining risk owners.
- The organization must **retain documented information** about this defined risk assessment process.
- **6.1.3 Information security risk treatment:** This clause mandates the **definition and application** of a risk treatment process. This process involves:
- Selecting appropriate risk treatment options based on assessment results.
- Determining all necessary controls needed to implement the chosen treatment options.
- **Comparing** the determined controls against those listed in **Annex A** (which is directly derived from ISO/IEC 27002 controls) to ensure no necessary controls have been omitted.
- Producing a **Statement of Applicability (SoA)** detailing the controls chosen, justification for inclusion, implementation status, and justification for excluding any Annex A controls.
- Formulating an **Information security risk treatment plan**.
- Obtaining approval for the treatment plan and acceptance of residual risks from risk owners.
- The organization must **retain documented information** about this defined risk treatment process.
- The risk assessment and treatment processes align with the principles and guidelines found in ISO 31000.
### 2. Risk Processes Implemented (Operation: Clause 8)
Clauses 8.2 and 8.3, located within the **Operation (Clause 8)** section, describe when and how the processes defined in Clause 6.1.2 and 6.1.3 must be actively performed by the organization.
- **8.2 Information security risk assessment:** This clause specifies the **trigger events** for conducting the risk assessment defined earlier in 6.1.2. The organization must perform risk assessments at **planned intervals** or when **significant changes are proposed or occur**. These assessments must follow the criteria established in 6.1.2 a).
- The organization is required to retain documented information of the **results** of these operational risk assessments.
- **8.3 Information security risk treatment:** This clause specifies the **action** required following the determination of the risk treatment plan (formulated in 6.1.3 e)). The organization must **implement the information security risk treatment plan**.
- The organization is required to retain documented information of the **results** of this operational risk treatment.
### Summary of the Relationship
|Clause|Section|Focus|Purpose in the ISMS Cycle|
|:--|:--|:--|:--|
|**6.1.2** (Risk assessment)|Planning|**Defining the Risk Methodology**|Establishes _how_ risk assessment will be performed (criteria, repeatable process, identification, analysis, evaluation).|
|**6.1.3** (Risk treatment)|Planning|**Defining the Treatment Framework**|Establishes _how_ risks will be treated (control selection, comparison with Annex A, SoA creation, plan formulation, residual risk acceptance).|
|**8.2** (Risk assessment)|Operation|**Executing the Assessment**|Defines _when_ the defined risk assessment process (6.1.2) must be carried out (planned intervals or significant changes).|
|**8.3** (Risk treatment)|Operation|**Executing the Treatment**|Requires the organization to _implement_ the risk treatment plan formulated during the planning stage (6.1.3).|

8
Corpus/Standards/ISO27x/Tokens.md Normal file
View file

@ -0,0 +1,8 @@
# Managing 2FA tokens
Does managing 2FA tokens fall under control: cryptographic key mgt? Probably.
Tokens are mentioned in:
- 5.11 Return of assets (for hardware tokens)
- 5.17 Authentication information
- 8.5 Secure authentication

27
Corpus/Standards/ISO27x/Types of Controls.md Normal file
View file

@ -0,0 +1,27 @@
# Types of Controls
From a [LinkedIn post](https://www.linkedin.com/posts/mohammad-salman-khan-a160a15_governance-riskmanagement-internalcontrols-activity-7344245989253206016-cYa3/).
**Preventive Controls** stop undesirable events or risks before they occur.
Examples: Passwords, firewalls, access restrictions, segregation of duties.
Comparable to a front door lock.
**Detective Controls** identify and flag events or deviations after they occur.
Examples: Exception reports, surveillance, reconciliations, audit trails.
Comparable to an intruder alarm system.
**Corrective Controls** limit the damage after an event and restore normal operations.
Examples: Backup restoration, incident response plans, disciplinary actions.
These are your recovery mechanisms—essential for resilience and continuity.
**Prescriptive Controls** define specific steps or rules to mitigate risks.
Examples: SOPs, policy manuals, codes of conduct.
They ensure consistency and compliance.
**Directive Controls** guide and influence behavior toward desired outcomes.
Examples: Training, awareness programs, tone from the top, mission statements.
These controls foster a strong risk culture by shaping mindset and behavior.
**Compensating Controls** serve as alternatives when primary controls are weak or absent.
Examples: Manual review in place of automation, monitoring in place of Segregation of Duties.

4
Corpus/Standards/ISO27x/Zero Trust and ISO 27001.md Normal file
View file

@ -0,0 +1,4 @@
# Zero Trust and ISO 27001
[Zero Trust](../📚️%20Literature%20notes/Zero%20Trust.md) is a security principle that can be applied to systems and processes. [ISO 27001 A.13.2 Information transfer](legacy/ISO%2027001%202013/ISO%2027001%20A.13.2%20Information%20transfer.md) is a method to manage security risks.

2
Corpus/Standards/ISO27x/legacy/ISO 27001 2013/ISO 27001 A 8.2.2 Labelling of information.md
View file

@ -3,4 +3,4 @@
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Related:
- [Labeling of information in the digital domain](../../../../Sparks/ISMS/Labeling%20of%20information%20in%20the%20digital%20domain.md)
- [Labeling of information in the digital domain](../../../../ISMS/Labeling%20of%20information%20in%20the%20digital%20domain.md)

4
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/About ISO27DIY Policy Cards.md
View file

@ -27,6 +27,6 @@ Related ISO clauses and controls:
Related ideas:
- [ISO27DIY Recipe for Policy Cards](ISO27DIY%20Recipe%20for%20Policy%20Cards.md)
- [BC5701_Training_Tab_03_MS](../../../BC%205701/BC5701_Training_Tab_03_MS.md#Beleid)
- [Modules, Screens and Content](../../../../Sparks/Modules,%20Screens%20and%20Content.md)
- [Modules, Screens and Content](../../../../../AuditGlue/Modules,%20Screens%20and%20Content.md)
- [🧰 Resource portal](🧰%20Resource%20portal.md)
- [Topical InfoSec Kanbans](../../../../Literature%20notes/Topical%20InfoSec%20Kanbans.md)
- [Collection of Kanban boards on information security topics](../../../../Information%20Security/Collection%20of%20Kanban%20boards%20on%20information%20security%20topics.md)

4
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO 27001 benefits.md
View file

@ -2,14 +2,14 @@
- Easier sales
- Accelerates your customers Purchase Decision Process ("Sell with Confidence. Worldwide.")
- Certification for this standard is increasingly becoming a knock-out criterium for [Examples of vendor selection questionnaires](../../../../Sparks/Information%20Security/Examples%20of%20vendor%20selection%20questionnaires.md).
- Certification for this standard is increasingly becoming a knock-out criterium for [Examples of vendor selection questionnaires](../../../../Information%20Security/Examples%20of%20vendor%20selection%20questionnaires.md).
- Raises your infosec maturity level
- Raise your [Maturity Models](../../../../📚️%20Literature%20notes/Maturity%20Models.md) from incident driven to improvement focussed
- Continual improvement of security
- Increased resilience
- be prepared for events that threaten your business continuity
- Accountability / responsibility
- [Corporate social responsibility](../../../../Literature%20notes/Corporate%20social%20responsibility.md)
- [Corporate social responsibility](../../../../Various/Corporate%20social%20responsibility.md)
- Voorkómen maatschappelijke ontwrichting (voorbeeld: een massale cyberaanval legt de Rotterdamse havens stil)
- Encourage transparency. "We believe that transparency, such as having a permissive vulnerability disclosure policy (VDP) that encourages security research, is a key characteristic of a good, mature security program".
- https://www.maastrichtuniversity.nl/data-protection-corporate-social-responsibility

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO27DIY Business drivers.md
View file

@ -1,3 +1,3 @@
- [Perverse prikkels in de normindustrie](../../../../Sparks/Perverse%20prikkels%20in%20de%20normindustrie.md)
- [Perverse prikkels in de normindustrie](../../../../../Content%20Factory/Scratch%20file/Perverse%20prikkels%20in%20de%20normindustrie.md)
- [GRC software is geschreven voor domeindeskundigen](../../../../../Content%20Factory/Scratch%20file/GRC%20software%20is%20geschreven%20voor%20domeindeskundigen.md)
- [Problems solved 1](../../../../Sparks/Problems%20solved%201.md)

6
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO27DIY Business model.md
View file

@ -1,9 +1,9 @@
Child notes:
- [Blurbs](../../../../Sparks/Blurbs.md)
- [Toegevoegde waarde van ISO27DIY 1](../../../../Sparks/Toegevoegde%20waarde%20van%20ISO27DIY%201.md)
- [Toegevoegde waarde van ISO27DIY](../../../../../Content%20Factory/Scratch%20file/Toegevoegde%20waarde%20van%20ISO27DIY.md)
- [Friendly targets](../../../../../../💡Permanent%20ideas/Friendly%20targets.md)
- [Possible Colabs](../../../../Sparks/Possible%20Colabs.md)
- [List of possible partners](../../../../Sparks/iso27diy/List%20of%20possible%20partners.md)
- [Possible Colabs](../../../../../AuditGlue/Possible%20Colabs.md)
- [List of possible partners](../../../../../AuditGlue/List%20of%20possible%20partners.md)
- [ISO27DIY Business drivers](ISO27DIY%20Business%20drivers.md)
- [AuditGlue Business model](../AuditGlue%20Business%20model.md)
- [[### Related notes

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO27DIY Kanban board.md
View file

@ -6,4 +6,4 @@ Examples / templates may be offered as a (freebee) resource - see [🧰 Resource
Related:
- [Working back from the Annex A dashboard](Working%20back%20from%20the%20Annex%20A%20dashboard.md)
- See [Topical InfoSec Kanbans](../../../../Literature%20notes/Topical%20InfoSec%20Kanbans.md) for inspiration.
- See [Collection of Kanban boards on information security topics](../../../../Information%20Security/Collection%20of%20Kanban%20boards%20on%20information%20security%20topics.md) for inspiration.

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/ISO27DIY Video A.2 Context and Scope - Stakeholders.md
View file

@ -12,7 +12,7 @@ In this video you'll learn how to create a stakeholder analysis, identifying the
> Examine "external stakeholders relationships, perceptions, values, needs and expectations"
- [ ] See also [Stakeholder Analysis](../../../../Sparks/Stakeholder%20Analysis.md)
- [ ] See also [Stakeholder Analysis](../../../../ISMS/Stakeholder%20Analysis.md)
- [ ] And [this](https://www.pmi.org/learning/library/stakeholder-analysis-pivotal-practice-projects-8905) from the Project Management Institute

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/Working back from the Annex A dashboard.md
View file

@ -1,4 +1,4 @@
Start with the [](../../../../Attachments/ISO%2027001%20Implementatie%20dashboard%20Annex%20A.xlsx) as a framework.
Start with the [](../../../../ISMS/NHC%20ISO%2027001%20Implementatie%20dashboard%20Annex%20A.xlsx) as a framework.
Every cell gets one or more corresponding [ISO27DIY Kanban board](ISO27DIY%20Kanban%20board.md) items. So they are all linked to at least one of the ISO 27001 controls or ISO 27001 clauses.
Note that in this approach all [About ISO27DIY Policy Cards](About%20ISO27DIY%20Policy%20Cards.md), [Advised Documents for ISO 27001](../../../../../../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md), and identified risks and controls will appear on the Kanban board, directly or indirectly.

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/🏺 ISO27DIY Artefacts/ISO 27001 Implementation Plan.md
View file

@ -2,7 +2,7 @@
Skeleton project plan contents:
- [ISO 27001 benefits](../ISO%2027001%20benefits.md)
- [ISO27DIY benefits](../../../../../Sparks/iso27diy/ISO27DIY%20benefits.md)
- [ISO27DIY benefits](../../../../../../AuditGlue/ISO27DIY%20benefits.md)
## Benefits

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/🏺 ISO27DIY Artefacts/ISO 27001 Stakeholder Presentation.md
View file

@ -6,5 +6,5 @@
## Related:
- [ISO 27001 benefits](../ISO%2027001%20benefits.md)
- [ISO27DIY benefits](../../../../../Sparks/iso27diy/ISO27DIY%20benefits.md)
- [ISO27DIY benefits](../../../../../../AuditGlue/ISO27DIY%20benefits.md)

4
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/🏺 ISO27DIY Artefacts/ISO27DIY Target Operational Model for the ISMS.md
View file

@ -1,6 +1,6 @@
TOM: "What does running an ISO compliant ISMS look like, organization wise?"
See: [Target Operational Model](../../../../../Literature%20notes/Target%20Operational%20Model.md)
See: [Target Operational Model](../../../../../Various/Target%20Operational%20Model.md)
- What's expected of senior management on board:
- Show leadership and commitment
@ -11,4 +11,4 @@ See: [Target Operational Model](../../../../../Literature%20notes/Target%20Opera
- Consider requesting certification
- [Organizing Cybersecurity](../../../../../Sparks/Organizing%20Cybersecurity.md)
- [Target Operational Model](../../../../../Literature%20notes/Target%20Operational%20Model.md)
- [Target Operational Model](../../../../../Various/Target%20Operational%20Model.md)

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/🏺 ISO27DIY Artefacts/ISO27DIY implementation dashboard.md
View file

@ -1,6 +1,6 @@
The purpose of the Implementation Dashboard is to get an overview of progress and gaps and make auditing easier.
See this:
- [example Excel sheet (NL version)](../../../../../Attachments/ISO%2027001%20Implementatie%20dashboard%20Annex%20A.xlsx)
- [example Excel sheet (NL version)](../../../../../ISMS/NHC%20ISO%2027001%20Implementatie%20dashboard%20Annex%20A.xlsx)
- [example Excel sheet (EN version)](ISO%2027001-2013%20Implementation%20Dashboard.xlsx)

4
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/💾 AuditGlue software.md
View file

@ -4,9 +4,9 @@ Pivoting away from 'guided implementation management' to:
Related:
- [Three user modes for AuditGlue](../../../../Sparks/Three%20user%20modes%20for%20AuditGlue.md)
- [Three user modes for AuditGlue](../../../../../AuditGlue/Three%20user%20modes%20for%20AuditGlue.md)
- [Distributed usage of AuditGlue](../../../../../../Permanent%20ideas/Distributed%20usage%20of%20AuditGlue.md)
- [Modules, Screens and Content](../../../../Sparks/Modules,%20Screens%20and%20Content.md)
- [Modules, Screens and Content](../../../../../AuditGlue/Modules,%20Screens%20and%20Content.md)
- [AuditGlue ERD](../AuditGlue%20ERD.md)
- [AuditGlue Business model](../AuditGlue%20Business%20model.md)

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/📒 Templates/ISO 27x Control PE template.md
View file

@ -1,4 +1,4 @@
[Source text](../../../../../Sparks/Source%20text.md)
[Source text](../../../../../../AuditGlue/System%20alternative/Source%20text.md)
## Control ID + Title

2
Corpus/Standards/ISO27x/legacy/iso27DIY mk I/📒 Templates/ISO27DIY Policy Card template.md
View file

@ -20,7 +20,7 @@ Related to:
The Document Owner is responsible for development and implementation of the policy.
- [ ] Check Standard on documentation and ownership
- [ ] Check 'responsible' vs. 'accountable' / [Responsibility assignment matrices](../../../../../Literature%20notes/Responsibility%20assignment%20matrices.md)
- [ ] Check 'responsible' vs. 'accountable' / [Responsibility assignment matrices](../../../../../ISMS/Responsibility%20assignment%20matrices.md)
## Policy subject

2
Corpus/Standards/Mapping NIST Controls to ISO Standards.md Normal file
View file

@ -0,0 +1,2 @@
# Mapping NIST Controls to ISO Standards
http://gocs.info/pages/fachberichte/archiv/178-sp800_53_r4_appendix-h_draft_ipd.pdf

2
Corpus/Standards/NIS 2/NIS 2 Directive and ISO 27001-2022.md
View file

@ -2,4 +2,4 @@
Relevant articles of the NIS 2 are linked to clauses and controls of the ISO 27001:2022
![](../../Attachments/NIS_2_and_ISO_27001_2022.pdf)
![](../ISO27x/NIS_2_and_ISO_27001_2022.pdf)

2
Corpus/Standards/NIS 2/NIS 2 Index.md
View file

@ -8,7 +8,7 @@
[NIS 2 maatregelen en ISO 27002/BIO](https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/mapping-nis2-maatregelen/) Digitale overheid
[PDF](../../Attachments/NIS_2_and_ISO_27001_2022.pdf): NIS 2 Directive and ISO 27001 Andrey Prozorov
[PDF](../ISO27x/NIS_2_and_ISO_27001_2022.pdf): NIS 2 Directive and ISO 27001 Andrey Prozorov
[PDF](NIS2_EN.pdf): NIS 2 Original Text EN
[PDF](NIS2_NL.pdf): NIS 2 Brontekst

BIN
Corpus/Standards/NIST vs ISO 27001.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 256 KiB

2
Corpus/Standards/NIST/NIST AI RMF.md
View file

@ -6,4 +6,4 @@
Comparable to ISO/IEC 23894:2023 ?
See [Risk management](../../Sparks/Risk%20management.md)
See [Risk management](../../Information%20Security/Risks/Risk%20management.md)

2
Corpus/Standards/NIST/NIST articles list.md
View file

@ -9,7 +9,7 @@
[NIST CSF 2.0 Incident Response](NIST%20CSF%202.0%20Incident%20Response.md)
[](NIST%20CSF%202.0%20incident%20life%20cycle.png)
[NIST Cybersecurity Framework's five Functions](NIST%20Cybersecurity%20Framework's%20five%20Functions.md) - is this 2.0?
[Mapping NIST Controls to ISO Standards](../../Literature%20notes/Mapping%20NIST%20Controls%20to%20ISO%20Standards.md) - is this 2.0?
[Mapping NIST Controls to ISO Standards](../Mapping%20NIST%20Controls%20to%20ISO%20Standards.md) - is this 2.0?
[CSF Tools for NIST CSF and PF](../other/CSF%20Tools%20for%20NIST%20CSF%20and%20PF.md) - is this 2.0?

6
Corpus/Standards/NSA Network Security Guidance.md Normal file
View file

@ -0,0 +1,6 @@
# NSA Network Security Guidance
https://media.defense.gov/2022/Mar/01/2002947139/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDANCE_20220301.PDF
Related:
- [ISO 27001 A.13.1 Network security management](ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.13.1%20Network%20security%20management.md)

16
Corpus/Standards/Open Cybersecurity Schema Framework.md Normal file
View file

@ -0,0 +1,16 @@
# Open Cybersecurity Schema Framework
for sharing cybersecurity information
Project [Open Cybersecurity Schema Framework](https://github.com/ocsf/ocsf-docs) on Github
18 tech and cybersecurity companies co-launched a proposed standard for sharing cybersecurity information called the Open Cybersecurity Schema Framework (OCSF). The goal is to standardize things like alerts and logs from various tools, and to help streamline data pipeline creation for training AI models. Primary participants include Amazon, Splunk, IBM, Crowdstrike, Rapid7, Palo Alto, and Cloudflare.
Goals/reasons:
- help organizations detect, investigate and stop cyberattacks faster and more effectively.
- help all security teams realize better, faster data ingestion and analysis without the time-consuming, up-front normalization tasks.
- decrease time spent on normalizing data across different tools
- increasing interoperability between tools
![](Understanding%20OCSF%20August%202022%20v1.8%201.pdf)

2
Corpus/Standards/SANS/SANS Incident Response Plan.md
View file

@ -3,7 +3,7 @@ Retrieved: November 28, 2022
Related:
- [ISO 27002 5.24 Information security incident management planning and preparation](../ISO27x/OST/27002/EN/a-5.24-Information-security-incident-management-planning-and-preparation.md)
- [Ransomware Playbook](../../Sparks/Ransomware%20Playbook.md)
- [Ransomware Playbook](../../Information%20Security/Ransomware%20Playbook.md)
Six steps:

BIN
Corpus/Standards/SP-RMM Risk Management Model.pdf Normal file
View file

Binary file not shown.

BIN
Corpus/Standards/SURF Handreiking risicobeoordeling 2.0.pdf Normal file
View file

Binary file not shown.

BIN
Corpus/Standards/SURF Toolkit risicobeoordeling kaartjes workshop.docx Normal file
View file

Binary file not shown.

29
Corpus/Standards/SURF Toolkit risicobeoordeling.md Normal file
View file

@ -0,0 +1,29 @@
# SURF Toolkit risicobeoordeling
Bron: [SURF website](https://sec.surf.nl/asset/toolkit-risicobeoordeling/)
![](SURF%20Handreiking%20risicobeoordeling%202.0.pdf)
**Powerpoint voor workshop**
![Workshop slides](SURF%20risicobeoordeling%20workshop%20slides.pptx)
**Excel template risicobeoordeling**
![](../ISMS/template%20risicobeoordeling.xlsx)
Met tabbladen voor:
- Kroonjuwelen
- Risico scenario's
- Kans analyse
- Impact analyse
- Risicobereidheid
- Risico evaluatie
**Kaartjes**
![](SURF%20Toolkit%20risicobeoordeling%20kaartjes%20workshop.docx)
Workshop kaartjes voor:
- Actoren
- Motieven
- Methode
- Kwetsbaarheden
- Impact

BIN
Corpus/Standards/SURF risicobeoordeling workshop slides.pptx Normal file
View file

Binary file not shown.

BIN
Corpus/Standards/Secure Controls Framework (SCF) - 2022.1.xlsx Normal file
View file

Binary file not shown.

10
Corpus/Standards/Secure Controls Framework.md Normal file
View file

@ -0,0 +1,10 @@
# Secure Controls Framework (SCF)
Retrieved March 31, 2022 from [SCF website](https://www.securecontrolsframework.com/secure-controls-framework):
> The Secure Controls Framework (SCF) is a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems and applications. The SCF addresses both cybersecurity and privacy, so that these principles are designed to be “baked in” at the strategic, operational and tactical levels.
>
> In developing the SCF, we identified and analyzed over 100 statutory, regulatory and contractual frameworks. Through analyzing these thousands of requirements, we identified commonalities and this allows several thousand unique controls to be addressed by the controls that makeup the SCF. For instance, a requirement to maintain strong passwords is not unique, since it is required by dozens of frameworks. This allows one well-worded SCF control to address multiple requirements. This focus on simplicity and sustainability is key to the SCF, since it can enable various teams to speak the same controls language, even though they may have entirely different statutory, regulatory or contractual obligations that they are working towards.
Website: https://www.securecontrolsframework.com/
Github: https://github.com/securecontrolsframework/securecontrolsframework

144
Corpus/Standards/SurveyJS.md Normal file
View file

@ -0,0 +1,144 @@
---
tags:
- iso27DIY
- stack
- dev
---
With an open source library, Id recommend **SurveyJS** as your best option. Heres why it fits your requirements perfectly:
## SurveyJS - Best Choice for Your Use Case
SurveyJS is a free and open-source MIT-licensed JavaScript library that renders dynamic JSON-based forms with integration for React, Angular, Vue, jQuery, and Knockout, storing all data on your own servers with no limits on forms or submissions .
### Key Advantages for Your Requirements:
**1. Dynamic Question Generation**
```javascript
// Generate questions dynamically with LLM content
const surveyJson = {
pages: [{
elements: [{
type: "radiogroup",
name: "challenge",
title: await generateQuestionWithLLM(userContext),
choices: await getLLMGeneratedOptions(orgData)
}]
}]
};
```
**2. Advanced Conditional Logic**
```javascript
{
type: "text",
name: "followup",
title: "Tell us more about {challenge}",
visibleIf: "{challenge} = 'specific_option'",
// Can reference user data too
enableIf: "isUserRole('manager')"
}
```
**3. Supabase Integration**
```javascript
survey.onComplete.add(async (result) => {
await supabase.from('responses').insert({
user_id: userId,
survey_data: result.data,
completed_at: new Date()
});
});
```
**4. Personalization Support**
```javascript
// Inject user/org data into questions
survey.setValue("userName", user.name);
survey.setValue("orgSize", organization.size);
// Use in question text: "Given that {orgSize}, how would you..."
```
## Alternative: Formbricks
Formbricks is an open source surveying platform built with React, Next.js, TypeScript, and TailwindCSS that provides comprehensive logic capabilities . However, its more of a complete platform than a library you embed.
## Implementation Strategy with SurveyJS
```javascript
import { Survey } from 'survey-react-ui';
import { Model } from 'survey-core';
class DynamicSurvey {
async generateSurvey(userId, orgId) {
// 1. Fetch user/org context from Supabase
const context = await this.getContext(userId, orgId);
// 2. Generate base questions with LLM
const baseQuestions = await this.generateWithLLM(context);
// 3. Build survey JSON with conditional logic
const surveyJson = {
pages: [{
elements: baseQuestions.map(q => ({
...q,
title: this.interpolateVariables(q.title, context)
}))
}]
};
return new Model(surveyJson);
}
setupDynamicBehavior(survey, context) {
// Add dynamic question injection based on answers
survey.onValueChanged.add(async (sender, options) => {
if (options.name === 'trigger_question') {
const followup = await this.generateFollowup(
options.value,
context
);
sender.addNewPage(followup);
}
});
}
}
```
## Why SurveyJS Over Custom Solution
- **Rich question types**: 20+ built-in components
- **Mature conditional logic**: Complex expressions and branching
- **Extensible**: Custom question types and themes
- **Well-documented**: Extensive examples and API docs
- **Active development**: Regular updates and community support
- **Performance**: Optimized rendering and state management
## Database Schema Integration
```sql
-- Store dynamic survey templates
CREATE TABLE survey_templates (
id uuid PRIMARY KEY,
name text,
base_schema jsonb,
llm_prompts jsonb,
created_by uuid REFERENCES users(id)
);
-- Store completed responses
CREATE TABLE survey_responses (
id uuid PRIMARY KEY,
user_id uuid REFERENCES users(id),
template_id uuid REFERENCES survey_templates(id),
responses jsonb,
context_data jsonb,
completed_at timestamp
);
```
SurveyJS gives you the flexibility to build exactly what you need while handling the complex UI logic, validation, and state management that would take months to build from scratch.

BIN
Corpus/Standards/Understanding OCSF August 2022 v1.8 1.pdf Normal file
View file

Binary file not shown.

BIN
Corpus/Standards/Understanding OCSF August 2022 v1.8.pdf Normal file
View file

Binary file not shown.

BIN
Corpus/Standards/VNG-201907-Handreiking-Diepgaande-Risicoanalyse-methode-gemeenten-v2.2.docx Normal file
View file

Binary file not shown.

BIN
Corpus/Standards/VNG-202003-Diepgaande-Risicoanalyse-methode-gemeenten-v2.1.xlsx Normal file
View file

Binary file not shown.

37
Corpus/Standards/_Corpus-metadata.md Normal file
View file

@ -0,0 +1,37 @@
# Corpus Metadata
- All notes in this Obsidian vault need metadata.
- These metadata need to follow the [Obsidian Front Matter Syntax](../Obsidian%20Front%20Matter%20Syntax.md).
- Obsidian calls metadata variables 'Properties'
- In this Corpus we use General properties (every note should have them) and Specific properties (depending on the kind of note, can be inferred from other properties)
## General metadata
### Notetype
The `notetype` field will have one of the following values:
- `guide`: guided, hands-on lessons, learning by doing, interactive lessons
- `explanation`: background and context to the standards, paraphrases of the original standard texts, opinion, discussion, underlying principles, interpretation
- `application`: steps to solve a specific, real-world problem. Implementing the standard in real world environments, implementation aids, implementation examples, templates, etc.
- `reference`: for original standard texts, dictionaries, terms and definitions.
- `other`: for all notes that, by there content, cannot be placed in one for the previous categories.
Note:
- Notes in the iso27DIY-gis/guide folder and subfolders are typically of the `guide` type.
- Notes in iso27DIY-gis/reference and subfolders are typically of the `explanation` or `application` type.
### Language
For the `language` property we use the language code as defined in ISO 639-1.
### Status
As of yet, the only value defined for the `status` property is `active`.
## Isotags
The property `isotags`, of type list, allows any note to be linked to clauses and controls of the ISO 27001 / ISO 27002 standard, by the `id` property of the Original Standard Texts, found in `Corpus/Standards/ISO27x/OST/27001/EN` and `/Corpus/Standards/ISO27x/OST/27002/EN`, respectively.
For example, a note that needs to be linked to ISO 27001 clause 5.2 Policy, will get a value of C.5.2 added to its `isotags` list. Likewise, a note that needs to be linked to ISO 27002 control 5.15 Access control, will get a value of A.5.15 added to its `isotags` list.
## Metadata for ISO 27001 and 27002 Original Standard Texts
- The original texts of the ISO 27001 and ISO 27002 standards can be found in the OST folder and subfolders.
- These notes are tagged with “sourcetext”.
- The body of these notes must never be changed!
- Specific properties for ISO 27002 OST notes are deduced from chapter 4 of the standard ("Themes and Attributes"). They are: `theme`, `control_type`, `information_security_properties`, `cybersecurity_concepts`, `operational_capabilities`, and `security_domains`.
- For the possible values of these properties, see [Metadata - ISO 27002 Themes and Attributes](../Metadata%20-%20ISO%2027002%20Themes%20and%20Attributes.md).

2
Corpus/Standards/other/C2M2 Cybersecurity Capability Maturity.md
View file

@ -8,5 +8,5 @@ Documentation, tools, practices and self-evaluation tools can be found through [
![](C2M2%20Version%202.1%20June%202022.pdf)
Related:
- [Operational Technology](../../Sparks/Operational%20Technology.md)
- [OT Security](../../Information%20Security/OT%20Security.md)
- [IEC 62443 Cybersecurity for operational technology in automation and control systems](IEC%2062443%20Cybersecurity%20for%20operational%20technology%20in%20automation%20and%20control%20systems.md)

2
Corpus/Standards/other/Infosec frameworks and regulations.md
View file

@ -21,7 +21,7 @@ See also:
- [ISO 27k family](../../../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md)
- [ISO_27001_2013_EN_Index](../ISO27x/legacy/ISO%2027001%202013/ISO_27001_2013_EN_Index.md)
- [ISO_27001_2017_NL_Index](../ISO27x/legacy/ISO%2027001%202017%20NL/ISO_27001_2017_NL_Index.md)
- [ISO_27001_2022_00_MoC Index EXT](../../MoCs/ISO_27001_2022_00_MoC%20Index%20EXT.md)
- [ISO_27001_2022_Index EXT](../ISO27x/ISO_27001_2022_Index%20EXT.md)
- [ISO_27002_2022_NL_Index](../ISO27x/OST/ISO_27002_2022_NL_Index.md)
- [ISO31000-5.4.1-Understanding-the-organization-and-its-context](../ISO27x/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
- [NEN7510 Risicos](../ISO27x/OST/7510/NEN7510%20Risicos.md)

2
Corpus/Standards/other/OWASP Top 10 CI-CD Security Risks.md
View file

@ -27,4 +27,4 @@ Laatste retrieval date: 5 februari 2025
[CICD-SEC-10](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-10-Insufficient-Logging-And-Visibility): Insufficient Logging and Visibility
related: [Risk management](../../Sparks/Risk%20management.md)
related: [Risk management](../../Information%20Security/Risks/Risk%20management.md)

4
Corpus/Standards/other/Privacy frameworks list.md
View file

@ -2,9 +2,9 @@
[BC_5701_Hoofstukken_Normtekst](../BC%205701/BC_5701_Hoofstukken_Normtekst.md)
[NIST Privacy Framework (PF)](../NIST/NIST%20Privacy%20Framework%20(PF).md)
[Privacy in ISO 27k](../../Literature%20notes/Privacy%20in%20ISO%2027k.md)
[Privacy in ISO 27k](../ISO27x/Privacy%20in%20ISO%2027k.md)
Related:
- [Privacy protection in Databases](../../Sparks/Privacy%20protection%20in%20Databases.md)
- [Privacy protection in Databases](../../../Content%20Factory/Scratch%20file/Privacy%20protection%20in%20Databases.md)
- [ISO 27001 A.18.1.4 Privacy and protection of personally identifiable information](../ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.18.1.4%20Privacy%20and%20protection%20of%20personally%20identifiable%20information.md)

6
Corpus/Standards/other/SCF Risk Categories for Establishing a Risk Catalog.md
View file

@ -10,7 +10,7 @@ More detail in Security & Privacy Risk Management Model (SP-RMM) Overview
Related:
- [Secure Controls Framework](../../Literature%20notes/Secure%20Controls%20Framework.md)
- [Risk analysis](../../Sparks/Risk%20analysis.md)
- [Risk inventories](../../Sparks/Risk%20inventories.md)
- [Secure Controls Framework](../Secure%20Controls%20Framework.md)
- [Risk analysis methods](../../ISMS/Risk%20analysis%20methods.md)
- [Risk inventories](../../Information%20Security/Risks/Risk%20inventories.md)

4
Corpus/Standards/other/SCF Threat Categories for Establishing a Threat Catalog.md
View file

@ -6,8 +6,8 @@ https://securecontrolsframework.com/risk-management-model/
Related:
- [Secure Controls Framework](../../Literature%20notes/Secure%20Controls%20Framework.md)
- [Threat Intelligence](../../Sparks/Threat%20Intelligence.md)
- [Secure Controls Framework](../Secure%20Controls%20Framework.md)
- [Threat Intelligence](../../Information%20Security/Threat%20Intelligence.md)
- [Assets, Vulnerabilities, Threats, Risks](../../Sparks/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)

2
Corpus/Standards/other/SP-CMM Security & Privacy maturity.md
View file

@ -1,6 +1,6 @@
## Security & Privacy: SP-CMM
The Security & Privacy Capability Maturity Model (SP-CMM) from the [Secure Controls Framework](../../Literature%20notes/Secure%20Controls%20Framework.md) takes the organizations size into consideration by having different requirements for small, medium and large organizations.
The Security & Privacy Capability Maturity Model (SP-CMM) from the [Secure Controls Framework](../Secure%20Controls%20Framework.md) takes the organizations size into consideration by having different requirements for small, medium and large organizations.
Detailed on page 21 of Secure Controls Framework Overview & Instructions, version 2022.1. ([download link](https://scf.securecontrolsframework.com/SCF_Overview_Recommended_Practices.pdf))

6
Corpus/Standards/other/Standards and Regulations for information security.md
View file

@ -1,6 +1,6 @@
[ISO 27k family](../../../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md)
[ISO_27001_2013_EN_Index](../ISO27x/legacy/ISO%2027001%202013/ISO_27001_2013_EN_Index.md)
[ISO_27001_2022_00_MoC Index EXT](../../MoCs/ISO_27001_2022_00_MoC%20Index%20EXT.md)
[ISO_27001_2022_Index EXT](../ISO27x/ISO_27001_2022_Index%20EXT.md)
[IEC 62443 Cybersecurity for operational technology in automation and control systems](IEC%2062443%20Cybersecurity%20for%20operational%20technology%20in%20automation%20and%20control%20systems.md)
**EU regulations:**
@ -23,7 +23,7 @@ Not really a standard or regulation, but excellent nonetheless, the UK's [NCSC
The NCSCs Board Toolkit helps boards to ensure that cyber resilience and risk management are embedded throughout an organisation, including its people, systems, processes and technologies.
## Cross references
- [Secure Controls Framework](../../Literature%20notes/Secure%20Controls%20Framework.md) brings a lot of those together, see their Secure Controls Framework (SCF) - 2022.1 matrix.xslx.
- [Mapping NIST Controls to ISO Standards](../../Literature%20notes/Mapping%20NIST%20Controls%20to%20ISO%20Standards.md)
- [Secure Controls Framework](../Secure%20Controls%20Framework.md) brings a lot of those together, see their Secure Controls Framework (SCF) - 2022.1 matrix.xslx.
- [Mapping NIST Controls to ISO Standards](../Mapping%20NIST%20Controls%20to%20ISO%20Standards.md)
[CSA Cloud Controls Matrix](CSA%20Cloud%20Controls%20Matrix.md)