AuditGlue/iso27DIY-MoC.md

@@ -54,6 +54,6 @@ tags:
 [Application architecture](System%20alternative/Application%20architecture.md)
 [iso27DYI architecture with LLM](System%20alternative/iso27DYI%20architecture%20with%20LLM.md)
 [iso27DIY stack deployment](System%20alternative/iso27DIY%20stack%20deployment.md)
-[SurveyJS](System%20alternative/SurveyJS.md)
+[SurveyJS](../Corpus/Standards/SurveyJS.md)
 [WeWeb Security Pre-Launch Checklist](../Corpus/ISMS/Policy%20examples/WeWeb%20Security%20Pre-Launch%20Checklist.md)
 

Corpus/ISMS/Access Control.md

@@ -1,6 +1,6 @@
 # Access Control
 
-While [authorization](../Standards/ISO27x/about/Authorization.md) is primarily concerned with establishing the policies and rules that dictate access (i.e. *what* a person or system is allowed to do), **access control** is the _system_ or _process_ that enforces those defined permissions.
+While [authorization](../Standards/ISO27x/Authorization.md) is primarily concerned with establishing the policies and rules that dictate access (i.e. *what* a person or system is allowed to do), **access control** is the _system_ or _process_ that enforces those defined permissions.
 
 See:
 - [Gedachten over rechtenstructuren](../Information%20Security/Gedachten%20over%20rechtenstructuren.md)

Corpus/ISMS/Authorization vs Access Control.md

@@ -6,7 +6,7 @@ tags:
 
 # Authorization vs. Access Control
 
-[Authorization](../Standards/ISO27x/about/Authorization.md) defines _what_ a user (or system) is allowed to do, [access control ](Access%20Control.md) is the _system_ or _process_ that enforces those defined permissions.
+[Authorization](../Standards/ISO27x/Authorization.md) defines _what_ a user (or system) is allowed to do, [access control ](Access%20Control.md) is the _system_ or _process_ that enforces those defined permissions.
 
 ## Authorization
 
@@ -23,8 +23,8 @@ tags:
 - **What it is:** Access control is the **mechanism or system that enforces the authorization policies**. It's the technical implementation that actually grants or denies access to a resource based on the authorized permissions.
 - **The "How":** It answers the question, "How is the 'what' actually applied and managed?"
 - **Enforcement:** Access control is the act of putting those policies into practice. It involves:
-    - Checking a user's identity ([Authentication](../Standards/ISO27x/about/Authentication.md)).
+    - Checking a user's identity ([Authentication](../Standards/ISO27x/Authentication.md)).
-    - Consulting the pre-defined [Authorization](../Standards/ISO27x/about/Authorization.md)authorization rules.
+    - Consulting the pre-defined [Authorization](../Standards/ISO27x/Authorization.md)authorization rules.
     - Granting or denying access to specific resources (files, applications, data, network segments, physical locations, etc.) or actions (read, write, delete, execute).
 - **Examples:**
     - An Access Control List (ACL) on a file system that specifies which users or groups can read, write, or execute a particular file.

Corpus/ISMS/Basic ISMS governance model.md

@@ -2,7 +2,7 @@
 
 A straightforward governance structure for your Information Security Management System based on ISO 27001 and ISO 27002.
 
-*Based on [Governance model for Policies and Controls](../Standards/ISO27x/about/Governance%20model%20for%20Policies%20and%20Controls.md), which contains the references to the Standard.*
+*Based on [Governance model for Policies and Controls](../Standards/ISO27x/Governance%20model%20for%20Policies%20and%20Controls.md), which contains the references to the Standard.*
 ## Policy Lifecycle: Who Does What
 
 ### Key Players

Corpus/ISMS/Business Impact Analysis (BIA).md

@@ -8,7 +8,7 @@ A Business Impact Analysis (BIA) examines the potential impacts of disruptions,
 The outcomes help to prioritize business activities and resources to enable the resumption of product and service delivery after a (major) disruption[^1].
 
 Guidelines and tooling:
-- [Guidelines for business impact analysis ISO 22317](../Standards/ISO27x/about/ISO%2022317%20Guidelines%20for%20business%20impact%20analysis.md)
+- [Guidelines for business impact analysis ISO 22317](../Standards/ISO27x/ISO%2022317%20Guidelines%20for%20business%20impact%20analysis.md)
 - [Assessing reputational risks](../Various/Assessing%20reputational%20risks.md)
 - [BIA Workshop](../Standards/ISO27x/Implementation%20Products/BIA%20Workshop.md)
 - [TLP impact matrix](Data%20classification/Traffic%20Light%20Protocol%20TLP.md)

Corpus/ISMS/Data classification/Datatags privacy oriented data classification system.md

@@ -4,7 +4,7 @@ Science. 2015101601. October 16, 2015. http://techscience.org/a/2015101601; PDF
 
 Related:
 - [ISO 27001 A 8.2 Information classification](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2%20Information%20classification.md)
-- [Privacy in ISO 27001](../../Standards/ISO27x/about/Privacy%20in%20ISO%2027001.md)
+- [Privacy in ISO 27001](../../Standards/ISO27x/Privacy%20in%20ISO%2027001.md)
 
 Sweeney et all have developed a privacy oriented data classification system with six levels:
 

Corpus/ISMS/Metrics for Information Security.md

@@ -25,4 +25,4 @@ W. Krag Brotby and Gary Hinson (PRAGMATIC Security Metrics, 2013) state metrics
 ![](../Various/Privacy/PRAGMATIC_security_metrics_examples.xlsx)
 
 Standards and Frameworks:
-- [ISO 27004](../Standards/ISO27x/about/ISO%2027004.md)
+- [ISO 27004](../Standards/ISO27x/ISO%2027004.md)

Corpus/ISMS/Risk analysis methods.md

@@ -4,9 +4,9 @@
 See also under [Threat](../📚️%20Literature%20notes/Threat.md)
 
 [Open Group Risk Analysis Standard (O-RA)](https://pubs.opengroup.org/security/o-ra/)
-[Open Group FAIR \ ISO 27005 Cookbook for Risk Assessment](../Standards/ISO27x/about/FAIR%20ISO%2027005%20Cookbook.pdf)
+[Open Group FAIR \ ISO 27005 Cookbook for Risk Assessment](../Standards/ISO27x/FAIR%20ISO%2027005%20Cookbook.pdf)
 
-[SURF Toolkit risicobeoordeling](../Standards/SURF/SURF%20Toolkit%20risicobeoordeling.md)
+[SURF Toolkit risicobeoordeling](../Standards/SURF%20Toolkit%20risicobeoordeling.md)
 	
 [](../Information%20Security/Risks/Risk_Assessment_Process.gif)
 

Corpus/ISMS/Stakeholder Analysis.md

@@ -6,4 +6,4 @@ Different stakeholders have different interests. Think of your stereotypical IT
 
 ## Related
 - [ISO 27001_OT C 4 Context of the organization](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties)
-- [ISO31000-5.4.1-Understanding-the-organization-and-its-context](../Standards/ISO27x/about/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
+- [ISO31000-5.4.1-Understanding-the-organization-and-its-context](../Standards/ISO27x/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)

Corpus/Information Security/BCP_Bedrijfscontinuïteitsplanning.md

@@ -8,7 +8,7 @@ Producten:
 ## Literatuur
 
 - BCP.mindnode op iCloud > Best Practices
-- evt. [CIS Controls](../Standards/CIS/CIS%20Controls.md) als raamwerk
+- evt. [CIS Controls](../Standards/CIS%20Controls.md) als raamwerk
 - ISO-22301-2019 'Business continuity management systems' en ISO-22313-2020 'Guidance on the use of ISO 22301'
 - [CISSP, Chapter 3](../Standards/CISSP/CISSP_OSG_Chapter_3.md)
 

Corpus/Information Security/Identification.md

@@ -3,14 +3,14 @@
 Identification is the claim of a subject of its identity. 
 
 See also:
-- [Authentication](../Standards/ISO27x/about/Authentication.md)
+- [Authentication](../Standards/ISO27x/Authentication.md)
-- [Authorization](../Standards/ISO27x/about/Authorization.md)
+- [Authorization](../Standards/ISO27x/Authorization.md)
 - [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
 
 # Identification
 Identification is the claim of a subject of its identity. 
 
 See also:
-- [Authentication](../Standards/ISO27x/about/Authentication.md)
+- [Authentication](../Standards/ISO27x/Authentication.md)
-- [Authorization](../Standards/ISO27x/about/Authorization.md)
+- [Authorization](../Standards/ISO27x/Authorization.md)
 - [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)

Corpus/Information Security/Identity and Access Management (IAM).md

@@ -8,8 +8,8 @@ An _allow policy_, also known as an _IAM policy_, defines and enforces what ro
 
 See:
 - [Identification](Identification.md) – "This is who I am"
-- [Authentication](../Standards/ISO27x/about/Authentication.md) – "This is how I prove it"
+- [Authentication](../Standards/ISO27x/Authentication.md) – "This is how I prove it"
-- [Authorization](../Standards/ISO27x/about/Authorization.md) – "... then this is what you get access to"
+- [Authorization](../Standards/ISO27x/Authorization.md) – "... then this is what you get access to"
 - [CISSP_Domain_5_1](../Standards/CISSP/CISSP_Domain_5_1.md), [CISSP_Domain_5_2](../Standards/CISSP/CISSP_Domain_5_2.md)
 - [Roles in Identity and Access Management (IAM)](Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)
 
@@ -23,7 +23,7 @@ An _allow policy_, also known as an _IAM policy_, defines and enforces what ro
 
 See:
 - [Identification](Identification.md) – "This is who I am"
-- [Authentication](../Standards/ISO27x/about/Authentication.md) – "This is how I prove it"
+- [Authentication](../Standards/ISO27x/Authentication.md) – "This is how I prove it"
-- [Authorization](../Standards/ISO27x/about/Authorization.md) – "... then this is what you get access to"
+- [Authorization](../Standards/ISO27x/Authorization.md) – "... then this is what you get access to"
 - [CISSP_Domain_5_1](../Standards/CISSP/CISSP_Domain_5_1.md), [CISSP_Domain_5_2](../Standards/CISSP/CISSP_Domain_5_2.md)
 - [Roles in Identity and Access Management (IAM)](Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)

Corpus/Information Security/Zero Trust.md

@@ -10,5 +10,5 @@ Zero trust is an approach to cybersecurity that assumes that no one is trusted b
 Zero trust can consist of monitoring all network communications, avoiding default configurations, tracking all devices, and implementing multifactor authentication.
 
 Related:
-- [Zero Trust and ISO 27001](../Standards/ISO27x/about/Zero%20Trust%20and%20ISO%2027001.md)
+- [Zero Trust and ISO 27001](../Standards/ISO27x/Zero%20Trust%20and%20ISO%2027001.md)
 - [Checklist for auditing Zero Trust approach](../Literature/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Zero%20Trust%20approach.md)

Corpus/Information Security/_Information security concepts MoC.md

@@ -15,19 +15,19 @@ tags:
 	[Assets, Vulnerabilities, Threats, Risks](📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
 [Assets, Vulnerabilities, Threats, Risks](/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
 [Attack Surface Analysis](📚️%20Literature%20notes/Attack%20Surface%20Analysis.md)
-[Authentication](../Standards/ISO27x/about/Authentication.md)
+[Authentication](../Standards/ISO27x/Authentication.md)
 	[Multi-factor authentication](/Multi-factor%20authentication.md) (MFA)
 	[Passwordless Authentication](/Passwordless%20Authentication.md)
 	[Risk-Based Authentication](/Risk-Based%20Authentication.md)
 	[Single Sign On (SSO)](📚️%20Literature%20notes/Single%20Sign%20On%20(SSO).md)
 	[Tokens](/Tokens.md)
-[Authorization](../Standards/ISO27x/about/Authorization.md)
+[Authorization](../Standards/ISO27x/Authorization.md)
 	[Access Control](/Access%20Control.md)
 [Awareness](/Awareness.md)
 [BCP_Bedrijfscontinuïteitsplanning](📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
 	[Business Impact Analysis (BIA)](/Business%20Impact%20Analysis%20(BIA).md)
 	[Disaster Recovery Planning](/Disaster%20Recovery%20Planning.md)
-[Change management Change Management in ISO 27002](../Standards/ISO27x/about/Change%20management%20Change%20Management%20in%20ISO%2027002.md)
+[Change management Change Management in ISO 27002](../Standards/ISO27x/Change%20management%20Change%20Management%20in%20ISO%2027002.md)
 [Classification](/Classification.md)
 [Compliance](/Compliance.md)
 [Data Breach](💡Permanent%20ideas/Data%20Breach.md)
@@ -39,10 +39,10 @@ Frameworks
 [[Hardening]]
 [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
 	[Identification](Identification.md)
-	[Authentication](../Standards/ISO27x/about/Authentication.md)
+	[Authentication](../Standards/ISO27x/Authentication.md)
-	[Authorization](../Standards/ISO27x/about/Authorization.md)
+	[Authorization](../Standards/ISO27x/Authorization.md)
 Impact
-	[Change management Change Management in ISO 27002](../Standards/ISO27x/about/Change%20management%20Change%20Management%20in%20ISO%2027002.md)
+	[Change management Change Management in ISO 27002](../Standards/ISO27x/Change%20management%20Change%20Management%20in%20ISO%2027002.md)
 	[Impact of Disruption](Sparks/Impact%20of%20Disruption.md)
 [Incidents](/Incidents.md)
 [Maturity Models](📚️%20Literature%20notes/Maturity%20Models.md)

Corpus/Literature/Checklists Gerardus Blokdyk/Checklist for auditing GRC.md

@@ -9,7 +9,7 @@ Relevant ISO 27001 clauses/controls:
 
 Related:
 [External audits](../../Sparks/External%20audits.md)
-[ISO 27001 audit process](../../Standards/ISO27x/about/ISO%2027001%20audit%20process.md)
+[ISO 27001 audit process](../../Standards/ISO27x/ISO%2027001%20audit%20process.md)
 
 
 1.  Can you assess the impact any pending regulatory change will have on your business including governance, compliance and risk management frameworks?

Corpus/Standards/CIS Controls.md

@@ -31,7 +31,7 @@ IG3 assets contain sensitive information or functions that are subject to regula
 Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
 
 
-![](../../ISMS/Asset%20classes.png)
+![](../ISMS/Asset%20classes.png)
 Source: CIS Controls v8.1 PDF, pp 8-12
 
 ![](CIS%20Controls%20and%20Safeguards.png)

Corpus/Standards/ISO27x/Authentication.md

@@ -0,0 +1,12 @@
+# Authentication
+Authentication is the proof of identity that is achieved through providing credentials to the access control mechanism. 
+
+
+
+See also:
+- [a-8.5-Secure-authentication](OST/27002/EN/a-8.5-Secure-authentication.md)
+- [Authentication Methods Used for Network Security](../../Information%20Security/Authentication%20Methods%20Used%20for%20Network%20Security.md)
+- [Identity and Access Management (IAM)](../../Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
+- [Authorization](Authorization.md)
+- [Identification](../../Information%20Security/Identification.md)
+

Corpus/Standards/ISO27x/Authorization.md

@@ -0,0 +1,13 @@
+# Authorization
+Authorization is the mechanism that determines the access level(s) of the subjects to the objects.
+
+See also:
+- [Authorization vs Access Control](../../ISMS/Authorization%20vs%20Access%20Control.md)
+- [Access Control Models](../../ISMS/Access%20Control%20Models.md)
+- [Authentication](Authentication.md)
+- [Identification](../../Information%20Security/Identification.md)
+- [CASSM Consumer Authentication Strength Maturity Model](../../Information%20Security/CASSM%20Consumer%20Authentication%20Strength%20Maturity%20Model.md)
+- [Identity and Access Management (IAM)](../../Information%20Security/Identity%20and%20Access%20Management%20(IAM).md)
+- [a-5.15-Access-control](OST/27002/EN/a-5.15-Access-control.md) ???
+
+

Corpus/Standards/ISO27x/Governance model for Policies and Controls.md

@@ -2,7 +2,7 @@
 
 Based on ISO 27001 and ISO 27002, a governance model for your ISMS should be structured around **Top Management's accountability** while delegating the **tactical execution** to specific information security roles.
 
-*See [Basic ISMS governance model](../../../ISMS/Basic%20ISMS%20governance%20model.md) for a compacted version*
+*See [Basic ISMS governance model](../../ISMS/Basic%20ISMS%20governance%20model.md) for a compacted version*
 ## Related to the Policies Lifecycle
 
 Here is a suggested governance model mapping the lifecycle of security policies (commissioning, drafting, approving, etc.) to the specific roles mandated by the standards.
@@ -16,7 +16,7 @@ In the ISO 27001 framework, Top Management holds the ultimate accountability. Th
 - **Signing Off / Approving:** They must formally approve the information security policy. Any changes to the high-level policy must also be approved by them.
 - **Resourcing:** They are responsible for ensuring the resources needed for the ISMS are available.
 
-– see [C.5.1](../../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), [A.5.1](../legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)
+– see [C.5.1](../../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), [A.5.1](legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)
 ### **2. Information Security Manager / Competent Personnel**
 
 **Primary Mandate:** _Drafting, Advising, and Reviewing._
@@ -58,7 +58,7 @@ To operationalize this model, you can organize your governance activities into t
 | **5. Communicating** | **Security Manager/HR** publishes the policy in a format accessible to all employees and relevant external parties.                                                                                |
 | **6. Acknowledging** | **All Personnel** sign or digitally acknowledge that they have read and understood the policy.                                                                                                     |
 | **7. Reviewing**     | **Security Manager** re-evaluates the policy at planned intervals or after significant changes (e.g., a security incident).                                                                        |
-These can be deducted from [C.5.1](../../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), [A.5.1](../legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md), C.0.1, and C.0.2
+These can be deducted from [C.5.1](../../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md), [A.5.1](legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md), C.0.1, and C.0.2
 
 ### **Analogy: The Legislative Process**
 

Corpus/Standards/ISO27x/ISO 27001 Eigenaarschap van Documentatie.md

@@ -6,7 +6,7 @@ De norm geeft specifieke richtlijnen over waar de verantwoordelijkheid voor de v
 
 **1. Het overkoepelende Informatiebeveiligingsbeleid** Dit is het document op het hoogste niveau. De norm eist expliciet dat de verantwoordelijkheid voor het vaststellen en goedkeuren van dit beleid uitsluitend bij het **topmanagement (de directie)** ligt.
 
-**2. Onderwerpspecifieke beleidsregels** Voor meer gedetailleerde of specifieke beleidsregels (zoals beleid voor toegangsbeveiliging, cryptografie of werken op afstand) ligt de verantwoordelijkheid voor het ontwikkelen, beoordelen en goedkeuren bij **relevant personeel op basis van een passend bevoegdheidsniveau en technische bekwaamheid**. Dit betekent dat het eigenaarschap hier doorgaans bij de systeemeigenaren, security officers of afdelingsmanagers ligt (het "passende managementniveau", zie [A.5.1](../legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)).
+**2. Onderwerpspecifieke beleidsregels** Voor meer gedetailleerde of specifieke beleidsregels (zoals beleid voor toegangsbeveiliging, cryptografie of werken op afstand) ligt de verantwoordelijkheid voor het ontwikkelen, beoordelen en goedkeuren bij **relevant personeel op basis van een passend bevoegdheidsniveau en technische bekwaamheid**. Dit betekent dat het eigenaarschap hier doorgaans bij de systeemeigenaren, security officers of afdelingsmanagers ligt (het "passende managementniveau", zie [A.5.1](legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md)).
 
 **3. Gedocumenteerde bedieningsprocedures** Voor werkinstructies en bedieningsprocedures (zoals omschreven in [A.5.37](../../MoCs/ISO_27002_2022_5.37_MoC%20Documented%20operating%20procedures.md)) eist de norm dat in de documentatie zélf expliciet wordt gespecificeerd **welke personen verantwoordelijk zijn** voor de in de procedure beschreven activiteiten.
 

Corpus/Standards/ISO27x/ISO 27001 Leadership Responsibilities.md

@@ -25,7 +25,7 @@ Top management is responsible for establishing an information security policy th
 - **Approval:** The policy must be formally approved by top management.
 - **Changes:** Any changes to the policy must be approved by top management.
 
-This is described in [Clause 5.2](../../MoCs/ISO_27001_2022_5.2_MoC%20Policy.md) and [Control 5.1](../legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md).
+This is described in [Clause 5.2](../../MoCs/ISO_27001_2022_5.2_MoC%20Policy.md) and [Control 5.1](legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md).
 ### 3. Organizational Roles and Authorities (ISO 27001)
 
 Top management must ensure that responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization. specifically, they must assign the responsibility and authority for:

Corpus/Standards/ISO27x/ISO 27k standards overview.md

@@ -0,0 +1,54 @@
+---
+tags:
+  - iso27001
+  - iso27002
+  - type/MoC
+  - nen7510
+---
+# ISO and NEN security standards
+## ISO 27001 & 27002
+
+Indexes:
+- [ISO 27001:2022 EN](ISO_27001_2022_Index.md)
+- [ISO 27002:2022 EN](ISO_27001_2022_Index%20EXT.md) – Includes references to 2013 version!
+- [ISO 27001:2023 NL](OST/ISO_27001_2023_NL_Index.md)
+- [ISO 27002:2022 NL](OST/ISO_27002_2022_NL_Index.md)
+- [Vertaaltabel Engels-Nederlands](ISO_27002_2022_Vertaaltabel_Engels_Nederlands.md)
+
+EN source tekst:
+- ISO 27001:2022 [PDF](OST/27001/EN/ISO_27001_2022_EN.pdf)
+- ISO 27002:2022 [PDF](OST/27002/EN/ISO_27002_2022_EN.pdf)
+
+NL brontekst:
+- ISO 27001:2023 [PDF](OST/27001/NL/ISO_27001_2023_NL_PDF.md)
+- ISO 27002:2022 [PDF](OST/ISO_27002_2022_NL_PDF.md)
+
+
+See also:
+- [Plain English ISO IEC 27002 2005 from Praxiom](https://www.praxiom.com/iso-17799-objectives.htm)
+- [Changes in ISO 27001:2022 (table)](OST/27001/Detailed%20comparison%20between%202017%20and%202022.md)
+- [[ISO 27002 2022 What's New]]
+- [ISO_27001_2023_NL_Aanpassingen](OST/ISO_27001_2023_NL_Aanpassingen.md)
+- [Changes in ISO 27001_2022_Advisera](../../../../iso27DIY-gis/reference/Changes%20in%20ISO%2027001_2022_Advisera.md)
+- [IBB op hoofdlijnen](OST/IBB%20op%20hoofdlijnen.md)
+- [ISO 27001 2023 Processen en Artefacten](OST/ISO%2027001%202023%20Processen%20en%20Artefacten.md)
+- [Advised Documents for ISO 27001](../../../../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md)
+- [Types of Controls](Types%20of%20Controls.md)
+
+Depreciated:
+[ISO_27001_2013_EN_Index](legacy/ISO%2027001%202013/ISO_27001_2013_EN_Index.md)
+[ISO_27001_2017_NL_Index](legacy/ISO%2027001%202017%20NL/ISO_27001_2017_NL_Index.md)
+
+## Related ISO standards
+- [ISO 27k family](../../../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md)
+	- [ISO 27000](ISO%2027000%20MoC.md)
+	- [ISO 27005](ISO%2027005.md)
+- NEN 7510
+	- [NEN 7510-1:2024](OST/7510/NEN7510_2024_NL_1.md)
+	- [NEN 7510-2:2024](OST/7510/NEN7510_2024_NL_2.md)
+	- [NEN 7510-1:2024 Bijlage A](OST/7510/NEN7510_2024_NL_1_A.md)
+	- [NEN 7510-1:2024 Bijlage B](OST/7510/NEN7510_2024_NL_1_B.md)
+	- [NEN 7510-1:2024 Bijlage C](OST/7510/NEN7510_2024_NL_1_C.md)
+	- [NEN 7510-1:2024 vs. ISO 27001:2022](OST/7510/NEN%207510%20vs%20ISO%2027001.md)
+	- [Lijst met relevante risico's](OST/7510/NEN7510%20Risicos.md)
+

Corpus/Standards/ISO27x/ISO_27001_2022_Index EXT.md

@@ -15,7 +15,7 @@
 | 4.2     | [[ISO_27002_OT_4.2 Themes and attributes                                                         \| Themes and attributes                                                ]] |                                |
 | 4.3     | [[ISO_27002_OT_4.3 Control layout                                                                \| Control layout                                                       ]] |                                |
 | **5**   | **Organizational controls**                                                                                                                                                 |                                |
-| 5.1     | [Policies for information security                                     ](../legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md) | 05.1.1, 05.1.2                 |
+| 5.1     | [Policies for information security                                     ](legacy/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md) | 05.1.1, 05.1.2                 |
 | 5.2     | [Information security roles and responsibilities                       ](../../MoCs/ISO_27002_2022_5.2_MoC%20Information%20security%20roles%20and%20responsibilities.md) | 06.1.1                         |
 | 5.3     | [Segregation of duties                                                 ](../../MoCs/ISO_27002_2022_5.3_MoC%20Segregation%20of%20duties.md) | 06.1.2                         |
 | 5.4     | [Management responsibilities                                           ](../../MoCs/ISO_27002_2022_5.4_MoC%20Management%20responsibilities.md) | 07.2.1                         |
@@ -31,7 +31,7 @@
 | 5.14    | [Information transfer                                                  ](../../MoCs/ISO_27002_2022_5.14_MoC%20Information%20transfer.md) | 13.2.1, 13.2.2, 13.2.3         |
 | 5.15    | [Access control                                                        ](../../MoCs/ISO_27002_2022_5.15_MoC%20Access%20control.md) | 09.1.1, 09.1.2                 |
 | 5.16    | [Identity management                                                   ](../../MoCs/ISO_27002_2022_5.16_MoC%20Identity%20management.md) | 09.2.1                         |
-| 5.17    | [Authentication information                                            ](../../../Information%20Security/Authentication%20information.md) | 09.2.4, 09.3.1, 09.4.3         |
+| 5.17    | [Authentication information                                            ](../../Information%20Security/Authentication%20information.md) | 09.2.4, 09.3.1, 09.4.3         |
 | 5.18    | [Access rights                                                         ](../../MoCs/ISO_27002_2022_5.18_MoC%20Access%20rights.md) | 09.2.2, 09.2.5, 09.2.6         |
 | 5.19    | [Information security in supplier relationships                        ](../../MoCs/ISO_27002_2022_5.19_MoC%20Information%20security%20in%20supplier%20relationships.md) | 15.1.1                         |
 | 5.20    | [Addressing information security within supplier agreements            ](../../MoCs/ISO_27002_2022_5.20_MoC%20Addressing%20information%20security%20within%20supplier%20agreements.md) | 15.1.2                         |
@@ -44,7 +44,7 @@
 | 5.27    | [Learning from information security incidents                          ](../../MoCs/ISO_27002_2022_5.27_MoC%20Learning%20from%20information%20security%20incidents.md) | 16.1.6                         |
 | 5.28    | [Collection of evidence                                                ](../../MoCs/ISO_27002_2022_5.28_MoC%20Collection%20of%20evidence.md) | 16.1.7                         |
 | 5.29    | [Information security during disruption                                ](../../MoCs/ISO_27002_2022_5.29_MoC%20Information%20security%20during%20disruption.md) | 17.1.1, 17.1.2, 17.1.3         |
-| 5.30    | [ICT readiness for business continuity                                 ](../../../Information%20Security/ICT%20readiness%20for%20business%20continuity.md) | New                            |
+| 5.30    | [ICT readiness for business continuity                                 ](../../Information%20Security/ICT%20readiness%20for%20business%20continuity.md) | New                            |
 | 5.31    | [Legal, statutory, regulatory and contractual requirements             ](../../MoCs/ISO_27002_2022_5.31_MoC%20Legal,%20statutory,%20regulatory%20and%20contractual%20requirements.md) | 18.1.1, 18.1.5                 |
 | 5.32    | [Intellectual property rights                                          ](../../MoCs/ISO_27002_2022_5.32_MoC%20Intellectual%20property%20rights.md) | 18.1.2                         |
 | 5.33    | [Protection of records                                                 ](About%20A-5.33%20Protection%20of%20records.md) | 18.1.3                         |

Corpus/Standards/ISO27x/ISO_27001_2022_Index.md

@@ -0,0 +1,52 @@
+#iso27001/2022/EN
+# ISO 27001:2022 EN Index
+
+| Clause                                   | Title                                                                                                                                                                          |
+| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **F**                                    | **[Foreword](../ISO-27001-OST/ISO27001-EN-2022/ISO_27001_OT%20F%20Foreword.md)**                                                                                                                                      |
+| **0**                                    | **[Introduction](../ISO-27001-OST/ISO27001-EN-2022/c-0-Introduction.md)**                                                                                                                         |
+| **1**                                    | **[Scope](../ISO-27001-OST/ISO27001-EN-2022/c-1-Scope.md)**                                                                                                                                       |
+| **2**                                    | **[Normative references](../ISO-27001-OST/ISO27001-EN-2022/c-2-Normative-references.md)**                                                                                                         |
+| **3**                                    | **[Terms and definitions](../ISO-27001-OST/ISO27001-EN-2022/ISO_27001_OT%20Terms%20and%20definitions.md)**                                                                                                              |
+| **4**                                    | **[Context of the organization](ISO_27001_2022_4_MoC%20Context%20of%20the%20organization.md)**                                                                                          |
+| 4.1                                      | [Understanding the organization and its context                               ](../../MoCs/ISO_27001_2022_4.1_MoC%20Understanding%20the%20organization%20and%20its%20context.md) |
+| 4.2                                      | [Understanding the needs and expectations of interested parties               ](../../MoCs/ISO_27001_2022_4.2_MoC%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md) |
+| 4.3                                      | [Determining the scope of the information security management system          ](../../MoCs/ISO_27001_2022_4.3_MoC%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system.md) |
+| 4.4                                      | [Information security management system                                       ](../../MoCs/ISO_27001_2022_4.4_MoC%20Information%20security%20management%20system.md) |
+| **5**                                    | **[Leadership](../../MoCs/ISO_27001_2022_5_MoC%20Leadership.md)**                                                                                                                            |
+| 5.1                                      | [Leadership and commitment                                                    ](../../MoCs/ISO_27001_2022_5.1_MoC%20Leadership%20and%20commitment.md) |
+| 5.2                                      | [Policy                                                                       ](../../MoCs/ISO_27001_2022_5.2_MoC%20Policy.md) |
+| 5.3                                      | [Organizational roles, responsibilities and authorities                       ](../../MoCs/ISO_27001_2022_5.3_MoC%20Organizational%20roles,%20responsibilities%20and%20authorities.md) |
+| **6**                                    | **[Planning](../../MoCs/ISO_27001_2022_6_MoC%20Planning.md)**                                                                                                                                |
+| 6.1                                      | [Actions to address risks and opportunities                                   ](../../MoCs/ISO_27001_2022_6.1_MoC%20Actions%20to%20address%20risks%20and%20opportunities.md) |
+| 6.1.1                                    | [General                                                                      ](../../MoCs/ISO_27001_2022_6.1.1_MoC%20General.md)                                                            |
+| 6.1.2                                    | [Information security risk assessment                                         ](../../ISMS/Qualifying%20vs%20quantifying%20risks.md)                               |
+| 6.1.3                                    | [Information security risk treatment                                          ](../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md)                                |
+| 6.2                                      | [Information security objectives and planning to achieve them                 ](../../MoCs/ISO_27001_2022_6.2_MoC%20Information%20security%20objectives%20and%20planning%20to%20achieve%20them.md) |
+| 6.3                                      | [Planning of changes                                                          ](../../MoCs/ISO_27001_2022_6.3_MoC%20Planning%20of%20changes.md) |
+| **7**                                    | **[Support](../../MoCs/ISO_27001_2022_7_MoC%20Support.md)**                                                                                                                                  |
+| 7.1                                      | [ Resources                                                                   ](../../MoCs/ISO_27001_2022_7.1_MoC%20Resources.md) |
+| 7.2                                      | [ Competence                                                                  ](../../MoCs/ISO_27001_2022_7.2_MoC%20Competence.md) |
+| 7.3                                      | [ Awareness                                                                   ](../../MoCs/ISO_27001_2022_7.3_MoC%20Awareness.md) |
+| 7.4                                      | [ Communication                                                               ](../../MoCs/ISO_27001_2022_7.4_MoC%20Communication.md) |
+| 7.5                                      | [ Documented information                                                      ](../../MoCs/ISO_27001_2022_7.5_MoC%20Documented%20information.md) |
+| 7.5.1                                    | General ↑                                                                                                                                                                      |
+| 7.5.2                                    | Creating and updating ↑                                                                                                                                                        |
+| 7.5.3                                    | Control of documented information ↑                                                                                                                                            |
+| **8**                                    | **[Operation](../../MoCs/ISO_27001_2022_8_MoC%20Operation.md)**                                                                                                                              |
+| 8.1                                      | [Operational planning and control                                             ](../../MoCs/ISO_27001_2022_8.1_MoC%20Operational%20planning%20and%20control.md) |
+| 8.2                                      | [Information security risk assessment                                         ](../../MoCs/ISO_27001_2022_8.2_MoC%20Information%20security%20risk%20assessment.md) |
+| 8.3                                      | [Information security risk treatment                                          ](../../MoCs/ISO_27001_2022_8.3_MoC%20Information%20security%20risk%20treatment.md) |
+| **9**                                    | **[Performance evaluation](../../MoCs/ISO_27001_2022_9_MoC%20Performance%20evaluation.md)**                                                                                                    |
+| 9.1                                      | [Monitoring, measurement, analysis and evaluation                             ](../../MoCs/ISO_27001_2022_9.1_MoC%20Monitoring,%20measurement,%20analysis%20and%20evaluation.md) |
+| 9.2                                      | [Internal audit                                                               ](../../MoCs/ISO_27001_2022_9.2_MoC%20Internal%20audit.md) |
+| 9.2.1                                    | General ↑                                                                                                                                                                      |
+| 9.2.2                                    | Internal audit programme ↑                                                                                                                                                     |
+| 9.3                                      | [Management review                                                            ](../../MoCs/ISO_27001_2022_9.3_MoC%20Management%20review.md) |
+| 9.3.1                                    | General ↑                                                                                                                                                                      |
+| 9.3.2                                    | Management review inputs ↑                                                                                                                                                     |
+| 9.3.3                                    | Management review results ↑                                                                                                                                                    |
+| **10**                                   | **[Improvement](../../MoCs/ISO_27001_2022_10_MoC%20Improvement.md)**                                                                                                                         |
+| 10.1                                     | [Continual improvement                                                        ](../../MoCs/ISO_27001_2022_10.1_MoC%20Continual%20improvement.md) |
+| 10.2                                     | [Nonconformity and corrective action                                          ](../../MoCs/ISO_27001_2022_10.2_MoC%20Nonconformity%20and%20corrective%20action.md) |
+| **[Annex A](ISO_27001_2022_Index%20EXT.md)** | **Information security controls reference**                                                                                                                                    |

Corpus/Standards/ISO27x/Implementation Products/Informatiebeveiligingsbeleid ISO 27001.md

@@ -13,7 +13,7 @@
 | Volgende herzieningsdatum | [Datum]                            |
 | Status                    | [Concept/Goedgekeurd]              |
   
-*Noot: Oorspronkelijke versie gebaseerd op ISO/IEC 27001:2013; [Nieuwe beheersmaatregelen in ISO 27001-2022](../about/Nieuwe%20beheersmaatregelen%20in%20ISO%2027001-2022.md) zijn hierin verwerkt.*
+*Noot: Oorspronkelijke versie gebaseerd op ISO/IEC 27001:2013; [Toevoegingen IBB ISO27001-2022](../Toevoegingen%20IBB%20ISO27001-2022.md) zijn hierin verwerkt.*
 
 ## Inhoudsopgave 
 

Corpus/Standards/ISO27x/MoC Roles and responsibilities in ISO 27001.md

@@ -0,0 +1,19 @@
+# MoC Roles and responsibilities in ISO 27001
+
+**See**:
+
+Recent:
+- [Explicitly mentioned roles in ISO 27001](Explicitly%20mentioned%20roles%20in%20ISO%2027001.md)
+- [ISO 27001 Leadership Responsibilities](ISO%2027001%20Leadership%20Responsibilities.md)
+- [ISO 27001 Top Management responsibilities](ISO%2027001%20Top%20Management%20responsibilities.md)
+- [Governance model for Policies and Controls](Governance%20model%20for%20Policies%20and%20Controls.md)
+- [Basic ISMS governance model](../../ISMS/Basic%20ISMS%20governance%20model.md)
+- [m400-more-governance](../../../../iso27DIY-gis/guide/m400/m400-more-governance.md)
+
+Older:
+- [Roles and Responsibilities](../../ISMS/Roles%20and%20Responsibilities.md)
+- [Risk ownership](../../Information%20Security/Risks/Risk%20ownership.md)
+- [Ideas on Risk Ownership](../../ISMS/Ideas%20on%20Risk%20Ownership.md)
+- [Asset ownership](../../Sparks/Asset%20ownership.md)
+- [Procuratieregeling](../../Various/Procuratieregeling.md)
+- [Control ownership](../../ISMS/Control%20ownership.md)

Corpus/Standards/ISO27x/OST/27001/Detailed comparison between 2017 and 2022.md

@@ -2,7 +2,7 @@
 
 According to [Mark Bernard](https://www.linkedin.com/posts/markesbernard_the-changes-to-isoiec-27001-isms-are-not-activity-7344467878198329344-nZN7) , 28 juni 2025, "The changes to ISO/IEC 27001 ISMS are not straightforward. Some believe that the total number of controls was reduced; however, the truth is that new controls were added while existing controls were consolidated and streamlined."
 
-![](../../about/Changes%20in%20ISO%2027001-2022%20table.jpeg)
+![](../../Changes%20in%20ISO%2027001-2022%20table.jpeg)
 
 
 ## New ISMS Control Objectives - ISO 27001:2022 CLAUSE 4 TO 10

Corpus/Standards/ISO27x/OST/27001/EN/c-3-Terms-and-definitions.md

@@ -15,4 +15,4 @@ status: active
 For the purposes of this document, the terms and definitions given in
 ISO/IEC 27000 apply.
 
-[ISO 27000 MoC](../../../about/ISO%2027000%20MoC.md)
+[ISO 27000 MoC](../../../ISO%2027000%20MoC.md)

Corpus/Standards/ISO27x/OST/27001/EN/c-4.1-Understanding-the-organization-and-its-context.md

@@ -15,5 +15,5 @@ status: active
 
 The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
 
-NOTE Determining these issues refers to establishing the external and internal context of the organization considered in [Clause 5.4.1](../../../about/ISO31000-5.4.1-Understanding-the-organization-and-its-context.md) of ISO 31000:2018.
+NOTE Determining these issues refers to establishing the external and internal context of the organization considered in [Clause 5.4.1](../../../ISO31000-5.4.1-Understanding-the-organization-and-its-context.md) of ISO 31000:2018.
 

Corpus/Standards/ISO27x/OST/Index to the original texts of ISO 27001.md

@@ -1,53 +1,53 @@
 # Index to the original texts of ISO 27001
 2022 version
 
-| Clause      | Title                                                                                                                                                                  |
+| Clause      | Title                                                                                                                                                                                                                             |
-| ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **F**       | **[Foreword](27001/EN/c-f-Foreword.md)**                                                                                                                               |
+| **F**       | **[Foreword](27001/EN/c-f-Foreword.md)**                                                                                                                |
 | **0**       | **[Introduction](27001/EN/c-0-Introduction.md)**                                                                                                                       |
 | **1**       | **[Scope](27001/EN/c-1-Scope.md)**                                                                                                                                     |
 | **2**       | **[Normative references](27001/EN/c-2-Normative-references.md)**                                                                                                       |
 | **3**       | **[Terms and definitions](27001/EN/c-3-Terms-and-definitions.md)**                                                                                                     |
-| **4**       | **Context of the organization**                                                                                                                                        |
+| **4**       | **Context of the organization**                                                                                                                                                                                                   |
 | 4.1         | [Understanding the organization and its context                               ](27001/EN/c-4.1-Understanding-the-organization-and-its-context.md)                      |
 | 4.2         | [Understanding the needs and expectations of interested parties               ](27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md)      |
 | 4.3         | [Determining the scope of the information security management system          ](27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md) |
 | 4.4         | [Information security management system                                       ](27001/EN/c-4.4-Information-security-management-system.md)                              |
-| **5**       | **Leadership**                                                                                                                                                         |
+| **5**       | **Leadership**                                                                                                                                                                                                                    |
 | 5.1         | [Leadership and commitment                                                    ](27001/EN/c-5.1-Leadership-and-commitment.md)                                           |
 | 5.2         | [Policy                                                                       ](27001/EN/c-5.2-Policy.md)                                                              |
 | 5.3         | [Organizational roles, responsibilities and authorities                       ](27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md)               |
-| **6**       | **Planning**                                                                                                                                                           |
+| **6**       | **Planning**                                                                                                                                                                                                                      |
-| 6.1         | Actions to address risks and opportunities *(no content)*                                                                                                              |
+| 6.1         | Actions to address risks and opportunities *(no content)*                                                                                                                                                                         |
 | 6.1.1       | [General                                                                      ](27001/EN/c-6.1.1-General.md)                                                           |
 | 6.1.2       | [Information security risk assessment                                         ](27001/EN/c-6.1.2-Information-security-risk-assessment.md)                              |
 | 6.1.3       | [Information security risk treatment                                          ](27001/EN/c-6.1.3-Information-security-risk-treatment.md)                               |
 | 6.2         | [Information security objectives and planning to achieve them                 ](27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md)        |
 | 6.3         | [Planning of changes                                                          ](27001/EN/c-6.3-Planning-of-changes.md)                                                 |
-| **7**       | **Support**                                                                                                                                                            |
+| **7**       | **Support**                                                                                                                                                                                                                       |
 | 7.1         | [ Resources                                                                   ](27001/EN/c-7.1-Resources.md)                                                           |
 | 7.2         | [ Competence                                                                  ](27001/EN/c-7.2-Competence.md)                                                          |
 | 7.3         | [ Awareness                                                                   ](27001/EN/c-7.3-Awareness.md)                                                           |
 | 7.4         | [ Communication                                                               ](27001/EN/c-7.4-Communication.md)                                                       |
 | 7.5         | [ Documented information                                                      ](27001/EN/c-7.5-Documented-information.md)                                              |
-| 7.5.1       | General ↑                                                                                                                                                              |
+| 7.5.1       | General ↑                                                                                                                                                                                                                         |
-| 7.5.2       | Creating and updating ↑                                                                                                                                                |
+| 7.5.2       | Creating and updating ↑                                                                                                                                                                                                           |
-| 7.5.3       | Control of documented information ↑                                                                                                                                    |
+| 7.5.3       | Control of documented information ↑                                                                                                                                                                                               |
-| **8**       | **Operation**                                                                                                                                                          |
+| **8**       | **Operation**                                                                                                                                                                                                                     |
 | 8.1         | [Operational planning and control                                             ](27001/EN/c-8.1-Operational-planning-and-control.md)                                    |
 | 8.2         | [Information security risk assessment                                         ](27001/EN/c-8.2-Information-security-risk-assessment.md)                                |
 | 8.3         | [Information security risk treatment                                          ](27001/EN/c-8.3-Information-security-risk-treatment.md)                                 |
-| **9**       | **Performance evaluation**                                                                                                                                             |
+| **9**       | **Performance evaluation**                                                                                                                                                                                                        |
 | 9.1         | [Monitoring, measurement, analysis and evaluation                             ](27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md)                      |
 | 9.2         | [Internal audit                                                               ](27001/EN/c-9.2-Internal-audit.md)                                                      |
-| 9.2.1       | General ↑                                                                                                                                                              |
+| 9.2.1       | General ↑                                                                                                                                                                                                                         |
-| 9.2.2       | Internal audit programme ↑                                                                                                                                             |
+| 9.2.2       | Internal audit programme ↑                                                                                                                                                                                                        |
 | 9.3         | [Management review                                                            ](27001/EN/c-9.3-Management-review.md)                                                   |
-| 9.3.1       | General ↑                                                                                                                                                              |
+| 9.3.1       | General ↑                                                                                                                                                                                                                         |
-| 9.3.2       | Management review inputs ↑                                                                                                                                             |
+| 9.3.2       | Management review inputs ↑                                                                                                                                                                                                        |
-| 9.3.3       | Management review results ↑                                                                                                                                            |
+| 9.3.3       | Management review results ↑                                                                                                                                                                                                       |
-| **10**      | **Improvement**                                                                                                                                                        |
+| **10**      | **Improvement**                                                                                                                                                                                                                   |
 | 10.1        | [Continual improvement                                                        ](27001/EN/c-10.1-Continual-improvement.md)                                              |
 | 10.2        | [Nonconformity and corrective action                                          ](27001/EN/c-10.2-Nonconformity-and-corrective-action.md)                                |
-| **Annex A** | **[Information security controls reference                                     ](ISO_27002_2022_EN_Index.md)**                                                         |
+| **Annex A** | **[Information security controls reference                                     ](Index%20to%20the%20original%20texts%20of%20ISO%2027002.md)**                                                                                     |
 

Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E02a - Risk assessment and analysis.md

@@ -32,7 +32,7 @@ A very important thing to bring up early, is **risk ownership**. We need to be c
 
 As an auditor I expect to see a clearly defined and understandable risk assessment process, and evidence for its execution, by maybe getting somebody to take me through risk assessments that have been performed.
 
-Although Clause 6.1.2 tells you what should be considered when doing risk assessments, it does not tell you *how* to conduct a risk assessment. It doesn't tell you to use a risk calculation scale of 1 to 10, or high, medium and low, or using some other kind of formula, and neither does the ISO 27002 implementation guidance, of the [ISO 27005](../about/ISO%2027005.md) (Guidance on managing information security risks).
+Although Clause 6.1.2 tells you what should be considered when doing risk assessments, it does not tell you *how* to conduct a risk assessment. It doesn't tell you to use a risk calculation scale of 1 to 10, or high, medium and low, or using some other kind of formula, and neither does the ISO 27002 implementation guidance, of the [ISO 27005](../ISO%2027005.md) (Guidance on managing information security risks).
 
 What it *does* tell us, is that we need to have an agreed way of conducting risk assessments, and that we need predefined risk acceptance criteria.
 

Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E03a - Risk treatment.md

@@ -33,7 +33,7 @@ This was previously called risk transfer, but this term was dropped because you
 
 ### Risk modification by implementing controls
 
-Clause 8.3 of [ISO 27005](../about/ISO%2027005.md), the guidance document on risk management[^1], says that we shall select controls in order to address risks. These can be preventative, detective or corrective in nature.
+Clause 8.3 of [ISO 27005](../ISO%2027005.md), the guidance document on risk management[^1], says that we shall select controls in order to address risks. These can be preventative, detective or corrective in nature.
 
 Which controls will be implemented by the organization, is specified in the Statement of Applicability (6.1.3d).