diff --git a/.kilo/plans/1777714595174-misty-tiger.md b/.kilo/plans/1777714595174-misty-tiger.md new file mode 100644 index 0000000..fb0ae8d --- /dev/null +++ b/.kilo/plans/1777714595174-misty-tiger.md 
@@ -0,0 +1,55 @@ +# Plan to Remove Markdown Tables After First Header in Specified .md Files + +## Goal +Remove the markdown table that appears after the first markdown header (## X.Y Title) in 35 specific .md files located in the directory `/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN`. These files contain ISO 27002 control descriptions and have a summary table listing Control type, Information security properties, etc., which needs to be removed. + +## Analysis +- **Affected Files**: Identified 35 .md files containing the table starting with `| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |`. +- **Table Structure**: The table consists of 2-4 lines: + - Header row starting with `| Control type` + - Separator row + - Data row + - Optionally, an empty row +- **Location**: The table appears immediately after the first `##` header (e.g., `## 8.1 User endpoint devices`) and before the `**Control**` section. +- **Pattern**: All affected files follow the pattern where the table ends just before `**Control**`. + +## Approach +Use a Bash script with `sed` to remove the table lines from each affected file. The `sed` command will delete lines from the start of the table (`| Control type`) up to but not including `**Control**`. + +### Script +Create and run the following Bash script in the target directory: + +```bash +#!/bin/bash + +# Change to the target directory +cd /Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN || exit 1 + +# Loop through all .md files +for file in *.md; do + # Check if the file contains the table + if grep -q "| Control type" "$file"; then + # Remove the table lines: from "| Control type" to just before "**Control**" + sed -i '/^| Control type /,/^\*\*Control$/ { /^\*\*Control$/ !d }' "$file" + echo "Processed $file" + fi +done + +echo "Table removal complete." +``` + +### Steps to Execute +1. 
**Navigate to Directory**: Change to `/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN`. +2. **Backup (Optional)**: Consider backing up the directory before running the script. +3. **Run Script**: Execute the script to process all files. +4. **Verify**: After running, check a few files (e.g., `a-8.1-User-endpoint-devices.md`, `a-5.15-Access-control.md`) to ensure the table is removed and the `**Control**` section remains intact. + +## Risks and Considerations +- **Accuracy**: The `sed` command is designed to precisely target the table based on the observed patterns. If any file has unexpected formatting, manual review may be needed. +- **No Impact on Non-Affected Files**: Files without the table will remain unchanged. +- **Reversibility**: If needed, restore from backup or use version control (assuming the directory is in a git repo). + +## Expected Outcome +- Tables removed from 35 files. +- Content before and after the table (including `**Control**` and subsequent sections) preserved. +- No changes to other .md files in the directory. \ No newline at end of file diff --git a/Corpus/Information security concepts MoC.md b/Corpus/Information security concepts MoC.md new file mode 100644 index 0000000..578f8cd --- /dev/null +++ b/Corpus/Information security concepts MoC.md 
@@ -0,0 +1,75 @@ +--- +Related: + - "[ISO\\_27002\\_OT 3 Terms, definitions and abbreviated terms](Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated%20terms.md)" + - https://csiac.org/databases/acronyms/ +tags: + - type/MoC +--- +[Assets](🎇%20Sparks/Assets.md) + [NIST Asset Types](📚️%20Literature%20notes/NIST%20Asset%20Types.md) + [Asset lifecycle](📚️%20Literature%20notes/Asset%20lifecycle.md) + [Asset ownership](🎇%20Sparks/Asset%20ownership.md) + [[Asset ownership DEL]] + [Assets, Vulnerabilities, Threats, Risks](📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md) +[Assets, Vulnerabilities, Threats, Risks](🎇%20Sparks/Assets,%20Vulnerabilities,%20Threats,%20Risks.md) +[Attack Surface Analysis](📚️%20Literature%20notes/Attack%20Surface%20Analysis.md) +[Authentication](Standards/ISO27x/Authentication.md) + [Multi-factor authentication](🎇%20Sparks/Multi-factor%20authentication.md) (MFA) + [Passwordless Authentication](🎇%20Sparks/Passwordless%20Authentication.md) + [Risk-Based Authentication](🎇%20Sparks/Risk-Based%20Authentication.md) + [Single Sign On (SSO)](📚️%20Literature%20notes/Single%20Sign%20On%20(SSO).md) + [Tokens](🎇%20Sparks/Tokens.md) +[Authorization](Standards/ISO27x/Authorization.md) + [Access Control](🎇%20Sparks/Access%20Control.md) +[Awareness](🎇%20Sparks/Awareness.md) +[BCP_Bedrijfscontinuïteitsplanning](📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md) + [Business Impact Analysis (BIA)](🎇%20Sparks/Business%20Impact%20Analysis%20(BIA).md) + [Disaster Recovery Planning](🎇%20Sparks/Disaster%20Recovery%20Planning.md) +[Change management MoC](MoCs/Change%20management%20MoC.md) +[Classification](🎇%20Sparks/Classification.md) +[Compliance](🎇%20Sparks/Compliance.md) +[Data Breach](💡Permanent%20ideas/Data%20Breach.md) +[Data Governance](📚️%20Literature%20notes/Data%20Governance.md) +Frameworks + [ISO 27k family](../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md) + [NIST articles 
list](Standards/NIST/NIST%20articles%20list.md) +[Governance](🎇%20Sparks/Governance.md) +[[Hardening]] +[Identity and Access Management (IAM)](💡Drafts%20and%20Ideas/Identity%20and%20Access%20Management%20(IAM).md) + [Identification](💡Drafts%20and%20Ideas/Identification.md) + [Authentication](Standards/ISO27x/Authentication.md) + [Authorization](Standards/ISO27x/Authorization.md) +Impact + [Change management MoC](MoCs/Change%20management%20MoC.md) + [Impact of Disruption](💡Drafts%20and%20Ideas/Impact%20of%20Disruption.md) +[Incidents](🎇%20Sparks/Incidents.md) +[Maturity Models](📚️%20Literature%20notes/Maturity%20Models.md) +[Metrics](📚️%20Literature%20notes/InfoSec%20Metrics.md) +[Operational Technology](💡Drafts%20and%20Ideas/Operational%20Technology.md) or OT Security +[Policies](📚️%20Literature%20notes/Policies.md) +[[Posture Management]] +[Ransomware](🎇%20Sparks/Ransomware.md) +[Risks](🎇%20Sparks/Risks.md) + [Risk analysis](🎇%20Sparks/Risk%20analysis.md) + [Risk appetite](💡Drafts%20and%20Ideas/Risk%20appetite.md) + [Risk inventories](🎇%20Sparks/Risk%20inventories.md) + [Risk management](🎇%20Sparks/Risk%20management.md) + [Risk ownership](🎇%20Sparks/Risk%20ownership.md) + [Risk ownership](🎇%20Sparks/Risk%20ownership.md) + [Risk prioritization](🎇%20Sparks/Risk%20prioritization.md) + [Risk tolerance](🎇%20Sparks/Risk%20tolerance.md) + [Risk treatment](🎇%20Sparks/Risk%20treatment.md) + [Risks vs Threats vs Vulnerabilities](🎇%20Sparks/Risks%20vs%20Threats%20vs%20Vulnerabilities.md) +[Roles and Responsibilities](🎇%20Sparks/Roles%20and%20Responsibilities.md) +[Threat](📚️%20Literature%20notes/Threat.md) + [Threat Intelligence](🎇%20Sparks/Threat%20Intelligence.md) + [Security Threat Modeling](📚️%20Literature%20notes/Security%20Threat%20Modeling.md) + [Privacy Threat Modeling](📚️%20Literature%20notes/Privacy%20Threat%20Modeling.md) + [AI Threat Modeling](🎇%20Sparks/AI%20Threat%20Modeling.md) + [Threat Catalogues](📚️%20Literature%20notes/Threat%20Catalogues.md) +[Vendor 
security MoC](🎇%20Sparks/Vendor%20security%20MoC.md) or Supply chain security +[Vulnerability](💡Drafts%20and%20Ideas/Vulnerability.md) + [Bug bounty program](🎇%20Sparks/Bug%20bounty%20program.md) +[Zero Trust](📚️%20Literature%20notes/Zero%20Trust.md) + + diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/add_yaml.py b/Corpus/Standards/ISO27x/OST/27001/EN/add_yaml.py new file mode 100644 index 0000000..7623607 --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27001/EN/add_yaml.py @@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +import os +import re + +directory = '/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27001/EN/' + +for filename in os.listdir(directory): + if filename.endswith('.md'): + filepath = os.path.join(directory, filename) + with open(filepath, 'r') as f: + lines = f.readlines() + if lines and lines[0].strip() == '---': + continue # Already has YAML + # Extract id and title from filename + match = re.match(r'c-([0-9.]+)-(.+)\.md', filename) + if match: + num = match.group(1) + title_part = match.group(2) + id_val = f'C.{num}' + title = title_part.replace('-', ' ') + elif filename == 'c-0-Introduction.md': + id_val = 'C.0' + title = 'Introduction' + elif filename == 'ISO_27001_OT F Foreword.md': + id_val = 'Foreword' + title = 'Foreword' + else: + # For other files like c-2-Normative-references.md + match = re.match(r'c-([0-9]+)-(.+)\.md', filename) + if match: + num = match.group(1) + title_part = match.group(2) + id_val = f'C.{num}' + title = title_part.replace('-', ' ') + else: + continue # Skip if not matching + + yaml = f'''--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "{id_val}" +title: "{title}" +tags: +- iso27001/2022/EN +status: active +--- +''' + with open(filepath, 'w') as f: + f.write(yaml + ''.join(lines)) + +print("YAML front matter added to files that didn't have it.") \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-0-Introduction.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-0-Introduction.md index 8623006..a59f3e0 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-0-Introduction.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-0-Introduction.md @@ -1,8 +1,18 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.0" +title: "Introduction" +tags: +- iso27001/2022/EN +status: active +--- +## 0 Introduction -# Introduction - -## 0.1 General +### 0.1 General This document has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time. @@ -16,7 +26,7 @@ The order in which requirements are presented in this document does not reflect ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005), with related terms and definitions. -## 0.2 Compatibility with other management system standards +### 0.2 Compatibility with other management system standards This document applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL. 
diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-1-Scope.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-1-Scope.md index 81fa321..8bf21d8 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-1-Scope.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-1-Scope.md @@ -1,6 +1,16 @@ -#iso27001/2022/EN - -# 1 Scope +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.1" +title: "Scope" +tags: +- iso27001/2022/EN +status: active +--- +## 1 Scope This document specifies the requirements for establishing, implementing, maintaining and continually improving an information diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-10-Improvement.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-10-Improvement.md new file mode 100644 index 0000000..a7791fe --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-10-Improvement.md @@ -0,0 +1,13 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.10" +title: "Improvement" +tags: +- iso27001/2022/EN +status: active +--- +# 10 Improvement \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-10.1-Continual-improvement.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-10.1-Continual-improvement.md index 8dd354d..780ac81 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-10.1-Continual-improvement.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-10.1-Continual-improvement.md @@ -1,4 +1,15 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.10.1" +title: "Continual improvement" +tags: +- iso27001/2022/EN +status: active +--- ## 10.1 Continual improvement The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system. \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-10.2-Nonconformity-and-corrective-action.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-10.2-Nonconformity-and-corrective-action.md index 3f82d30..84536f7 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-10.2-Nonconformity-and-corrective-action.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-10.2-Nonconformity-and-corrective-action.md @@ -1,6 +1,15 @@ -#iso27001/2022/EN - - +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.10.2" +title: "Nonconformity and corrective action" +tags: +- iso27001/2022/EN +status: active +--- ## 10.2 Nonconformity and corrective action When a nonconformity occurs, the organization shall: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-2-Normative-references.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-2-Normative-references.md index 825801e..139e126 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-2-Normative-references.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-2-Normative-references.md @@ -1,5 +1,15 @@ -#iso27001/2022/EN - -# 2 Normative references +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.2" +title: "Normative references" +tags: +- iso27001/2022/EN +status: active +--- +## 2 Normative references The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-3-Terms-and-definitions.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-3-Terms-and-definitions.md index a940411..ce18537 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-3-Terms-and-definitions.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-3-Terms-and-definitions.md 
@@ -1,6 +1,16 @@ -#iso27001/2022/EN - -# 3 Terms and definitions +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.3" +title: "Terms and definitions" +tags: +- iso27001/2022/EN +status: active +--- +## 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply. diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-4-Context-of-the-organization.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-4-Context-of-the-organization.md new file mode 100644 index 0000000..d1900cb --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-4-Context-of-the-organization.md @@ -0,0 +1,13 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: C.4 +title: Context of the organisation +tags: + - iso27001/2022/EN +status: active +--- +# 4 Context of the organisation \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-4.1-Understanding-the-organization-and-its-context.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-4.1-Understanding-the-organization-and-its-context.md index a52b54a..db16bc2 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-4.1-Understanding-the-organization-and-its-context.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-4.1-Understanding-the-organization-and-its-context.md @@ -1,4 +1,16 @@ -# Clause 4.1: Understanding the organization and its context +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.4.1" +title: "Understanding the organization and its context" +tags: +- iso27001/2022/EN +status: active +--- +## Clause 4.1: Understanding the organization and its context The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. 
diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md index def5f7a..ff17bad 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md @@ -1,5 +1,16 @@ -#iso27001/2022/EN -# 4.2 Understanding the needs and expectations of interested parties +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.4.2" +title: "Understanding the needs and expectations of interested parties" +tags: +- iso27001/2022/EN +status: active +--- +## 4.2 Understanding the needs and expectations of interested parties The organization shall determine: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md index 31d130a..3f2cb5c 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md @@ -1,5 +1,16 @@ -#iso27001/2022/EN -# 4.3 Determining the scope of the information security management system +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.4.3" +title: "Determining the scope of the information security management system" +tags: +- iso27001/2022/EN +status: active +--- +## 4.3 Determining the scope of the information security management system The organization shall determine the boundaries and applicability of the information security management system to establish its scope. 
diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-4.4-Information-security-management-system.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-4.4-Information-security-management-system.md index 18df68a..ff56552 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-4.4-Information-security-management-system.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-4.4-Information-security-management-system.md @@ -1,4 +1,15 @@ -#iso27001/2022/EN -# 4.4 Information security management system +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.4.4" +title: "Information security management system" +tags: +- iso27001/2022/EN +status: active +--- +## 4.4 Information security management system The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-5-Leadership.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-5-Leadership.md new file mode 100644 index 0000000..4128e08 --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-5-Leadership.md @@ -0,0 +1,13 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: C.5 +title: Leadership +tags: + - iso27001/2022/EN +status: active +--- +# 5 Leadership \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-5.1-Leadership-and-commitment.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-5.1-Leadership-and-commitment.md index 7cb915e..1053ba0 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-5.1-Leadership-and-commitment.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-5.1-Leadership-and-commitment.md 
@@ -1,4 +1,15 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.5.1" +title: "Leadership and commitment" +tags: +- iso27001/2022/EN +status: active +--- ## 5.1 Leadership and commitment Top management shall demonstrate leadership and commitment with respect to the information security management system by: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md index 414bca5..fb4e5a4 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md @@ -1,4 +1,15 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.5.2" +title: "Policy" +tags: +- iso27001/2022/EN +status: active +--- ## 5.2 Policy Top management shall establish an information security policy that: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md index 0c02608..9cac7b5 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md @@ -1,5 +1,16 @@ -#iso27001/2022/EN -## 5.3 Organizational roles, responsibilities and authorities +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.5.3" +title: "Organizational roles responsibilities and authorities" +tags: +- iso27001/2022/EN +status: active +--- +## 5.3 Organizational roles responsibilities and authorities Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization. 
diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-6-Planning.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-6-Planning.md new file mode 100644 index 0000000..8dfb2ef --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-6-Planning.md @@ -0,0 +1,13 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: C.6 +title: Planning +tags: + - iso27001/2022/EN +status: active +--- +# 6 Planning \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.1-General.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.1-General.md index 091785a..49060a2 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.1-General.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.1-General.md @@ -1,3 +1,15 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.6.1.1" +title: "General" +tags: +- iso27001/2022/EN +status: active +--- ### 6.1.1 General When planning for the information security management system, the organization shall consider the issues referred to in [4.1](c-4.1-Understanding-the-organization-and-its-context.md) and the requirements referred to in [4.2](ISO_27001_2022_OT%204.2%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md) and determine the risks and opportunities that need to be addressed to: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.2-Information-security-risk-assessment.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.2-Information-security-risk-assessment.md index 6dae621..d21dd80 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.2-Information-security-risk-assessment.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.2-Information-security-risk-assessment.md 
@@ -1,3 +1,15 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.6.1.2" +title: "Information security risk assessment" +tags: +- iso27001/2022/EN +status: active +--- ### 6.1.2 Information security risk assessment The organization shall define and apply an information security risk assessment process that: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.3-Information-security-risk-treatment.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.3-Information-security-risk-treatment.md index 3d2b38e..a1ab924 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.3-Information-security-risk-treatment.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.3-Information-security-risk-treatment.md @@ -1,3 +1,15 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.6.1.3" +title: "Information security risk treatment" +tags: +- iso27001/2022/EN +status: active +--- ### 6.1.3 Information security risk treatment The organization shall define and apply an information security risk treatment process to: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md index 3934666..029fc2d 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md 
@@ -1,4 +1,15 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.6.2" +title: "Information security objectives and planning to achieve them" +tags: +- iso27001/2022/EN +status: active +--- ## 6.2 Information security objectives and planning to achieve them The organization shall establish information security objectives at relevant functions and levels. diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.3-Planning-of-changes.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.3-Planning-of-changes.md index 07b83f1..514a047 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-6.3-Planning-of-changes.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-6.3-Planning-of-changes.md @@ -1,4 +1,15 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.6.3" +title: "Planning of changes" +tags: +- iso27001/2022/EN +status: active +--- ## 6.3 Planning of changes When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-7-Support.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-7-Support.md new file mode 100644 index 0000000..8c6132d --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-7-Support.md @@ -0,0 +1,13 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: C.7 +title: Support +tags: + - iso27001/2022/EN +status: active +--- +# 7 Support \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.1-Resources.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.1-Resources.md index 840b863..2e740ad 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.1-Resources.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.1-Resources.md 
@@ -1,4 +1,15 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.7.1" +title: "Resources" +tags: +- iso27001/2022/EN +status: active +--- ## 7.1 Resources The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.2-Competence.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.2-Competence.md index d674099..06f33e2 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.2-Competence.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.2-Competence.md @@ -1,5 +1,15 @@ -#iso27001/2022/EN - +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.7.2" +title: "Competence" +tags: +- iso27001/2022/EN +status: active +--- ## 7.2 Competence The organization shall: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.3-Awareness.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.3-Awareness.md index 1f7e419..a991ecf 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.3-Awareness.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.3-Awareness.md @@ -1,5 +1,15 @@ -#iso27001/2022/EN - +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.7.3" +title: "Awareness" +tags: +- iso27001/2022/EN +status: active +--- ## 7.3 Awareness Persons doing work under the organization's control shall be aware of: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.4-Communication.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.4-Communication.md index 4bb908d..c0ddd6b 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.4-Communication.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.4-Communication.md 
@@ -1,5 +1,15 @@ -#iso27001/2022/EN - +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.7.4" +title: "Communication" +tags: +- iso27001/2022/EN +status: active +--- ## 7.4 Communication The organization shall determine the need for internal and external communications relevant to the information security management system including: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.5-Documented-information.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.5-Documented-information.md index bf511be..13c3ddc 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-7.5-Documented-information.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-7.5-Documented-information.md @@ -1,4 +1,15 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.7.5" +title: "Documented information" +tags: +- iso27001/2022/EN +status: active +--- ## 7.5 Documented information ### 7.5.1 General diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-8-Operation.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-8-Operation.md new file mode 100644 index 0000000..fc59611 --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-8-Operation.md @@ -0,0 +1,13 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: C.8 +title: Operation +tags: + - iso27001/2022/EN +status: active +--- +# 8 Operation \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-8.1-Operational-planning-and-control.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-8.1-Operational-planning-and-control.md index 6793dae..ca02294 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-8.1-Operational-planning-and-control.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-8.1-Operational-planning-and-control.md 
@@ -1,4 +1,15 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.8.1" +title: "Operational planning and control" +tags: +- iso27001/2022/EN +status: active +--- ## 8.1 Operational planning and control The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-8.2-Information-security-risk-assessment.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-8.2-Information-security-risk-assessment.md index 27c30b7..06ff66d 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-8.2-Information-security-risk-assessment.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-8.2-Information-security-risk-assessment.md @@ -1,5 +1,16 @@ -#iso27001/2022/EN -# Clause 8.2: Information security risk assessment +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.8.2" +title: "Information security risk assessment" +tags: +- iso27001/2022/EN +status: active +--- +## 8.2 Information security risk assessment The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in [6.1.2a](ISO_27001_OT%206.1.2%20Information%20security%20risk%20assessment.md). diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-8.3-Information-security-risk-treatment.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-8.3-Information-security-risk-treatment.md index c0b1739..01f5b39 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-8.3-Information-security-risk-treatment.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-8.3-Information-security-risk-treatment.md 
@@ -1,8 +1,16 @@ --- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.8.3" +title: "Information security risk treatment" tags: - - iso27001/2022/EN +- iso27001/2022/EN +status: active --- -# Clause 8.3 Information security risk treatment +## 8.3 Information security risk treatment The organization shall implement the information security risk treatment plan. diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-9-Performance-evaluation.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-9-Performance-evaluation.md new file mode 100644 index 0000000..5010557 --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-9-Performance-evaluation.md @@ -0,0 +1,13 @@ +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: C.9 +title: Performance evaluation +tags: + - iso27001/2022/EN +status: active +--- +# 9 Performance evaluation \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md index 5c743e5..b2ab30b 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md @@ -1,5 +1,16 @@ -#iso27001/2022/EN -## 9.1 Monitoring, measurement, analysis and evaluation +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.9.1" +title: "Monitoring measurement analysis and evaluation" +tags: +- iso27001/2022/EN +status: active +--- +## 9.1 Monitoring measurement analysis and evaluation The organization shall determine: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-9.2-Internal-audit.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-9.2-Internal-audit.md index ca63f44..d17db1b 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-9.2-Internal-audit.md 
+++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-9.2-Internal-audit.md @@ -1,6 +1,16 @@ -#iso27001/2022/EN +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.9.2" +title: "Internal audit" +tags: +- iso27001/2022/EN +status: active +--- ## 9.2 Internal audit - ### 9.2.1 General The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/c-9.3-Management-review.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-9.3-Management-review.md index de57def..6c15e77 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/c-9.3-Management-review.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-9.3-Management-review.md @@ -1,5 +1,15 @@ -#iso27001/2022/EN - +--- +notetype: sourcetext +standard: ISO 27001 +version: 2022 +language: EN +type: clause +id: "C.9.3" +title: "Management review" +tags: +- iso27001/2022/EN +status: active +--- ## 9.3 Management review ### 9.3.1 General diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/ISO_27001_OT F Foreword.md b/Corpus/Standards/ISO27x/OST/27001/EN/c-f-Foreword.md similarity index 98% rename from Corpus/Standards/ISO27x/OST/27001/EN/ISO_27001_OT F Foreword.md rename to Corpus/Standards/ISO27x/OST/27001/EN/c-f-Foreword.md index 3415d87..70a6076 100644 --- a/Corpus/Standards/ISO27x/OST/27001/EN/ISO_27001_OT F Foreword.md +++ b/Corpus/Standards/ISO27x/OST/27001/EN/c-f-Foreword.md 
@@ -1,6 +1,4 @@ -#iso27001/2022/EN - -# Foreword +## F Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/rename-iso-title.zsh b/Corpus/Standards/ISO27x/OST/27001/EN/rename-iso-title.zsh deleted file mode 100755 index d756956..0000000 --- a/Corpus/Standards/ISO27x/OST/27001/EN/rename-iso-title.zsh +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/usr/bin/env zsh -set -euo pipefail - -execute=false -if [[ ${1:-} == '--execute' ]]; then - execute=true - shift -fi - -if [[ $# -gt 0 ]]; then - print -u2 'Usage: rename-iso-title.zsh [--execute]' - exit 2 -fi - -# Requires Obsidian app running and CLI enabled. -: ${OBSIDIAN_CLI:=obsidian} - -files=(c-[0-9]*\.md(N)) -if (( ${#files} == 0 )); then - print 'No matching files found.' - exit 0 -fi - -for src in "$files[@]"; do - base=${src:t} - - # Read the level 1 header from the file - # Format: # - # Extract everything after the first number and space - header=$(head -n 1 "$src" | sed 's/^# [0-9.]* //') - - if [[ -z "$header" ]]; then - print -u2 "WARN skipped (no header found): $src" - continue - fi - - # Clean up the title - title=$header - # Replace spaces with dashes - title=${title// /-} - # Remove commas, slashes, parentheses, quotes - title=${title//,/} - title=${title//\//} - title=${title//\\/} - title=${title//\(} - title=${title//\)} - title=${title//\'} - title=${title//\'} - # Replace diacritics with base characters - title=${title//ï/i} - title=${title//é/e} - title=${title//è/e} - title=${title//ê/e} - title=${title//ë/e} - title=${title//ö/o} - title=${title//ü/u} - title=${title//ó/o} - title=${title//ô/o} - title=${title//á/a} - title=${title//à/a} - title=${title//ã/a} - title=${title//ä/a} - title=${title//í/i} - title=${title//ì/i} - title=${title//ñ/n} - title=${title//ú/u} - title=${title//ù/u} - # Remove multiple dashes - title=${title//---/-} - title=${title//--/-} - # Remove leading/trailing dashes - title=${title#-} - title=${title%-} - - # Build new filename: c-n.n-TITLE.md - ext="${src:r}.md" # extension without the extra .md issue - filename="${src%.*}" - target="$(unknown)-${title}.md" - - if [[ $src == $target ]]; then - print "SKIP $src" - continue - fi - - print "SRC $src" - print "DEST $target" - if $execute; then - "$OBSIDIAN_CLI" rename file="$src" name="$target" - fi -done \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/OST/27001/EN/rename-iso.zsh b/Corpus/Standards/ISO27x/OST/27001/EN/rename-iso.zsh deleted file mode 100755 index b28bf84..0000000 --- a/Corpus/Standards/ISO27x/OST/27001/EN/rename-iso.zsh +++ /dev/null @@ -1,50 +0,0 @@ -#!/usr/bin/env zsh -set -euo pipefail - -execute=false -if [[ ${1:-} == '--execute' ]]; then - execute=true - shift -fi - -if [[ $# -gt 0 ]]; then - print -u2 'Usage: rename-iso.zsh [--execute]' - exit 2 -fi - -# Requires Obsidian app running and CLI enabled. -# Adjust OBSIDIAN_CLI to the command you actually use (e.g. `obsidian`). -: ${OBSIDIAN_CLI:=obsidian} - -files=(ISO_27001*.md(N)) -if (( ${#files} == 0 )); then - print 'No matching files found.' - exit 0 -fi - -for src in "$files[@]"; do - base=${src:t} - # Match both ISO_27001_OT and ISO_27001_2022_OT patterns - if [[ $base =~ '^ISO_27001(_2022)?_OT ([0-9.]+) (.+)\.md$' ]]; then - version=${match[2]#_} - title=${match[3]} - target="c-${version}-${title}.md" - # Replace spaces with dashes - target=${target// /-} - # Remove commas - target=${target//,} - # Prevent double dashes - target=${target//--/-} - if [[ $src == $target ]]; then - print "SKIP $src" - continue - fi - print "SRC $src" - print "DEST $target" - if $execute; then - "$OBSIDIAN_CLI" rename file="$src" name="$target" - fi - else - print -u2 "WARN skipped (pattern mismatch): $src" - fi -done diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/ISO 27002_2022_EN.docx b/Corpus/Standards/ISO27x/OST/27002/EN/ISO 27002_2022_EN.docx new file mode 100644 index 0000000..3faf329 Binary files /dev/null and b/Corpus/Standards/ISO27x/OST/27002/EN/ISO 27002_2022_EN.docx differ diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/ISO_27002_OT 3 Terms, definitions and abbreviated terms.md b/Corpus/Standards/ISO27x/OST/27002/EN/ISO_27002_OT 3 Terms, definitions and abbreviated terms.md deleted file mode 100644 index 4ac17cb..0000000 
--- a/Corpus/Standards/ISO27x/OST/27002/EN/ISO_27002_OT 3 Terms, definitions and abbreviated terms.md +++ /dev/null 
@@ -1,818 +0,0 @@ -#iso27002/2022/EN - - -**3.1** **Terms** **and** **definitions** - - - -For the purposes of this document, the following terms and definitions apply. - - - -ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp - -— IEC Electropedia: available at https://www.electropedia.org/ - - - -**3.****1.1** - -**access** **control** - -means to ensure that physical and logical access to _assets_ (3.1.2) is authorized and restricted based on business and information security requirements - - - -**3.****1.2** - -**ass****et** - -anything that has value to the organization - - - -Note 1 to entry: In the context of information security, two kinds of assets can be distinguished: - - - -— the primary assets: — information; - -— business _processes_ (3.1.27) and activities; - - - -— the supporting assets (on which the primary assets rely) of all types, for example: — hardware; - -— software; — network; - -— _personnel_ (3.1.20); - - - - - -© ISO/IEC 2022 – All rights reserved **1** - - - - - - - -**ISO/IEC 27002:2022(E)** - - - - - - - -— site; - -Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com) - -ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited. - - - -— organization’s structure. 
- - - -**3.****1.3** - -**attack** - -successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an _asset_ (3.1.2) or any attempt to expose, steal, or make unauthorized use of an _asset_ (3.1.2) - - - -**3.1.4** - -**aut****hentication** - -provision of assurance that a claimed characteristic of an _entity_ (3.1.11) is correct - - - -**3****.1.5** - -**au****thenticity** - -property that an _entity_ (3.1.11) is what it claims to be - - - -**3.1.6** - -**chain** **of** **custody** - -demonstrable possession, movement, handling and location of material from one point in time until another - - - -Note 1 to entry: Material includes information and other associated _assets_ (3.1.2) in the context of ISO/IEC 27002. - - - -[SOURCE: ISO/IEC 27050-1:2019, 3.1, modified — “Note 1 to entry” added] - - - -**3.****1.7** - -**confidential** **information** - -information that is not intended to be made available or disclosed to unauthorized individuals, _entities_ (3.1.11) or _processes_ (3.1.27) - - - -**3****.1.8** - -**control** - -measure that maintains and/or modifies risk - - - -Note 1 to entry: Controls include, but are not limited to, any _process_ (3.1.27), _policy_ (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk. - - - -Note 2 to entry: Controls may not always exert the intended or assumed modifying effect. 
- - - -[SOURCE: ISO 31000:2018, 3.8] - - - -**3.****1.9** - -**disrupti****on** - -incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization’s objectives - - - -[SOURCE: ISO 22301:2019, 3.10] - - - -**3.1****.10** - -**endpoint** **device** - -network connected information and communication technology (ICT) hardware device - - - -Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices. - - - -**3.1.11** - -**entity** - -item relevant for the purpose of operation of a domain that has recognizably distinct existence - - - -Note 1 to entry: An entity can have a physical or a logical embodiment. - - - - - - - -**2** © ISO/IEC 2022 – All rights reserved - - - - - - - - - - - - - - - - - -EXAMPLE - -Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com) - -ISO Store Order: OP-582678 / Downloaded: 2022-02-17 - -Single user licence only, copying and networking prohibited. - -**ISO/IEC 27002:2022(E)** - - - - - - - -A person, an organization, a device, a group of such items, a human subscriber to a telecom - -service, a SIM card, a passport, a network interface card, a software application, a service or a website. - - - -[SOURCE: ISO/IEC 24760-1:2019, 3.1.1] - - - -**3.****1.12** - -**information** **processing** **facility** - -any information processing system, service or infrastructure, or the physical location housing it [SOURCE: ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.] 
**3****.1.13** - -**information** **security** **breach** - -compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed - - - -**3.1****.14** - -**information** **security** **event** - -occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or failure of _controls_ (3.1.8) - - - -[SOURCE: ISO/IEC 27035-1:2016, 3.3, modified — “breach of information security” has been replaced with “information security breach”] - - - -**3.1****.15** - -**information** **security incident** - -one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organization’s _assets_ (3.1.2) or compromise its operations - - - -[SOURCE: ISO/IEC 27035-1:2016, 3.4] - - - -**3.1.16** - -**information** **security** **incident** **management** - -exercise of a consistent and effective approach to the handling of _information_ _security_ _incidents_ (3.1.15) [SOURCE: ISO/IEC 27035-1:2016, 3.5] - -**3****.1.17** - -**information** **system** - -set of applications, services, information technology _assets_ (3.1.2), or other information-handling components - - - -[SOURCE: ISO/IEC 27000:2018, 3.35] - - - -**3.1.18** - -**interested** **party** stakeholder - -person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity - - - -[SOURCE: ISO/IEC 27000:2018, 3.37] - - - -**3.****1.19** - -**non-repudiation** - -ability to prove the occurrence of a claimed event or action and its originating _entities_ (3.1.11) - - - -**3.1.20** - -**pers****onnel** - -persons doing work under the organization’s direction - - - -Note 1 to entry: The concept of personnel includes the organization’s members, such as the governing body, top management, employees, temporary staff, contractors and volunteers. 
- - - - - - - -© ISO/IEC 2022 – All rights reserved **3** - - - - - - - -**ISO/IEC 27002:2022(E)** - - - - - - - -**3.1****.21** - -Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com) - -ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited. - -**personally identifiable** **information** - -**PII** - -any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person. - - - -Note 1 to entry: The “natural person” in the definition is the _PII_ _principal_ (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person. - - - -[SOURCE: ISO/IEC 29100:2011/Amd.1:2018, 2.9] - - - -**3.1.22** - -**PII** **principal** - -natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.21) relates - - - -Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”. 
- - - -[SOURCE: ISO/IEC 29100:2011, 2.11] - - - -**3.1.23** - -**PII** **processor** - -privacy stakeholder that processes _personally_ _identifiable_ _information_ _(PII)_ (3.1.21) on behalf of and in accordance with the instructions of a PII controller - - - -[SOURCE: ISO/IEC 29100:2011, 2.12] - - - -**3.1****.24** - -**policy** - -intentions and direction of an organization, as formally expressed by its top management [SOURCE: ISO/IEC 27000:2018, 3.53] - -**3.1.25** - -**privacy** **impact** **assessment** **PIA** - -overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organization’s broader risk management framework - - - -[SOURCE: ISO/IEC 29134:2017, 3.7, modified — Note 1 to entry removed.] - - - -**3.1.26** - -**procedure** - -specified way to carry out an activity or a _process_ (3.1.27) - - - -[SOURCE: ISO 30000:2009, 3.12] - - - -**3.1.27** - -**proce****ss** - -set of interrelated or interacting activities that uses or transforms inputs to deliver a result - - - -[SOURCE: ISO 9000:2015, 3.4.1, modified— Notes to entry removed.] - - - -**3.1****.28** - -**re****cord** - -information created, received and maintained as evidence and as an _asset_ (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business - - - - - - - - - -**4** © ISO/IEC 2022 – All rights reserved - -Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com) - -ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited. - - - - - - - -**ISO/IEC 27002:2022(E)** - - - - - - - -Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements. - - - -[SOURCE: ISO 15489-1:2016, 3.14, modified— “Note 1 to entry” added.] 
- - - -**3.1.29** - -**recovery** **point** **objective** - -**RPO** - -point in time to which data are to be recovered after a _disruption_ (3.1.9) has occurred [SOURCE: ISO/IEC 27031:2011, 3.12, modified — "must" replaced by "are to be".] **3.1.30** - -**recovery** **time** **objective** **RTO** - -period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a _disruption_ (3.1.9) has occurred - - - -[SOURCE: ISO/IEC 27031:2011, 3.13, modified — "must" replaced by "are to be".] - - - -**3.1****.31** - -**reliability** - -property of consistent intended behaviour and results - - - -**3.1.32** - -**rule** - -accepted principle or instruction that states the organization’s expectations on what is required to be done, what is allowed or not allowed - - - -Note 1 to entry: Rules can be formally expressed in _topic-specific policies_ (3.1.35) and in other types of documents. - - - -**3.1.33** - -**sensitive** **information** - -information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety - - - -**3****.1.34** - -**thr****eat** - -potential cause of an unwanted incident, which can result in harm to a system or organization [SOURCE: ISO/IEC 27000:2018, 3.74] - -**3.1.35** - -**topic-specific** **policy** - -intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management - - - -Note 1 to entry: Topic-specific policies can formally express _rules_ (3.1.32) or organization standards. Note 2 to entry: Some organizations use other terms for these topic-specific policies. - -Note 3 to entry: The topic-specific policies referred to in this document are related to information security. 
- - - -EXAMPLE Topic-specific policy on _access_ _control_ (3.1.1), topic-specific policy on clear desk and clear screen. - - - -**3.1.36** - -**u****ser** - -_interested_ _party_ (3.1.18) with access to the organization’s _information_ _systems_ (3.1.17) - - - -EXAMPLE _Personnel_ (3.1.20), customers, suppliers. - - - - - - - - - -© ISO/IEC 2022 – All rights reserved - - - - - - - - - - - -**5** - - - - - - - -**ISO/IEC 27002:2022(E)** - - - - - - - -**3.1.37** - -**user** **endpoint** **device** - -Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com) - -ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited. - -_endpoint_ _device_ (3.1.10) used by users to access information processing services - - - -Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc. - - - -**3.1****.38** - -**vu****lnerability** - -weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one or more _threats_ (3.1.34) [SOURCE: ISO/IEC 27000:2018, 3.77] - - - -**3.2** **Abbreviated** **terms** - - - -ABAC attribute-based access control - - - -ACL access control list - - - -BIA business impact analysis - - - -BYOD bring your own device - - - -CAPTCHA completely automated public Turing test to tell computers and humans apart - - - -CPU central processing unit - - - -DAC discretionary access control - - - -DNS domain name system - - - -GPS global positioning system - - - -IAM identity and access management - - - -ICT information and communication technology - - - -ID identifier - - - -IDE integrated development environment - - - -IDS intrusion detection system - - - -IoT internet of things - - - -IP internet protocol - - - -IPS intrusion prevention system - - - -IT information technology - - - -ISMS information security management system - - - -MAC mandatory access control - - - -NTP network time protocol - - - -PIA privacy impact assessment - 
- - -PII personally identifiable information - - - - - - - -**6** © ISO/IEC 2022 – All rights reserved - -Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com) - -ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited. - - - - - - - -**ISO/IEC 27002:2022(E)** - - - - - - - -PIN personal identification number - - - -PKI public key infrastructure - - - -PTP precision time protocol - - - -RBAC role-based access control - - - -RPO recovery point objective - - - -RTO recovery time objective - - - -SAST static application security testing - - - -SD secure digital - - - -SDN software-defined networking - - - -SD-WAN software-defined wide area networking - - - -SIEM security information and event management - - - -SMS short message service - - - -SQL structured query language - - - -SSO single sign on - - - -SWID software identification - - - -UEBA user and entity behaviour analytics - - - -UPS uninterruptible power supply - - - -URL uniform resource locator - - - -USB universal serial bus - - - -VM virtual machine - - - -VPN virtual private network - - - -WiFi wireless fidelity \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated-terms.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated-terms.md new file mode 100644 index 0000000..23cf32d --- /dev/null +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated-terms.md 
@@ -0,0 +1,187 @@ +## 3.1 Terms and definitions +For the purposes of this document, the following terms and definitions apply. +ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp +— IEC Electropedia: available at https://www.electropedia.org/ + +3.1.1 **access control** +means to ensure that physical and logical access to _assets_ (3.1.2) is authorized and restricted based on business and information security requirements + +3.1.2 **asset** +anything that has value to the organization +*Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:* +— the primary assets: — information; +— business _processes_ (3.1.27) and activities; +— the supporting assets (on which the primary assets rely) of all types, for example: — hardware; +— software; — network; +— _personnel_ (3.1.20); +— site; +— organization’s structure. + +3.1.3 **attack** +successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an _asset_ (3.1.2) or any attempt to expose, steal, or make unauthorized use of an _asset_ (3.1.2) + +3.1.4 **authentication** +provision of assurance that a claimed characteristic of an _entity_ (3.1.11) is correct + +3.1.5 **authenticity** +property that an _entity_ (3.1.11) is what it claims to be + +3.1.6 **chain of custody** +demonstrable possession, movement, handling and location of material from one point in time until another +*Note 1 to entry: Material includes information and other associated _assets_ (3.1.2) in the context of ISO/IEC 27002.* + +3.1.7 **confidential information** +information that is not intended to be made available or disclosed to unauthorized individuals, _entities_ (3.1.11) or _processes_ (3.1.27) + +3.1.8 **control** +measure that maintains and/or modifies risk + +*Note 1 to entry: Controls include, but are not limited to, any _process_ (3.1.27), _policy_ 
(3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.* +*Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.* + +3.1.9 **disruption** +incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization’s objectives + +3.1.10 **endpoint device** +network connected information and communication technology (ICT) hardware device +*Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices.* + +3.1.11 **entity** +item relevant for the purpose of operation of a domain that has recognizably distinct existence + +*Note 1 to entry: An entity can have a physical or a logical embodiment.* +A person, an organization, a device, a group of such items, a human subscriber to a telecom +service, a SIM card, a passport, a network interface card, a software application, a service or a website. + +3.1.12 **information processing facility** +any information processing system, service or infrastructure, or the physical location housing it [SOURCE: ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.] 
+ +3.1.13 **information security breach** compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed + +3.1.14 **information security event** +occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or failure of _controls_ (3.1.8) + +3.1.15 **information security incident** +one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organization’s _assets_ (3.1.2) or compromise its operations + +3.1.16 **information security incident management** +exercise of a consistent and effective approach to the handling of _information_ _security_ _incidents_ (3.1.15) [SOURCE: ISO/IEC 27035-1:2016, 3.5] + +3.1.17 **information system** set of applications, services, information technology _assets_ (3.1.2), or other information-handling components + +3.1.18 **interested party stakeholder** +person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity + +3.1.19 **non-repudiation** +ability to prove the occurrence of a claimed event or action and its originating _entities_ (3.1.11) + +3.1.20 **personnel** +persons doing work under the organization’s direction +*Note 1 to entry: The concept of personnel includes the organization’s members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.* + +3.1.21 **personally identifiable information / PII** +any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person. +*Note 1 to entry: The “natural person” in the definition is the PII principal (3.1.22). 
To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.* + +3.1.22 **PII principal** +natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.21) relates +*Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.* + +3.1.23 **PII processor** +privacy stakeholder that processes _personally_ _identifiable_ _information_ _(PII)_ (3.1.21) on behalf of and in accordance with the instructions of a PII controller + +3.1.24 **policy** +intentions and direction of an organization, as formally expressed by its top management +[SOURCE: ISO/IEC 27000:2018, 3.53] + +3.1.25 **privacy impact assessment PIA** +overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organization’s broader risk management framework + +3.1.26 **procedure** +specified way to carry out an activity or a _process_ (3.1.27) + +3.1.27 **process** +set of interrelated or interacting activities that uses or transforms inputs to deliver a result + +3.1.28 **record** +information created, received and maintained as evidence and as an _asset_ (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business +*Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.* + +3.1.29 **recovery point objective** / **RPO** +point in time to which data are to be recovered after a _disruption_ (3.1.9) has occurred [SOURCE: ISO/IEC 27031:2011, 3.12, modified — "must" 
replaced by "are to be".] + +3.1.30 **recovery time objective RTO** +period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a _disruption_ (3.1.9) has occurred + +3.1.31 **reliability** +property of consistent intended behaviour and results + +3.1.32 **rule** +accepted principle or instruction that states the organization’s expectations on what is required to be done, what is allowed or not allowed +*Note 1 to entry: Rules can be formally expressed in _topic-specific policies_ (3.1.35) and in other types of documents.* + +3.1.33 **sensitive information** +information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety + +3.1.34 **threat** potential cause of an unwanted incident, which can result in harm to a system or organization [SOURCE: ISO/IEC 27000:2018, 3.74] + +3.1.35 **topic-specific policy** +intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management +*Note 1 to entry: Topic-specific policies can formally express _rules_ (3.1.32) or organization standards. 
Note 2 to entry: Some organizations use other terms for these topic-specific policies.* +*Note 3 to entry: The topic-specific policies referred to in this document are related to information security.* + +3.1.36 **user** +_interested_ _party_ (3.1.18) with access to the organization’s _information_ _systems_ (3.1.17) + +3.1.37 **user endpoint device** +_endpoint_ _device_ (3.1.10) used by users to access information processing services +*Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc.* + +3.1.38 **vulnerability** +weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one or more _threats_ (3.1.34) [SOURCE: ISO/IEC 27000:2018, 3.77] + +### 3.2 Abbreviated terms + +ABAC attribute-based access control +ACL access control list +BIA business impact analysis +BYOD bring your own device +CAPTCHA completely automated public Turing test to tell computers and humans apart +CPU central processing unit +DAC discretionary access control +DNS domain name system +GPS global positioning system +IAM identity and access management +ICT information and communication technology +ID identifier IDE integrated development environment +IDS intrusion detection system IoT internet of things +IP internet protocol +IPS intrusion prevention system +IT information technology +ISMS information security management system +MAC mandatory access control +NTP network time protocol +PIA privacy impact assessment +PII personally identifiable information +PIN personal identification number +PKI public key infrastructure +PTP precision time protocol +RBAC role-based access control +RPO recovery point objective +RTO recovery time objective +SAST static application security testing +SD secure digital +SDN software-defined networking +SD-WAN software-defined wide area networking +SIEM security information and event management +SMS short message service +SQL structured query language +SSO single sign on +SWID 
software identification +UEBA user and entity behaviour analytics +UPS uninterruptible power supply +URL uniform resource locator +USB universal serial bus +VM virtual machine +VPN virtual private network +WiFi wireless fidelity diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md index aa4086c..302cdd1 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md @@ -24,13 +24,13 @@ status: active ## 5.1 Policies for information security -#### Control +### Control Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. -#### Purpose +### Purpose To ensure continuing suitability, adequacy, effectiveness of management direction and support for information security in accordance with business, legal, statutory, regulatory and contractual requirements. -#### Guidance +### Guidance At the highest level, the organization should define an "information security policy" which is approved by top management and which sets out the organization's approach to managing its information security. The information security policy should take into consideration requirements derived from: @@ -91,7 +91,7 @@ Level of detail | General or high-level | Specific and detailed Documented and formally approved by | Top management | Appropriate level of management -#### Other information +### Other information Topic-specific policies can vary across organizations. 
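Review bot: In the abbreviated-terms block of the hunk that ends just before the `a-5.1` diff, two added lines each carry two entries, `+ID identifier IDE integrated development environment` and `+IDS intrusion detection system IoT internet of things`; split them so IDE and IoT get their own lines like every other abbreviation. The same hunk is also inconsistent in how it marks a term's abbreviation and source: `3.1.29 **recovery point objective** / **RPO**` uses a slash, while `3.1.25 **privacy impact assessment PIA**` and `3.1.30 **recovery time objective RTO**` run the abbreviation into the bold term; `3.1.29` and `3.1.38` keep `[SOURCE: ...]` on the definition line whereas `3.1.24` puts it on its own line; and `3.1.34 **threat** potential cause of an unwanted incident` puts the definition on the term line, unlike every other entry. Pick one layout (term and abbreviation on the heading line, definition on the next, `[SOURCE: ...]` on its own line) and apply it across the block.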
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.10-Acceptable-use-of-information-and-other-associated-assets.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.10-Acceptable-use-of-information-and-other-associated-assets.md index e627b91..172ccd1 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.10-Acceptable-use-of-information-and-other-associated-assets.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.10-Acceptable-use-of-information-and-other-associated-assets.md 
@@ -1,16 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.10" +title: "Acceptable use of information and other associated assets" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Asset_management + - Information_protection +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 5.10 Acceptable use of information and other associated assets -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ----------------------------------------- | ------------------------------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Governance_and_Ecosystem #Protection | - -**Control** +### Control Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. -**Purpose** +### Purpose To ensure information and other associated assets are appropriately protected, used and handled. -**Guidance** +### Guidance Personnel and external party users using or having access to the organization’s information and other associated assets should be made aware of the information security requirements for protecting and handling the organization’s information and other associated assets. They should be responsible for their use of any information processing facilities. The organization should establish a topic-specific policy on the acceptable use of information and other associated assets and communicate it to anyone who uses or handles information and other associated assets. 
The topic-specific policy on acceptable use should provide clear direction on how individuals are expected to use information and other associated assets. The topic-specific policy should state: @@ -35,5 +57,5 @@ e\) clear marking of all copies of storage media (electronic or physical) for th f\) authorization of disposal of information and other associated assets and supported deletion method(s) (see [8.10](a-8.10-Information-deletion.md)). -**Other information** +### Other information It can be the case that the assets concerned do not directly belong to the organization, such as public cloud services. The use of such third-party assets and any assets of the organization associated with such external assets (e.g. information, software) should be identified as applicable and controlled, for example, through agreements with cloud service providers. Care should also be taken when a collaborative working environment is used. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.11-Return-of-assets.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.11-Return-of-assets.md index 6281a5f..7207764 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.11-Return-of-assets.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.11-Return-of-assets.md 
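Review bot: The `@@ -35,5 +57,5 @@` hunk for `a-5.10` ends with `\ No newline at end of file` on both sides, so the patch preserves a missing trailing newline; since the file is being rewritten anyway, add the final newline here (the same marker appears in the hunks for `a-5.11`, `a-5.14` and `a-5.20`, which should get the same treatment).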
@@ -1,18 +1,36 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.11" +title: "Return of assets" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Asset_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.11 Return of assets -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------ | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management | #Protection | - -**Control** +### Control Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. -**Purpose** +### Purpose To protect the organization’s assets as part of the process of changing or terminating employment, contract or agreement. -**Guidance** +### Guidance The change or termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization. @@ -30,5 +48,5 @@ c\) specialist equipment; d\) authentication hardware (e.g. mechanical keys, physical tokens and smartcards) for information systems, sites and physical archives; e\) physical copies of information. -**Other information** +### Other information It can be difficult to return information held on assets which are not owned by the organization. In such cases, it is necessary to restrict the use of information using other information security controls such as access rights management (5.18) or use of cryptography (8.24). \ No newline at end of file 
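Review bot: In the `@@ -30,5 +48,5 @@` hunk for `a-5.11`, the Other information context line still cross-references controls as bare numbers, `access rights management (5.18) or use of cryptography (8.24)`, whereas sibling files in this patch link them, e.g. `[8.24](a-8.24-Use-of-cryptography.md)` in `a-5.17` and `[8.10](a-8.10-Information-deletion.md)` in `a-5.10`. Convert them to `[5.18](a-5.18-Access-rights.md)` and `[8.24](a-8.24-Use-of-cryptography.md)` (both target filenames are visible in this patch) so the corpus navigates consistently.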
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.12-Classification-of-information.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.12-Classification-of-information.md index 0ea107a..e2fd133 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.12-Classification-of-information.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.12-Classification-of-information.md @@ -1,18 +1,36 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.12" +title: "Classification of information" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Information_protection] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- ## 5.12 Classification of information -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------ | -------------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Information_protection | #Protection #Defence | - -**Control** +### Control Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. -**Purpose** +### Purpose To ensure identification and understanding of protection needs of information in accordance with its importance to the organization. -**Guidance** +### Guidance The organization should establish a topic-specific policy on information classification and communicate it to all relevant interested parties. The organization should take into account requirements for confidentiality, integrity and availability in the classification scheme. 
@@ -31,7 +49,7 @@ The scheme should be consistent across the whole organization and included in it The classification scheme used within the organization can be different from the schemes used by other organizations, even if the names for levels are similar. In addition, information moving between organizations can vary in classification depending on its context in each organization, even if their classification schemes are identical. Therefore, agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification levels from other organizations. Correspondence between different schemes can be determined by looking for equivalence in the associated handling and protection methods. -**Other information** +### Other information Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls. Information can cease to be sensitive or critical after a certain period of time. For example, when the information has been made public, it no longer has confidentiality requirements but can still require protection for its integrity and availability properties. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense or, on the contrary, under-classification can lead to insufficient controls to protect the information from compromise. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.13-Labelling-of-information.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.13-Labelling-of-information.md index 343d95a..97418fa 100644 
--- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.13-Labelling-of-information.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.13-Labelling-of-information.md @@ -1,14 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.13" +title: "Labelling of information" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Information_protection] +security_domains: + - Defence + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 5.13 Labelling of information -**Control** +### Control An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization. -**Purpose** +### Purpose To facilitate the communication of classification of information and support automation of information processing and management. -**Guidance** +### Guidance Procedures for information labelling should cover information and other associated assets in all formats. The labelling should reflect the classification scheme established in 5.12. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of storage media. The procedures can define: a\) cases where labelling is omitted (e.g. labelling of non-confidential information to reduce workloads); 
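Review bot: The `@@ -1,14 +1,38 @@` hunk for `a-5.13` adds frontmatter attribute values (`control_type`, `cybersecurity_concepts`, `security_domains: Defence, Protection`) but, unlike `a-5.10` through `a-5.12`, removes no summary table, so the values cannot be cross-checked against anything in the diff; state in the PR description where they were taken from, or include the source table line in the commit so a reviewer can verify them. Also, the Guidance context line `The labelling should reflect the classification scheme established in 5.12.` uses a bare reference where the rest of the patch uses relative links; `[5.12](a-5.12-Classification-of-information.md)` would match the filename introduced earlier in this patch.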
@@ -37,7 +61,7 @@ Personnel and other interested parties should be made aware of labelling procedu Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label. -**Other information** +### Other information Labelling of classified information is a key requirement for information sharing. Other useful metadata that can be attached to the information is which organizational process created the information and at what time. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.14-Information-transfer.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.14-Information-transfer.md index e9cc43d..ed049e6 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.14-Information-transfer.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.14-Information-transfer.md 
@@ -1,16 +1,36 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.14" +title: "Information transfer" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Asset_management + - Information_protection +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.14 Information transfer -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ----------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Protection | - -**Control** +### Control Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. -**Purpose** +### Purpose To maintain the security of information transferred within an organization and with any external interested party. -**Guidance** +### Guidance <u>General</u> The organization should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit (see [5.10](a-5.10-Acceptable-use-of-information-and-other-associated-assets.md)). 
@@ -136,6 +156,6 @@ e\) begin any sensitive conversations with a disclaimer so those present know th -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md index bfe1808..1a5a331 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md 
@@ -1,18 +1,34 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.15" +title: "Access control" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- ## 5.15 Access control -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection | - -**Control** +### Control Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. -**Purpose** +### Purpose To ensure authorized access and to prevent unauthorized access to information and other associated assets. -**Guidance** +### Guidance Owners of information and other associated assets should determine information security and business requirements related to access control. A topic-specific policy on access control should be defined which takes account of these requirements and should be communicated to all relevant interested parties. These requirements and the topic-specific policy should consider the following: 
@@ -51,7 +67,7 @@ c\) considering all types of available connections in distributed environments s d\) considering how elements or factors relevant to dynamic access control can be reflected. -**Other information** +### Other information There are often overarching principles used in the context of access control. Two of the most frequently used principles are: diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.16-Identity-management.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.16-Identity-management.md index 481ee8d..23d8a2f 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.16-Identity-management.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.16-Identity-management.md 
@@ -1,16 +1,34 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.16" +title: "Identity management" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.16 Identity management -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection | - -**Control** +### Control The full life cycle of identities should be managed. -**Purpose** +### Purpose To allow for the unique identification of individuals and systems accessing the organization’s information and other associated assets and to enable appropriate assignment of access rights. -**Guidance** +### Guidance The processes used in the context of identity management should ensure that: a\) for identities assigned to persons, a specific identity is only linked to a single person to be able to hold the person accountable for actions performed with this specific identity; 
@@ -29,7 +47,7 @@ The organization should have a supporting process in place to handle changes to When using identities provided or issued by third parties (e.g. social media credentials), the organization should ensure the third-party identities provide the required trust level and any associated risks are known and sufficiently treated. This can include controls related to the third parties (see [5.19](a-5.19-Information-security-in-supplier-relationships.md)) as well as controls related to associated authentication information (see [5.17](a-5.17-Authentication-information.md)). -**Other information** +### Other information Providing or revoking access to information and other associated assets is usually a multi-step procedure: a\) confirming the business requirements for an identity to be established; diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.17-Authentication-information.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.17-Authentication-information.md index debc788..601da43 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.17-Authentication-information.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.17-Authentication-information.md @@ -1,4 +1,25 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.17" +title: "Authentication information" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.17 Authentication information ### Control 
@@ -65,7 +86,7 @@ h)   store and transmit passwords in protected form. Password  encryption  and  hashing  should  be  performed  according  to  approved  cryptographic techniques for passwords (see [8.24](a-8.24-Use-of-cryptography.md)). -**Other information** +### Other information Passwords or passphrases are a commonly used type of authentication information and are a common means of verifying a user’s identity. Other types of authentication information are cryptographic keys, data stored on hardware tokens (e.g. smart cards) that produce authentication codes and biometric data such as iris scans or fingerprints. Additional information can be found in the ISO/IEC 24760 series. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.18-Access-rights.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.18-Access-rights.md index 7020cd9..8e693ee 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.18-Access-rights.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.18-Access-rights.md 
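Review bot: The `@@ -65,7 +86,7 @@` hunk for `a-5.17` shows doubled spaces in its context lines (`h)   store and transmit passwords`, `Password  encryption  and  hashing  should  be  performed  according  to  approved  cryptographic techniques`), which look like PDF extraction residue rather than intended formatting; since this file is already being touched, collapse the runs of spaces to single spaces in the same change.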
@@ -1,16 +1,34 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.18" +title: "Access rights" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.18 Access rights -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection | - -**Control** +### Control Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. -**Purpose** +### Purpose To ensure access to information and other associated assets is defined and authorized according to the business requirements. -**Guidance** +### Guidance <u>Provision and revocation of access rights</u> The provisioning process for assigning or revoking physical and logical access rights granted to an entity’s authenticated identity should include: 
@@ -53,7 +71,7 @@ b\) the current responsibilities of the user; c\) the value of the assets currently accessible. -**Other information** +### Other information Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews of access rights are easier managed at the level of such roles than at the level of particular rights. Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel (see [5.20](a-5.20-Addressing-information-security-within-supplier-agreements.md), [6.2](a-6.2-Terms-and-conditions-of-employment.md), [6.4](a-6.4-Disciplinary-process.md), [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md)). diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.19-Information-security-in-supplier-relationships.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.19-Information-security-in-supplier-relationships.md index 11664ac..61debc1 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.19-Information-security-in-supplier-relationships.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.19-Information-security-in-supplier-relationships.md 
@@ -1,15 +1,38 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.19" +title: "Information security in supplier relationships" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 5.19 Information security in supplier relationships -**Control** +### Control Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. -**Purpose** +### Purpose To maintain an agreed level of information security in supplier relationships. -**Guidance** +### Guidance The organization should establish and communicate a topic-specific policy on supplier relationships to all relevant interested parties. @@ -56,7 +79,7 @@ n\) level of personnel security and physical security expected from supplier's p The procedures for continuing information processing in the event that the supplier becomes unable to supply its products or services (e.g. because of an incident, because the supplier is no longer in business, or no longer provides some components due to technology advancements) should be considered to avoid any delay in arranging replacement products or services (e.g. identifying an alternative supplier in advance or always using alternative suppliers). -**Other information** +### Other information In cases where it is not possible for an organization to place requirements on a supplier, the organization should: 
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md index 7b88880..80d91f8 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md @@ -1,3 +1,28 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.2" +title: "Information security roles and responsibilities" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Governance] +security_domains: + - Governance_and_Ecosystem + - Protection + - Resilience +tags: + - iso27002/2022/EN +status: active +--- + ## 5.2 Information security roles and responsibilities ### Control diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.20-Addressing-information-security-within-supplier-agreements.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.20-Addressing-information-security-within-supplier-agreements.md index 55e407d..60c6b99 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.20-Addressing-information-security-within-supplier-agreements.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.20-Addressing-information-security-within-supplier-agreements.md 
@@ -1,13 +1,36 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.20" +title: "Addressing information security within supplier agreements" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 5.20 Addressing information security within supplier agreements -**Control** +### Control Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship. -**Purpose** +### Purpose To maintain an agreed level of information security in supplier relationships. -**Guidance** +### Guidance Supplier agreements should be established and documented to ensure that there is clear understanding between the organization and the supplier regarding both parties’ obligations to fulfil relevant information security requirements. The following terms can be considered for inclusion in the agreements in order to satisfy the identified information security requirements: 
@@ -66,7 +89,7 @@ z\) ensuring, at the end of the contract, handover support to another supplier o The organization should establish and maintain a register of agreements with external parties (e.g. contracts, memorandum of understanding, information-sharing agreements) to keep track of where their information is going. The organization should also regularly review, validate and update their agreements with external parties to ensure they are still required and fit for purpose with relevant information security clauses. -**Other information** +### Other information The agreements can vary considerably for different organizations and among the different types of suppliers. Therefore, care should be taken to include all relevant requirements for addressing information security risks. For details on supplier agreements, see ISO/IEC 27036 series. For cloud service agreements, see ISO/IEC 19086 series. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.21-Managing-information-security-in-the-ICT-supply-chain.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.21-Managing-information-security-in-the-ICT-supply-chain.md index bed7514..2519f49 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.21-Managing-information-security-in-the-ICT-supply-chain.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.21-Managing-information-security-in-the-ICT-supply-chain.md 
@@ -1,15 +1,36 @@ -#iso27002/2022/EN -[[ISO_27002_PE 5.21 Managing information security in the ICT supply chain]] +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.21" +title: "Managing information security in the ICT supply chain" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- ## 5.21 Managing information security in the ICT supply chain -**Control** +### Control Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. -**Purpose** +### Purpose To maintain an agreed level of information security in supplier relationships. -**Guidance** +### Guidance The following topics should be considered to address information security within ICT supply chain security in addition to the general information security requirements for supplier relationships: 
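Review bot: The 5.21 hunk deletes the `[[ISO_27002_PE 5.21 Managing information security in the ICT supply chain]]` wikilink without carrying it anywhere; if that note is still a wanted cross-reference, move it into the new frontmatter (for example under a `related:` key) rather than dropping it silently. Also, the closing `+---` of the frontmatter is immediately followed by the unchanged `## 5.21` heading, whereas the 5.20 and 5.23 hunks add a blank line after `+---`; add the blank line here so every file has the same frontmatter-then-heading shape.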
@@ -39,7 +60,7 @@ l\) defining rules for sharing of information regarding the supply chain and any m\) implementing specific processes for managing ICT component life cycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements. Identification of an alternative supplier and the process to transfer software and competence to the alternative supplier should be considered. -**Other information** +### Other information The specific ICT supply chain risk management practices are built on top of general information security, quality, project management and system engineering practices but do not replace them. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.22-Monitoring-review-and-change-management-of-supplier-services.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.22-Monitoring-review-and-change-management-of-supplier-services.md index 6f842b7..5e9e5cf 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.22-Monitoring-review-and-change-management-of-supplier-services.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.22-Monitoring-review-and-change-management-of-supplier-services.md 
@@ -1,12 +1,38 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.22" +title: "Monitoring, review and change management of supplier services" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection + - Defence + - Information_security_assurance +tags: + - iso27002/2022/EN +status: active +--- -**Control** +## 5.22 Monitoring, review, and change management of supplier services + +### Control The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. -**Purpose** +### Purpose To maintain an agreed level of information security and service delivery in line with supplier agreements. -**Guidance** +### Guidance Monitoring, review and change management of supplier services should ensure the information security terms and conditions of the agreements are complied with, information security incidents and problems are managed properly and changes in supplier services or business status do not affect service delivery. This should involve a process to manage the relationship between the organization and the supplier to: 
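Review bot: In the 5.22 hunk the new heading `+## 5.22 Monitoring, review, and change management of supplier services` carries an Oxford comma that neither the frontmatter `title: "Monitoring, review and change management of supplier services"` nor the filename `a-5.22-Monitoring-review-and-change-management-of-supplier-services.md` has, so any check that matches heading text against `title` will fail on this file alone. Drop the extra comma from the heading so all three agree.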
@@ -51,5 +77,5 @@ m\) evaluate regularly that the suppliers maintain adequate information security The responsibility for managing supplier relationships should be assigned to a designated individual or team. Sufficient technical skills and resources should be made available to monitor that the requirements of the agreement, in particular the information security requirements, are being met. Appropriate actions should be taken when deficiencies in the service delivery are observed. -**Other information** +### Other information See ISO/IEC 27036-3 for more detail. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.23-Information-security-for-use-of-cloud-services.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.23-Information-security-for-use-of-cloud-services.md index 4b5329c..adecb9a 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.23-Information-security-for-use-of-cloud-services.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.23-Information-security-for-use-of-cloud-services.md 
@@ -1,13 +1,36 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.23" +title: "Information security for use of cloud services" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 5.23 Information security for use of cloud services -#### Control +### Control Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements. -#### Purpose +### Purpose To specify and manage information security for the use of cloud services. -#### Guidance +### Guidance The organization should establish and communicate topic-specific policy on the use of cloud services to all relevant interested parties. The organization should define and communicate how it intends to manage information security risks associated with the use of cloud services. It can be an extension or part of the existing approach for how an organization manages services provided by external parties (see [5.21](a-5.21-Managing-information-security-in-the-ICT-supply-chain.md), [5.22](a-5.22-Monitoring-review-and-change-management-of-supplier-services.md)). 
@@ -48,7 +71,7 @@ c) use of peer cloud service providers or other sub-contractors (including chang The organization using cloud services should maintain close contact with its cloud service providers. These contacts enable mutual exchange of information about information security for the use of the cloud services including a mechanism for both cloud service provider and the organization, acting as the cloud service customer, to monitor each service characteristic and report failures to the commitments contained in the agreements. -#### Other information +### Other information This control considers cloud security from the perspective of the cloud service customer. Additional information relating to cloud services can be found in ISO/IEC 17788, ISO/IEC 17789 and ISO/IEC 22123-1. Specifics related to cloud portability in support of exit strategies can be found in ISO/IEC 19941. Specifics related to information security and public cloud services are described in ISO/IEC 27017. Specifics related to PII protection in public clouds acting as PII processor are described in ISO/IEC 27018. Supplier relationships for cloud services are covered by ISO/IEC 27036-4 and cloud service agreements and their contents are dealt with in the ISO/IEC 19086 series, with security and privacy specifically covered by ISO/IEC 19086-4. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.24-Information-security-incident-management-planning-and-preparation.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.24-Information-security-incident-management-planning-and-preparation.md index f8fac08..cf3e26b 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.24-Information-security-incident-management-planning-and-preparation.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.24-Information-security-incident-management-planning-and-preparation.md 
@@ -1,13 +1,38 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.24" +title: "Information security incident management planning and preparation" +theme: Organizational +control_type: [Corrective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Respond + - Recover +operational_capabilities: + - Governance + - Information_security_event_management +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.24 Information security incident management planning and preparation -#### Control +### Control The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. -#### Purpose +### Purpose To ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events. -#### Guidance +### Guidance **Roles and responsibilities** @@ -61,7 +86,7 @@ d\) creation of incident reports. Any external requirements on reporting of incidents to relevant interested parties within the defined time frame (e.g. breach notification requirements to regulators) should be considered when implementing incident management procedures. -**Other information** +### Other information Information security incidents can transcend organizational and national boundaries. To respond to such incidents, it is beneficial to coordinate response and share information about these incidents with external organizations as appropriate. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.25-Assessment-and-decision-on-information-security-events.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.25-Assessment-and-decision-on-information-security-events.md index 827c3ad..a2ebc82 100644 
--- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.25-Assessment-and-decision-on-information-security-events.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.25-Assessment-and-decision-on-information-security-events.md @@ -1,19 +1,37 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.25" +title: "Assessment and decision on information security events" +theme: Organizational +control_type: [Detective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Detect + - Respond +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.25 Assessment and decision on information security events -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------- | ---------------- | -| #Detective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence | - - - -**Control** +### Control The organization should assess information security events and decide if they are to be categorized as information security incidents. -**Purpose** +### Purpose @@ -21,7 +39,7 @@ To ensure effective categorization and prioritization of information security ev -**Guidance** +### Guidance @@ -31,5 +49,5 @@ Personnel responsible for coordinating and responding to information security in Results of the assessment and decision should be recorded in detail for the purpose of future reference and verification. -**Other information** +### Other information The ISO/IEC 27035 series provides further guidance on incident management. \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.26-Response-to-information-security-incidents.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.26-Response-to-information-security-incidents.md index f1a470f..7d2010b 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.26-Response-to-information-security-incidents.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.26-Response-to-information-security-incidents.md @@ -1,19 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.26" +title: "Response to information security incidents" +theme: Organizational +control_type: [Corrective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Respond + - Recover +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.26 Response to information security incidents -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------- | ---------------- | -| #Corrective | #Confidentiality #Integrity #Availability | #Respond #Recover | #Information_security_event_management | #Defence | - - -**Control** +### Control Information security incidents should be responded to in accordance with the documented procedures. -**Purpose** +### Purpose To ensure efficient and effective response to information security incidents. -**Guidance** +### Guidance The organization should establish and communicate procedures on information security incident response to all relevant interested parties. Information security incidents should be responded to by a designated team with the required competency (see [5.24](a-5.24-Information-security-incident-management-planning-and-preparation.md)). 
@@ -31,5 +50,5 @@ h\) conducting information security forensic analysis, as required (see [5.28](a i\) performing post-incident analysis to identify root cause. Ensure it is documented and communicated according to defined procedures (see [5.27](a-5.27-Learning-from-information-security-incidents.md)); j\) identifying and managing information security vulnerabilities and weaknesses including those related to controls which have caused, contributed to or failed to prevent the incident. -**Other information** +### Other information The ISO/IEC 27035 series provides further guidance on incident management. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.27-Learning-from-information-security-incidents.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.27-Learning-from-information-security-incidents.md index 6b32db2..dfc3967 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.27-Learning-from-information-security-incidents.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.27-Learning-from-information-security-incidents.md 
@@ -1,13 +1,36 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.27" +title: "Learning from information security incidents" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.27 Learning from information security incidents -#### Control +### Control Knowledge gained from information security incidents should be used to strengthen and improve the information security controls. -#### Purpose +### Purpose To reduce the likelihood or consequences of future incidents. -#### Guidance +### Guidance The organization should establish procedures to quantify and monitor the types, volumes and costs of information security incidents. The information gained from the evaluation of information security incidents should be used to: @@ -18,6 +41,6 @@ b\) identify recurring or serious incidents and their causes to update the organ c\) enhance user awareness and training (see [6.3](ISO_27002_2022_6.3_OT%20Information%20security%20awareness%2C%20education%20and%20training.md)) by providing examples of what can happen, how to respond to such incidents and how to avoid them in the future. -#### Other information +### Other information The ISO/IEC 27035 series provides further guidance. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.28-Collection-of-evidence.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.28-Collection-of-evidence.md index d4b3cff..aa56cf0 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.28-Collection-of-evidence.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.28-Collection-of-evidence.md 
@@ -1,20 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.28" +title: "Collection of evidence" +theme: Organizational +control_type: [Corrective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Detect + - Respond +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.28 Collection of evidence -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------- | ---------------- | -| #Corrective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence | - - - -**Control** +### Control The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. -**Purpose** +### Purpose To ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions. -**Guidance** +### Guidance Internal procedures should be developed and followed when dealing with evidence related to information security events for the purposes of disciplinary and legal actions. The requirements of different jurisdictions should be considered to maximize chances of admission across the relevant jurisdictions. In general, these procedures for the management of evidence should provide instructions for the identification, collection, acquisition and preservation of evidence in accordance with different types of storage media, devices and status of devices (i.e. powered on or off). 
Evidence typically needs to be collected in a manner that is admissible in the appropriate national courts of law or another disciplinary forum. It should be possible to show that: @@ -29,7 +47,7 @@ Where available, certification or other relevant means of qualification of perso Digital evidence can transcend organizational or jurisdictional boundaries. In such cases, it should be ensured that the organization is entitled to collect the required information as digital evidence. -**Other information** +### Other information When an information security event is first detected, it is not always obvious whether or not the event will result in court action. Therefore, the danger exists that necessary evidence is destroyed intentionally or accidentally before the seriousness of the incident is realized. It is advisable to involve legal advice or law enforcement early in any contemplated legal action and take advice on the evidence required. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.29-Information-security-during-disruption.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.29-Information-security-during-disruption.md index c37ffcf..6830e03 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.29-Information-security-during-disruption.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.29-Information-security-during-disruption.md 
@@ -1,17 +1,40 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.29" +title: "Information security during disruption" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Respond +operational_capabilities: [Continuity] +security_domains: + - Protection + - Resilience +tags: + - iso27002/2022/EN +status: active +--- + ## 5.29 Information security during disruption -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ----------------------- | ----------------------------------------- | ---------------------- | ------------------------ | ----------------------- | -| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Continuity | #Protection #Resilience | - -**Control** +### Control The organization should plan how to maintain information security at an appropriate level during disruption. -**Purpose** +### Purpose To protect information and other associated assets during disruption. -**Guidance** +### Guidance The organization should determine its requirements for adapting information security controls during disruption. Information security requirements should be included in the business continuity management processes. Plans should be developed, implemented, tested, reviewed and evaluated to maintain or restore the security of information of critical business processes following interruption or failure. Security of information should be restored at the required level and in the required time frames. 
@@ -24,7 +47,7 @@ b\) processes to maintain existing information security controls during disrupti c\) compensating controls for information security controls that cannot be maintained during disruption. -**Other information** +### Other information In the context of business continuity and ICT continuity planning, it can be necessary to adapt the information security requirements depending on the type of disruption, compared to normal operational conditions. As part of the business impact analysis and risk assessment performed within business continuity management, the consequences of loss of confidentiality and integrity of information should be considered and prioritized in addition to the need for maintaining availability. Information on business continuity management systems can be found in ISO 22301 and ISO 22313. Further guidance on business impact analysis (BIA) can be found in ISO/TS 22317. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md index 9895400..a5c86c7 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md @@ -1,4 +1,27 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.3" +title: "Segregation of duties" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Governance + - Identity_and_access_management +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.3 Segregation of duties ### Control 
@@ -12,24 +35,24 @@ Segregation of duties and areas of responsibility aims to separate conflicting d The organization should determine which duties and areas of responsibility need to be segregated. The following are examples of activities that can require segregation: -a)   initiating, approving and executing a change; +a) initiating, approving and executing a change; -b)   requesting, approving and implementing access rights; +b) requesting, approving and implementing access rights; -c)   designing, implementing and reviewing code; +c) designing, implementing and reviewing code; -d)   developing software and administering production systems; +d) developing software and administering production systems; -e)   using and administering applications; +e) using and administering applications; -f)   using applications and administering databases; +f) using applications and administering databases; -g)   designing, auditing and assuring information security controls. +g) designing, auditing and assuring information security controls. -The  possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision. +The possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision. Care should be taken when using role-based access control systems to ensure that persons are not granted conflicting roles. 
When there is a large number of roles, the organization should consider using automated tools to identify conflicts and facilitate their removal. Roles should be carefully defined and provisioned to minimize access problems if a role is removed or reassigned. -### Other **information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md index 57a9d36..0bb8db8 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md @@ -1,15 +1,29 @@ -#iso27002/2022/EN -See also: -- [BCP_Bedrijfscontinuïteitsplanning](../../../../../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md) -- [Disaster Recovery Planning](../../../../../🎇%20Sparks/Disaster%20Recovery%20Planning.md) +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.30" +title: "ICT readiness for business continuity" +theme: Organizational +control_type: [Corrective] +information_security_properties: [Availability] +cybersecurity_concepts: [Respond] +operational_capabilities: [Continuity] +security_domains: [Resilience] +tags: + - iso27002/2022/EN +status: active +--- -# **5.30** **ICT** **readiness** **for** **business** continuity +## 5.30 ICT readiness for business continuity -## Purpose +### Purpose To ensure the availability of the organization’s information and other associated assets during disruption. -## Guidance +### Guidance ICT readiness for business continuity is an important component in business continuity management and information security management to ensure that the organization’s objectives can continue to be met during disruption. 
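Review bot: The 5.30 hunk leaves the file without a `### Control` section: the old file went straight from the heading to `## Purpose`, and the rewrite keeps that shape, so 5.30 is the only control in this patch whose `### Purpose` is not preceded by a control statement. Add the `### Control` section in the same form the sibling files use. The same hunk also deletes the `See also:` links to `BCP_Bedrijfscontinuïteitsplanning.md` and `Disaster Recovery Planning.md` without carrying them into the frontmatter; if those cross-references are wanted, keep them under a key such as `related:` instead of dropping them.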
@@ -34,7 +48,7 @@ c)   ICT continuity plans include the following ICT continuity information: 2)   RTO of each prioritized ICT service and the procedures for restoring those components; 3)   RPO of the prioritized ICT resources defined as information and the procedures for restoring the information. -## Other **information** +### Other information Managing ICT continuity forms a key part of business continuity requirements concerning availability to be able to: diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md index 03202b6..9b03793 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md 
@@ -1,16 +1,36 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.31" +title: "Legal, statutory, regulatory and contractual requirements" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Legal_and_compliance] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 5.31 Legal, statutory, regulatory and contractual requirements -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------ | ------------------------------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Legal_and_compliance | #Governance_and_Ecosystem #Protection | - -**Control** +### Control Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date. -**Purpose** +### Purpose To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security. -**Guidance** +### Guidance <u>General</u> External requirements including legal, statutory, regulatory or contractual requirements should be taken into consideration when: diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.32-Intellectual-property-rights.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.32-Intellectual-property-rights.md index 74e38b0..8ead371 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.32-Intellectual-property-rights.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.32-Intellectual-property-rights.md 
@@ -1,10 +1,31 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.32" +title: "Intellectual property rights" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Legal_and_compliance] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.32 Intellectual property rights -**Control** +### Control The organization should implement appropriate procedures to protect intellectual property rights. -**Purpose** +### Purpose To ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products. The following guidelines should be considered to protect any material that can be considered intellectual property: @@ -33,7 +54,7 @@ k\) not duplicating, converting to another format or extracting from commercial l\) not copying, in full or in part, standards (e.g. ISO/IEC International Standards), books, articles, reports or other documents, other than permitted by copyright law or the applicable licences. -**Other information** +### Other information Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licences. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.33-Protection-of-records.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.33-Protection-of-records.md index b4d26f3..3e03743 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.33-Protection-of-records.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.33-Protection-of-records.md 
@@ -1,19 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.33" +title: "Protection of records" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: + - Legal_and_compliance + - Asset_management + - Information_protection +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- ## 5.33 Protection of records - - -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | --------------------------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Legal_and_compliance #Asset_management #Information_protection | #Defence | - - -**Control** +### Control Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. -**Purpose** +### Purpose To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records. -**Guidance** +### Guidance The organization should take the following steps to protect the authenticity, reliability, integrity and usability of records, as their business context and requirements for their management change over time: a\) issue guidelines on the storage, handling chain of custody and disposal of records, which includes prevention of manipulation of records. These guidelines should be aligned with the organization’s topic-specific policy on records management and other records requirements; 
@@ -30,7 +49,7 @@ Where electronic storage media are chosen, procedures to ensure the ability to a Storage and handling procedures should be implemented in accordance with recommendations provided by manufacturers of storage media. Consideration should be given to the possibility of deterioration of media used for storage of records. -**Other information** +### Other information Records document individual events or transactions or can form aggregations that have been designed to document work processes, activities or functions. They are both evidence of business activity and information assets. Any set of information, regardless of its structure or form, can be managed as a record. This includes information in the form of a document, a collection of data or other types of digital or analogue information which are created, captured and managed in the course of business. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.34-Privacy-and-protection-of-PII.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.34-Privacy-and-protection-of-PII.md index cf279bd..984c36d 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.34-Privacy-and-protection-of-PII.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.34-Privacy-and-protection-of-PII.md 
@@ -1,18 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.34" +title: "Privacy and protection of PII" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: + - Information_protection + - Legal_and_compliance +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.34 Privacy and protection of PII - - -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | --------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Information_protection #Legal_and_compliance | #Protection | - -**Control** +### Control The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. -**Purpose** +### Purpose To ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII. -**Guidance** +### Guidance The organization should establish and communicate a topic-specific policy on privacy and protection of PII to all relevant interested parties. The organization should develop and implement procedures for the preservation of privacy and protection of PII. These procedures should be communicated to all relevant interested parties involved in the processing of personally identifiable information. 
@@ -23,7 +43,7 @@ Responsibility for handling PII should be dealt with taking into consideration r Appropriate technical and organizational measures to protect PII should be implemented. -**Other information** +### Other information A number of countries have introduced legislation placing controls on the collection, processing, transmission and deletion of PII. Depending on the respective national legislation, such controls can impose duties on those collecting, processing and disseminating PII and can also restrict the authority to transfer PII to other countries. ISO/IEC 29100 provides a high-level framework for the protection of PII within ICT systems. Further information on privacy information management systems can be found in ISO/IEC 27701. Specific information regarding privacy information management for public clouds acting as PII processors can be found in ISO/IEC 27018. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.35-Independent-review-of-information-security.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.35-Independent-review-of-information-security.md index 893e829..ce5ce77 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.35-Independent-review-of-information-security.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.35-Independent-review-of-information-security.md 
@@ -1,18 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.35" +title: "Independent review of information security" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: [Information_security_assurance] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.35 Independent review of information security - - -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ----------------------- | ----------------------------------------- | ---------------------- | ------------------------------- | ------------------------- | -| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Identify #Protect | #Information_security_assurance | #Governance_and_Ecosystem | - -**Control** +### Control The organization’s approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur. -**Purpose** +### Purpose To ensure the continuing suitability, adequacy and effectiveness of the organization’s approach to managing information security. -**Guidance** +### Guidance The organization should have processes to conduct independent reviews. Management should plan and initiate periodic independent reviews. The reviews should include assessing opportunities for improvement and the need for changes to the approach to information security, including the information security policy, topic-specific policies and other controls. 
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.36-Compliance-with-policies-rules-and-standards-for-information-security.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.36-Compliance-with-policies-rules-and-standards-for-information-security.md index ed00652..a37fc1d 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.36-Compliance-with-policies-rules-and-standards-for-information-security.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.36-Compliance-with-policies-rules-and-standards-for-information-security.md 
@@ -1,16 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.36" +title: "Compliance with policies, rules and standards for information security" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: + - Legal_and_compliance + - Information_security_assurance +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.36 Compliance with policies, rules and standards for information security -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ----------------------------------------------------- | ------------------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Legal_and_compliance #Information_security_assurance | #Governance_and_Ecosystem | - -**Control** +### Control Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed. -**Purpose** +### Purpose To ensure that information security is implemented and operated in accordance with the organization’s information security policy, topic-specific policies, rules and standards. -**Guidance** +### Guidance Managers, service, product or information owners should identify how to review that information security requirements defined in the information security policy, topic-specific policies, rules, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review. If any non-compliance is found as a result of the review, managers should: 
@@ -27,5 +49,5 @@ Results of reviews and corrective actions carried out by managers, service, prod Corrective actions should be completed in a timely manner as appropriate to the risk. If not completed by the next scheduled review, progress should at least be addressed at that review. -**Other information** +### Other information Operational monitoring of system use is covered in 8.15, 8.16, 8.17. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.37-Documented-operating-procedures.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.37-Documented-operating-procedures.md index 141da41..ffdd837 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.37-Documented-operating-procedures.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.37-Documented-operating-procedures.md 
@@ -1,18 +1,50 @@ - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.37" +title: "Documented operating procedures" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Recover +operational_capabilities: + - Asset_management + - Physical_security + - System_and_network_security + - Application_security + - Secure_configuration + - Identity_and_access_management + - Threat_and_vulnerability_management + - Continuity + - Information_security_event_management +security_domains: + - Governance_and_Ecosystem + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- ## 5.37 Documented operating procedures -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ----------------------- | ----------------------------------------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | -| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Recover | #Asset_management #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Information_security_event_management | #Governance_and_Ecosystem #Protection #Defence | - -**Control** +### Control Operating procedures for information processing facilities should be documented and made available to personnel who need them. -**Purpose** +### Purpose To ensure the correct and secure operation of information processing facilities. 
-**Guidance** +### Guidance Documented procedures should be prepared for the organization’s operational activities associated with information security, for example: a\) when the activity needs to be performed in the same way by many people; @@ -51,5 +83,5 @@ l\) maintenance instructions. Documented operating procedures should be reviewed and updated when needed. Changes to documented operating procedures should be authorized. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities. -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.4-Management-responsibilities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.4-Management-responsibilities.md index 2f50de6..9dca0e8 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.4-Management-responsibilities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.4-Management-responsibilities.md 
@@ -1,13 +1,34 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.4" +title: "Management responsibilities" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Governance] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.4 Management responsibilities -#### Control +### Control Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. -#### Purpose +### Purpose To ensure management understand their role in information security and undertake actions aiming to ensure all personnel are aware of and fulfill their information security responsibilities. -#### Guidance +### Guidance Management should demonstrate support of the information security policy, topic-specific policies, procedures and information security controls. Management responsibilities should include ensuring that personnel: @@ -28,5 +49,5 @@ g)   where practicable, are provided with a confidential channel for reporting h)   are provided with adequate resources and project planning time for implementing the organization’s security-related processes and controls. -#### Other information +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.5-Contact-with-authorities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.5-Contact-with-authorities.md index 423a885..89b4857 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.5-Contact-with-authorities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.5-Contact-with-authorities.md 
@@ -1,18 +1,47 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.5" +title: "Contact with authorities" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect + - Respond + - Recover +operational_capabilities: [Governance] +security_domains: + - Defence + - Resilience +tags: + - iso27002/2022/EN +status: active +--- + ## 5.5 Contact with authorities -#### Control +### Control The organization should establish and maintain contact with relevant authorities. -#### Purpose +### Purpose To ensure appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities. -#### Guidance +### Guidance The organization should specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner. Contacts with authorities should also be used to facilitate the understanding about the current and upcoming expectations of these authorities (e.g. applicable information security regulations). -#### Other information +### Other information Organizations under attack can request authorities to take action against the attack source. Maintaining such contacts can be a requirement to support information security incident management (see 5.24 to 5.28) or the contingency planning and business continuity processes (see [5.29](a-5.29-Information-security-during-disruption.md), [5.30](a-5.30-ICT-readiness-for-business-continuity.md)). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. 
Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety \[e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)\]. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.6-Contact-with-special-interest-groups.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.6-Contact-with-special-interest-groups.md index ad461d2..bc0596b 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.6-Contact-with-special-interest-groups.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.6-Contact-with-special-interest-groups.md @@ -1,13 +1,39 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.6" +title: "Contact with special interest groups" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Respond + - Recover +operational_capabilities: [Governance] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- + ## 5.6 Contact with special interest groups -#### Control +### Control The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations. -#### Purpose +### Purpose To ensure appropriate flow of information takes place with respect to information security. -#### Guidance +### Guidance Membership of special interest groups or forums should be considered as a means to: @@ -24,5 +50,5 @@ e)   share  and  exchange  information  about  new  technologies,  produ f)   provide suitable liaison points when dealing with information security incidents (see 5.24 to 5.28). -#### Other information +### Other information No other information. \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md index 538e7c8..3a05e86 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md @@ -1,13 +1,42 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.7" +title: "Threat intelligence" +theme: Organizational +control_type: + - Preventive + - Detective + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Detect + - Respond +operational_capabilities: [Threat_and_vulnerability_management] +security_domains: + - Defence + - Resilience +tags: + - iso27002/2022/EN +status: active +--- + ## 5.7 Threat intelligence -#### Control +### Control Information relating to information security threats should be collected and analysed to produce threat intelligence. -#### Purpose +### Purpose To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken. -#### Guidance +### Guidance Information about existing or emerging threats is collected and analysed in order to: a)  facilitate informed actions to prevent the threats from causing harm to the organization; diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.8-Information-security-in-project-management.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.8-Information-security-in-project-management.md index 1cded2c..5458b2c 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.8-Information-security-in-project-management.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.8-Information-security-in-project-management.md 
@@ -1,13 +1,38 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.8" +title: "Information security in project management" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: [Governance] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 5.8 Information security in project management -#### Control +### Control Information security should be integrated into project management. -#### Purpose +### Purpose To ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle. -#### Guidance +### Guidance Information security should be integrated into project management to ensure information security risks are addressed as part of the project management. This can be applied to any type of project regardless of its complexity, size, duration, discipline or application area (e.g. a project for a core business process, ICT, facility management or other supporting processes). The project management in use should require that: 
@@ -46,7 +71,7 @@ h)   compliance with the legal, statutory, regulatory and contractual environme i) level of confidence or assurance required for third parties to meet the organization’s information security policy and topic-specific policies including relevant security clauses in any agreements or contracts. -#### Other information +### Other information The project development approach, such as waterfall life cycle or agile life cycle, should support information security in a structured way that can be adapted to suit the assessed severity of the information security risks, based on the character of the project. Early consideration of information security requirements for the product or service (e.g. at the planning and design stages), can lead to more effective and cost-efficient solutions for quality and information security. ISO 21500 and ISO 21502 provide guidance on concepts and processes of project management that are important for the performance of projects. ISO/IEC 27005 provides guidance on the use of risk management processes to identify controls to meet information security requirements. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.9-Inventory-of-information-and-other-associated-assets.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.9-Inventory-of-information-and-other-associated-assets.md index 8168224..195f25a 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.9-Inventory-of-information-and-other-associated-assets.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.9-Inventory-of-information-and-other-associated-assets.md 
@@ -1,18 +1,36 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.9" +title: "Inventory of information and other associated assets" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Asset_management] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- ## 5.9 Inventory of information and other associated assets -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -|--------------|----------------------------------------|-----------------------|-------------------------|-----------------------------------| -| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Asset_management | #Governance_and_Ecosystem #Protection | - -**Control** +### Control An inventory of information and other associated assets, including owners, should be developed and maintained. -**Purpose** +### Purpose To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. -**Guidance** +### Guidance <u>Inventory</u> The organization should identify its information and other associated assets and determine their importance in terms of information security. Documentation should be maintained in dedicated or existing inventories as appropriate. 
@@ -55,7 +73,7 @@ h\) they are involved in the identification and management of risks associated w i\) they support personnel who have the roles and responsibilities of managing their information. -**Other information** +### Other information Inventories of information and other associated assets are often necessary to ensure the effective protection of information and can be required for other purposes, such as health and safety, insurance or financial reasons. Inventories of information and other associated assets also support risk management, audit activities, vulnerability management, incident response and recovery planning. Tasks and responsibilities can be delegated (e.g. to a custodian looking after the assets on a daily basis), but the person or group who delegated them remains accountable. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.1-Screening.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.1-Screening.md index 640bc60..759efd0 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.1-Screening.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.1-Screening.md 
@@ -1,20 +1,34 @@ -# Control 6.1 Screening - - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.1" +title: "Screening" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Human_resource_security] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- ## 6.1 Screening -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------- | ----------------------------------------- | -------------------------- | ---------------------------- | ------------------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem | - -**Control** +### Control Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. -**Purpose** +### Purpose To ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment. -**Guidance** +### Guidance A screening process should be performed for all personnel including full-time, part-time and temporary staff. Where these individuals are contracted through suppliers of services, screening requirements should be included in the contractual agreements between the organization and the suppliers. 
Information on all candidates being considered for positions within the organization should be collected and handled taking into consideration any appropriate legislation existing in the relevant jurisdiction. In some jurisdictions, the organization can be legally required to inform the candidates beforehand about the screening activities. @@ -44,5 +58,5 @@ d\) termination of employment. Verification checks should be repeated periodically to confirm ongoing suitability of personnel, depending on the criticality of a person’s role. -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.2-Terms-and-conditions-of-employment.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.2-Terms-and-conditions-of-employment.md index 5583450..1295056 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.2-Terms-and-conditions-of-employment.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.2-Terms-and-conditions-of-employment.md 
@@ -1,16 +1,34 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.2" +title: "Terms and conditions of employment" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Human_resource_security] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- + ## 6.2 Terms and conditions of employment -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------- | ----------------------------------------- | -------------------------- | ---------------------------- | ------------------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem | - -**Control** +### Control The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security. -**Purpose** +### Purpose To ensure personnel understand their information security responsibilities for the roles for which they are considered. -**Guidance** +### Guidance The contractual obligations for personnel should take into consideration the organization’s information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated: a\) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets (see [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md)); 
@@ -29,7 +47,7 @@ The organization should ensure that personnel agree to terms and conditions conc Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see [6.5](a-6.5-Responsibilities-after-termination-or-change-of-employment.md)). -**Other information** +### Other information A code of conduct can be used to state personnel’s information security responsibilities regarding confidentiality, PII protection, ethics, appropriate use of the organization’s information and other associated assets, as well as reputable practices expected by the organization. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.3-Information-security-awareness-education-and-training.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.3-Information-security-awareness-education-and-training.md index 5994f8f..7dc6748 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.3-Information-security-awareness-education-and-training.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.3-Information-security-awareness-education-and-training.md 
@@ -1,20 +1,34 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.3" +title: "Information security awareness, education and training" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Human_resource_security] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- ## 6.3 Information security awareness, education and training -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------- | ----------------------------------------- | -------------------------- | ---------------------------- | ------------------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem | - - - -**Control** +### Control Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. -**Purpose** +### Purpose To ensure personnel and relevant interested parties are aware of and fullfil their information security responsibilities. -**Guidance** +### Guidance <u>General</u> An information security awareness, education and training programme should be established in line with the organization’s information security policy, topic-specific policies and relevant procedures on information security, taking into consideration the organization’s information to be protected and the information security controls that have been implemented to protect the information. 
@@ -66,7 +80,7 @@ The education and training programme should consider different forms \[e.g. lect -**Other information** +### Other information When composing an awareness programme, it is important not only to focus on the ’what’ and ’how’, but also the ’why’, when possible. It is important that personnel understand the aim of information security and the potential effect, positive and negativ e, on the organization of their own behaviour. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.4-Disciplinary-process.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.4-Disciplinary-process.md index b2f1db0..046afe0 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.4-Disciplinary-process.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.4-Disciplinary-process.md @@ -1,16 +1,34 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.4" +title: "Disciplinary process" +theme: People +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Respond +operational_capabilities: [Human_resource_security] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- + ## 6.4 Disciplinary process -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|----------------------------|-----------------------------------------|---------------------------|-------------------------------|-----------------------------| - -| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Human_resource_security | #Governance_and_Ecosystem | - - - -**Control** +### Control @@ -18,7 +36,7 @@ A disciplinary process should be formalized and communicated to take actions aga -**Purpose** +### Purpose 
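Review bot: the 6.1 and 6.3 front-matter hunks emit no blank line between the closing `---` and the section heading (`+--- ## 6.1 Screening`), whereas 6.2 and 6.4 emit `+---`, a blank `+` line, then `## 6.2 ...`. The difference comes from the files whose leading blank lines were removed (`-# Control 6.1 Screening - -`, `-#iso27002/2022/EN`) getting the front matter spliced in without a separator. Most front-matter parsers accept both forms, but the blank line makes the YAML boundary unambiguous and keeps the generated files uniform; suggest emitting it unconditionally (the same omission recurs in 6.5, 6.6, 6.8, 7.1, 7.3 and 7.4 below).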
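Review bot: the unchanged context lines right next to the 6.3 heading edits carry two transcription typos, `fullfil` in the Purpose paragraph and `negativ e` in the Other information paragraph. Since the front matter now tags these files as `notetype: sourcetext`, the body is expected to match the standard's wording; either correct them while the file is being rewritten or open a follow-up so they are not lost.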
@@ -26,7 +44,7 @@ To ensure personnel and other relevant interested parties understand the consequ -**Guidance** +### Guidance @@ -58,7 +76,7 @@ The response should take into consideration relevant legal, statutory, regulator -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.5-Responsibilities-after-termination-or-change-of-employment.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.5-Responsibilities-after-termination-or-change-of-employment.md index 172277d..f977df9 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.5-Responsibilities-after-termination-or-change-of-employment.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.5-Responsibilities-after-termination-or-change-of-employment.md 
@@ -1,18 +1,36 @@ - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.5" +title: "Responsibilities after termination or change of employment" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Human_resource_security + - Asset_management +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- ## 6.5 Responsibilities after termination or change of employment -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------- | ----------------------------------------- | -------------------------- | ---------------------------- | -------------------- | -| #Preventive | #Confidentiality #Integrity #Availability | | | | - -**Control** +### Control Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. -**Purpose** +### Purpose To protect the organization’s interests as part of the process of changing or terminating employment or contracts. -**Guidance** +### Guidance The process for managing termination or change of employment should define which information security responsibilities and duties should remain valid after termination or change. This can include confidentiality of information, intellectual property and other knowledge obtained, as well as responsibilities contained within any other confidentiality agreement (see [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md)). 
Responsibilities and duties still valid after termination of employment or contract should be contained in the individual’s terms and conditions of employment (see [6.2](a-6.2-Terms-and-conditions-of-employment.md)), contract or agreement. Other contracts or agreements that continue for a defined period after the end of the individual’s employment can also contain information security responsibilities. Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment. @@ -23,5 +41,5 @@ A process should be established for the communication of the changes and of oper The process for the termination or change of employment should also be applied to external personnel (i.e. suppliers) when a termination occurs of personnel, the contract or the job with the organization, or when there is a change of the job within the organization. -**Other information** +### Other information In many organizations, the human resources function is generally responsible for the overall termination process and works together with the supervising manager of the person transitioning to manage the information security aspects of the relevant procedures. In the case of personnel provided through an external party (e.g. through a supplier), this termination process is undertaken by the external party in accordance with the contract between the organization and the external party. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.6-Confidentiality-or-non-disclosure-agreements.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.6-Confidentiality-or-non-disclosure-agreements.md index b669405..ea1969a 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.6-Confidentiality-or-non-disclosure-agreements.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.6-Confidentiality-or-non-disclosure-agreements.md 
@@ -1,24 +1,36 @@ - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.6" +title: "Confidentiality or non-disclosure agreements" +theme: People +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: + - Human_resource_security + - Information_protection + - Supplier_relationships_security +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +--- ## 6.6 Confidentiality or non-disclosure agreements -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|------------------------------------|---------------------------|-------------------------------------------------------------|-------------------------------| - -| #Preventive | #Confidentiality | #Protect | #Human_resource_security #Information_protection #Supplier_relationships | #Governance_and_Ecosystem | - - - -**Control** +### Control Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. -**Purpose** +### Purpose @@ -26,7 +38,7 @@ To maintain confidentiality of information accessible by personnel or external p -**Guidance** +### Guidance @@ -82,7 +94,7 @@ Requirements for confidentiality and non-disclosure agreements should be reviewe -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.7-Remote-working.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.7-Remote-working.md index 289fc7c..2d3acfb 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.7-Remote-working.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.7-Remote-working.md 
@@ -1,16 +1,34 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.7" +title: "Remote working" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Asset_management + - Information_protection + - Physical_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 6.7 Remote working -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|--------------------------------------------------------------------------------|---------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection #Physical_security #System_and_network_security | #Protection | - - - -**Control** +### Control @@ -18,7 +36,7 @@ Security measures should be implemented when personnel are working remotely to p -**Purpose** +### Purpose @@ -26,7 +44,7 @@ To ensure the security of information when personnel are working remotely. -**Guidance** +### Guidance diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.8-Information-security-event-reporting.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.8-Information-security-event-reporting.md index 0b00a6c..d5627df 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-6.8-Information-security-event-reporting.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-6.8-Information-security-event-reporting.md 
@@ -1,18 +1,29 @@ - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.8" +title: "Information security event reporting" +theme: People +control_type: [Detective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Detect] +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- ## 6.8 Information security event reporting - -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|---------------------------------------------|---------------------| - -| #Detective | #Confidentiality #Integrity #Availability | #Detect | #Information_security_event_management | #Defence | - - - -**Control** +### Control @@ -20,7 +31,7 @@ The organization should provide a mechanism for personnel to report observed or -**Purpose** +### Purpose @@ -28,7 +39,7 @@ To support timely, consistent and effective reporting of information security ev -**Guidance** +### Guidance @@ -88,7 +99,7 @@ Personnel and users should be advised not to attempt to prove suspected informat -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.1-Physical-security-perimeters.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.1-Physical-security-perimeters.md index 216097e..7b6f3dd 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.1-Physical-security-perimeters.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.1-Physical-security-perimeters.md 
@@ -1,22 +1,37 @@ - - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.1" +title: "Physical security perimeters" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- ## 7.1 Physical security perimeters -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -|------------------|-----------------------------------------|---------------------------|-----------------------------------|---------------------| -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security | - -**Control** +### Control Security perimeters should be defined and used to protect areas that contain information and other associated assets. -**Purpose** +### Purpose To prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets. -**Guidance** +### Guidance @@ -36,7 +51,7 @@ c\) alarming, monitoring and testing all fire doors on a security perimeter in c -**Other information** +### Other information Physical protection can be achieved by creating one or more physical barriers around the organization’s premises and information processing facilities. A secure area can be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access can be necessary between areas with different security requirements inside the security perimeter. The organization should consider having physical security measures that can be strengthened during increased threat situations. \ No newline at end of file 
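Review bot: the 7.1 and 6.5 hunks introduce classification values that have no counterpart in the table being removed. In 7.1 the old data row ends at `| #Physical_security |` with no Security domains cell, yet the front matter sets `security_domains: [Protection]`; in 6.5 the old row `| #Preventive | #Confidentiality #Integrity #Availability | | | |` has three empty cells, and the front matter fills them with `cybersecurity_concepts: [Protect]`, `operational_capabilities` including `Asset_management`, and `security_domains: [Governance_and_Ecosystem]`. If these were taken from the standard's attribute table rather than the file, say so in the commit message and list the files where the source table was incomplete, so a reviewer can verify the additions instead of reading the change as a pure table-to-front-matter migration.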
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.10-Storage-media.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.10-Storage-media.md index a22aea1..1d1219f 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.10-Storage-media.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.10-Storage-media.md @@ -1,16 +1,32 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.10" +title: "Storage media" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.10 Storage media -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|---------------------------------------------|---------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection | - - - -**Control** +### Control @@ -18,7 +34,7 @@ Storage media should be managed through their life cycle of acquisition, use, tr -**Purpose** +### Purpose @@ -26,7 +42,7 @@ To ensure only authorized disclosure, modification, removal or destruction of in -**Guidance** +### Guidance @@ -118,6 +134,6 @@ A risk assessment should be performed on damaged devices containing sensitive da -**Other information** +### Other information When confidential information on storage media is not encrypted, additional physical protection of the storage media should be considered. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.11-Supporting-utilities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.11-Supporting-utilities.md index 3ee2bd9..86559d7 100644 
--- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.11-Supporting-utilities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.11-Supporting-utilities.md @@ -1,16 +1,33 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.11" +title: "Supporting utilities" +theme: Physical +control_type: + - Preventive + - Detective +information_security_properties: + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.11 Supporting utilities -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|-----------------------|------------------------------------|---------------------------|-----------------------------|----------------------| - -| #Preventive<br>#Detective | #Integrity<br>#Availability | #Protect #Detect | #Physical_security | #Protection | - - - -**Control** +### Control @@ -18,7 +35,7 @@ Information processing facilities should be protected from power failures and ot -**Purpose** +### Purpose @@ -26,7 +43,7 @@ To prevent loss, damage or compromise of information and other associated assets -**Guidance** +### Guidance @@ -66,7 +83,7 @@ Emergency lighting and communications should be provided. Emergency switches and -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.12-Cabling-security.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.12-Cabling-security.md index 26f7384..1e038ef 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.12-Cabling-security.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.12-Cabling-security.md 
@@ -1,16 +1,29 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.12" +title: "Cabling security" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.12 Cabling security -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|------------------------------------|---------------------------|-----------------------------|----------------------| - -| #Preventive | #Confidentiality #Availability | #Protect | #Physical_security | #Protection | - - - -**Control** +### Control @@ -18,7 +31,7 @@ Cables carrying power, data or supporting information services should be protect -**Purpose** +### Purpose @@ -26,7 +39,7 @@ To prevent loss, damage, theft or compromise of information and other associated -**Guidance** +### Guidance @@ -74,7 +87,7 @@ Specialist advice should be sought on how to manage risks arising from cabling i -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.13-Equipment-maintenance.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.13-Equipment-maintenance.md index 2f16d29..28e4fc0 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.13-Equipment-maintenance.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.13-Equipment-maintenance.md 
@@ -1,16 +1,34 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.13" +title: "Equipment maintenance" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: + - Protection + - Resilience +tags: + - iso27002/2022/EN +status: active +--- + ## 7.13 Equipment maintenance -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|----------------------------------------|---------------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection #Resilience | - - - -**Control** +### Control @@ -18,7 +36,7 @@ Equipment should be maintained correctly to ensure availability, integrity and c -**Purpose** +### Purpose @@ -26,7 +44,7 @@ To prevent loss, damage, theft or compromise of information and other associated -**Guidance** +### Guidance @@ -78,7 +96,7 @@ k\) applying measures for secure disposal or re-use of equipment (see [7.14](a-7 -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.14-Secure-disposal-or-re-use-of-equipment.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.14-Secure-disposal-or-re-use-of-equipment.md index c3867ad..b08e158 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.14-Secure-disposal-or-re-use-of-equipment.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.14-Secure-disposal-or-re-use-of-equipment.md 
@@ -1,16 +1,29 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.14" +title: "Secure disposal or re-use of equipment" +theme: Physical +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.14 Secure disposal or re-use of equipment -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|------------------------------------|---------------------------|----------------------------------------|---------------------------| - -| #Preventive | #Confidentiality | #Protect | #Physical_security #Asset_management | #Protection | - - - -**Control** +### Control @@ -18,7 +31,7 @@ Items of equipment containing storage media should be verified to ensure that an -**Purpose** +### Purpose @@ -54,7 +67,7 @@ c\) the ability to reuse the controls at the next facility. -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.2-Physical-entry.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.2-Physical-entry.md index 0208a84..5ff9dbe 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.2-Physical-entry.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.2-Physical-entry.md 
@@ -1,16 +1,32 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.2" +title: "Physical entry" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Identity_and_access_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.2 Physical entry - -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -|------------------|-----------------------------------------|---------------------------|-----------------------------------------------------|---------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Identity_and_Access - - - -**Control** +### Control @@ -18,7 +34,7 @@ Secure areas should be protected by appropriate entry controls and access points -**Purpose** +### Purpose @@ -26,7 +42,7 @@ To ensure only authorized physical access to the organization’s information an -**Guidance** +### Guidance @@ -146,6 +162,6 @@ g\) inspecting incoming deliveries for evidence of tampering on the way. If tamp -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.3-Securing-offices-rooms-and-facilities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.3-Securing-offices-rooms-and-facilities.md index 3868b43..0c7d605 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.3-Securing-offices-rooms-and-facilities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.3-Securing-offices-rooms-and-facilities.md 
@@ -1,18 +1,32 @@ - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.3" +title: "Securing offices, rooms and facilities" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- ## 7.3 Securing offices, rooms and facilities -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|--------------------------------------|---------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security<br>#Asset_management | #Protection | - - - -**Control** +### Control @@ -24,7 +38,7 @@ To prevent unauthorized physical access, damage and interference to the organiza -**Guidance** +### Guidance @@ -48,6 +62,6 @@ d\) not making directories, internal telephone books and online accessible maps -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.4-Physical-security-monitoring.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.4-Physical-security-monitoring.md index bec1efd..3900908 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.4-Physical-security-monitoring.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.4-Physical-security-monitoring.md 
@@ -1,18 +1,36 @@ - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.4" +title: "Physical security monitoring" +theme: Physical +control_type: + - Preventive + - Detective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [Physical_security] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- ## 7.4 Physical security monitoring -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|----------------------------|-----------------------------------------|---------------------------|-----------------------------|---------------------------| - -| #Preventive #Detective | #Confidentiality #Integrity #Availability | #Protect #Detect | #Physical_security | #Protection #Defence | - - - -**Control** +### Control @@ -20,7 +38,7 @@ Premises should be continuously monitored for unauthorized physical access. -**Purpose** +### Purpose @@ -28,7 +46,7 @@ To detect and deter unauthorized physical access. -**Guidance** +### Guidance @@ -80,6 +98,6 @@ Any monitoring and recording mechanism should be used taking into consideration -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.5-Protecting-against-physical-and-environmental-threats.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.5-Protecting-against-physical-and-environmental-threats.md index b20093b..856206e 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.5-Protecting-against-physical-and-environmental-threats.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.5-Protecting-against-physical-and-environmental-threats.md 
@@ -1,16 +1,30 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.5" +title: "Protecting against physical and environmental threats" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.5 Protecting against physical and environmental threats -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|-----------------------------|----------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security | #Protection | - - - -**Control** +### Control @@ -18,7 +32,7 @@ Protection against physical and environmental threats, such as natural disasters -**Purpose** +### Purpose @@ -62,7 +76,7 @@ d\) explosives and weapons: performing random inspections for the presence of ex -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.6-Working-in-secure-areas.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.6-Working-in-secure-areas.md index 4cc388d..fd1afdd 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.6-Working-in-secure-areas.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.6-Working-in-secure-areas.md 
@@ -1,22 +1,36 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.6" +title: "Working in secure areas" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.6 Working in secure areas -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|-----------------------------|----------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security | #Protection | - - - -**Control** +### Control Security measures for working in secure areas should be designed and implemented. -**Purpose** +### Purpose @@ -24,7 +38,7 @@ To protect information and other associated assets in secure areas from damage a -**Guidance** +### Guidance @@ -60,6 +74,6 @@ f\) posting emergency procedures in a readily visible or accessible manner. -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.7-Clear-desk-and-clear-screen.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.7-Clear-desk-and-clear-screen.md index 04aa36a..79e6b7c 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.7-Clear-desk-and-clear-screen.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.7-Clear-desk-and-clear-screen.md 
@@ -1,14 +1,27 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.7" +title: "Clear desk and clear screen" +theme: Physical +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.7 Clear desk and clear screen -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|------------------------------------|---------------------------|-----------------------------|----------------------| - -| #Preventive | #Confidentiality | #Protect | #Physical_security | #Protection | - -**Control** +### Control @@ -16,7 +29,7 @@ Clear desk rules for papers and removable storage media and clear screen rules f -**Purpose** +### Purpose @@ -24,7 +37,7 @@ To reduce the risks of unauthorized access, loss of and damage to information on -**Guidance** +### Guidance @@ -68,6 +81,6 @@ The organization should have procedures in place when vacating facilities includ -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.8-Equipment-siting-and-protection.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.8-Equipment-siting-and-protection.md index 0f5874a..e3501fc 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.8-Equipment-siting-and-protection.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.8-Equipment-siting-and-protection.md 
@@ -1,16 +1,32 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.8" +title: "Equipment siting and protection" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.8 Equipment siting and protection -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|----------------------------------------|---------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection | - - - -**Control** +### Control @@ -18,7 +34,7 @@ Equipment should be sited securely and protected. -**Purpose** +### Purpose @@ -26,7 +42,7 @@ To reduce the risks from physical and environmental threats, and from unauthoriz -**Guidance** +### Guidance @@ -70,6 +86,6 @@ i\) physically separating information processing facilities managed by the organ -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.9-Security-of-assets-off-premises.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.9-Security-of-assets-off-premises.md index 79afda5..9f1315b 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-7.9-Security-of-assets-off-premises.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-7.9-Security-of-assets-off-premises.md 
@@ -1,14 +1,32 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.9" +title: "Security of assets off-premises" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 7.9 Security of assets off-premises -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | - -|------------------|-----------------------------------------|---------------------------|----------------------------------------|---------------------| - -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection | - -**Control** +### Control @@ -20,7 +38,7 @@ To prevent loss, damage, theft or compromise of off-site devices and interruptio -**Guidance** +### Guidance @@ -76,7 +94,7 @@ d\) logical access controls. -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.1-User-endpoint-devices.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.1-User-endpoint-devices.md index a5a364b..59eedf9 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.1-User-endpoint-devices.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.1-User-endpoint-devices.md 
@@ -1,18 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.1" +title: "User endpoint devices" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Asset_management + - Information_protection +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.1 User endpoint devices -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| -------------- | ---------------------------------------- | --------------------- | ----------------------------------------- | --------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management<br>#Information_protection | #Protection | - -**Control** +### Control Information stored on, processed by or accessible via user endpoint devices should be protected. -**Purpose** +### Purpose To protect information against the risks introduced by using user endpoint devices. -**Guidance** +### Guidance <u>General</u> 
@@ -65,7 +85,7 @@ The organization should establish procedures for: a\) the configuration of wireless connections on devices (e.g. disabling vulnerable protocols); b\) using wireless or wired connections with appropriate bandwidth in accordance with relevant topic-specific policies (e.g. because backups or software updates are needed). -**Other information** +### Other information Controls to protect information on user endpoint devices depend on whether the user endpoint device is used only inside of the organization's secured premises and network connections, or whether it is exposed to increased physical and network related threats outside of the organization. The wireless connections for user endpoint devices are similar to other types of network connections but have important differences that should be considered when identifying controls. In particular, back-up of information stored on user endpoint devices can sometimes fail because of limited network bandwidth or because user endpoint devices are not connected at the times when backups are scheduled. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.10-Information-deletion.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.10-Information-deletion.md index edf72c5..84cc94e 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.10-Information-deletion.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.10-Information-deletion.md 
@@ -1,16 +1,33 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.10" +title: "Information deletion" +theme: Technological +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: + - Information_protection + - Legal_and_compliance +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.10 Information deletion -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------- | ----------------------------------- | -------------------------- | --------------------------------------------- | -------------------- | -| #Preventive | #Confidentiality | #Protect | #Information_protection #Legal_and_compliance | #Protection | - -**Control** +### Control Information stored in information systems, devices or in any other storage media should be deleted when no longer required. -**Purpose** +### Purpose To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion. -**Guidance** +### Guidance <u>General</u> Sensitive information should not be kept for longer than it is required to reduce the risk of undesirable disclosure. @@ -48,5 +65,5 @@ Control measures described in 7.14 should be applied to physically destroy the s An official record of information deletion is useful when analysing the cause of a possible information leakage event. -**Other information** +### Other information Information on user data deletion in cloud services can be found in ISO/IEC 27017. Information on deletion of PII can be found in ISO/IEC 27555. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.11-Data-masking.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.11-Data-masking.md index a09772a..f392c80 100644 
--- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.11-Data-masking.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.11-Data-masking.md @@ -1,16 +1,31 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.11" +title: "Data masking" +theme: Technological +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: [Information_protection] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.11 Data masking -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------- | ----------------------------------- | -------------------------- | ---------------------------- | -------------------- | -| #Preventive | #Confidentiality | #Protect | #Information_protection | #Protection | - -**Control** +### Control Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. -**Purpose** +### Purpose To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements. -**Guidance** +### Guidance Where the protection of sensitive data (e.g. PII) is a concern, the organization should consider hiding such data by using techniques such as data masking, pseudonymization or anonymization. Pseudonymization or anonymization techniques can hide PII, disguise the true identity of PII principals or other sensitive information, and disconnect the link between PII and the identity of the PII principal or the link between other sensitive information. 
@@ -40,7 +55,7 @@ c\) agreements or restrictions on usage of the processed data; d\) prohibiting collating the processed data with other information in order to identify the PII principal; e\) keeping track of providing and receiving the processed data. -**Other information** +### Other information Anonymization irreversibly alters PII in such a way that the PII principal can no longer be identified directly or indirectly. Pseudonymization replaces the identifying information with an alias. Knowledge of the algorithm (sometimes referred to as the “additional information”) used to perform the pseudonymization allows for at least some form of identification of the PII principal. Such “additional information” should therefore be kept separate and protected. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.12-Data-leakage-prevention.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.12-Data-leakage-prevention.md index ec2d2c2..12327c9 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.12-Data-leakage-prevention.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.12-Data-leakage-prevention.md 
@@ -1,16 +1,37 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.12" +title: "Data leakage prevention" +theme: Technological +control_type: + - Preventive + - Detective +information_security_properties: [Confidentiality] +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [Information_protection] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- + ## 8.12 Data leakage prevention -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------------- | ----------------------------------- | -------------------------- | ---------------------------- | -------------------- | -| #Preventive #Detective | #Confidentiality | #Protect #Detect | #Information_protection | #Protection #Defence | - -**Control** +### Control Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. -**Purpose** +### Purpose To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems. -**Guidance** +### Guidance The organization should consider the following to reduce the risk of data leakage: a\) identifying and classifying information to protect against leakage (e.g. personal information, pricing models and product designs); 
@@ -33,7 +54,7 @@ Where data is backed up, care should be taken to ensure sensitive information is Data leakage prevention should also be considered to protect against the intelligence actions of an adversary from obtaining confidential or secret information (geopolitical, human, financial, commercial, scientific or any other) which can be of interest for espionage or can be critical for the community. The data le akage prevention actions should be oriented to confuse the adversary’s decisions for example by replacing authentic information with false information, either as an independent action or as response to the adversary’s intelligence actions. Examples of these kinds of actions are reverse social engineering or the use of honeypots to attract attackers. -**Other information** +### Other information Data leakage prevention tools are designed to identify data, monitor data usage and movement, and take actions to prevent data from leaking (e.g. alerting users to their risky behaviour and blocking the transfer of data to portable storage devices). Data leakage prevention inherently involves monitoring personnel’s communications and online activities, and by extension external party messages, which raises legal concerns that should be considered prior to deploying data leakage prevention tools. There is a variety of legislation relating to privacy, data protection, employment, interception of data and telecommunications that is applicable to monitoring and data processing in the context of data leakage prevention. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.13-Information-backup.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.13-Information-backup.md index e978a2d..5802e95 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.13-Information-backup.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.13-Information-backup.md 
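Review bot: the unchanged context line in the `@@ -33,7 +54,7 @@` hunk reads `The data le akage prevention actions`, a split word inherited from the source text; since this commit already touches the file, fold the fix (`leakage`) in here or track it as a follow-up so the corpus does not keep the garbled term.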
@@ -1,17 +1,33 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.13" +title: "Information backup" +theme: Technological +control_type: [Corrective] +information_security_properties: + - Integrity + - Availability +cybersecurity_concepts: [Recover] +operational_capabilities: [Continuity] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.13 Information backup -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ------------------------------- | ---------------------- | ------------------------ | ---------------- | -| #Corrective | #Integrity #Availability | #Recover | #Continuity | #Protection | - -**Control** +### Control Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. -**Purpose** +### Purpose To enable recovery from loss of data or systems. -**Guidance** +### Guidance A topic-specific policy on backup should be established to address the organization’s data retention and information security requirements. Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following an incident or failure or loss of storage media. 
@@ -42,5 +58,5 @@ When the organization uses a cloud service, backup copies of the organization’ The retention period for essential business information should be determined, taking into account any requirement for retention of archive copies. The organization should consider the deletion of information (see [8.10](a-8.10-Information-deletion.md)) in storage media used for backup once the information’s retention period expires and should take into consideration legislation and regulations. -**Other information** +### Other information For further information on storage security including retention consideration, see ISO/IEC 27040. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.14-Redundancy-of-information-processing-facilities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.14-Redundancy-of-information-processing-facilities.md index d1266e8..f79ae9c 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.14-Redundancy-of-information-processing-facilities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.14-Redundancy-of-information-processing-facilities.md 
@@ -1,16 +1,35 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.14" +title: "Redundancy of information processing facilities" +theme: Technological +control_type: [Preventive] +information_security_properties: [Availability] +cybersecurity_concepts: [Protect] +operational_capabilities: + - Continuity + - Asset_management +security_domains: + - Protection + - Resilience +tags: + - iso27002/2022/EN +status: active +--- + ## 8.14 Redundancy of information processing facilities -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ------------------------------- | ---------------------- | ----------------------------- | ----------------------- | -| #Preventive | #Availability | #Protect | #Continuity #Asset_management | #Protection #Resilience | - -**Control** +### Control Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. -**Purpose** +### Purpose To ensure the continuous operation of information processing facilities. -**Guidance** +### Guidance The organization should identify requirements for the availability of business services and information systems. The organization should design and implement systems architecture with appropriate redundancy to meet these requirements. Redundancy can be introduced by duplicating information processing facilities in part or in their entirety (i.e. spare components or having two of everything). The organization should plan and implement procedures for the activation of the redundant components and processing facilities. The procedures should establish if the redundant components and processing activities are always activated, or in case of emergency, automatically or manually activated. The redundant components and information processing facilities should ensure the same security level as the primary ones. 
@@ -28,7 +47,7 @@ f\) having duplicated components in systems (e.g. CPU, hard disks, memories) or Where applicable, preferably in production mode, redundant information systems should be tested to ensure the failover from one component to another component works as intended. -**Other information** +### Other information There is a strong relationship between redundancy and ICT readiness for business continuity (see [5.30](a-5.30-ICT-readiness-for-business-continuity.md)) especially if short recovery times are required. Many of the redundancy measures can be part of the ICT continuity strategies and solutions. The implementation of redundancies can introduce risks to the integrity (e.g. processes of copying data to duplicated components can introduce errors) or confidentiality (e.g. weak security control of duplicated components can lead to compromise) of information and information systems, which need to be considered when designing information systems. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.15-Logging.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.15-Logging.md index cfdfc06..902becf 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.15-Logging.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.15-Logging.md 
@@ -1,18 +1,36 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.15" +title: "Logging" +theme: Technological +control_type: [Detective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Detect] +operational_capabilities: [Information_security_event_management] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- ## 8.15 Logging -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------- | ----------------------------------------- | -------------------------- | -------------------------------------- | -------------------- | -| #Detective | #Confidentiality #Integrity #Availability | #Detect | #Information_security_event_management | #Protection #Defence | - -**Control** +### Control Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. -**Purpose** +### Purpose To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. -**Guidance** +### Guidance <u>General</u> 
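Review bot: as in 7.3 and 7.4, the first hunk has no blank line between the closing `+---` and ` ## 8.15 Logging`; add the `+` blank line that the other files in this commit use after the front matter. The removed inline `-#iso27002/2022/EN` line is correctly carried over into `tags:`.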
@@ -82,7 +100,7 @@ e\) correlating logs to enable efficient and highly accurate analysis. Suspected and actual information security incidents should be identified (e.g. malware infection or probing of firewalls) and be subject to further investigation (e.g. as part of an information security incident management process, see >5.25>). -**Other information** +### Other information System logs often contain a large volume of information, much of which is extraneous to information security monitoring. To help identify significant events for information security monitoring purposes, the use of suitable utility programs or audit tools to perform file interrogation can be considered. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.16-Monitoring-activities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.16-Monitoring-activities.md index b7d3de8..36b004a 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.16-Monitoring-activities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.16-Monitoring-activities.md 
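Review bot: the context line in the `@@ -82,7 +100,7 @@` hunk carries a broken cross-reference, `see >5.25>`, whereas 8.13 and 8.14 use relative markdown links of the form `[8.10](a-8.10-Information-deletion.md)`; convert it to the same link style (the 5.25 file name is not visible in this diff, so check it against the corpus before linking).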
@@ -1,18 +1,38 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.16" +title: "Monitoring activities" +theme: Technological +control_type: + - Detective + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Detect + - Respond +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.16 Monitoring activities -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------------- | ----------------------------------------- | -------------------------- | -------------------------------------- | -------------------- | -| #Detective #Corrective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence | - - -**Control** +### Control Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. -**Purpose** +### Purpose To detect anomalous behaviour and potential information security incidents. -**Guidance** +### Guidance The monitoring scope and level should be determined in accordance with business and information security requirements and taking into consideration relevant laws and regulations. Monitoring records should be maintained for defined retention periods. The following should be considered for inclusion within the monitoring system: diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.17-Clock-synchronization.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.17-Clock-synchronization.md index 7b5e866..17e59bc 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.17-Clock-synchronization.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.17-Clock-synchronization.md 
@@ -1,16 +1,35 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.17" +title: "Clock synchronization" +theme: Technological +control_type: [Detective] +information_security_properties: [Integrity] +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [Information_security_event_management] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- + ## 8.17 Clock synchronization -| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** | -| ---------------- | ----------------------------------- | -------------------------- | -------------------------------------- | -------------------- | -| #Detective | #Integrity | #Protect #Detect | #Information_security_event_management | #Protection #Defence | - -**Control** +### Control The clocks of information processing systems used by the organization should be synchronized to approved time sources. -**Purpose** +### Purpose To enable the correlation and analysis of security-related events and other recorded data, and to support investigations into information security incidents. -**Guidance** +### Guidance External and internal requirements for time representation, reliable synchronization and accuracy should be documented and implemented. Such requirements can be from legal, statutory, regulatory, contractual, standards and internal monitoring needs. A standard reference time for use within the organization should be defined and considered for all systems, including building management systems, entry and exit systems and others that can be used to aid investigations. A clock linked to a radio time broadcast from a national atomic clock or global positioning system (GPS) should be used as the reference clock for logging systems; a consistent, trusted date and time source to ensure accurate time-stamps. 
Protocols such as network time protocol (NTP) or precision time protocol (PTP) should be used to keep all networked systems in synchronization with a reference clock. @@ -19,5 +38,5 @@ The organization can use two external time sources at the same time in order to Clock synchronization can be difficult when using multiple cloud services or when using both cloud and on-premises services. In this case, the clock of each service should be monitored and the difference recorded in order to mitigate risks arising from discrepancies. -**Other information** +### Other information The correct setting of computer clocks is important to ensure the accuracy of event logs, which can be required for investi gations or as evidence in legal and disciplinary cases. Inaccurate audit logs can hinder such investigations and damage the credibility of such evidence. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.18-Use-of-privileged-utility-programs.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.18-Use-of-privileged-utility-programs.md index 51c226f..9029080 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.18-Use-of-privileged-utility-programs.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.18-Use-of-privileged-utility-programs.md 
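Review bot: the context line `which can be required for investi gations` in the `@@ -19,5 +38,5 @@` hunk has a split word from the source; fix `investigations` while this file is being edited. The file also still ends without a trailing newline (`\ No newline at end of file`), which a pass that already rewrites every file could normalise.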
@@ -1,16 +1,37 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.18" +title: "Use of privileged utility programs" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - System_and_network_security + - Secure_configuration + - Application_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.18 Use of privileged utility programs -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------------------------------------------------------ | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security #Secure_configuration #Application_security | #Protection | - -**Control** +### Control The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled. -**Purpose** +### Purpose To ensure the use of utility programs does not harm system and application controls for information security. -**Guidance** +### Guidance The following guidelines for the use of utility programs that can be capable of overriding system and application controls should be considered: a\) limitation of the use of utility programs to the minimum practical number of trusted, authorized users (see [8.2](a-8.2-Privileged-access-rights.md)); 
@@ -31,6 +52,6 @@ h\) limitation of the availability of utility programs (e.g. for the duration of i\) logging of all use of utility programs. -**Other information** +### Other information Most information systems have one or more utility programs that can be capable of overriding system and application controls, for example diagnostics, patching, antivirus, disk defragmenters, debuggers, backup and network tools. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.19-Installation-of-software-on-operational-systems.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.19-Installation-of-software-on-operational-systems.md index 4282a53..39bf523 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.19-Installation-of-software-on-operational-systems.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.19-Installation-of-software-on-operational-systems.md 
@@ -1,17 +1,36 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.19" +title: "Installation of software on operational systems" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Secure_configuration + - Application_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.19 Installation of software on operational systems -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Secure_configuration #Application_security | #Protection | - -**Control** +### Control Procedures and measures should be implemented to securely manage software installation on operational systems. -**Purpose** +### Purpose To ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities. -**Guidance** +### Guidance The following guidelines should be considered to securely manage changes and installation of software on operational systems: a\) performing updates of operational software only by trained administrators upon appropriate management authorization (see [8.5](a-8.5-Secure-authentication.md)); 
@@ -42,5 +61,5 @@ The organization should define and enforce strict rules on which types of softwa The principle of least privilege should be applied to software installation on operational systems. The organization should identify what types of software installations are permitted (e.g. updates and security patches to existing software) and what types of installations are prohibited (e.g. software that is only for personal use and software whose pedigree with regard to being potentially malicious is unknown or suspect). These privileges should be granted based on the roles of the users concerned. -**Other information** +### Other information No other information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.2-Privileged-access-rights.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.2-Privileged-access-rights.md index 9cbe003..8f10a9a 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.2-Privileged-access-rights.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.2-Privileged-access-rights.md 
@@ -1,18 +1,34 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.2" +title: "Privileged access rights" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- ## 8.2 Privileged access rights -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection | - -**Control** +### Control The allocation and use of privileged access rights should be restricted and managed. -**Purpose** +### Purpose To ensure only authorized users, software components and services are provided with privileged access rights. -**Guidance** +### Guidance The allocation of privileged access rights should be controlled through an authorization process in accordance with the relevant topic-specific policy on access control (see [5.15](a-5.15-Access-control.md)). The following should be considered: a\) identifying users who need privileged access rights for each system or process (e.g. operating systems, database management systems and applications); 
@@ -39,7 +55,7 @@ k\) not sharing or linking identities with privileged access rights to multiple l\) only using identities with privileged access rights for undertaking administrative tasks and not for day-to-day general tasks \[i.e. checking email, accessing the web (users should have a separate normal network identity for these activities)\]. -**Other information** +### Other information Privileged access rights are access rights provided to an identity, a role or a process that allows the performance of activities that typical users or processes cannot perform. System administrator roles typically require privileged access rights. Inappropriate use of system administrator privileges (any feature or facility of an information system that enables the user to override system or application controls) is a major contributory factor to failures or breaches of systems. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.20-Networks-security.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.20-Networks-security.md index b00856b..d09fbdc 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.20-Networks-security.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.20-Networks-security.md 
@@ -1,18 +1,40 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.20" +title: "Networks security" +theme: Technological +control_type: + - Preventive + - Detective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [System_and_network_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.20 Networks security -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ---------------------- | ----------------------------------------- | ---------------------- | ---------------------------- | ---------------- | -| #Preventive #Detective | #Confidentiality #Integrity #Availability | #Protect #Detect | #System_and_network_security | #Protection | - -**Control** +### Control Networks and network devices should be secured, managed and controlled to protect information in systems and applications. -**Purpose** +### Purpose To protect information in networks and its supporting information processing facilities from compromise via the network. -**Guidance** +### Guidance Controls should be implemented to ensure the security of information in networks and to protect connected services from unauthorized access. In particular, the following items should be considered: a\) the type and classification level of information that the network can support; 
@@ -45,5 +67,5 @@ n\) disabling vulnerable network protocols. The organization should ensure that appropriate security controls are applied to the use of virtualized networks. Virtualized networks also cover software-defined networking (SDN, SD-WAN). Virtualized networks can be desirable from a security viewpoint, since they can permit logical separation of communication taking place over physical networks, particularly for systems and applications that are implemented using distributed computing. -**Other information** +### Other information Additional information on network security can be found in the ISO/IEC 27033 series. More information concerning virtualized networks can be found in ISO/IEC TS 23167. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.21-Security-of-network-services.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.21-Security-of-network-services.md index 9ec3b9f..05d09db 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.21-Security-of-network-services.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.21-Security-of-network-services.md 
@@ -1,18 +1,34 @@ - +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.21" +title: "Security of network services" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [System_and_network_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- ## 8.21 Security of network services -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ---------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security | #Protection | - -**Control** +### Control Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. -**Purpose** +### Purpose To ensure security in the use of network services. -**Guidance** +### Guidance The security measures necessary for particular services, such as security features, service levels and service requirements, should be identified and implemented (by internal or external network service providers). The organization should ensure that network service providers implement these measures. The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored. The right to audit should be agreed between the organization and the provider. The organization should also consider third-party attestations provided by service providers to demonstrate they maintain appropriate security measures. 
@@ -43,7 +59,7 @@ c\) caching (e.g. in a content delivery network) and its parameters that allow u d\) procedures for the network service usage to restrict access to network services or applications, where necessary. -**Other information** +### Other information Network services include the provision of connections, private network services and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings. More guidance on a framework for access management is given in ISO/IEC 29146. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.22-Segregation-of-networks.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.22-Segregation-of-networks.md index 61f0528..6368688 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.22-Segregation-of-networks.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.22-Segregation-of-networks.md 
@@ -1,23 +1,39 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.22" +title: "Segregation of networks" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [System_and_network_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- ## 8.22 Segregation of networks -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ---------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security | #Protection | - -**Control** +### Control Groups of information services, users and information systems should be segregated in the organization’s networks. -**Purpose** +### Purpose To split the network in security boundaries and to control traffic between them based on business needs. -**Guidance** +### Guidance The organization should consider managing the security of large networks by dividing them into separate network domains and separating them from the public network (i.e. internet). The domains can be chosen based on levels of trust, criticality and sensitivity (e.g. public access domain, desktop domain, server domain, low- and high-risk systems), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks. The perimeter of each domain should be well-defined. If access between network domains is allowed, it should be controlled at the perimeter using a gateway (e.g. 
firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the topic-specific policy on access control (see [5.15](a-5.15-Access-control.md)), access requirements, value and classification of information processed and take account of the relative cost and performance impact of incorporating suitable gateway technology. Wireless networks require special treatment due to the poorly-defined network perimeter. Radio coverage adjustment should be considered for segregation of wireless networks. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls (see [8.20](a-8.20-Networks-security.md)) before granting access to internal systems. Wireless access network for guests should be segregated from those for personnel if personnel only use controlled user endpoint devices compliant to the organization’s topic-specific policies. WiFi for guests should have at least the same restrictions as WiFi for personnel, in order to discourage the use of guest WiFi by personnel. -**Other information** +### Other information Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization’s information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality. \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.23-Web-filtering.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.23-Web-filtering.md index 2925df8..ec368cb 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.23-Web-filtering.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.23-Web-filtering.md @@ -1,16 +1,34 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.23" +title: "Web filtering" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [System_and_network_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.23 Web filtering -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ---------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security | #Protection | - -**Control** +### Control Access to external websites should be managed to reduce exposure to malicious content. -**Purpose** +### Purpose To protect systems from being compromised by malware and to prevent access to unauthorized web resources. -**Guidance** +### Guidance The organization should reduce the risks of its personnel accessing websites that contain illegal information or are known to contain viruses or phishing material. A technique for achieving this works by blocking the IP address or domain of the website(s) concerned. Some browsers and anti-malware technologies do this automatically or can be configured to do so. The organization should identify the types of websites to which personnel should or should not have access. The organization should consider blocking access to the following types of websites: 
@@ -29,5 +47,5 @@ Prior to deploying this control, the organization should establish rules for saf Training should be given to personnel on the secure and appropriate use of online resources including access to the web. The training should include the organization’s rules, contact point for raising security concerns, and exception process when restricted web resources need to be accessed for legitimate business reasons. Training should also be given to personnel to ensure that they do not overrule any browser advisory that reports that a website is not secure but allows the user to proceed. -**Other information** +### Other information Web filtering can include a range of techniques including signatures, heuristics, list of acceptable websites or domains, list of prohibited websites or domains and bespoke configuration to help prevent malicious software and other malicious activity from attacking the organization’s network and systems. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.24-Use-of-cryptography.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.24-Use-of-cryptography.md index e3b584b..ebeb441 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.24-Use-of-cryptography.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.24-Use-of-cryptography.md 
@@ -1,23 +1,34 @@ --- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.24" +title: "Use of cryptography" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Secure_configuration] +security_domains: [Protection] tags: - - iso27001/2022/EN + - iso27002/2022/EN +status: active --- - ## 8.24 Use of cryptography -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains -| -------------- | ---------------------------------------- | --------------------- | ------------------------- | --------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Secure_configuration | #Protection | - - -**Control** +### Control Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. -**Purpose** +### Purpose @@ -25,7 +36,7 @@ To ensure proper and effective use of cryptography to protect the confidentialit -**Guidance** +### Guidance @@ -153,7 +164,7 @@ In addition to integrity, for many use cases, the authenticity of public keys sh -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.25-Secure-development-life-cycle.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.25-Secure-development-life-cycle.md index 661a1a2..ed2d342 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.25-Secure-development-life-cycle.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.25-Secure-development-life-cycle.md 
@@ -1,17 +1,30 @@ --- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.25" +title: "Secure development life cycle" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] tags: - - iso27001/2022/EN + - iso27002/2022/EN +status: active --- ## 8.25 Secure development life cycle -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection | - - - -**Control** +### Control @@ -23,7 +36,7 @@ To ensure information security is designed and implemented within the secure dev -**Guidance** +### Guidance @@ -83,7 +96,7 @@ If development is outsourced, the organization should obtain assurance that the -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.26-Application-security-requirements.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.26-Application-security-requirements.md index f83b078..2c0e37f 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.26-Application-security-requirements.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.26-Application-security-requirements.md 
@@ -1,4 +1,29 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.26" +title: "Application security requirements" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- + ## 8.26 Application security requirements | Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | @@ -6,13 +31,13 @@ | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection #Defence | -#### Control +### Control Information security requirements should be identified, specified and approved when developing or acquiring applications. -#### Purpose +### Purpose To ensure all information security requirements are identified and addressed when developing or acquiring applications. -#### Guidance +### Guidance <u>General</u> 
@@ -88,6 +113,6 @@ e\) where a trusted authority is used (e.g. for the purposes of issuing and main Several of the above considerations can be addressed by the application of cryptography (see [[8.24]]), taking into consideration legal requirements (see [[5.31]], [[5.36]], especially see [[5.31]] for cryptography legislation). -**Other information** +### Other information Applications accessible via networks are subject to a range of network related threats, such as fraudulent activities, contract disputes or disclosure of information to the public; incomplete transmission, mis- routing, unauthorized message alteration, duplication or replay. Therefore, detailed risk assessments and careful determination of controls are indispensable. Controls required often include cryptographic methods for authentication and securing data transfer. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.27-Secure-system-architecture-and-engineering-principles.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.27-Secure-system-architecture-and-engineering-principles.md index 130b1a0..aaa0081 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.27-Secure-system-architecture-and-engineering-principles.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.27-Secure-system-architecture-and-engineering-principles.md 
@@ -1,23 +1,38 @@ --- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.27" +title: "Secure system architecture and engineering principles" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] tags: - - iso27001/2022/EN + - iso27002/2022/EN +status: active --- ## 8.27 Secure system architecture and engineering principles -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection | - -**Control** +### Control Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities. -**Purpose** +### Purpose To ensure information systems are securely designed, implemented and operated within the development life cycle. -**Guidance** +### Guidance Security engineering principles should be established, documented and applied to information system engineering activities. Security should be designed into all architecture layers (business, data, applications and technology). New technology should be analysed for security risks and the design should be reviewed against known attack patterns. 
@@ -81,7 +96,7 @@ The established security engineering principles should be applied, where applica The security engineering principles and the established engineering procedures should be regularly reviewed to ensure that they are effectively contributing to enhanced standards of security within the engineering process. They should also be regularly reviewed to ensure that they remain up-to- date in terms of combatting any new potential threats and in remaining applicable to advances in the technologies and solutions being applied. -**Other information** +### Other information Secure engineering principles can be applied to the design or configuration of a range of techniques, such as: diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.28-Secure-coding.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.28-Secure-coding.md index 1d24c99..772a2de 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.28-Secure-coding.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.28-Secure-coding.md 
@@ -1,20 +1,33 @@ --- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.28" +title: "Secure coding" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] tags: - - iso27001/2022/EN + - iso27002/2022/EN +status: active --- - -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection | - - ## 8.28 Secure coding -#### Control +### Control Secure coding principles should be applied to software development. -#### Purpose +### Purpose To ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software. #### Guidance diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.29-Security-testing-in-development-and-acceptance.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.29-Security-testing-in-development-and-acceptance.md index e386602..fa4fe06 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.29-Security-testing-in-development-and-acceptance.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.29-Security-testing-in-development-and-acceptance.md 
@@ -1,18 +1,37 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.29" +title: "Security testing in development and acceptance" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: + - Application_security + - Information_security_assurance + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- ## 8.29 Security testing in development and acceptance -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ---------------------------------------------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Application_security #Information_security_assurance #System_and_network_security | #Protection | - -**Control** +### Control Security testing processes should be defined and implemented in the development life cycle. -**Purpose** +### Purpose To validate if information security requirements are met when applications or code are deployed to the production environment. -**Guidance** +### Guidance New information systems, upgrades and new versions should be thoroughly tested and verified during the development processes. Security testing should be an integral part of the testing for systems or components. Security testing should be conducted against a set of requirements, which can be expressed as functional or non-functional. Security testing should include testing of: 
@@ -47,7 +66,7 @@ For outsourced development and purchasing components, an acquisition process sho Testing should be performed in a test environment that matches the target production environment as closely as possible to ensure that the system does not introduce vulnerabilities to the organization’s environment and that the tests are reliable (see [8.31](a-8.31-Separation-of-development-test-and-production-environments.md)). -**Other information** +### Other information Multiple test environments can be established, which can be used for different kinds of testing (e.g. functional and performance testing). These different environments can be virtual, with individual configurations to simulate a variety of operating environments. Testing and monitoring of test environments, tools and technologies also needs to be considered to ensure effective testing. The same considerations apply to monitoring of the monitoring systems deployed in development, test and production settings. Judgeme nt is needed, guided by the sensitivity of the systems and data, to determine how many layers of meta-testing are useful. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.3-Information-access-restriction.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.3-Information-access-restriction.md index 1ef746b..4963692 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.3-Information-access-restriction.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.3-Information-access-restriction.md 
@@ -1,16 +1,34 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.3" +title: "Information access restriction" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.3 Information access restriction -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection | - -**Control** +### Control Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. -**Purpose** +### Purpose To ensure only authorized access and to prevent unauthorized access to information and other associated assets. -**Guidance** +### Guidance Access to information and other associated assets should be restricted in accordance with the established topic-specific policies. The following should be considered in order to support access restriction requirements: a\) not allowing access to sensitive information by unknown user identities or anonymously. Public or anonymous access should only be granted to storage locations that do not contain any sensitive information; 
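Review bot: the frontmatter mixes flow-style sequences (`control_type: [Preventive]`, `operational_capabilities: [Identity_and_access_management]`) with block-style ones (`information_security_properties:` followed by `- Confidentiality` lines) inside the same block. Both parse to identical lists, but pick one form for every key so templates or scripts that read these fields, and future diffs across the control notes, stay uniform; the block `- item` form is already used for every multi-valued key in this patch.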
@@ -45,7 +63,7 @@ d\) defining the printing permissions for the information; e\) recording who accesses the information and how the information is used; f\) raising alerts if attempts to misuse the information are detected. -**Other information** +### Other information Dynamic access management techniques and other dynamic information protection technologies can support the protection of information even when data is shared beyond the originating organization, where traditional access controls cannot be enforced. It can be applied to documents, emails or other files containing information to limit who can access the content and in what way. It can be at a granular level and be adapted over the life cycle of the information. Dynamic access management techniques do not replace classical access management \[e.g. using access control lists (ACLs)\], but can add more factors for conditionality, real-time evaluation, just-in-time data reduction and other enhancements that can be useful for the most sensitive information. It offers a way to control access outside the organization’s environment. Incident response can be supported by dynamic access management techniques as permissions can be modified or revoked at any time. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.30-Outsourced-development.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.30-Outsourced-development.md index 0d3174d..87a7a12 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.30-Outsourced-development.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.30-Outsourced-development.md 
@@ -1,16 +1,44 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.30" +title: "Outsourced development" +theme: Technological +control_type: + - Preventive + - Detective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect + - Detect +operational_capabilities: + - System_and_network_security + - Application_security + - Supplier_relationships_security +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 8.30 Outsourced development -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| :--------------------- | :------------------------------------------- | :---------------------------- | :---------------------------------------------------------------------------------- | :------------------------------------ | -| #Preventive #Detective | #Confidentiality<br>#Integrity #Availability | #Identify #Protect<br>#Detect | #System_and_network_security #Application_security #Supplier_relationships_security | #Governance_and_Ecosystem #Protection | - -**Control** +### Control The organization should direct, monitor and review the activities related to outsourced system development. -**Purpose** +### Purpose To ensure information security measures required by the organization are implemented in outsourced system development. -**Guidance** +### Guidance Where system development is outsourced, the organization should communicate and agree requirements and expectations, and continually monitor and review whether the delivery of outsourced work meets these expectations. 
The following points should be considered across the organization’s entire external supply chain: a\) licensing agreements, code ownership and intellectual property rights related to the outsourced content (see [5.32](a-5.32-Intellectual-property-rights.md)); @@ -35,5 +63,5 @@ j\) security requirements for the development environment (see [8.31](a-8.31-Sep k\) taking consideration of applicable legislation (e.g. on protection of personal data). -**Other information** +### Other information Further information on supplier relationships can be found in the ISO/IEC 27036 series. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.31-Separation-of-development-test-and-production-environments.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.31-Separation-of-development-test-and-production-environments.md index 191f9e4..0e908d6 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.31-Separation-of-development-test-and-production-environments.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.31-Separation-of-development-test-and-production-environments.md 
@@ -1,16 +1,36 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.31" +title: "Separation of development, test and production environments" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.31 Separation of development, test and production environments -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| --- | --- | --- | --- | --- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection | - -**Control** +### Control Development, testing and production environments should be separated and secured. -**Purpose** +### Purpose To protect the production environment and data from compromise by development and test activities. -**Guidance** +### Guidance The level of separation between production, testing and development environments that is necessary to prevent production problems should be identified and implemented. @@ -79,7 +99,7 @@ A single person should not have the ability to make changes to both development -**Other information** +### Other information Without adequate measures and procedures, developers and testers having access to production systems can introduce significant risks (e.g. unwanted modification of files or system environment, system failure, running unauthorized and untested code in product ion systems, disclosure of confidential data, data integrity and availability issues). There is a need to maintain a known and stable environment in which to perform meaningful testing and to prevent inappropriate developer access to the production environment. 
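Review bot: the unchanged context line after `+### Other information` still reads `running unauthorized and untested code in product ion systems`, a line-break artefact from the source extraction (`production systems`). Since this commit already edits the line directly above it, fold that fix into this hunk rather than leaving it for a second pass.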
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.32-Change-management.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.32-Change-management.md index eb8b550..0f1accb 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.32-Change-management.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.32-Change-management.md 
@@ -1,17 +1,36 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.32" +title: "Change management" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.32 Change management -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection | - -**Control** +### Control Changes to information processing facilities and information systems should be subject to change management procedures. -**Purpose** +### Purpose To preserve information security when executing changes. -**Guidance** +### Guidance Introduction of new systems and major changes to existing systems should follow agreed rules and a formal process of documentation, specification, testing, quality control and managed implementation. Management responsibilities and procedures should be in place to ensure satisfactory control of all changes. Change control procedures should be documented and enforced to ensure the confidentiality, integrity and availability of information in information processing facilities and information systems, for the entire system development life cycle from the early design stages through all subsequent maintenance efforts. 
@@ -38,7 +57,7 @@ h\) ensuring that operating documentation (see [5.37](a-5.37-Documented-operatin i\) ensuring that ICT continuity plans and response and recovery procedures (see [5.30](a-5.30-ICT-readiness-for-business-continuity.md)) are changed as necessary to remain appropriate. -**Other information** +### Other information Inadequate control of changes to information processing facilities and information systems is a common cause of system or security failures. Changes to the production environment, especially when transferring software from development to operational environment, can impact on the integrity and availability of applications. Changing software can impact the production environment and vice versa. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.33-Test-information.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.33-Test-information.md index e827f33..d0fdd2b 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.33-Test-information.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.33-Test-information.md 
@@ -1,16 +1,33 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.33" +title: "Test information" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity +cybersecurity_concepts: [Protect] +operational_capabilities: [Information_protection] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.33 Test information -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ------------------------------- | ---------------------- | ------------------------ | ---------------- | -| #Preventive | #Confidentiality #Integrity | #Protect | #Information_protection | #Protection | - -**Control** +### Control Test information should be appropriately selected, protected and managed. -**Purpose** +### Purpose To ensure relevance of testing and protection of operational information used for testing. -**Guidance** +### Guidance Test information should be selected to ensure the reliability of tests results and the confidentiality of the relevant operational information. Sensitive information (including personally identifiable information) should not be copied into the development and testing environments (see [8.31](a-8.31-Separation-of-development-test-and-production-environments.md)). The following guidelines should be applied to protect the copies of operational information, when used for testing purposes, whether the test environment is built in-house or on a cloud service: 
@@ -27,5 +44,5 @@ e\) properly deleting (see [8.10](a-8.10-Information-deletion.md)) operational i Test information should be securely stored (to prevent tampering, which can otherwise lead to invalid results) and only used for testing purposes. -**Other information** +### Other information System and acceptance testing can require substantial volumes of test information that are as close as possible to operational information. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.34-Protection-of-information-systems-during-audit-testing.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.34-Protection-of-information-systems-during-audit-testing.md index 6e209fe..884d4ea 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.34-Protection-of-information-systems-during-audit-testing.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.34-Protection-of-information-systems-during-audit-testing.md 
@@ -1,16 +1,38 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.34" +title: "Protection of information systems during audit testing" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - System_and_network_security + - Information_protection +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 8.34 Protection of information systems during audit testing -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| --- | --- | --- | --- | --- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security #Information_protection | #Governance_and_Ecosystem #Protection | - -**Control** +### Control Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. -**Purpose** +### Purpose To minimize the impact of audit and other assurance activities on operational systems and business processes. -**Guidance** +### Guidance The following guidelines should be observed: a\) agreeing audit requests for access to systems and data with appropriate management; @@ -29,5 +51,5 @@ g\) running audit tests that can affect system availability outside business hou h\) monitoring and logging all access for audit and test purposes. -**Other information** +### Other information Audit tests and other assurance activities can also happen on development and test systems, where such tests can impact for example the integrity of code or lead to disclosure of any sensitive information held in such environments. \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.4-Access-to-source-code.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.4-Access-to-source-code.md index cadaf79..fde1176 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.4-Access-to-source-code.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.4-Access-to-source-code.md 
@@ -1,16 +1,37 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.4" +title: "Access to source code" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Identity_and_access_management + - Application_security + - Secure_configuration +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.4 Access to source code -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | --------------------------------------------------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management #Application_security #Secure_configuration | #Protection | - -**Control** +### Control Read and write access to source code, development tools and software libraries should be appropriately managed. -**Purpose** +### Purpose To prevent the introduction of unauthorized functionality, avoid unintentional or malicious changes and to maintain the confidentiality of valuable intellectual property. -**Guidance** +### Guidance Access to source code and associated items (such as designs, specifications, verification plans and validation plans) and development tools (e.g. compilers, builders, integration tools, test platforms and environments) should be strictly controlled. For source code, this can be achieved by controlling central storage of such code, preferably in source code management system. 
@@ -28,5 +49,5 @@ f\) maintaining an audit log of all accesses and of all changes to source code. If the program source code is intended to be published, additional controls to provide assurance on its integrity (e.g. digital signature) should be considered. -**Other information** +### Other information If access to source code is not properly controlled, source code can be modified or some data in the development environment (e.g. copies of production data, configuration details) can be retrieved by unauthorized persons. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.5-Secure-authentication.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.5-Secure-authentication.md index 6355aa3..3903b33 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.5-Secure-authentication.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.5-Secure-authentication.md 
@@ -1,18 +1,34 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.5" +title: "Secure authentication" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- ## 8.5 Secure authentication -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- | -| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection | - -**Control** +### Control Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. -**Purpose** +### Purpose To ensure a user or an entity is securely authenticated, when access to systems, applications and services is granted. -**Guidance** +### Guidance A suitable authentication technique should be chosen to substantiate the claimed identity of a user, software, messages and other entities. The strength of authentication should be appropriate for the classification of the information to be accessed. Where strong authentication and identity verification is required, authentication methods alternative to passwords, such as digital certificates, smart cards, tokens or biometric means, should be used. 
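Review bot: `+--- ## 8.5 Secure authentication` places the section heading directly on the line after the closing frontmatter delimiter, with no blank `+` line in between, unlike the a-8.3 through a-8.34 hunks in this patch, which separate the two. Insert the blank line here so the layout matches the rest of the control notes.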
@@ -38,5 +54,5 @@ j\) not transmitting passwords in clear text over a network to avoid being captu k\) terminating inactive sessions after a defined period of inactivity, especially in high risk locations such as public or external areas outside the organization’s security management or on user endpoint devices; l\) restricting connection duration times to provide additional security for high-risk applications and reduce the window of opportunity for unauthorized access. -**Other information** +### Other information Additional information on entity authentication assurance can be found is ISO/IEC 29115. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.6-Capacity-management.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.6-Capacity-management.md index 516cb86..2847892 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.6-Capacity-management.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.6-Capacity-management.md 
@@ -1,16 +1,40 @@ +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.6" +title: "Capacity management" +theme: Technological +control_type: + - Preventive + - Detective +information_security_properties: + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect + - Detect +operational_capabilities: [Continuity] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +--- + ## 8.6 Capacity management -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | -| ---------------------- | ------------------------------- | -------------------------- | ------------------------ | ------------------------------------- | -| #Preventive #Detective | #Integrity #Availability | #Identify #Protect #Detect | #Continuity | #Governance_and_Ecosystem #Protection | - -**Control** +### Control The use of resources should be monitored and adjusted in line with current and expected capacity requirements. -**Purpose** +### Purpose To ensure the required capacity of information processing facilities, human resources, offices and other facilities. -**Guidance** +### Guidance Capacity requirements for information processing facilities, human resources, offices and other facilities should be identified, taking into account the business criticality of the concerned systems and processes. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems. @@ -43,5 +67,5 @@ f\) denying or restricting bandwidth for resource-consuming services if these ar A documented capacity management plan should be considered for mission critical systems. -**Other information** +### Other information For more detail on the elasticity and scalability of cloud computing, see ISO/IEC TS 23167. \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.7-Protection-against-malware.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.7-Protection-against-malware.md index 8ed499e..f1cd484 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.7-Protection-against-malware.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.7-Protection-against-malware.md @@ -1,15 +1,44 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.7" +title: "Protection against malware" +theme: Technological +control_type: + - Preventive + - Detective + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: + - System_and_network_security + - Information_protection +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- -# 8.7  **Protection** **against** **malware** +## 8.7  Protection against malware ## Control Protection against malware should be implemented and supported by appropriate user awareness. -## Purpose +### Purpose To ensure information and other associated assets are protected against malware. -## Guidance +### Guidance Protection against malware should be based on malware detection and repair software, information security awareness, appropriate system access and change management controls. Use of malware detection and repair software alone is not usually adequate. The following guidance should be considered: 
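Review bot: `## Control` is left as an unchanged context line at heading level 2 while `## Purpose` and `## Guidance` are demoted to `### Purpose` and `### Guidance` in the same hunk, so in this file Control ends up a sibling of the `## 8.7` title rather than a child like the other three sections; change it to `### Control` to match the a-8.28 through a-8.34 notes. The new title line `+## 8.7  Protection against malware` also carries over the double space from the old bold heading and should be collapsed to a single space.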
@@ -53,6 +82,6 @@ n)   implementing procedures to regularly collect information about new malware o)   verifying that information relating to malware, such as warning bulletins, comes from qualified and reputable sources (e.g. reliable internet sites or suppliers of malware detection software) and is accurate and informative. -## Other **information** +### Other information It is not always possible to install software that protects against malware on some systems (e.g. some industrial control systems). Some forms of malware infect computer operating systems and computer firmware such that common malware controls cannot clean the system and a full reimaging of the operating system software and sometimes the computer firmware is necessary to return to a secure state. diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.8-Management-of-technical-vulnerabilities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.8-Management-of-technical-vulnerabilities.md index 77430c6..6efb828 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.8-Management-of-technical-vulnerabilities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.8-Management-of-technical-vulnerabilities.md 
@@ -1,19 +1,36 @@ -#iso27002/2022/EN -x +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.8" +title: "Management of technical vulnerabilities" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: [Threat_and_vulnerability_management] +security_domains: + - Governance_and_Ecosystem + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +--- + ## 8.8 Management of technical vulnerabilities -| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains | - -| -------------- | ---------------------------------------- | --------------------- | ------------------------------- | ------------------------------- | - -| #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Threat_and_vulnerability_management | #Governance_and_Ecosystem #Protection #Defence | - - - -**Control** +### Control @@ -21,7 +38,7 @@ Information about technical vulnerabilities of information systems in use should -**Purpose** +### Purpose @@ -29,7 +46,7 @@ To prevent exploitation of technical vulnerabilities. -**Guidance** +### Guidance @@ -198,7 +215,7 @@ Where the organization uses a cloud service supplied by a third-party cloud serv -**Other information** +### Other information diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.9-Configuration-management.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.9-Configuration-management.md index 518d996..aaf2484 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-8.9-Configuration-management.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-8.9-Configuration-management.md 
@@ -1,4 +1,25 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.9" +title: "Configuration management" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Secure_configuration] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +--- + ## 8.9 Configuration management ### Control diff --git a/Corpus/Standards/ISO27x/OST/Index to the original texts of ISO 27001.md b/Corpus/Standards/ISO27x/OST/Index to the original texts of ISO 27001.md index 8d14c7a..6306c93 100644 --- a/Corpus/Standards/ISO27x/OST/Index to the original texts of ISO 27001.md +++ b/Corpus/Standards/ISO27x/OST/Index to the original texts of ISO 27001.md @@ -3,7 +3,7 @@ | Clause | Title | | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **F** | **[Foreword](27001/EN/ISO_27001_OT%20F%20Foreword.md)** | +| **F** | **[Foreword](27001/EN/c-f-Foreword.md)** | | **0** | **[Introduction](27001/EN/c-0-Introduction.md)** | | **1** | **[Scope](27001/EN/c-1-Scope.md)** | | **2** | **[Normative references](27001/EN/c-2-Normative-references.md)** | diff --git a/Corpus/🎇 Sparks/Risks.md b/Corpus/🎇 Sparks/Risks.md index 838101c..a0958dc 100644 --- a/Corpus/🎇 Sparks/Risks.md +++ b/Corpus/🎇 Sparks/Risks.md 
@@ -1,6 +1,6 @@ [Assets, Vulnerabilities, Threats, Risks](Assets,%20Vulnerabilities,%20Threats,%20Risks.md) [Vulnerability](../💡Drafts%20and%20Ideas/Vulnerability.md) -[📗 Information security concepts MoC](../📗%20Information%20security%20concepts%20MoC.md) +[Information security concepts MoC](../Information%20security%20concepts%20MoC.md) [Assets, Vulnerabilities, Threats, Risks](../📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md) diff --git a/Corpus/💡Drafts and Ideas/Information Security.md b/Corpus/💡Drafts and Ideas/Information Security.md index 7c1447e..8783fba 100644 --- a/Corpus/💡Drafts and Ideas/Information Security.md +++ b/Corpus/💡Drafts and Ideas/Information Security.md @@ -1,3 +1,3 @@ -- [📗 Information security concepts MoC](../📗%20Information%20security%20concepts%20MoC.md) +- [Information security concepts MoC](../Information%20security%20concepts%20MoC.md) - [🗃 Standards and Regulations for information security](../Standards/other/🗃%20Standards%20and%20Regulations%20for%20information%20security.md) diff --git a/Corpus/📗 Information security concepts MoC.md b/Corpus/📗 Information security concepts MoC.md index b2c42c7..8877780 100644 --- a/Corpus/📗 Information security concepts MoC.md +++ b/Corpus/📗 Information security concepts MoC.md @@ -1,6 +1,12 @@ --- Related: +<<<<<<< HEAD + - "[ISO\\_27002\\_OT 3 Terms, definitions and abbreviated terms](Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated-terms.md)" +||||||| 2d92263 - "[ISO\\_27002\\_OT 3 Terms, definitions and abbreviated terms](Standards/ISO27x/OST/27002/EN/ISO_27002_OT%203%20Terms,%20definitions%20and%20abbreviated%20terms.md)" +======= + - "[ISO\\_27002\\_OT 3 Terms, definitions and abbreviated terms](Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated%20terms.md)" +>>>>>>> 27002-metadata - https://csiac.org/databases/acronyms/ tags: - type/MoC 
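Review bot: the `Related:` block in this hunk commits unresolved diff3 conflict markers (`<<<<<<< HEAD`, `||||||| 2d92263`, `=======`, `>>>>>>> 27002-metadata`) with three variants of the same link; resolve it before merging. The HEAD variant `a-3-Terms-definitions-and-abbreviated-terms.md` follows the fully hyphenated naming used for the other renamed notes in this patch, the `-abbreviated%20terms.md` variant looks like a half-converted name, and the `ISO_27002_OT%203...` one is the pre-rename path. Relatedly, the two hunks just above (Risks.md and Information Security.md) now link to `Information%20security%20concepts%20MoC.md`, yet this file's own header still shows it at `Corpus/📗 Information security concepts MoC.md` with no rename anywhere in the patch, so those links will dangle unless the rename is added.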
diff --git a/prepend_frontmatter.py b/prepend_frontmatter.py new file mode 100644 index 0000000..0827aae --- /dev/null +++ b/prepend_frontmatter.py 
@@ -0,0 +1,2320 @@ +#!/usr/bin/env python3 +""" +prepend_frontmatter.py + +For each ISO 27002 control note in the target folder: +- Skips files that already have YAML frontmatter (starts with ---) +- Skips a-3-Terms* +- Prepends the correct frontmatter block and writes the file back + +Run from anywhere: + python3 prepend_frontmatter.py + +Requires Python 3.6+. No dependencies. +""" + +import os + +VAULT_DIR = "/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN" + +FRONTMATTER = { + "a-5.1-Policies-for-information-security.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.1" +title: "Policies for information security" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Governance] +security_domains: + - Governance_and_Ecosystem + - Resilience +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.2-Information-security-roles-and-responsibilities.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.2" +title: "Information security roles and responsibilities" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Governance] +security_domains: + - Governance_and_Ecosystem + - Protection + - Resilience +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.3-Segregation-of-duties.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.3" +title: "Segregation of duties" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Governance + - 
Identity_and_access_management +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.4-Management-responsibilities.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.4" +title: "Management responsibilities" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Governance] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.5-Contact-with-authorities.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.5" +title: "Contact with authorities" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect + - Respond + - Recover +operational_capabilities: [Governance] +security_domains: + - Defence + - Resilience +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.6-Contact-with-special-interest-groups.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.6" +title: "Contact with special interest groups" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Respond + - Recover +operational_capabilities: [Governance] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.7-Threat-intelligence.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.7" +title: "Threat intelligence" +theme: Organizational +control_type: + - Preventive + - Detective + - Corrective 
+information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Detect + - Respond +operational_capabilities: [Threat_and_vulnerability_management] +security_domains: + - Defence + - Resilience +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.8-Information-security-in-project-management.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.8" +title: "Information security in project management" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: [Governance] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.9-Inventory-of-information-and-other-associated-assets.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.9" +title: "Inventory of information and other associated assets" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Asset_management] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.10-Acceptable-use-of-information-and-other-associated-assets.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.10" +title: "Acceptable use of information and other associated assets" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Asset_management + - Information_protection +security_domains: + - Governance_and_Ecosystem + - 
Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.11-Return-of-assets.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.11" +title: "Return of assets" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Asset_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.12-Classification-of-information.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.12" +title: "Classification of information" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Information_protection] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.13-Labelling-of-information.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.13" +title: "Labelling of information" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Information_protection] +security_domains: + - Defence + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.14-Information-transfer.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.14" +title: "Information transfer" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Asset_management + - Information_protection 
+security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.15-Access-control.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.15" +title: "Access control" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.16-Identity-management.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.16" +title: "Identity management" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.17-Authentication-information.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.17" +title: "Authentication information" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.18-Access-rights.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.18" +title: "Access rights" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - 
iso27002/2022/EN +status: active +---""", + + "a-5.19-Information-security-in-supplier-relationships.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.19" +title: "Information security in supplier relationships" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.20-Addressing-information-security-within-supplier-agreements.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.20" +title: "Addressing information security within supplier agreements" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.21-Managing-information-security-in-the-ICT-supply-chain.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.21" +title: "Managing information security in the ICT supply chain" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.22-Monitoring-review-and-change-management-of-supplier-services.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.22" 
+title: "Monitoring, review and change management of supplier services" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection + - Defence + - Information_security_assurance +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.23-Information-security-for-use-of-cloud-services.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.23" +title: "Information security for use of cloud services" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Supplier_relationships_security] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.24-Information-security-incident-management-planning-and-preparation.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.24" +title: "Information security incident management planning and preparation" +theme: Organizational +control_type: [Corrective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Respond + - Recover +operational_capabilities: + - Governance + - Information_security_event_management +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.25-Assessment-and-decision-on-information-security-events.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.25" +title: "Assessment and decision on information security events" +theme: Organizational +control_type: [Detective] +information_security_properties: + - 
Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Detect + - Respond +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.26-Response-to-information-security-incidents.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.26" +title: "Response to information security incidents" +theme: Organizational +control_type: [Corrective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Respond + - Recover +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.27-Learning-from-information-security-incidents.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.27" +title: "Learning from information security incidents" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.28-Collection-of-evidence.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.28" +title: "Collection of evidence" +theme: Organizational +control_type: [Corrective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Detect + - Respond +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.29-Information-security-during-disruption.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 
+language: EN +type: control +id: "A.5.29" +title: "Information security during disruption" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Respond +operational_capabilities: [Continuity] +security_domains: + - Protection + - Resilience +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.30-ICT-readiness-for-business-continuity.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.30" +title: "ICT readiness for business continuity" +theme: Organizational +control_type: [Corrective] +information_security_properties: [Availability] +cybersecurity_concepts: [Respond] +operational_capabilities: [Continuity] +security_domains: [Resilience] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.31" +title: "Legal, statutory, regulatory and contractual requirements" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Legal_and_compliance] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.32-Intellectual-property-rights.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.32" +title: "Intellectual property rights" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Legal_and_compliance] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active 
+---""", + + "a-5.33-Protection-of-records.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.33" +title: "Protection of records" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: + - Legal_and_compliance + - Asset_management + - Information_protection +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.34-Privacy-and-protection-of-PII.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.34" +title: "Privacy and protection of PII" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: + - Information_protection + - Legal_and_compliance +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.35-Independent-review-of-information-security.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.35" +title: "Independent review of information security" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: [Information_security_assurance] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.36-Compliance-with-policies-rules-and-standards-for-information-security.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.36" +title: "Compliance with policies, rules and standards for information security" +theme: Organizational +control_type: 
[Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: + - Legal_and_compliance + - Information_security_assurance +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-5.37-Documented-operating-procedures.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.37" +title: "Documented operating procedures" +theme: Organizational +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Recover +operational_capabilities: + - Asset_management + - Physical_security + - System_and_network_security + - Application_security + - Secure_configuration + - Identity_and_access_management + - Threat_and_vulnerability_management + - Continuity + - Information_security_event_management +security_domains: + - Governance_and_Ecosystem + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-6.1-Screening.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.1" +title: "Screening" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Human_resource_security] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-6.2-Terms-and-conditions-of-employment.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.2" +title: "Terms and conditions of employment" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] 
+operational_capabilities: [Human_resource_security] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-6.3-Information-security-awareness-education-and-training.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.3" +title: "Information security awareness, education and training" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Human_resource_security] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-6.4-Disciplinary-process.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.4" +title: "Disciplinary process" +theme: People +control_type: + - Preventive + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Respond +operational_capabilities: [Human_resource_security] +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-6.5-Responsibilities-after-termination-or-change-of-employment.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.5" +title: "Responsibilities after termination or change of employment" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Human_resource_security + - Asset_management +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-6.6-Confidentiality-or-non-disclosure-agreements.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.6" +title: 
"Confidentiality or non-disclosure agreements" +theme: People +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: + - Human_resource_security + - Information_protection + - Supplier_relationships_security +security_domains: [Governance_and_Ecosystem] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-6.7-Remote-working.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.7" +title: "Remote working" +theme: People +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Asset_management + - Information_protection + - Physical_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-6.8-Information-security-event-reporting.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.6.8" +title: "Information security event reporting" +theme: People +control_type: [Detective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Detect] +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.1-Physical-security-perimeters.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.1" +title: "Physical security perimeters" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.2-Physical-entry.md": """--- +notetype: sourcetext 
+standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.2" +title: "Physical entry" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Identity_and_access_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.3-Securing-offices-rooms-and-facilities.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.3" +title: "Securing offices, rooms and facilities" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.4-Physical-security-monitoring.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.4" +title: "Physical security monitoring" +theme: Physical +control_type: + - Preventive + - Detective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [Physical_security] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.5-Protecting-against-physical-and-environmental-threats.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.5" +title: "Protecting against physical and environmental threats" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - 
iso27002/2022/EN +status: active +---""", + + "a-7.6-Working-in-secure-areas.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.6" +title: "Working in secure areas" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.7-Clear-desk-and-clear-screen.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.7" +title: "Clear desk and clear screen" +theme: Physical +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.8-Equipment-siting-and-protection.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.8" +title: "Equipment siting and protection" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.9-Security-of-assets-off-premises.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.9" +title: "Security of assets off-premises" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active 
+---""", + + "a-7.10-Storage-media.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.10" +title: "Storage media" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.11-Supporting-utilities.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.11" +title: "Supporting utilities" +theme: Physical +control_type: + - Preventive + - Detective +information_security_properties: + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.12-Cabling-security.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.12" +title: "Cabling security" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Physical_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.13-Equipment-maintenance.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.13" +title: "Equipment maintenance" +theme: Physical +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: + - Protection + - Resilience +tags: + - iso27002/2022/EN +status: active +---""", + + "a-7.14-Secure-disposal-or-re-use-of-equipment.md": 
"""--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.7.14" +title: "Secure disposal or re-use of equipment" +theme: Physical +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: + - Physical_security + - Asset_management +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.1-User-endpoint-devices.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.1" +title: "User endpoint devices" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Asset_management + - Information_protection +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.2-Privileged-access-rights.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.2" +title: "Privileged access rights" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.3-Information-access-restriction.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.3" +title: "Information access restriction" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.4-Access-to-source-code.md": 
"""--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.4" +title: "Access to source code" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Identity_and_access_management + - Application_security + - Secure_configuration +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.5-Secure-authentication.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.5" +title: "Secure authentication" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Identity_and_access_management] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.6-Capacity-management.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.6" +title: "Capacity management" +theme: Technological +control_type: + - Preventive + - Detective +information_security_properties: + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect + - Detect +operational_capabilities: [Continuity] +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.7-Protection-against-malware.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.7" +title: "Protection against malware" +theme: Technological +control_type: + - Preventive + - Detective + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: + - System_and_network_security + - 
Information_protection +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.8-Management-of-technical-vulnerabilities.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.8" +title: "Management of technical vulnerabilities" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect +operational_capabilities: [Threat_and_vulnerability_management] +security_domains: + - Governance_and_Ecosystem + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.9-Configuration-management.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.9" +title: "Configuration management" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Secure_configuration] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.10-Information-deletion.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.10" +title: "Information deletion" +theme: Technological +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] +operational_capabilities: + - Information_protection + - Legal_and_compliance +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.11-Data-masking.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.11" +title: "Data masking" +theme: Technological +control_type: [Preventive] +information_security_properties: [Confidentiality] +cybersecurity_concepts: [Protect] 
+operational_capabilities: [Information_protection] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.12-Data-leakage-prevention.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.12" +title: "Data leakage prevention" +theme: Technological +control_type: + - Preventive + - Detective +information_security_properties: [Confidentiality] +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [Information_protection] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.13-Information-backup.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.13" +title: "Information backup" +theme: Technological +control_type: [Corrective] +information_security_properties: + - Integrity + - Availability +cybersecurity_concepts: [Recover] +operational_capabilities: [Continuity] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.14-Redundancy-of-information-processing-facilities.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.14" +title: "Redundancy of information processing facilities" +theme: Technological +control_type: [Preventive] +information_security_properties: [Availability] +cybersecurity_concepts: [Protect] +operational_capabilities: + - Continuity + - Asset_management +security_domains: + - Protection + - Resilience +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.15-Logging.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.15" +title: "Logging" +theme: Technological +control_type: [Detective] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Detect] +operational_capabilities: 
[Information_security_event_management] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.16-Monitoring-activities.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.16" +title: "Monitoring activities" +theme: Technological +control_type: + - Detective + - Corrective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Detect + - Respond +operational_capabilities: [Information_security_event_management] +security_domains: [Defence] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.17-Clock-synchronization.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.17" +title: "Clock synchronization" +theme: Technological +control_type: [Detective] +information_security_properties: [Integrity] +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [Information_security_event_management] +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.18-Use-of-privileged-utility-programs.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.18" +title: "Use of privileged utility programs" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - System_and_network_security + - Secure_configuration + - Application_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.19-Installation-of-software-on-operational-systems.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.19" +title: "Installation of software on operational systems" +theme: Technological +control_type: 
[Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Secure_configuration + - Application_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.20-Networks-security.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.20" +title: "Networks security" +theme: Technological +control_type: + - Preventive + - Detective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Protect + - Detect +operational_capabilities: [System_and_network_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.21-Security-of-network-services.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.21" +title: "Security of network services" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [System_and_network_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.22-Segregation-of-networks.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.22" +title: "Segregation of networks" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [System_and_network_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.23-Web-filtering.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.23" +title: "Web filtering" +theme: Technological 
+control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [System_and_network_security] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.24-Use-of-cryptography.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.24" +title: "Use of cryptography" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: [Secure_configuration] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.25-Secure-development-life-cycle.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.25" +title: "Secure development life cycle" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.26-Application-security-requirements.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.26" +title: "Application security requirements" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: + - Protection + - Defence +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.27-Secure-system-architecture-and-engineering-principles.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 
+language: EN +type: control +id: "A.8.27" +title: "Secure system architecture and engineering principles" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.28-Secure-coding.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.28" +title: "Secure coding" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.29-Security-testing-in-development-and-acceptance.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.29" +title: "Security testing in development and acceptance" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: + - Application_security + - Information_security_assurance + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.30-Outsourced-development.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.30" +title: "Outsourced development" +theme: Technological +control_type: + - Preventive + - Detective +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: + - Identify + - Protect + - Detect +operational_capabilities: + - 
System_and_network_security + - Application_security + - Supplier_relationships_security +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.31-Separation-of-development-test-and-production-environments.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.31" +title: "Separation of development, test and production environments" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.32-Change-management.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.32" +title: "Change management" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - Application_security + - System_and_network_security +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.33-Test-information.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.33" +title: "Test information" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity +cybersecurity_concepts: [Protect] +operational_capabilities: [Information_protection] +security_domains: [Protection] +tags: + - iso27002/2022/EN +status: active +---""", + + "a-8.34-Protection-of-information-systems-during-audit-testing.md": """--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.8.34" +title: "Protection of information systems during 
audit testing" +theme: Technological +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Protect] +operational_capabilities: + - System_and_network_security + - Information_protection +security_domains: + - Governance_and_Ecosystem + - Protection +tags: + - iso27002/2022/EN +status: active +---""", +} + + +def main(): + written = [] + skipped_fm = [] + skipped_missing = [] + errors = [] + + for filename, frontmatter in sorted(FRONTMATTER.items()): + filepath = os.path.join(VAULT_DIR, filename) + + if not os.path.exists(filepath): + skipped_missing.append(filename) + continue + + with open(filepath, "r", encoding="utf-8") as f: + content = f.read() + + if content.startswith("---"): + skipped_fm.append(filename) + continue + + new_content = frontmatter + "\n\n" + content + + with open(filepath, "w", encoding="utf-8") as f: + f.write(new_content) + + written.append(filename) + + print(f"Written: {len(written)}") + print(f"Already had FM: {len(skipped_fm)}") + print(f"File not found: {len(skipped_missing)}") + print(f"Errors: {len(errors)}") + + if skipped_fm: + print("\nAlready had frontmatter (skipped):") + for f in skipped_fm: + print(f" {f}") + if skipped_missing: + print("\nNot found (skipped):") + for f in skipped_missing: + print(f" {f}") + if errors: + print("\nErrors:") + for e in errors: + print(f" {e}") + + +if __name__ == "__main__": + main() \ No newline at end of file
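Review bot: `errors` in `main()` is never appended to, so the `Errors:` summary at the end always reports 0, and any `OSError` raised by the read or write inside the loop aborts the script mid-run with no report of which files were already rewritten. Wrap the per-file `open`/read/write in a `try`/`except OSError as e:` that does `errors.append(f"{filename}: {e}")` and `continue`, so the summary and the `Errors:` listing become meaningful. Two smaller points in the same block: `content.startswith("---")` also matches a file whose body begins with a horizontal rule, so such a file is silently classified as "already had FM" (checking that a closing `---` line follows would tighten this), and the rewrite is `open(filepath, "w")` followed by `f.write(...)`, which truncates the file before the new content lands; writing to a temporary file in the same directory and then `os.replace` keeps the vault intact if the process is interrupted. Since the `FRONTMATTER` values are hand-typed YAML, parsing each string with a YAML loader before writing it would catch a malformed entry before it is prepended to a control file.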