richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: richardk:890e0d8c4f9ce88451f364f202f63b8dbd53489b
Branches Tags
richardk:main
...
compare: richardk:c4e0d21aaf2186cebf08c4a7b0dc9926d3652d9c
Branches Tags
richardk:main

14 commits
890e0d8c4f ... c4e0d21aaf

Author SHA1 Message Date
Richard Kranendonk
c4e0d21aaf Added front matter to 27001 EN 2026-05-02 13:23:39 +02:00
Richard Kranendonk
405b666055 Removed orphaned tags form BoF 2026-05-02 12:46:56 +02:00
Richard Kranendonk
2c59707ef5 Consistent use of subheaders 2026-05-02 12:23:42 +02:00
Richard Kranendonk
90ac17a99a clean up formatting 2026-05-02 12:16:30 +02:00
Richard Kranendonk
8d66fc4602 Removed legacy property tables with Kilo 2026-05-02 12:00:56 +02:00
Richard Kranendonk
880e2f2044 Front matter added with prepend_frontmatter.py 2026-05-02 11:31:49 +02:00
Richard Kranendonk
324add41f4 Merge 27002-metadata changes: add DOCX, prepend_frontmatter.py, rename controls, delete obsolete MoC, update content 2026-05-01 17:55:13 +02:00
Richard Kranendonk
4dc34352a1 Merge enrich-27002 changes into 27002-metadata 2026-05-01 17:45:30 +02:00
Richard Kranendonk
984ccff4e4 Let kilo remove bof cruft 2026-05-01 17:01:25 +02:00
Richard Kranendonk
c88dcd383b Added normtext as .docx 2026-05-01 16:38:28 +02:00
Richard Kranendonk
873b5eaee3 first automated metadata addition 2026-04-30 19:56:40 +02:00
Richard Kranendonk
037af7e1a1 minor changes 2026-04-30 19:24:31 +02:00
Richard Kranendonk
228a58056c Removed BoF cruft 2026-04-30 18:33:25 +02:00
Richard Kranendonk
d39edec574 minor changes 2026-04-30 17:39:47 +02:00
143 changed files with 5693 additions and 1796 deletions
Download patch file Download diff file Expand all files Collapse all files

55
.kilo/plans/1777714595174-misty-tiger.md Normal file
View file

@ -0,0 +1,55 @@
# Plan to Remove Markdown Tables After First Header in Specified .md Files
## Goal
Remove the markdown table that appears after the first markdown header (## X.Y Title) in 35 specific .md files located in the directory `/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN`. These files contain ISO 27002 control descriptions and have a summary table listing Control type, Information security properties, etc., which needs to be removed.
## Analysis
- **Affected Files**: Identified 35 .md files containing the table starting with `| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |`.
- **Table Structure**: The table consists of 2-4 lines:
- Header row starting with `| Control type`
- Separator row
- Data row
- Optionally, an empty row
- **Location**: The table appears immediately after the first `##` header (e.g., `## 8.1 User endpoint devices`) and before the `**Control**` section.
- **Pattern**: All affected files follow the pattern where the table ends just before `**Control**`.
## Approach
Use a Bash script with `sed` to remove the table lines from each affected file. The `sed` command will delete lines from the start of the table (`| Control type`) up to but not including `**Control**`.
### Script
Create and run the following Bash script in the target directory:
```bash
#!/bin/bash
# Change to the target directory
cd /Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN || exit 1
# Loop through all .md files
for file in *.md; do
# Check if the file contains the table
if grep -q "| Control type" "$file"; then
# Remove the table lines: from "| Control type" to just before "**Control**"
sed -i '/^| Control type /,/^\*\*Control$/ { /^\*\*Control$/ !d }' "$file"
echo "Processed $file"
fi
done
echo "Table removal complete."
```
### Steps to Execute
1. **Navigate to Directory**: Change to `/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN`.
2. **Backup (Optional)**: Consider backing up the directory before running the script.
3. **Run Script**: Execute the script to process all files.
4. **Verify**: After running, check a few files (e.g., `a-8.1-User-endpoint-devices.md`, `a-5.15-Access-control.md`) to ensure the table is removed and the `**Control**` section remains intact.
## Risks and Considerations
- **Accuracy**: The `sed` command is designed to precisely target the table based on the observed patterns. If any file has unexpected formatting, manual review may be needed.
- **No Impact on Non-Affected Files**: Files without the table will remain unchanged.
- **Reversibility**: If needed, restore from backup or use version control (assuming the directory is in a git repo).
## Expected Outcome
- Tables removed from 35 files.
- Content before and after the table (including `**Control**` and subsequent sections) preserved.
- No changes to other .md files in the directory.

75
Corpus/Information security concepts MoC.md Normal file
View file

@ -0,0 +1,75 @@
---
Related:
- "[ISO\\_27002\\_OT 3 Terms, definitions and abbreviated terms](Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated%20terms.md)"
- https://csiac.org/databases/acronyms/
tags:
- type/MoC
---
[Assets](🎇%20Sparks/Assets.md)
[NIST Asset Types](📚️%20Literature%20notes/NIST%20Asset%20Types.md)
[Asset lifecycle](📚️%20Literature%20notes/Asset%20lifecycle.md)
[Asset ownership](🎇%20Sparks/Asset%20ownership.md)
[[Asset ownership DEL]]
[Assets, Vulnerabilities, Threats, Risks](📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
[Assets, Vulnerabilities, Threats, Risks](🎇%20Sparks/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
[Attack Surface Analysis](📚️%20Literature%20notes/Attack%20Surface%20Analysis.md)
[Authentication](Standards/ISO27x/Authentication.md)
[Multi-factor authentication](🎇%20Sparks/Multi-factor%20authentication.md) (MFA)
[Passwordless Authentication](🎇%20Sparks/Passwordless%20Authentication.md)
[Risk-Based Authentication](🎇%20Sparks/Risk-Based%20Authentication.md)
[Single Sign On (SSO)](📚️%20Literature%20notes/Single%20Sign%20On%20(SSO).md)
[Tokens](🎇%20Sparks/Tokens.md)
[Authorization](Standards/ISO27x/Authorization.md)
[Access Control](🎇%20Sparks/Access%20Control.md)
[Awareness](🎇%20Sparks/Awareness.md)
[BCP_Bedrijfscontinuïteitsplanning](📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
[Business Impact Analysis (BIA)](🎇%20Sparks/Business%20Impact%20Analysis%20(BIA).md)
[Disaster Recovery Planning](🎇%20Sparks/Disaster%20Recovery%20Planning.md)
[Change management MoC](MoCs/Change%20management%20MoC.md)
[Classification](🎇%20Sparks/Classification.md)
[Compliance](🎇%20Sparks/Compliance.md)
[Data Breach](💡Permanent%20ideas/Data%20Breach.md)
[Data Governance](📚️%20Literature%20notes/Data%20Governance.md)
Frameworks
[ISO 27k family](../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md)
[NIST articles list](Standards/NIST/NIST%20articles%20list.md)
[Governance](🎇%20Sparks/Governance.md)
[[Hardening]]
[Identity and Access Management (IAM)](💡Drafts%20and%20Ideas/Identity%20and%20Access%20Management%20(IAM).md)
[Identification](💡Drafts%20and%20Ideas/Identification.md)
[Authentication](Standards/ISO27x/Authentication.md)
[Authorization](Standards/ISO27x/Authorization.md)
Impact
[Change management MoC](MoCs/Change%20management%20MoC.md)
[Impact of Disruption](💡Drafts%20and%20Ideas/Impact%20of%20Disruption.md)
[Incidents](🎇%20Sparks/Incidents.md)
[Maturity Models](📚️%20Literature%20notes/Maturity%20Models.md)
[Metrics](📚️%20Literature%20notes/InfoSec%20Metrics.md)
[Operational Technology](💡Drafts%20and%20Ideas/Operational%20Technology.md) or OT Security
[Policies](📚️%20Literature%20notes/Policies.md)
[[Posture Management]]
[Ransomware](🎇%20Sparks/Ransomware.md)
[Risks](🎇%20Sparks/Risks.md)
[Risk analysis](🎇%20Sparks/Risk%20analysis.md)
[Risk appetite](💡Drafts%20and%20Ideas/Risk%20appetite.md)
[Risk inventories](🎇%20Sparks/Risk%20inventories.md)
[Risk management](🎇%20Sparks/Risk%20management.md)
[Risk ownership](🎇%20Sparks/Risk%20ownership.md)
[Risk ownership](🎇%20Sparks/Risk%20ownership.md)
[Risk prioritization](🎇%20Sparks/Risk%20prioritization.md)
[Risk tolerance](🎇%20Sparks/Risk%20tolerance.md)
[Risk treatment](🎇%20Sparks/Risk%20treatment.md)
[Risks vs Threats vs Vulnerabilities](🎇%20Sparks/Risks%20vs%20Threats%20vs%20Vulnerabilities.md)
[Roles and Responsibilities](🎇%20Sparks/Roles%20and%20Responsibilities.md)
[Threat](📚️%20Literature%20notes/Threat.md)
[Threat Intelligence](🎇%20Sparks/Threat%20Intelligence.md)
[Security Threat Modeling](📚️%20Literature%20notes/Security%20Threat%20Modeling.md)
[Privacy Threat Modeling](📚️%20Literature%20notes/Privacy%20Threat%20Modeling.md)
[AI Threat Modeling](🎇%20Sparks/AI%20Threat%20Modeling.md)
[Threat Catalogues](📚️%20Literature%20notes/Threat%20Catalogues.md)
[Vendor security MoC](🎇%20Sparks/Vendor%20security%20MoC.md) or Supply chain security
[Vulnerability](💡Drafts%20and%20Ideas/Vulnerability.md)
[Bug bounty program](🎇%20Sparks/Bug%20bounty%20program.md)
[Zero Trust](📚️%20Literature%20notes/Zero%20Trust.md)

54
Corpus/Standards/ISO27x/OST/27001/EN/add_yaml.py Normal file
View file

@ -0,0 +1,54 @@
#!/usr/bin/env python3
import os
import re
directory = '/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27001/EN/'
for filename in os.listdir(directory):
if filename.endswith('.md'):
filepath = os.path.join(directory, filename)
with open(filepath, 'r') as f:
lines = f.readlines()
if lines and lines[0].strip() == '---':
continue # Already has YAML
# Extract id and title from filename
match = re.match(r'c-([0-9.]+)-(.+)\.md', filename)
if match:
num = match.group(1)
title_part = match.group(2)
id_val = f'C.{num}'
title = title_part.replace('-', ' ')
elif filename == 'c-0-Introduction.md':
id_val = 'C.0'
title = 'Introduction'
elif filename == 'ISO_27001_OT F Foreword.md':
id_val = 'Foreword'
title = 'Foreword'
else:
# For other files like c-2-Normative-references.md
match = re.match(r'c-([0-9]+)-(.+)\.md', filename)
if match:
num = match.group(1)
title_part = match.group(2)
id_val = f'C.{num}'
title = title_part.replace('-', ' ')
else:
continue # Skip if not matching
yaml = f'''---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "{id_val}"
title: "{title}"
tags:
- iso27001/2022/EN
status: active
---
'''
with open(filepath, 'w') as f:
f.write(yaml + ''.join(lines))
print("YAML front matter added to files that didn't have it.")

20
Corpus/Standards/ISO27x/OST/27001/EN/c-0-Introduction.md
View file

@ -1,8 +1,18 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.0"
title: "Introduction"
tags:
- iso27001/2022/EN
status: active
---
## 0 Introduction
# Introduction
## 0.1 General
### 0.1 General
This document has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.
@ -16,7 +26,7 @@ The order in which requirements are presented in this document does not reflect
ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005), with related terms and definitions.
## 0.2 Compatibility with other management system standards
### 0.2 Compatibility with other management system standards
This document applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.

16
Corpus/Standards/ISO27x/OST/27001/EN/c-1-Scope.md
View file

@ -1,6 +1,16 @@
#iso27001/2022/EN
# 1 Scope
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.1"
title: "Scope"
tags:
- iso27001/2022/EN
status: active
---
## 1 Scope
This document specifies the requirements for establishing, implementing, maintaining and continually improving an information

13
Corpus/Standards/ISO27x/OST/27001/EN/c-10-Improvement.md Normal file
View file

@ -0,0 +1,13 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.10"
title: "Improvement"
tags:
- iso27001/2022/EN
status: active
---
# 10 Improvement

13
Corpus/Standards/ISO27x/OST/27001/EN/c-10.1-Continual-improvement.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.10.1"
title: "Continual improvement"
tags:
- iso27001/2022/EN
status: active
---
## 10.1 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

15
Corpus/Standards/ISO27x/OST/27001/EN/c-10.2-Nonconformity-and-corrective-action.md
View file

@ -1,6 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.10.2"
title: "Nonconformity and corrective action"
tags:
- iso27001/2022/EN
status: active
---
## 10.2 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:

16
Corpus/Standards/ISO27x/OST/27001/EN/c-2-Normative-references.md
View file

@ -1,5 +1,15 @@
#iso27001/2022/EN
# 2 Normative references
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.2"
title: "Normative references"
tags:
- iso27001/2022/EN
status: active
---
## 2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

16
Corpus/Standards/ISO27x/OST/27001/EN/c-3-Terms-and-definitions.md
View file

@ -1,6 +1,16 @@
#iso27001/2022/EN
# 3 Terms and definitions
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.3"
title: "Terms and definitions"
tags:
- iso27001/2022/EN
status: active
---
## 3 Terms and definitions
For the purposes of this document, the terms and definitions given in
ISO/IEC 27000 apply.

13
Corpus/Standards/ISO27x/OST/27001/EN/c-4-Context-of-the-organization.md Normal file
View file

@ -0,0 +1,13 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.4
title: Context of the organisation
tags:
- iso27001/2022/EN
status: active
---
# 4 Context of the organisation

14
Corpus/Standards/ISO27x/OST/27001/EN/c-4.1-Understanding-the-organization-and-its-context.md
View file

@ -1,4 +1,16 @@
# Clause 4.1: Understanding the organization and its context
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.4.1"
title: "Understanding the organization and its context"
tags:
- iso27001/2022/EN
status: active
---
## Clause 4.1: Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

15
Corpus/Standards/ISO27x/OST/27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
# 4.2 Understanding the needs and expectations of interested parties
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.4.2"
title: "Understanding the needs and expectations of interested parties"
tags:
- iso27001/2022/EN
status: active
---
## 4.2 Understanding the needs and expectations of interested parties
The organization shall determine:

15
Corpus/Standards/ISO27x/OST/27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
# 4.3 Determining the scope of the information security management system
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.4.3"
title: "Determining the scope of the information security management system"
tags:
- iso27001/2022/EN
status: active
---
## 4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

15
Corpus/Standards/ISO27x/OST/27001/EN/c-4.4-Information-security-management-system.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
# 4.4 Information security management system
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.4.4"
title: "Information security management system"
tags:
- iso27001/2022/EN
status: active
---
## 4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.

13
Corpus/Standards/ISO27x/OST/27001/EN/c-5-Leadership.md Normal file
View file

@ -0,0 +1,13 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.5
title: Leadership
tags:
- iso27001/2022/EN
status: active
---
# 5 Leadership

13
Corpus/Standards/ISO27x/OST/27001/EN/c-5.1-Leadership-and-commitment.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.5.1"
title: "Leadership and commitment"
tags:
- iso27001/2022/EN
status: active
---
## 5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:

13
Corpus/Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.5.2"
title: "Policy"
tags:
- iso27001/2022/EN
status: active
---
## 5.2 Policy
Top management shall establish an information security policy that:

15
Corpus/Standards/ISO27x/OST/27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
## 5.3 Organizational roles, responsibilities and authorities
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.5.3"
title: "Organizational roles responsibilities and authorities"
tags:
- iso27001/2022/EN
status: active
---
## 5.3 Organizational roles responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.

13
Corpus/Standards/ISO27x/OST/27001/EN/c-6-Planning.md Normal file
View file

@ -0,0 +1,13 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.6
title: Planning
tags:
- iso27001/2022/EN
status: active
---
# 6 Planning

12
Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.1-General.md
View file

@ -1,3 +1,15 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.1.1"
title: "General"
tags:
- iso27001/2022/EN
status: active
---
### 6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in [4.1](c-4.1-Understanding-the-organization-and-its-context.md) and the requirements referred to in [4.2](ISO_27001_2022_OT%204.2%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md) and determine the risks and opportunities that need to be addressed to:

12
Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.2-Information-security-risk-assessment.md
View file

@ -1,3 +1,15 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.1.2"
title: "Information security risk assessment"
tags:
- iso27001/2022/EN
status: active
---
### 6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:

12
Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.3-Information-security-risk-treatment.md
View file

@ -1,3 +1,15 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.1.3"
title: "Information security risk treatment"
tags:
- iso27001/2022/EN
status: active
---
### 6.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:

13
Corpus/Standards/ISO27x/OST/27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.2"
title: "Information security objectives and planning to achieve them"
tags:
- iso27001/2022/EN
status: active
---
## 6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.

13
Corpus/Standards/ISO27x/OST/27001/EN/c-6.3-Planning-of-changes.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.3"
title: "Planning of changes"
tags:
- iso27001/2022/EN
status: active
---
## 6.3 Planning of changes
When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

13
Corpus/Standards/ISO27x/OST/27001/EN/c-7-Support.md Normal file
View file

@ -0,0 +1,13 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.7
title: Support
tags:
- iso27001/2022/EN
status: active
---
# 7 Support

13
Corpus/Standards/ISO27x/OST/27001/EN/c-7.1-Resources.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.1"
title: "Resources"
tags:
- iso27001/2022/EN
status: active
---
## 7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

14
Corpus/Standards/ISO27x/OST/27001/EN/c-7.2-Competence.md
View file

@ -1,5 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.2"
title: "Competence"
tags:
- iso27001/2022/EN
status: active
---
## 7.2 Competence
The organization shall:

14
Corpus/Standards/ISO27x/OST/27001/EN/c-7.3-Awareness.md
View file

@ -1,5 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.3"
title: "Awareness"
tags:
- iso27001/2022/EN
status: active
---
## 7.3 Awareness
Persons doing work under the organization's control shall be aware of:

14
Corpus/Standards/ISO27x/OST/27001/EN/c-7.4-Communication.md
View file

@ -1,5 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.4"
title: "Communication"
tags:
- iso27001/2022/EN
status: active
---
## 7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:

13
Corpus/Standards/ISO27x/OST/27001/EN/c-7.5-Documented-information.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.5"
title: "Documented information"
tags:
- iso27001/2022/EN
status: active
---
## 7.5 Documented information
### 7.5.1 General

13
Corpus/Standards/ISO27x/OST/27001/EN/c-8-Operation.md Normal file
View file

@ -0,0 +1,13 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.8
title: Operation
tags:
- iso27001/2022/EN
status: active
---
# 8 Operation

13
Corpus/Standards/ISO27x/OST/27001/EN/c-8.1-Operational-planning-and-control.md
View file

@ -1,4 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.8.1"
title: "Operational planning and control"
tags:
- iso27001/2022/EN
status: active
---
## 8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:

15
Corpus/Standards/ISO27x/OST/27001/EN/c-8.2-Information-security-risk-assessment.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
# Clause 8.2: Information security risk assessment
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.8.2"
title: "Information security risk assessment"
tags:
- iso27001/2022/EN
status: active
---
## 8.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in [6.1.2a](ISO_27001_OT%206.1.2%20Information%20security%20risk%20assessment.md).

12
Corpus/Standards/ISO27x/OST/27001/EN/c-8.3-Information-security-risk-treatment.md
View file

@ -1,8 +1,16 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.8.3"
title: "Information security risk treatment"
tags:
- iso27001/2022/EN
- iso27001/2022/EN
status: active
---
# Clause 8.3 Information security risk treatment
## 8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.

13
Corpus/Standards/ISO27x/OST/27001/EN/c-9-Performance-evaluation.md Normal file
View file

@ -0,0 +1,13 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.9
title: Performance evaluation
tags:
- iso27001/2022/EN
status: active
---
# 9 Performance evaluation

15
Corpus/Standards/ISO27x/OST/27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
## 9.1 Monitoring, measurement, analysis and evaluation
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.9.1"
title: "Monitoring measurement analysis and evaluation"
tags:
- iso27001/2022/EN
status: active
---
## 9.1 Monitoring measurement analysis and evaluation
The organization shall determine:

14
Corpus/Standards/ISO27x/OST/27001/EN/c-9.2-Internal-audit.md
View file

@ -1,6 +1,16 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.9.2"
title: "Internal audit"
tags:
- iso27001/2022/EN
status: active
---
## 9.2 Internal audit
### 9.2.1 General
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

14
Corpus/Standards/ISO27x/OST/27001/EN/c-9.3-Management-review.md
View file

@ -1,5 +1,15 @@
#iso27001/2022/EN
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.9.3"
title: "Management review"
tags:
- iso27001/2022/EN
status: active
---
## 9.3 Management review
### 9.3.1 General

4
Corpus/Standards/ISO27x/OST/27001/EN/ISO_27001_OT F Foreword.md → Corpus/Standards/ISO27x/OST/27001/EN/c-f-Foreword.md
View file

@ -1,6 +1,4 @@
#iso27001/2022/EN
# Foreword
## F Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

90
Corpus/Standards/ISO27x/OST/27001/EN/rename-iso-title.zsh
View file

@ -1,90 +0,0 @@
#!/usr/bin/env zsh
set -euo pipefail
execute=false
if [[ ${1:-} == '--execute' ]]; then
execute=true
shift
fi
if [[ $# -gt 0 ]]; then
print -u2 'Usage: rename-iso-title.zsh [--execute]'
exit 2
fi
# Requires Obsidian app running and CLI enabled.
: ${OBSIDIAN_CLI:=obsidian}
files=(c-[0-9]*\.md(N))
if (( ${#files} == 0 )); then
print 'No matching files found.'
exit 0
fi
for src in "$files[@]"; do
base=${src:t}
# Read the level 1 header from the file
# Format: # <number> <title>
# Extract everything after the first number and space
header=$(head -n 1 "$src" | sed 's/^# [0-9.]* //')
if [[ -z "$header" ]]; then
print -u2 "WARN skipped (no header found): $src"
continue
fi
# Clean up the title
title=$header
# Replace spaces with dashes
title=${title// /-}
# Remove commas, slashes, parentheses, quotes
title=${title//,/}
title=${title//\//}
title=${title//\\/}
title=${title//\(}
title=${title//\)}
title=${title//\'}
title=${title//\'}
# Replace diacritics with base characters
title=${title//ï/i}
title=${title//é/e}
title=${title//è/e}
title=${title//ê/e}
title=${title//ë/e}
title=${title//ö/o}
title=${title//ü/u}
title=${title//ó/o}
title=${title//ô/o}
title=${title//á/a}
title=${title//à/a}
title=${title//ã/a}
title=${title//ä/a}
title=${title//í/i}
title=${title//ì/i}
title=${title//ñ/n}
title=${title//ú/u}
title=${title//ù/u}
# Remove multiple dashes
title=${title//---/-}
title=${title//--/-}
# Remove leading/trailing dashes
title=${title#-}
title=${title%-}
# Build new filename: c-n.n-TITLE.md
ext="${src:r}.md" # extension without the extra .md issue
filename="${src%.*}"
target="${filename}-${title}.md"
if [[ $src == $target ]]; then
print "SKIP $src"
continue
fi
print "SRC $src"
print "DEST $target"
if $execute; then
"$OBSIDIAN_CLI" rename file="$src" name="$target"
fi
done

50
Corpus/Standards/ISO27x/OST/27001/EN/rename-iso.zsh
View file

@ -1,50 +0,0 @@
#!/usr/bin/env zsh
set -euo pipefail
execute=false
if [[ ${1:-} == '--execute' ]]; then
execute=true
shift
fi
if [[ $# -gt 0 ]]; then
print -u2 'Usage: rename-iso.zsh [--execute]'
exit 2
fi
# Requires Obsidian app running and CLI enabled.
# Adjust OBSIDIAN_CLI to the command you actually use (e.g. `obsidian`).
: ${OBSIDIAN_CLI:=obsidian}
files=(ISO_27001*.md(N))
if (( ${#files} == 0 )); then
print 'No matching files found.'
exit 0
fi
for src in "$files[@]"; do
base=${src:t}
# Match both ISO_27001_OT and ISO_27001_2022_OT patterns
if [[ $base =~ '^ISO_27001(_2022)?_OT ([0-9.]+) (.+)\.md$' ]]; then
version=${match[2]#_}
title=${match[3]}
target="c-${version}-${title}.md"
# Replace spaces with dashes
target=${target// /-}
# Remove commas
target=${target//,}
# Prevent double dashes
target=${target//--/-}
if [[ $src == $target ]]; then
print "SKIP $src"
continue
fi
print "SRC $src"
print "DEST $target"
if $execute; then
"$OBSIDIAN_CLI" rename file="$src" name="$target"
fi
else
print -u2 "WARN skipped (pattern mismatch): $src"
fi
done

BIN
Corpus/Standards/ISO27x/OST/27002/EN/ISO 27002_2022_EN.docx Normal file
View file

Binary file not shown.

818
Corpus/Standards/ISO27x/OST/27002/EN/ISO_27002_OT 3 Terms, definitions and abbreviated terms.md
View file

@ -1,818 +0,0 @@
#iso27002/2022/EN
**3.1** **Terms** **and** **definitions**
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
**3.****1.1**
**access** **control**
means to ensure that physical and logical access to _assets_ (3.1.2) is authorized and restricted based on business and information security requirements
**3.****1.2**
**ass****et**
anything that has value to the organization
Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:
— the primary assets: — information;
— business _processes_ (3.1.27) and activities;
— the supporting assets (on which the primary assets rely) of all types, for example: — hardware;
— software; — network;
_personnel_ (3.1.20);
© ISO/IEC 2022 All rights reserved **1**
**ISO/IEC 27002:2022(E)**
— site;
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
— organizations structure.
**3.****1.3**
**attack**
successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an _asset_ (3.1.2) or any attempt to expose, steal, or make unauthorized use of an _asset_ (3.1.2)
**3.1.4**
**aut****hentication**
provision of assurance that a claimed characteristic of an _entity_ (3.1.11) is correct
**3****.1.5**
**au****thenticity**
property that an _entity_ (3.1.11) is what it claims to be
**3.1.6**
**chain** **of** **custody**
demonstrable possession, movement, handling and location of material from one point in time until another
Note 1 to entry: Material includes information and other associated _assets_ (3.1.2) in the context of ISO/IEC 27002.
[SOURCE: ISO/IEC 27050-1:2019, 3.1, modified — “Note 1 to entry” added]
**3.****1.7**
**confidential** **information**
information that is not intended to be made available or disclosed to unauthorized individuals, _entities_ (3.1.11) or _processes_ (3.1.27)
**3****.1.8**
**control**
measure that maintains and/or modifies risk
Note 1 to entry: Controls include, but are not limited to, any _process_ (3.1.27), _policy_ (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
**3.****1.9**
**disrupti****on**
incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organizations objectives
[SOURCE: ISO 22301:2019, 3.10]
**3.1****.10**
**endpoint** **device**
network connected information and communication technology (ICT) hardware device
Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices.
**3.1.11**
**entity**
item relevant for the purpose of operation of a domain that has recognizably distinct existence
Note 1 to entry: An entity can have a physical or a logical embodiment.
**2** © ISO/IEC 2022 All rights reserved
EXAMPLE
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17
Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
A person, an organization, a device, a group of such items, a human subscriber to a telecom
service, a SIM card, a passport, a network interface card, a software application, a service or a website.
[SOURCE: ISO/IEC 24760-1:2019, 3.1.1]
**3.****1.12**
**information** **processing** **facility**
any information processing system, service or infrastructure, or the physical location housing it [SOURCE: ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.] **3****.1.13**
**information** **security** **breach**
compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed
**3.1****.14**
**information** **security** **event**
occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or failure of _controls_ (3.1.8)
[SOURCE: ISO/IEC 27035-1:2016, 3.3, modified — “breach of information security” has been replaced with “information security breach”]
**3.1****.15**
**information** **security incident**
one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organizations _assets_ (3.1.2) or compromise its operations
[SOURCE: ISO/IEC 27035-1:2016, 3.4]
**3.1.16**
**information** **security** **incident** **management**
exercise of a consistent and effective approach to the handling of _information_ _security_ _incidents_ (3.1.15) [SOURCE: ISO/IEC 27035-1:2016, 3.5]
**3****.1.17**
**information** **system**
set of applications, services, information technology _assets_ (3.1.2), or other information-handling components
[SOURCE: ISO/IEC 27000:2018, 3.35]
**3.1.18**
**interested** **party** stakeholder
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
[SOURCE: ISO/IEC 27000:2018, 3.37]
**3.****1.19**
**non-repudiation**
ability to prove the occurrence of a claimed event or action and its originating _entities_ (3.1.11)
**3.1.20**
**pers****onnel**
persons doing work under the organizations direction
Note 1 to entry: The concept of personnel includes the organizations members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.
© ISO/IEC 2022 All rights reserved **3**
**ISO/IEC 27002:2022(E)**
**3.1****.21**
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**personally identifiable** **information**
**PII**
any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.
Note 1 to entry: The “natural person” in the definition is the _PII_ _principal_ (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.
[SOURCE: ISO/IEC 29100:2011/Amd.1:2018, 2.9]
**3.1.22**
**PII** **principal**
natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.21) relates
Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.
[SOURCE: ISO/IEC 29100:2011, 2.11]
**3.1.23**
**PII** **processor**
privacy stakeholder that processes _personally_ _identifiable_ _information_ _(PII)_ (3.1.21) on behalf of and in accordance with the instructions of a PII controller
[SOURCE: ISO/IEC 29100:2011, 2.12]
**3.1****.24**
**policy**
intentions and direction of an organization, as formally expressed by its top management [SOURCE: ISO/IEC 27000:2018, 3.53]
**3.1.25**
**privacy** **impact** **assessment** **PIA**
overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organizations broader risk management framework
[SOURCE: ISO/IEC 29134:2017, 3.7, modified — Note 1 to entry removed.]
**3.1.26**
**procedure**
specified way to carry out an activity or a _process_ (3.1.27)
[SOURCE: ISO 30000:2009, 3.12]
**3.1.27**
**proce****ss**
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
[SOURCE: ISO 9000:2015, 3.4.1, modified— Notes to entry removed.]
**3.1****.28**
**re****cord**
information created, received and maintained as evidence and as an _asset_ (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business
**4** © ISO/IEC 2022 All rights reserved
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.
[SOURCE: ISO 15489-1:2016, 3.14, modified— “Note 1 to entry” added.]
**3.1.29**
**recovery** **point** **objective**
**RPO**
point in time to which data are to be recovered after a _disruption_ (3.1.9) has occurred [SOURCE: ISO/IEC 27031:2011, 3.12, modified — "must" replaced by "are to be".] **3.1.30**
**recovery** **time** **objective** **RTO**
period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a _disruption_ (3.1.9) has occurred
[SOURCE: ISO/IEC 27031:2011, 3.13, modified — "must" replaced by "are to be".]
**3.1****.31**
**reliability**
property of consistent intended behaviour and results
**3.1.32**
**rule**
accepted principle or instruction that states the organizations expectations on what is required to be done, what is allowed or not allowed
Note 1 to entry: Rules can be formally expressed in _topic-specific policies_ (3.1.35) and in other types of documents.
**3.1.33**
**sensitive** **information**
information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety
**3****.1.34**
**thr****eat**
potential cause of an unwanted incident, which can result in harm to a system or organization [SOURCE: ISO/IEC 27000:2018, 3.74]
**3.1.35**
**topic-specific** **policy**
intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management
Note 1 to entry: Topic-specific policies can formally express _rules_ (3.1.32) or organization standards. Note 2 to entry: Some organizations use other terms for these topic-specific policies.
Note 3 to entry: The topic-specific policies referred to in this document are related to information security.
EXAMPLE Topic-specific policy on _access_ _control_ (3.1.1), topic-specific policy on clear desk and clear screen.
**3.1.36**
**u****ser**
_interested_ _party_ (3.1.18) with access to the organizations _information_ _systems_ (3.1.17)
EXAMPLE _Personnel_ (3.1.20), customers, suppliers.
© ISO/IEC 2022 All rights reserved
**5**
**ISO/IEC 27002:2022(E)**
**3.1.37**
**user** **endpoint** **device**
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
_endpoint_ _device_ (3.1.10) used by users to access information processing services
Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc.
**3.1****.38**
**vu****lnerability**
weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one or more _threats_ (3.1.34) [SOURCE: ISO/IEC 27000:2018, 3.77]
**3.2** **Abbreviated** **terms**
ABAC attribute-based access control
ACL access control list
BIA business impact analysis
BYOD bring your own device
CAPTCHA completely automated public Turing test to tell computers and humans apart
CPU central processing unit
DAC discretionary access control
DNS domain name system
GPS global positioning system
IAM identity and access management
ICT information and communication technology
ID identifier
IDE integrated development environment
IDS intrusion detection system
IoT internet of things
IP internet protocol
IPS intrusion prevention system
IT information technology
ISMS information security management system
MAC mandatory access control
NTP network time protocol
PIA privacy impact assessment
PII personally identifiable information
**6** © ISO/IEC 2022 All rights reserved
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
PIN personal identification number
PKI public key infrastructure
PTP precision time protocol
RBAC role-based access control
RPO recovery point objective
RTO recovery time objective
SAST static application security testing
SD secure digital
SDN software-defined networking
SD-WAN software-defined wide area networking
SIEM security information and event management
SMS short message service
SQL structured query language
SSO single sign on
SWID software identification
UEBA user and entity behaviour analytics
UPS uninterruptible power supply
URL uniform resource locator
USB universal serial bus
VM virtual machine
VPN virtual private network
WiFi wireless fidelity

187
Corpus/Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated-terms.md Normal file
View file

@ -0,0 +1,187 @@
## 3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1.1 **access control**
means to ensure that physical and logical access to _assets_ (3.1.2) is authorized and restricted based on business and information security requirements
3.1.2 **asset**
anything that has value to the organization
*Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:*
— the primary assets: — information;
— business _processes_ (3.1.27) and activities;
— the supporting assets (on which the primary assets rely) of all types, for example: — hardware;
— software; — network;
_personnel_ (3.1.20);
— site;
— organizations structure.
3.1.3 **attack**
successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an _asset_ (3.1.2) or any attempt to expose, steal, or make unauthorized use of an _asset_ (3.1.2)
3.1.4 **authentication**
provision of assurance that a claimed characteristic of an _entity_ (3.1.11) is correct
3.1.5 **authenticity**
property that an _entity_ (3.1.11) is what it claims to be
3.1.6 **chain of custody**
demonstrable possession, movement, handling and location of material from one point in time until another
*Note 1 to entry: Material includes information and other associated _assets_ (3.1.2) in the context of ISO/IEC 27002.*
3.1.7 **confidential information**
information that is not intended to be made available or disclosed to unauthorized individuals, _entities_ (3.1.11) or _processes_ (3.1.27)
3.1.8 **control**
measure that maintains and/or modifies risk
*Note 1 to entry: Controls include, but are not limited to, any _process_ (3.1.27), _policy_ (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.*
*Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.*
3.1.9 **disruption**
incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organizations objectives
3.1.10 **endpoint device**
network connected information and communication technology (ICT) hardware device
*Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices.*
3.1.11 **entity**
item relevant for the purpose of operation of a domain that has recognizably distinct existence
*Note 1 to entry: An entity can have a physical or a logical embodiment.*
A person, an organization, a device, a group of such items, a human subscriber to a telecom
service, a SIM card, a passport, a network interface card, a software application, a service or a website.
3.1.12 **information processing facility**
any information processing system, service or infrastructure, or the physical location housing it [SOURCE: ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.]
3.1.13 **information security breach** compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed
3.1.14 **information security event**
occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or failure of _controls_ (3.1.8)
3.1.15 **information security incident**
one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organizations _assets_ (3.1.2) or compromise its operations
3.1.16 **information security incident management**
exercise of a consistent and effective approach to the handling of _information_ _security_ _incidents_ (3.1.15) [SOURCE: ISO/IEC 27035-1:2016, 3.5]
3.1.17 **information system** set of applications, services, information technology _assets_ (3.1.2), or other information-handling components
3.1.18 **interested party stakeholder**
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.1.19 **non-repudiation**
ability to prove the occurrence of a claimed event or action and its originating _entities_ (3.1.11)
3.1.20 **personnel**
persons doing work under the organizations direction
*Note 1 to entry: The concept of personnel includes the organizations members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.*
3.1.21 **personally identifiable information / PII**
any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.
*Note 1 to entry: The “natural person” in the definition is the PII principal (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.*
3.1.22 **PII principal**
natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.21) relates
*Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.*
3.1.23 **PII processor**
privacy stakeholder that processes _personally_ _identifiable_ _information_ _(PII)_ (3.1.21) on behalf of and in accordance with the instructions of a PII controller
3.1.24 **policy**
intentions and direction of an organization, as formally expressed by its top management
[SOURCE: ISO/IEC 27000:2018, 3.53]
3.1.25 **privacy impact assessment PIA**
overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organizations broader risk management framework
3.1.26 **procedure**
specified way to carry out an activity or a _process_ (3.1.27)
3.1.27 **process**
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
3.1.28 **record**
information created, received and maintained as evidence and as an _asset_ (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business
*Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.*
3.1.29 **recovery point objective** / **RPO**
point in time to which data are to be recovered after a _disruption_ (3.1.9) has occurred [SOURCE: ISO/IEC 27031:2011, 3.12, modified — "must" replaced by "are to be".]
3.1.30 **recovery time objective RTO**
period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a _disruption_ (3.1.9) has occurred
3.1.31 **reliability**
property of consistent intended behaviour and results
3.1.32 **rule**
accepted principle or instruction that states the organizations expectations on what is required to be done, what is allowed or not allowed
*Note 1 to entry: Rules can be formally expressed in _topic-specific policies_ (3.1.35) and in other types of documents.*
3.1.33 **sensitive information**
information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety
3.1.34 **threat** potential cause of an unwanted incident, which can result in harm to a system or organization [SOURCE: ISO/IEC 27000:2018, 3.74]
3.1.35 **topic-specific policy**
intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management
*Note 1 to entry: Topic-specific policies can formally express _rules_ (3.1.32) or organization standards. Note 2 to entry: Some organizations use other terms for these topic-specific policies.*
*Note 3 to entry: The topic-specific policies referred to in this document are related to information security.*
3.1.36 **user**
_interested_ _party_ (3.1.18) with access to the organizations _information_ _systems_ (3.1.17)
3.1.37 **user endpoint device**
_endpoint_ _device_ (3.1.10) used by users to access information processing services
*Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc.*
3.1.38 **vulnerability**
weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one or more _threats_ (3.1.34) [SOURCE: ISO/IEC 27000:2018, 3.77]
### 3.2 Abbreviated terms
ABAC attribute-based access control
ACL access control list
BIA business impact analysis
BYOD bring your own device
CAPTCHA completely automated public Turing test to tell computers and humans apart
CPU central processing unit
DAC discretionary access control
DNS domain name system
GPS global positioning system
IAM identity and access management
ICT information and communication technology
ID identifier IDE integrated development environment
IDS intrusion detection system IoT internet of things
IP internet protocol
IPS intrusion prevention system
IT information technology
ISMS information security management system
MAC mandatory access control
NTP network time protocol
PIA privacy impact assessment
PII personally identifiable information
PIN personal identification number
PKI public key infrastructure
PTP precision time protocol
RBAC role-based access control
RPO recovery point objective
RTO recovery time objective
SAST static application security testing
SD secure digital
SDN software-defined networking
SD-WAN software-defined wide area networking
SIEM security information and event management
SMS short message service
SQL structured query language
SSO single sign on
SWID software identification
UEBA user and entity behaviour analytics
UPS uninterruptible power supply
URL uniform resource locator
USB universal serial bus
VM virtual machine
VPN virtual private network
WiFi wireless fidelity

8
Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md
View file

@ -24,13 +24,13 @@ status: active
## 5.1 Policies for information security
#### Control
### Control
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
#### Purpose
### Purpose
To ensure continuing suitability, adequacy, effectiveness of management direction and support for information security in accordance with business, legal, statutory, regulatory and contractual requirements.
#### Guidance
### Guidance
At the highest level, the organization should define an "information security policy" which is approved by top management and which sets out the organization's approach to managing its information security.
The information security policy should take into consideration requirements derived from:
@ -91,7 +91,7 @@ Level of detail | General or high-level | Specific and detailed
Documented and formally approved by | Top management | Appropriate level of management
#### Other information
### Other information
Topic-specific policies can vary across organizations.

38
Corpus/Standards/ISO27x/OST/27002/EN/a-5.10-Acceptable-use-of-information-and-other-associated-assets.md
View file

@ -1,16 +1,38 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.10"
title: "Acceptable use of information and other associated assets"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Asset_management
- Information_protection
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.10 Acceptable use of information and other associated assets
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ----------------------------------------- | ------------------------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Governance_and_Ecosystem #Protection |
**Control**
### Control
Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.
**Purpose**
### Purpose
To ensure information and other associated assets are appropriately protected, used and handled.
**Guidance**
### Guidance
Personnel and external party users using or having access to the organizations information and other associated assets should be made aware of the information security requirements for protecting and handling the organizations information and other associated assets. They should be responsible for their use of any information processing facilities.
The organization should establish a topic-specific policy on the acceptable use of information and other associated assets and communicate it to anyone who uses or handles information and other associated assets. The topic-specific policy on acceptable use should provide clear direction on how individuals are expected to use information and other associated assets. The topic-specific policy should state:
@ -35,5 +57,5 @@ e\) clear marking of all copies of storage media (electronic or physical) for th
f\) authorization of disposal of information and other associated assets and supported deletion method(s) (see [8.10](a-8.10-Information-deletion.md)).
**Other information**
### Other information
It can be the case that the assets concerned do not directly belong to the organization, such as public cloud services. The use of such third-party assets and any assets of the organization associated with such external assets (e.g. information, software) should be identified as applicable and controlled, for example, through agreements with cloud service providers. Care should also be taken when a collaborative working environment is used.

34
Corpus/Standards/ISO27x/OST/27002/EN/a-5.11-Return-of-assets.md
View file

@ -1,18 +1,36 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.11"
title: "Return of assets"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Asset_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 5.11 Return of assets
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------ | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management | #Protection |
**Control**
### Control
Personnel and other interested parties as appropriate should return all the organizations assets in their possession upon change or termination of their employment, contract or agreement.
**Purpose**
### Purpose
To protect the organizations assets as part of the process of changing or terminating employment, contract or agreement.
**Guidance**
### Guidance
The change or termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization.
@ -30,5 +48,5 @@ c\) specialist equipment;
d\) authentication hardware (e.g. mechanical keys, physical tokens and smartcards) for information systems, sites and physical archives;
e\) physical copies of information.
**Other information**
### Other information
It can be difficult to return information held on assets which are not owned by the organization. In such cases, it is necessary to restrict the use of information using other information security controls such as access rights management (5.18) or use of cryptography (8.24).

36
Corpus/Standards/ISO27x/OST/27002/EN/a-5.12-Classification-of-information.md
View file

@ -1,18 +1,36 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.12"
title: "Classification of information"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Information_protection]
security_domains:
- Protection
- Defence
tags:
- iso27002/2022/EN
status: active
---
## 5.12 Classification of information
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------ | -------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Information_protection | #Protection #Defence |
**Control**
### Control
Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
**Purpose**
### Purpose
To ensure identification and understanding of protection needs of information in accordance with its importance to the organization.
**Guidance**
### Guidance
The organization should establish a topic-specific policy on information classification and communicate it to all relevant interested parties.
The organization should take into account requirements for confidentiality, integrity and availability in the classification scheme.
@ -31,7 +49,7 @@ The scheme should be consistent across the whole organization and included in it
The classification scheme used within the organization can be different from the schemes used by other organizations, even if the names for levels are similar. In addition, information moving between organizations can vary in classification depending on its context in each organization, even if their classification schemes are identical. Therefore, agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification levels from other organizations. Correspondence between different schemes can be determined by looking for equivalence in the associated handling and protection methods.
**Other information**
### Other information
Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.
Information can cease to be sensitive or critical after a certain period of time. For example, when the information has been made public, it no longer has confidentiality requirements but can still require protection for its integrity and availability properties. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense or, on the contrary, under-classification can lead to insufficient controls to protect the information from compromise.

32
Corpus/Standards/ISO27x/OST/27002/EN/a-5.13-Labelling-of-information.md
View file

@ -1,14 +1,38 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.13"
title: "Labelling of information"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Information_protection]
security_domains:
- Defence
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.13 Labelling of information
**Control**
### Control
An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.
**Purpose**
### Purpose
To facilitate the communication of classification of information and support automation of information processing and management.
**Guidance**
### Guidance
Procedures for information labelling should cover information and other associated assets in all formats. The labelling should reflect the classification scheme established in 5.12. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of storage media. The procedures can define:
a\) cases where labelling is omitted (e.g. labelling of non-confidential information to reduce workloads);
@ -37,7 +61,7 @@ Personnel and other interested parties should be made aware of labelling procedu
Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.
**Other information**
### Other information
Labelling of classified information is a key requirement for information sharing.
Other useful metadata that can be attached to the information is which organizational process created the information and at what time.

36
Corpus/Standards/ISO27x/OST/27002/EN/a-5.14-Information-transfer.md
View file

@ -1,16 +1,36 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.14"
title: "Information transfer"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Asset_management
- Information_protection
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 5.14 Information transfer
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ----------------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Protection |
**Control**
### Control
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.
**Purpose**
### Purpose
To maintain the security of information transferred within an organization and with any external interested party.
**Guidance**
### Guidance
<u>General</u>
The organization should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit (see [5.10](a-5.10-Acceptable-use-of-information-and-other-associated-assets.md)).
@ -136,6 +156,6 @@ e\) begin any sensitive conversations with a disclaimer so those present know th
**Other information**
### Other information
No other information.

34
Corpus/Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md
View file

@ -1,18 +1,34 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.15"
title: "Access control"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Identity_and_access_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 5.15 Access control
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |
**Control**
### Control
Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.
**Purpose**
### Purpose
To ensure authorized access and to prevent unauthorized access to information and other associated assets.
**Guidance**
### Guidance
Owners of information and other associated assets should determine information security and business requirements related to access control. A topic-specific policy on access control should be defined which takes account of these requirements and should be communicated to all relevant interested parties.
These requirements and the topic-specific policy should consider the following:
@ -51,7 +67,7 @@ c\) considering all types of available connections in distributed environments s
d\) considering how elements or factors relevant to dynamic access control can be reflected.
**Other information**
### Other information
There are often overarching principles used in the context of access control. Two of the most frequently used principles are:

34
Corpus/Standards/ISO27x/OST/27002/EN/a-5.16-Identity-management.md
View file

@ -1,16 +1,34 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.16"
title: "Identity management"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Identity_and_access_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 5.16 Identity management
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |
**Control**
### Control
The full life cycle of identities should be managed.
**Purpose**
### Purpose
To allow for the unique identification of individuals and systems accessing the organizations information and other associated assets and to enable appropriate assignment of access rights.
**Guidance**
### Guidance
The processes used in the context of identity management should ensure that:
a\) for identities assigned to persons, a specific identity is only linked to a single person to be able to hold the person accountable for actions performed with this specific identity;
@ -29,7 +47,7 @@ The organization should have a supporting process in place to handle changes to
When using identities provided or issued by third parties (e.g. social media credentials), the organization should ensure the third-party identities provide the required trust level and any associated risks are known and sufficiently treated. This can include controls related to the third parties (see [5.19](a-5.19-Information-security-in-supplier-relationships.md)) as well as controls related to associated authentication information (see [5.17](a-5.17-Authentication-information.md)).
**Other information**
### Other information
Providing or revoking access to information and other associated assets is usually a multi-step procedure:
a\) confirming the business requirements for an identity to be established;

25
Corpus/Standards/ISO27x/OST/27002/EN/a-5.17-Authentication-information.md
View file

@ -1,4 +1,25 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.17"
title: "Authentication information"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Identity_and_access_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 5.17 Authentication information
### Control
@ -65,7 +86,7 @@ h)   store and transmit passwords in protected form.
Password  encryption  and  hashing  should  be  performed  according  to  approved  cryptographic techniques for passwords (see [8.24](a-8.24-Use-of-cryptography.md)).
**Other information**
### Other information
Passwords or passphrases are a commonly used type of authentication information and are a common means of verifying a users identity. Other types of authentication information are cryptographic keys, data stored on hardware tokens (e.g. smart cards) that produce authentication codes and biometric data such as iris scans or fingerprints. Additional information can be found in the ISO/IEC 24760 series.

34
Corpus/Standards/ISO27x/OST/27002/EN/a-5.18-Access-rights.md
View file

@ -1,16 +1,34 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.18"
title: "Access rights"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Identity_and_access_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 5.18 Access rights
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |
**Control**
### Control
Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organizations topic-specific policy on and rules for access control.
**Purpose**
### Purpose
To ensure access to information and other associated assets is defined and authorized according to the business requirements.
**Guidance**
### Guidance
<u>Provision and revocation of access rights</u>
The provisioning process for assigning or revoking physical and logical access rights granted to an entitys authenticated identity should include:
@ -53,7 +71,7 @@ b\) the current responsibilities of the user;
c\) the value of the assets currently accessible.
**Other information**
### Other information
Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews of access rights are easier managed at the level of such roles than at the level of particular rights.
Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel (see [5.20](a-5.20-Addressing-information-security-within-supplier-agreements.md), [6.2](a-6.2-Terms-and-conditions-of-employment.md), [6.4](a-6.4-Disciplinary-process.md), [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md)).

33
Corpus/Standards/ISO27x/OST/27002/EN/a-5.19-Information-security-in-supplier-relationships.md
View file

@ -1,15 +1,38 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.19"
title: "Information security in supplier relationships"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Supplier_relationships_security]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.19 Information security in supplier relationships
**Control**
### Control
Processes and procedures should be defined and implemented to manage the information security risks associated with the use of suppliers products or services.
**Purpose**
### Purpose
To maintain an agreed level of information security in supplier relationships.
**Guidance**
### Guidance
The organization should establish and communicate a topic-specific policy on supplier relationships to all relevant interested parties.
@ -56,7 +79,7 @@ n\) level of personnel security and physical security expected from supplier's p
The procedures for continuing information processing in the event that the supplier becomes unable to supply its products or services (e.g. because of an incident, because the supplier is no longer in business, or no longer provides some components due to technology advancements) should be considered to avoid any delay in arranging replacement products or services (e.g. identifying an alternative supplier in advance or always using alternative suppliers).
**Other information**
### Other information
In cases where it is not possible for an organization to place requirements on a supplier, the organization should:

25
Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md
View file

@ -1,3 +1,28 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.2"
title: "Information security roles and responsibilities"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Governance]
security_domains:
- Governance_and_Ecosystem
- Protection
- Resilience
tags:
- iso27002/2022/EN
status: active
---
## 5.2 Information security roles and responsibilities
### Control

33
Corpus/Standards/ISO27x/OST/27002/EN/a-5.20-Addressing-information-security-within-supplier-agreements.md
View file

@ -1,13 +1,36 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.20"
title: "Addressing information security within supplier agreements"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Supplier_relationships_security]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.20 Addressing information security within supplier agreements
**Control**
### Control
Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.
**Purpose**
### Purpose
To maintain an agreed level of information security in supplier relationships.
**Guidance**
### Guidance
Supplier agreements should be established and documented to ensure that there is clear understanding between the organization and the supplier regarding both parties obligations to fulfil relevant information security requirements.
The following terms can be considered for inclusion in the agreements in order to satisfy the identified information security requirements:
@ -66,7 +89,7 @@ z\) ensuring, at the end of the contract, handover support to another supplier o
The organization should establish and maintain a register of agreements with external parties (e.g. contracts, memorandum of understanding, information-sharing agreements) to keep track of where their information is going. The organization should also regularly review, validate and update their agreements with external parties to ensure they are still required and fit for purpose with relevant information security clauses.
**Other information**
### Other information
The agreements can vary considerably for different organizations and among the different types of suppliers. Therefore, care should be taken to include all relevant requirements for addressing information security risks.
For details on supplier agreements, see ISO/IEC 27036 series. For cloud service agreements, see ISO/IEC 19086 series.

33
Corpus/Standards/ISO27x/OST/27002/EN/a-5.21-Managing-information-security-in-the-ICT-supply-chain.md
View file

@ -1,15 +1,36 @@
#iso27002/2022/EN
[[ISO_27002_PE 5.21 Managing information security in the ICT supply chain]]
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.21"
title: "Managing information security in the ICT supply chain"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Supplier_relationships_security]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.21 Managing information security in the ICT supply chain
**Control**
### Control
Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
**Purpose**
### Purpose
To maintain an agreed level of information security in supplier relationships.
**Guidance**
### Guidance
The following topics should be considered to address information security within ICT supply chain security in addition to the general information security requirements for supplier relationships:
@ -39,7 +60,7 @@ l\) defining rules for sharing of information regarding the supply chain and any
m\) implementing specific processes for managing ICT component life cycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements. Identification of an alternative supplier and the process to transfer software and competence to the alternative supplier should be considered.
**Other information**
### Other information
The specific ICT supply chain risk management practices are built on top of general information security, quality, project management and system engineering practices but do not replace them.

36
Corpus/Standards/ISO27x/OST/27002/EN/a-5.22-Monitoring-review-and-change-management-of-supplier-services.md
View file

@ -1,12 +1,38 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.22"
title: "Monitoring, review and change management of supplier services"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Supplier_relationships_security]
security_domains:
- Governance_and_Ecosystem
- Protection
- Defence
- Information_security_assurance
tags:
- iso27002/2022/EN
status: active
---
**Control**
## 5.22 Monitoring, review, and change management of supplier services
### Control
The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
**Purpose**
### Purpose
To maintain an agreed level of information security and service delivery in line with supplier agreements.
**Guidance**
### Guidance
Monitoring, review and change management of supplier services should ensure the information security terms and conditions of the agreements are complied with, information security incidents and problems are managed properly and changes in supplier services or business status do not affect service delivery.
This should involve a process to manage the relationship between the organization and the supplier to:
@ -51,5 +77,5 @@ m\) evaluate regularly that the suppliers maintain adequate information security
The responsibility for managing supplier relationships should be assigned to a designated individual or team. Sufficient technical skills and resources should be made available to monitor that the requirements of the agreement, in particular the information security requirements, are being met. Appropriate actions should be taken when deficiencies in the service delivery are observed.
**Other information**
### Other information
See ISO/IEC 27036-3 for more detail.

33
Corpus/Standards/ISO27x/OST/27002/EN/a-5.23-Information-security-for-use-of-cloud-services.md
View file

@ -1,13 +1,36 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.23"
title: "Information security for use of cloud services"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Supplier_relationships_security]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.23 Information security for use of cloud services
#### Control
### Control
Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organizations information security requirements.
#### Purpose
### Purpose
To specify and manage information security for the use of cloud services.
#### Guidance
### Guidance
The organization should establish and communicate topic-specific policy on the use of cloud services to all relevant interested parties.
The organization should define and communicate how it intends to manage information security risks associated with the use of cloud services. It can be an extension or part of the existing approach for how an organization manages services provided by external parties (see [5.21](a-5.21-Managing-information-security-in-the-ICT-supply-chain.md), [5.22](a-5.22-Monitoring-review-and-change-management-of-supplier-services.md)).
@ -48,7 +71,7 @@ c) use of peer cloud service providers or other sub-contractors (including chang
The organization using cloud services should maintain close contact with its cloud service providers. These contacts enable mutual exchange of information about information security for the use of the cloud services including a mechanism for both cloud service provider and the organization, acting as the cloud service customer, to monitor each service characteristic and report failures to the commitments contained in the agreements.
#### Other information
### Other information
This control considers cloud security from the perspective of the cloud service customer.
Additional information relating to cloud services can be found in ISO/IEC 17788, ISO/IEC 17789 and ISO/IEC 22123-1. Specifics related to cloud portability in support of exit strategies can be found in ISO/IEC 19941. Specifics related to information security and public cloud services are described in ISO/IEC 27017. Specifics related to PII protection in public clouds acting as PII processor are described in ISO/IEC 27018. Supplier relationships for cloud services are covered by ISO/IEC 27036-4 and cloud service agreements and their contents are dealt with in the ISO/IEC 19086 series, with security and privacy specifically covered by ISO/IEC 19086-4.

35
Corpus/Standards/ISO27x/OST/27002/EN/a-5.24-Information-security-incident-management-planning-and-preparation.md
View file

@ -1,13 +1,38 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.24"
title: "Information security incident management planning and preparation"
theme: Organizational
control_type: [Corrective]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Respond
- Recover
operational_capabilities:
- Governance
- Information_security_event_management
security_domains: [Defence]
tags:
- iso27002/2022/EN
status: active
---
## 5.24 Information security incident management planning and preparation
#### Control
### Control
The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
#### Purpose
### Purpose
To ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events.
#### Guidance
### Guidance
**Roles and responsibilities**
@ -61,7 +86,7 @@ d\) creation of incident reports.
Any external requirements on reporting of incidents to relevant interested parties within the defined time frame (e.g. breach notification requirements to regulators) should be considered when implementing incident management procedures.
**Other information**
### Other information
Information security incidents can transcend organizational and national boundaries. To respond to such incidents, it is beneficial to coordinate response and share information about these incidents with external organizations as appropriate.

38
Corpus/Standards/ISO27x/OST/27002/EN/a-5.25-Assessment-and-decision-on-information-security-events.md
View file

@ -1,19 +1,37 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.25"
title: "Assessment and decision on information security events"
theme: Organizational
control_type: [Detective]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Detect
- Respond
operational_capabilities: [Information_security_event_management]
security_domains: [Defence]
tags:
- iso27002/2022/EN
status: active
---
## 5.25 Assessment and decision on information security events
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------- | ---------------- |
| #Detective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence |
**Control**
### Control
The organization should assess information security events and decide if they are to be categorized as information security incidents.
**Purpose**
### Purpose
@ -21,7 +39,7 @@ To ensure effective categorization and prioritization of information security ev
**Guidance**
### Guidance
@ -31,5 +49,5 @@ Personnel responsible for coordinating and responding to information security in
Results of the assessment and decision should be recorded in detail for the purpose of future reference and verification.
**Other information**
### Other information
The ISO/IEC 27035 series provides further guidance on incident management.

37
Corpus/Standards/ISO27x/OST/27002/EN/a-5.26-Response-to-information-security-incidents.md
View file

@ -1,19 +1,38 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.26"
title: "Response to information security incidents"
theme: Organizational
control_type: [Corrective]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Respond
- Recover
operational_capabilities: [Information_security_event_management]
security_domains: [Defence]
tags:
- iso27002/2022/EN
status: active
---
## 5.26 Response to information security incidents
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------- | ---------------- |
| #Corrective | #Confidentiality #Integrity #Availability | #Respond #Recover | #Information_security_event_management | #Defence |
**Control**
### Control
Information security incidents should be responded to in accordance with the documented procedures.
**Purpose**
### Purpose
To ensure efficient and effective response to information security incidents.
**Guidance**
### Guidance
The organization should establish and communicate procedures on information security incident response to all relevant interested parties.
Information security incidents should be responded to by a designated team with the required competency (see [5.24](a-5.24-Information-security-incident-management-planning-and-preparation.md)).
@ -31,5 +50,5 @@ h\) conducting information security forensic analysis, as required (see [5.28](a
i\) performing post-incident analysis to identify root cause. Ensure it is documented and communicated according to defined procedures (see [5.27](a-5.27-Learning-from-information-security-incidents.md));
j\) identifying and managing information security vulnerabilities and weaknesses including those related to controls which have caused, contributed to or failed to prevent the incident.
**Other information**
### Other information
The ISO/IEC 27035 series provides further guidance on incident management.

33
Corpus/Standards/ISO27x/OST/27002/EN/a-5.27-Learning-from-information-security-incidents.md
View file

@ -1,13 +1,36 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.27"
title: "Learning from information security incidents"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Identify
- Protect
operational_capabilities: [Information_security_event_management]
security_domains: [Defence]
tags:
- iso27002/2022/EN
status: active
---
## 5.27 Learning from information security incidents
#### Control
### Control
Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.
#### Purpose
### Purpose
To reduce the likelihood or consequences of future incidents.
#### Guidance
### Guidance
The organization should establish procedures to quantify and monitor the types, volumes and costs of information security incidents.
The information gained from the evaluation of information security incidents should be used to:
@ -18,6 +41,6 @@ b\) identify recurring or serious incidents and their causes to update the organ
c\) enhance user awareness and training (see [6.3](ISO_27002_2022_6.3_OT%20Information%20security%20awareness%2C%20education%20and%20training.md)) by providing examples of what can happen, how to respond to such incidents and how to avoid them in the future.
#### Other information
### Other information
The ISO/IEC 27035 series provides further guidance.

38
Corpus/Standards/ISO27x/OST/27002/EN/a-5.28-Collection-of-evidence.md
View file

@ -1,20 +1,38 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.28"
title: "Collection of evidence"
theme: Organizational
control_type: [Corrective]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Detect
- Respond
operational_capabilities: [Information_security_event_management]
security_domains: [Defence]
tags:
- iso27002/2022/EN
status: active
---
## 5.28 Collection of evidence
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | -------------------------------------- | ---------------- |
| #Corrective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence |
**Control**
### Control
The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
**Purpose**
### Purpose
To ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.
**Guidance**
### Guidance
Internal procedures should be developed and followed when dealing with evidence related to information security events for the purposes of disciplinary and legal actions. The requirements of different jurisdictions should be considered to maximize chances of admission across the relevant jurisdictions.
In general, these procedures for the management of evidence should provide instructions for the identification, collection, acquisition and preservation of evidence in accordance with different types of storage media, devices and status of devices (i.e. powered on or off). Evidence typically needs to be collected in a manner that is admissible in the appropriate national courts of law or another disciplinary forum. It should be possible to show that:
@ -29,7 +47,7 @@ Where available, certification or other relevant means of qualification of perso
Digital evidence can transcend organizational or jurisdictional boundaries. In such cases, it should be ensured that the organization is entitled to collect the required information as digital evidence.
**Other information**
### Other information
When an information security event is first detected, it is not always obvious whether or not the event will result in court action. Therefore, the danger exists that necessary evidence is destroyed intentionally or accidentally before the seriousness of the incident is realized. It is advisable to involve legal advice or law enforcement early in any contemplated legal action and take advice on the evidence required.

41
Corpus/Standards/ISO27x/OST/27002/EN/a-5.29-Information-security-during-disruption.md
View file

@ -1,17 +1,40 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.29"
title: "Information security during disruption"
theme: Organizational
control_type:
- Preventive
- Corrective
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Protect
- Respond
operational_capabilities: [Continuity]
security_domains:
- Protection
- Resilience
tags:
- iso27002/2022/EN
status: active
---
## 5.29 Information security during disruption
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ----------------------- | ----------------------------------------- | ---------------------- | ------------------------ | ----------------------- |
| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Continuity | #Protection #Resilience |
**Control**
### Control
The organization should plan how to maintain information security at an appropriate level during disruption.
**Purpose**
### Purpose
To protect information and other associated assets during disruption.
**Guidance**
### Guidance
The organization should determine its requirements for adapting information security controls during disruption. Information security requirements should be included in the business continuity management processes.
Plans should be developed, implemented, tested, reviewed and evaluated to maintain or restore the security of information of critical business processes following interruption or failure. Security of information should be restored at the required level and in the required time frames.
@ -24,7 +47,7 @@ b\) processes to maintain existing information security controls during disrupti
c\) compensating controls for information security controls that cannot be maintained during disruption.
**Other information**
### Other information
In the context of business continuity and ICT continuity planning, it can be necessary to adapt the information security requirements depending on the type of disruption, compared to normal operational conditions. As part of the business impact analysis and risk assessment performed within business continuity management, the consequences of loss of confidentiality and integrity of information should be considered and prioritized in addition to the need for maintaining availability.
Information on business continuity management systems can be found in ISO 22301 and ISO 22313. Further guidance on business impact analysis (BIA) can be found in ISO/TS 22317.

43
Corpus/Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md
View file

@ -1,4 +1,27 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.3"
title: "Segregation of duties"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Governance
- Identity_and_access_management
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 5.3 Segregation of duties
### Control
@ -12,24 +35,24 @@ Segregation of duties and areas of responsibility aims to separate conflicting d
The organization should determine which duties and areas of responsibility need to be segregated. The following are examples of activities that can require segregation:
a)   initiating, approving and executing a change;
a) initiating, approving and executing a change;
b)   requesting, approving and implementing access rights;
b) requesting, approving and implementing access rights;
c)   designing, implementing and reviewing code;
c) designing, implementing and reviewing code;
d)   developing software and administering production systems;
d) developing software and administering production systems;
e)   using and administering applications;
e) using and administering applications;
f)   using applications and administering databases;
f) using applications and administering databases;
g)   designing, auditing and assuring information security controls.
g) designing, auditing and assuring information security controls.
The  possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision.
The possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision.
Care should be taken when using role-based access control systems to ensure that persons are not granted conflicting roles. When there is a large number of roles, the organization should consider using automated tools to identify conflicts and facilitate their removal. Roles should be carefully defined and provisioned to minimize access problems if a role is removed or reassigned.
### Other **information**
### Other information
No other information.

30
Corpus/Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md
View file

@ -1,15 +1,29 @@
#iso27002/2022/EN
See also:
- [BCP_Bedrijfscontinuïteitsplanning](../../../../../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
- [Disaster Recovery Planning](../../../../../🎇%20Sparks/Disaster%20Recovery%20Planning.md)
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.30"
title: "ICT readiness for business continuity"
theme: Organizational
control_type: [Corrective]
information_security_properties: [Availability]
cybersecurity_concepts: [Respond]
operational_capabilities: [Continuity]
security_domains: [Resilience]
tags:
- iso27002/2022/EN
status: active
---
# **5.30** **ICT** **readiness** **for** **business** continuity
## 5.30 ICT readiness for business continuity
## Purpose
### Purpose
To ensure the availability of the organizations information and other associated assets during disruption.
## Guidance
### Guidance
ICT readiness for business continuity is an important component in business continuity management and information security management to ensure that the organizations objectives can continue to be met during disruption.
@ -34,7 +48,7 @@ c)   ICT continuity plans include the following ICT continuity information:
2)   RTO of each prioritized ICT service and the procedures for restoring those components;
3)   RPO of the prioritized ICT resources defined as information and the procedures for restoring the information.
## Other **information**
### Other information
Managing ICT continuity forms a key part of business continuity requirements concerning availability to be able to:

34
Corpus/Standards/ISO27x/OST/27002/EN/a-5.31-Legal-statutory-regulatory-and-contractual-requirements.md
View file

@ -1,16 +1,36 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.31"
title: "Legal, statutory, regulatory and contractual requirements"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Legal_and_compliance]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.31 Legal, statutory, regulatory and contractual requirements
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------ | ------------------------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Legal_and_compliance | #Governance_and_Ecosystem #Protection |
**Control**
### Control
Legal, statutory, regulatory and contractual requirements relevant to information security and the organizations approach to meet these requirements should be identified, documented and kept up to date.
**Purpose**
### Purpose
To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.
**Guidance**
### Guidance
<u>General</u>
External requirements including legal, statutory, regulatory or contractual requirements should be taken into consideration when:

29
Corpus/Standards/ISO27x/OST/27002/EN/a-5.32-Intellectual-property-rights.md
View file

@ -1,10 +1,31 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.32"
title: "Intellectual property rights"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Legal_and_compliance]
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 5.32 Intellectual property rights
**Control**
### Control
The organization should implement appropriate procedures to protect intellectual property rights.
**Purpose**
### Purpose
To ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.
The following guidelines should be considered to protect any material that can be considered intellectual property:
@ -33,7 +54,7 @@ k\) not duplicating, converting to another format or extracting from commercial
l\) not copying, in full or in part, standards (e.g. ISO/IEC International Standards), books, articles, reports or other documents, other than permitted by copyright law or the applicable licences.
**Other information**
### Other information
Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licences.

41
Corpus/Standards/ISO27x/OST/27002/EN/a-5.33-Protection-of-records.md
View file

@ -1,19 +1,38 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.33"
title: "Protection of records"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Identify
- Protect
operational_capabilities:
- Legal_and_compliance
- Asset_management
- Information_protection
security_domains: [Defence]
tags:
- iso27002/2022/EN
status: active
---
## 5.33 Protection of records
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | --------------------------------------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Legal_and_compliance #Asset_management #Information_protection | #Defence |
**Control**
### Control
Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
**Purpose**
### Purpose
To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records.
**Guidance**
### Guidance
The organization should take the following steps to protect the authenticity, reliability, integrity and usability of records, as their business context and requirements for their management change over time:
a\) issue guidelines on the storage, handling chain of custody and disposal of records, which includes prevention of manipulation of records. These guidelines should be aligned with the organizations topic-specific policy on records management and other records requirements;
@ -30,7 +49,7 @@ Where electronic storage media are chosen, procedures to ensure the ability to a
Storage and handling procedures should be implemented in accordance with recommendations provided by manufacturers of storage media. Consideration should be given to the possibility of deterioration of media used for storage of records.
**Other information**
### Other information
Records document individual events or transactions or can form aggregations that have been designed to document work processes, activities or functions. They are both evidence of business activity and information assets. Any set of information, regardless of its structure or form, can be managed as a record. This includes information in the form of a document, a collection of data or other types of digital or analogue information which are created, captured and managed in the course of business.

40
Corpus/Standards/ISO27x/OST/27002/EN/a-5.34-Privacy-and-protection-of-PII.md
View file

@ -1,18 +1,38 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.34"
title: "Privacy and protection of PII"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Identify
- Protect
operational_capabilities:
- Information_protection
- Legal_and_compliance
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 5.34 Privacy and protection of PII
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | --------------------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Information_protection #Legal_and_compliance | #Protection |
**Control**
### Control
The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
**Purpose**
### Purpose
To ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII.
**Guidance**
### Guidance
The organization should establish and communicate a topic-specific policy on privacy and protection of PII to all relevant interested parties.
The organization should develop and implement procedures for the preservation of privacy and protection of PII. These procedures should be communicated to all relevant interested parties involved in the processing of personally identifiable information.
@ -23,7 +43,7 @@ Responsibility for handling PII should be dealt with taking into consideration r
Appropriate technical and organizational measures to protect PII should be implemented.
**Other information**
### Other information
A number of countries have introduced legislation placing controls on the collection, processing, transmission and deletion of PII. Depending on the respective national legislation, such controls can impose duties on those collecting, processing and disseminating PII and can also restrict the authority to transfer PII to other countries.
ISO/IEC 29100 provides a high-level framework for the protection of PII within ICT systems. Further information on privacy information management systems can be found in ISO/IEC 27701. Specific information regarding privacy information management for public clouds acting as PII processors can be found in ISO/IEC 27018.

38
Corpus/Standards/ISO27x/OST/27002/EN/a-5.35-Independent-review-of-information-security.md
View file

@ -1,18 +1,38 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.35"
title: "Independent review of information security"
theme: Organizational
control_type:
- Preventive
- Corrective
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Identify
- Protect
operational_capabilities: [Information_security_assurance]
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 5.35 Independent review of information security
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ----------------------- | ----------------------------------------- | ---------------------- | ------------------------------- | ------------------------- |
| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Identify #Protect | #Information_security_assurance | #Governance_and_Ecosystem |
**Control**
### Control
The organizations approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur.
**Purpose**
### Purpose
To ensure the continuing suitability, adequacy and effectiveness of the organizations approach to managing information security.
**Guidance**
### Guidance
The organization should have processes to conduct independent reviews.
Management should plan and initiate periodic independent reviews. The reviews should include assessing opportunities for improvement and the need for changes to the approach to information security, including the information security policy, topic-specific policies and other controls.

38
Corpus/Standards/ISO27x/OST/27002/EN/a-5.36-Compliance-with-policies-rules-and-standards-for-information-security.md
View file

@ -1,16 +1,38 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.36"
title: "Compliance with policies, rules and standards for information security"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Identify
- Protect
operational_capabilities:
- Legal_and_compliance
- Information_security_assurance
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 5.36 Compliance with policies, rules and standards for information security
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ----------------------------------------------------- | ------------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Legal_and_compliance #Information_security_assurance | #Governance_and_Ecosystem |
**Control**
### Control
Compliance with the organizations information security policy, topic-specific policies, rules and standards should be regularly reviewed.
**Purpose**
### Purpose
To ensure that information security is implemented and operated in accordance with the organizations information security policy, topic-specific policies, rules and standards.
**Guidance**
### Guidance
Managers, service, product or information owners should identify how to review that information security requirements defined in the information security policy, topic-specific policies, rules, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review.
If any non-compliance is found as a result of the review, managers should:
@ -27,5 +49,5 @@ Results of reviews and corrective actions carried out by managers, service, prod
Corrective actions should be completed in a timely manner as appropriate to the risk. If not completed by the next scheduled review, progress should at least be addressed at that review.
**Other information**
### Other information
Operational monitoring of system use is covered in 8.15, 8.16, 8.17.

50
Corpus/Standards/ISO27x/OST/27002/EN/a-5.37-Documented-operating-procedures.md
View file

@ -1,18 +1,50 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.37"
title: "Documented operating procedures"
theme: Organizational
control_type:
- Preventive
- Corrective
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Protect
- Recover
operational_capabilities:
- Asset_management
- Physical_security
- System_and_network_security
- Application_security
- Secure_configuration
- Identity_and_access_management
- Threat_and_vulnerability_management
- Continuity
- Information_security_event_management
security_domains:
- Governance_and_Ecosystem
- Protection
- Defence
tags:
- iso27002/2022/EN
status: active
---
## 5.37 Documented operating procedures
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ----------------------- | ----------------------------------------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- |
| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Recover | #Asset_management #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Information_security_event_management | #Governance_and_Ecosystem #Protection #Defence |
**Control**
### Control
Operating procedures for information processing facilities should be documented and made available to personnel who need them.
**Purpose**
### Purpose
To ensure the correct and secure operation of information processing facilities.
**Guidance**
### Guidance
Documented procedures should be prepared for the organizations operational activities associated with information security, for example:
a\) when the activity needs to be performed in the same way by many people;
@ -51,5 +83,5 @@ l\) maintenance instructions.
Documented operating procedures should be reviewed and updated when needed. Changes to documented operating procedures should be authorized. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.
**Other information**
### Other information
No other information.

31
Corpus/Standards/ISO27x/OST/27002/EN/a-5.4-Management-responsibilities.md
View file

@ -1,13 +1,34 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.4"
title: "Management responsibilities"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Governance]
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 5.4 Management responsibilities
#### Control
### Control
Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
#### Purpose
### Purpose
To ensure management understand their role in information security and undertake actions aiming to ensure all personnel are aware of and fulfill their information security responsibilities.
#### Guidance
### Guidance
Management should demonstrate support of the information security policy, topic-specific policies, procedures and information security controls.
Management responsibilities should include ensuring that personnel:
@ -28,5 +49,5 @@ g)   where practicable, are provided with a confidential channel for reporting
h)   are provided with adequate resources and project planning time for implementing the organizations security-related processes and controls.
#### Other information
### Other information
No other information.

39
Corpus/Standards/ISO27x/OST/27002/EN/a-5.5-Contact-with-authorities.md
View file

@ -1,18 +1,47 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.5"
title: "Contact with authorities"
theme: Organizational
control_type:
- Preventive
- Corrective
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Identify
- Protect
- Respond
- Recover
operational_capabilities: [Governance]
security_domains:
- Defence
- Resilience
tags:
- iso27002/2022/EN
status: active
---
## 5.5 Contact with authorities
#### Control
### Control
The organization should establish and maintain contact with relevant authorities.
#### Purpose
### Purpose
To ensure appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities.
#### Guidance
### Guidance
The organization should specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner.
Contacts with authorities should also be used to facilitate the understanding about the current and upcoming expectations of these authorities (e.g. applicable information security regulations).
#### Other information
### Other information
Organizations under attack can request authorities to take action against the attack source.
Maintaining such contacts can be a requirement to support information security incident management (see 5.24 to 5.28) or the contingency planning and business continuity processes (see [5.29](a-5.29-Information-security-during-disruption.md), [5.30](a-5.30-ICT-readiness-for-business-continuity.md)). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety \[e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)\].

36
Corpus/Standards/ISO27x/OST/27002/EN/a-5.6-Contact-with-special-interest-groups.md
View file

@ -1,13 +1,39 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.6"
title: "Contact with special interest groups"
theme: Organizational
control_type:
- Preventive
- Corrective
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Protect
- Respond
- Recover
operational_capabilities: [Governance]
security_domains: [Defence]
tags:
- iso27002/2022/EN
status: active
---
## 5.6 Contact with special interest groups
#### Control
### Control
The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.
#### Purpose
### Purpose
To ensure appropriate flow of information takes place with respect to information security.
#### Guidance
### Guidance
Membership of special interest groups or forums should be considered as a means to:
@ -24,5 +50,5 @@ e)   share  and  exchange  information  about  new  technologies,  produ
f)   provide suitable liaison points when dealing with information security incidents (see 5.24 to 5.28).
#### Other information
### Other information
No other information.

37
Corpus/Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md
View file

@ -1,13 +1,42 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.7"
title: "Threat intelligence"
theme: Organizational
control_type:
- Preventive
- Detective
- Corrective
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Identify
- Detect
- Respond
operational_capabilities: [Threat_and_vulnerability_management]
security_domains:
- Defence
- Resilience
tags:
- iso27002/2022/EN
status: active
---
## 5.7 Threat intelligence
#### Control
### Control
Information relating to information security threats should be collected and analysed to produce threat intelligence.
#### Purpose
### Purpose
To provide awareness of the organizations threat environment so that the appropriate mitigation actions can be taken.
#### Guidance
### Guidance
Information about existing or emerging threats is collected and analysed in order to:
a)  facilitate informed actions to prevent the threats from causing harm to the organization;

35
Corpus/Standards/ISO27x/OST/27002/EN/a-5.8-Information-security-in-project-management.md
View file

@ -1,13 +1,38 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.8"
title: "Information security in project management"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Identify
- Protect
operational_capabilities: [Governance]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.8 Information security in project management
#### Control
### Control
Information security should be integrated into project management.
#### Purpose
### Purpose
To ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle.
#### Guidance
### Guidance
Information security should be integrated into project management to ensure information security risks are addressed as part of the project management. This can be applied to any type of project regardless of its complexity, size, duration, discipline or application area (e.g. a project for a core business process, ICT, facility management or other supporting processes).
The project management in use should require that:
@ -46,7 +71,7 @@ h)   compliance with the legal, statutory, regulatory and contractual environme
i) level of confidence or assurance required for third parties to meet the organizations information security policy and topic-specific policies including relevant security clauses in any agreements or contracts.
#### Other information
### Other information
The project development approach, such as waterfall life cycle or agile life cycle, should support information security in a structured way that can be adapted to suit the assessed severity of the information security risks, based on the character of the project. Early consideration of information security requirements for the product or service (e.g. at the planning and design stages), can lead to more effective and cost-efficient solutions for quality and information security. ISO 21500 and ISO 21502 provide guidance on concepts and processes of project management that are important for the performance of projects.
ISO/IEC 27005 provides guidance on the use of risk management processes to identify controls to meet information security requirements.

36
Corpus/Standards/ISO27x/OST/27002/EN/a-5.9-Inventory-of-information-and-other-associated-assets.md
View file

@ -1,18 +1,36 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.9"
title: "Inventory of information and other associated assets"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Asset_management]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
status: active
---
## 5.9 Inventory of information and other associated assets
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|--------------|----------------------------------------|-----------------------|-------------------------|-----------------------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Asset_management | #Governance_and_Ecosystem #Protection |
**Control**
### Control
An inventory of information and other associated assets, including owners, should be developed and maintained.
**Purpose**
### Purpose
To identify the organizations information and other associated assets in order to preserve their information security and assign appropriate ownership.
**Guidance**
### Guidance
<u>Inventory</u>
The organization should identify its information and other associated assets and determine their importance in terms of information security. Documentation should be maintained in dedicated or existing inventories as appropriate.
@ -55,7 +73,7 @@ h\) they are involved in the identification and management of risks associated w
i\) they support personnel who have the roles and responsibilities of managing their information.
**Other information**
### Other information
Inventories of information and other associated assets are often necessary to ensure the effective protection of information and can be required for other purposes, such as health and safety, insurance or financial reasons. Inventories of information and other associated assets also support risk management, audit activities, vulnerability management, incident response and recovery planning.
Tasks and responsibilities can be delegated (e.g. to a custodian looking after the assets on a daily basis), but the person or group who delegated them remains accountable.

36
Corpus/Standards/ISO27x/OST/27002/EN/a-6.1-Screening.md
View file

@ -1,20 +1,34 @@
# Control 6.1 Screening
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.6.1"
title: "Screening"
theme: People
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Human_resource_security]
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 6.1 Screening
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
| ---------------- | ----------------------------------------- | -------------------------- | ---------------------------- | ------------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem |
**Control**
### Control
Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
**Purpose**
### Purpose
To ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.
**Guidance**
### Guidance
A screening process should be performed for all personnel including full-time, part-time and temporary staff. Where these individuals are contracted through suppliers of services, screening requirements should be included in the contractual agreements between the organization and the suppliers.
Information on all candidates being considered for positions within the organization should be collected and handled taking into consideration any appropriate legislation existing in the relevant jurisdiction. In some jurisdictions, the organization can be legally required to inform the candidates beforehand about the screening activities.
@ -44,5 +58,5 @@ d\) termination of employment.
Verification checks should be repeated periodically to confirm ongoing suitability of personnel, depending on the criticality of a persons role.
**Other information**
### Other information
No other information.

34
Corpus/Standards/ISO27x/OST/27002/EN/a-6.2-Terms-and-conditions-of-employment.md
View file

@ -1,16 +1,34 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.6.2"
title: "Terms and conditions of employment"
theme: People
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Human_resource_security]
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 6.2 Terms and conditions of employment
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
| ---------------- | ----------------------------------------- | -------------------------- | ---------------------------- | ------------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem |
**Control**
### Control
The employment contractual agreements should state the personnels and the organizations responsibilities for information security.
**Purpose**
### Purpose
To ensure personnel understand their information security responsibilities for the roles for which they are considered.
**Guidance**
### Guidance
The contractual obligations for personnel should take into consideration the organizations information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated:
a\) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets (see [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md));
@ -29,7 +47,7 @@ The organization should ensure that personnel agree to terms and conditions conc
Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see [6.5](a-6.5-Responsibilities-after-termination-or-change-of-employment.md)).
**Other information**
### Other information
A code of conduct can be used to state personnels information security responsibilities regarding confidentiality, PII protection, ethics, appropriate use of the organizations information and other associated assets, as well as reputable practices expected by the organization.

36
Corpus/Standards/ISO27x/OST/27002/EN/a-6.3-Information-security-awareness-education-and-training.md
View file

@ -1,20 +1,34 @@
#iso27002/2022/EN
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.6.3"
title: "Information security awareness, education and training"
theme: People
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Human_resource_security]
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 6.3 Information security awareness, education and training
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
| ---------------- | ----------------------------------------- | -------------------------- | ---------------------------- | ------------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem |
**Control**
### Control
Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.
**Purpose**
### Purpose
To ensure personnel and relevant interested parties are aware of and fullfil their information security responsibilities.
**Guidance**
### Guidance
<u>General</u>
An information security awareness, education and training programme should be established in line with the organizations information security policy, topic-specific policies and relevant procedures on information security, taking into consideration the organizations information to be protected and the information security controls that have been implemented to protect the information.
@ -66,7 +80,7 @@ The education and training programme should consider different forms \[e.g. lect
**Other information**
### Other information
When composing an awareness programme, it is important not only to focus on the what and how, but also the why, when possible. It is important that personnel understand the aim of information security and the potential effect, positive and negativ e, on the organization of their own behaviour.

42
Corpus/Standards/ISO27x/OST/27002/EN/a-6.4-Disciplinary-process.md
View file

@ -1,16 +1,34 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.6.4"
title: "Disciplinary process"
theme: People
control_type:
- Preventive
- Corrective
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Protect
- Respond
operational_capabilities: [Human_resource_security]
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 6.4 Disciplinary process
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|----------------------------|-----------------------------------------|---------------------------|-------------------------------|-----------------------------|
| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Human_resource_security | #Governance_and_Ecosystem |
**Control**
### Control
@ -18,7 +36,7 @@ A disciplinary process should be formalized and communicated to take actions aga
**Purpose**
### Purpose
@ -26,7 +44,7 @@ To ensure personnel and other relevant interested parties understand the consequ
**Guidance**
### Guidance
@ -58,7 +76,7 @@ The response should take into consideration relevant legal, statutory, regulator
**Other information**
### Other information

36
Corpus/Standards/ISO27x/OST/27002/EN/a-6.5-Responsibilities-after-termination-or-change-of-employment.md
View file

@ -1,18 +1,36 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.6.5"
title: "Responsibilities after termination or change of employment"
theme: People
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Human_resource_security
- Asset_management
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 6.5 Responsibilities after termination or change of employment
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
| ---------------- | ----------------------------------------- | -------------------------- | ---------------------------- | -------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | | | |
**Control**
### Control
Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.
**Purpose**
### Purpose
To protect the organizations interests as part of the process of changing or terminating employment or contracts.
**Guidance**
### Guidance
The process for managing termination or change of employment should define which information security responsibilities and duties should remain valid after termination or change. This can include confidentiality of information, intellectual property and other knowledge obtained, as well as responsibilities contained within any other confidentiality agreement (see [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md)). Responsibilities and duties still valid after termination of employment or contract should be contained in the individuals terms and conditions of employment (see [6.2](a-6.2-Terms-and-conditions-of-employment.md)), contract or agreement. Other contracts or agreements that continue for a defined period after the end of the individuals employment can also contain information security responsibilities.
Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.
@ -23,5 +41,5 @@ A process should be established for the communication of the changes and of oper
The process for the termination or change of employment should also be applied to external personnel (i.e. suppliers) when a termination occurs of personnel, the contract or the job with the organization, or when there is a change of the job within the organization.
**Other information**
### Other information
In many organizations, the human resources function is generally responsible for the overall termination process and works together with the supervising manager of the person transitioning to manage the information security aspects of the relevant procedures. In the case of personnel provided through an external party (e.g. through a supplier), this termination process is undertaken by the external party in accordance with the contract between the organization and the external party.

38
Corpus/Standards/ISO27x/OST/27002/EN/a-6.6-Confidentiality-or-non-disclosure-agreements.md
View file

@ -1,24 +1,36 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.6.6"
title: "Confidentiality or non-disclosure agreements"
theme: People
control_type: [Preventive]
information_security_properties: [Confidentiality]
cybersecurity_concepts: [Protect]
operational_capabilities:
- Human_resource_security
- Information_protection
- Supplier_relationships_security
security_domains: [Governance_and_Ecosystem]
tags:
- iso27002/2022/EN
status: active
---
## 6.6 Confidentiality or non-disclosure agreements
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|------------------------------------|---------------------------|-------------------------------------------------------------|-------------------------------|
| #Preventive | #Confidentiality | #Protect | #Human_resource_security #Information_protection #Supplier_relationships | #Governance_and_Ecosystem |
**Control**
### Control
Confidentiality or non-disclosure agreements reflecting the organizations needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
**Purpose**
### Purpose
@ -26,7 +38,7 @@ To maintain confidentiality of information accessible by personnel or external p
**Guidance**
### Guidance
@ -82,7 +94,7 @@ Requirements for confidentiality and non-disclosure agreements should be reviewe
**Other information**
### Other information

40
Corpus/Standards/ISO27x/OST/27002/EN/a-6.7-Remote-working.md
View file

@ -1,16 +1,34 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.6.7"
title: "Remote working"
theme: People
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Asset_management
- Information_protection
- Physical_security
- System_and_network_security
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 6.7 Remote working
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|-----------------------------------------|---------------------------|--------------------------------------------------------------------------------|---------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection #Physical_security #System_and_network_security | #Protection |
**Control**
### Control
@ -18,7 +36,7 @@ Security measures should be implemented when personnel are working remotely to p
**Purpose**
### Purpose
@ -26,7 +44,7 @@ To ensure the security of information when personnel are working remotely.
**Guidance**
### Guidance

39
Corpus/Standards/ISO27x/OST/27002/EN/a-6.8-Information-security-event-reporting.md
View file

@ -1,18 +1,29 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.6.8"
title: "Information security event reporting"
theme: People
control_type: [Detective]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Detect]
operational_capabilities: [Information_security_event_management]
security_domains: [Defence]
tags:
- iso27002/2022/EN
status: active
---
## 6.8 Information security event reporting
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|-----------------------------------------|---------------------------|---------------------------------------------|---------------------|
| #Detective | #Confidentiality #Integrity #Availability | #Detect | #Information_security_event_management | #Defence |
**Control**
### Control
@ -20,7 +31,7 @@ The organization should provide a mechanism for personnel to report observed or
**Purpose**
### Purpose
@ -28,7 +39,7 @@ To support timely, consistent and effective reporting of information security ev
**Guidance**
### Guidance
@ -88,7 +99,7 @@ Personnel and users should be advised not to attempt to prove suspected informat
**Other information**
### Other information

35
Corpus/Standards/ISO27x/OST/27002/EN/a-7.1-Physical-security-perimeters.md
View file

@ -1,22 +1,37 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.1"
title: "Physical security perimeters"
theme: Physical
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Physical_security]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 7.1 Physical security perimeters
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|-----------------------------------------|---------------------------|-----------------------------------|---------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security |
**Control**
### Control
Security perimeters should be defined and used to protect areas that contain information and other associated assets.
**Purpose**
### Purpose
To prevent unauthorized physical access, damage and interference to the organizations information and other associated assets.
**Guidance**
### Guidance
@ -36,7 +51,7 @@ c\) alarming, monitoring and testing all fire doors on a security perimeter in c
**Other information**
### Other information
Physical protection can be achieved by creating one or more physical barriers around the organizations premises and information processing facilities.
A secure area can be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access can be necessary between areas with different security requirements inside the security perimeter. The organization should consider having physical security measures that can be strengthened during increased threat situations.

40
Corpus/Standards/ISO27x/OST/27002/EN/a-7.10-Storage-media.md
View file

@ -1,16 +1,32 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.10"
title: "Storage media"
theme: Physical
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Physical_security
- Asset_management
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 7.10 Storage media
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|-----------------------------------------|---------------------------|---------------------------------------------|---------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection |
**Control**
### Control
@ -18,7 +34,7 @@ Storage media should be managed through their life cycle of acquisition, use, tr
**Purpose**
### Purpose
@ -26,7 +42,7 @@ To ensure only authorized disclosure, modification, removal or destruction of in
**Guidance**
### Guidance
@ -118,6 +134,6 @@ A risk assessment should be performed on damaged devices containing sensitive da
**Other information**
### Other information
When confidential information on storage media is not encrypted, additional physical protection of the storage media should be considered.

41
Corpus/Standards/ISO27x/OST/27002/EN/a-7.11-Supporting-utilities.md
View file

@ -1,16 +1,33 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.11"
title: "Supporting utilities"
theme: Physical
control_type:
- Preventive
- Detective
information_security_properties:
- Integrity
- Availability
cybersecurity_concepts:
- Protect
- Detect
operational_capabilities: [Physical_security]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 7.11 Supporting utilities
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|-----------------------|------------------------------------|---------------------------|-----------------------------|----------------------|
| #Preventive<br>#Detective | #Integrity<br>#Availability | #Protect #Detect | #Physical_security | #Protection |
**Control**
### Control
@ -18,7 +35,7 @@ Information processing facilities should be protected from power failures and ot
**Purpose**
### Purpose
@ -26,7 +43,7 @@ To prevent loss, damage or compromise of information and other associated assets
**Guidance**
### Guidance
@ -66,7 +83,7 @@ Emergency lighting and communications should be provided. Emergency switches and
**Other information**
### Other information

37
Corpus/Standards/ISO27x/OST/27002/EN/a-7.12-Cabling-security.md
View file

@ -1,16 +1,29 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.12"
title: "Cabling security"
theme: Physical
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Physical_security]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 7.12 Cabling security
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|------------------------------------|---------------------------|-----------------------------|----------------------|
| #Preventive | #Confidentiality #Availability | #Protect | #Physical_security | #Protection |
**Control**
### Control
@ -18,7 +31,7 @@ Cables carrying power, data or supporting information services should be protect
**Purpose**
### Purpose
@ -26,7 +39,7 @@ To prevent loss, damage, theft or compromise of information and other associated
**Guidance**
### Guidance
@ -74,7 +87,7 @@ Specialist advice should be sought on how to manage risks arising from cabling i
**Other information**
### Other information

42
Corpus/Standards/ISO27x/OST/27002/EN/a-7.13-Equipment-maintenance.md
View file

@ -1,16 +1,34 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.13"
title: "Equipment maintenance"
theme: Physical
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Physical_security
- Asset_management
security_domains:
- Protection
- Resilience
tags:
- iso27002/2022/EN
status: active
---
## 7.13 Equipment maintenance
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|-----------------------------------------|---------------------------|----------------------------------------|---------------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection #Resilience |
**Control**
### Control
@ -18,7 +36,7 @@ Equipment should be maintained correctly to ensure availability, integrity and c
**Purpose**
### Purpose
@ -26,7 +44,7 @@ To prevent loss, damage, theft or compromise of information and other associated
**Guidance**
### Guidance
@ -78,7 +96,7 @@ k\) applying measures for secure disposal or re-use of equipment (see [7.14](a-7
**Other information**
### Other information

35
Corpus/Standards/ISO27x/OST/27002/EN/a-7.14-Secure-disposal-or-re-use-of-equipment.md
View file

@ -1,16 +1,29 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.14"
title: "Secure disposal or re-use of equipment"
theme: Physical
control_type: [Preventive]
information_security_properties: [Confidentiality]
cybersecurity_concepts: [Protect]
operational_capabilities:
- Physical_security
- Asset_management
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 7.14 Secure disposal or re-use of equipment
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|------------------------------------|---------------------------|----------------------------------------|---------------------------|
| #Preventive | #Confidentiality | #Protect | #Physical_security #Asset_management | #Protection |
**Control**
### Control
@ -18,7 +31,7 @@ Items of equipment containing storage media should be verified to ensure that an
**Purpose**
### Purpose
@ -54,7 +67,7 @@ c\) the ability to reuse the controls at the next facility.
**Other information**
### Other information

40
Corpus/Standards/ISO27x/OST/27002/EN/a-7.2-Physical-entry.md
View file

@ -1,16 +1,32 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.2"
title: "Physical entry"
theme: Physical
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Physical_security
- Identity_and_access_management
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 7.2 Physical entry
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|-----------------------------------------|---------------------------|-----------------------------------------------------|---------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Identity_and_Access
**Control**
### Control
@ -18,7 +34,7 @@ Secure areas should be protected by appropriate entry controls and access points
**Purpose**
### Purpose
@ -26,7 +42,7 @@ To ensure only authorized physical access to the organizations information an
**Guidance**
### Guidance
@ -146,6 +162,6 @@ g\) inspecting incoming deliveries for evidence of tampering on the way. If tamp
**Other information**
### Other information
No other information.

38
Corpus/Standards/ISO27x/OST/27002/EN/a-7.3-Securing-offices-rooms-and-facilities.md
View file

@ -1,18 +1,32 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.3"
title: "Securing offices, rooms and facilities"
theme: Physical
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Physical_security
- Asset_management
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 7.3 Securing offices, rooms and facilities
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|-----------------------------------------|---------------------------|--------------------------------------|---------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security<br>#Asset_management | #Protection |
**Control**
### Control
@ -24,7 +38,7 @@ To prevent unauthorized physical access, damage and interference to the organiza
**Guidance**
### Guidance
@ -48,6 +62,6 @@ d\) not making directories, internal telephone books and online accessible maps
**Other information**
### Other information
No other information.

44
Corpus/Standards/ISO27x/OST/27002/EN/a-7.4-Physical-security-monitoring.md
View file

@ -1,18 +1,36 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.4"
title: "Physical security monitoring"
theme: Physical
control_type:
- Preventive
- Detective
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts:
- Protect
- Detect
operational_capabilities: [Physical_security]
security_domains:
- Protection
- Defence
tags:
- iso27002/2022/EN
status: active
---
## 7.4 Physical security monitoring
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|----------------------------|-----------------------------------------|---------------------------|-----------------------------|---------------------------|
| #Preventive #Detective | #Confidentiality #Integrity #Availability | #Protect #Detect | #Physical_security | #Protection #Defence |
**Control**
### Control
@ -20,7 +38,7 @@ Premises should be continuously monitored for unauthorized physical access.
**Purpose**
### Purpose
@ -28,7 +46,7 @@ To detect and deter unauthorized physical access.
**Guidance**
### Guidance
@ -80,6 +98,6 @@ Any monitoring and recording mechanism should be used taking into consideration
**Other information**
### Other information
No other information.

36
Corpus/Standards/ISO27x/OST/27002/EN/a-7.5-Protecting-against-physical-and-environmental-threats.md
View file

@ -1,16 +1,30 @@
---
notetype: sourcetext
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.7.5"
title: "Protecting against physical and environmental threats"
theme: Physical
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Physical_security]
security_domains: [Protection]
tags:
- iso27002/2022/EN
status: active
---
## 7.5 Protecting against physical and environmental threats
| **Control type** | **Information security properties** | **Cybersecurity concepts** | **Operational capabilities** | **Security domains** |
|------------------|-----------------------------------------|---------------------------|-----------------------------|----------------------|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security | #Protection |
**Control**
### Control
@ -18,7 +32,7 @@ Protection against physical and environmental threats, such as natural disasters
**Purpose**
### Purpose
@ -62,7 +76,7 @@ d\) explosives and weapons: performing random inspections for the presence of ex
**Other information**
### Other information

Some files were not shown because too many files have changed in this diff Show more