richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: richardk:d39edec5742f7f5aa90f9c09c33c40ea73ed8272
Branches Tags
richardk:main
...
compare: richardk:d316285a747a1a4a516c0aa797982a29a5b83fa5
Branches Tags
richardk:main

30 commits
d39edec574 ... d316285a74

Author SHA1 Message Date
Richard Kranendonk
d316285a74 Added original documents, concatenated A-4 notes to a single one, to serve as metadata reference 2026-05-07 14:47:13 +02:00
Richard Kranendonk
84942d44e3 manually added front matter 2026-05-07 14:26:22 +02:00
Richard Kranendonk
1baf4fbd9a Removed the tag 'iso27002/2022/EN' from .md files in 27002/NL 2026-05-07 14:23:05 +02:00
Richard Kranendonk
7fcb17b157 manually added front matter 2026-05-07 14:20:36 +02:00
Richard Kranendonk
2f25768d71 set notetype to 'reference' and added 'sourcetext' to tags 2026-05-07 14:14:29 +02:00
Richard Kranendonk
81d99248aa set notetype to 'reference' and added 'sourcetext' to tags 2026-05-07 14:12:28 +02:00
Richard Kranendonk
2db580d0ee set notetype to 'reference' and added 'sourcetext' to tags 2026-05-07 13:59:03 +02:00
Richard Kranendonk
c5105d8ea9 set notetype to 'reference' and added 'sourcetext' to tags 2026-05-07 13:53:36 +02:00
Richard Kranendonk
f6ba2d42af added PECB Training transcriptions 2026-05-07 12:21:14 +02:00
Richard Kranendonk
f80f7fdf36 Removed legacy property tables, reformatted bold headers as level 3 2026-05-02 16:25:07 +02:00
Richard Kranendonk
542c4e30e5 Removed duplicate header 2026-05-02 16:13:40 +02:00
Richard Kranendonk
48f8fdb84b Added YAML front matter to 27002-NL 2026-05-02 16:10:53 +02:00
Richard Kranendonk
92adf49834 Added proper level 2 headers where they were missing 2026-05-02 16:00:43 +02:00
Richard Kranendonk
db2071fc3a Added front matter to 27001-NL, manually removed some crud from 27002-NL files 2026-05-02 15:16:39 +02:00
Richard Kranendonk
ad8ec4812a Added links to sub-paragraphs in chapter notes, moved some files 2026-05-02 14:55:15 +02:00
Richard Kranendonk
92d0a28788 Added links to sub-paragraphs in chapter notes 2026-05-02 14:42:13 +02:00
Richard Kranendonk
c4e0d21aaf Added front matter to 27001 EN 2026-05-02 13:23:39 +02:00
Richard Kranendonk
405b666055 Removed orphaned tags form BoF 2026-05-02 12:46:56 +02:00
Richard Kranendonk
2c59707ef5 Consistent use of subheaders 2026-05-02 12:23:42 +02:00
Richard Kranendonk
90ac17a99a clean up formatting 2026-05-02 12:16:30 +02:00
Richard Kranendonk
8d66fc4602 Removed legacy property tables with Kilo 2026-05-02 12:00:56 +02:00
Richard Kranendonk
880e2f2044 Front matter added with prepend_frontmatter.py 2026-05-02 11:31:49 +02:00
Richard Kranendonk
324add41f4 Merge 27002-metadata changes: add DOCX, prepend_frontmatter.py, rename controls, delete obsolete MoC, update content 2026-05-01 17:55:13 +02:00
Richard Kranendonk
4dc34352a1 Merge enrich-27002 changes into 27002-metadata 2026-05-01 17:45:30 +02:00
Richard Kranendonk
984ccff4e4 Let kilo remove bof cruft 2026-05-01 17:01:25 +02:00
Richard Kranendonk
c88dcd383b Added normtext as .docx 2026-05-01 16:38:28 +02:00
Richard Kranendonk
890e0d8c4f Restore files to match origin/27002-metadata 
Both a-5.1-Policies-for-information-security.md and a-5.2-Information-security-roles-and-responsibilities.md had extraneous content (duplicate headers, extra frontmatter, text changes) compared to their expected state. Restored from origin/27002-metadata branch.
 2026-05-01 16:37:33 +02:00
Richard Kranendonk
873b5eaee3 first automated metadata addition 2026-04-30 19:56:40 +02:00
Richard Kranendonk
037af7e1a1 minor changes 2026-04-30 19:24:31 +02:00
Richard Kranendonk
228a58056c Removed BoF cruft 2026-04-30 18:33:25 +02:00
353 changed files with 22115 additions and 3862 deletions
Download patch file Download diff file Expand all files Collapse all files

55
.kilo/plans/1777714595174-misty-tiger.md Normal file
View file

@ -0,0 +1,55 @@
# Plan to Remove Markdown Tables After First Header in Specified .md Files
## Goal
Remove the markdown table that appears after the first markdown header (## X.Y Title) in 35 specific .md files located in the directory `/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN`. These files contain ISO 27002 control descriptions and have a summary table listing Control type, Information security properties, etc., which needs to be removed.
## Analysis
- **Affected Files**: Identified 35 .md files containing the table starting with `| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |`.
- **Table Structure**: The table consists of 2-4 lines:
- Header row starting with `| Control type`
- Separator row
- Data row
- Optionally, an empty row
- **Location**: The table appears immediately after the first `##` header (e.g., `## 8.1 User endpoint devices`) and before the `**Control**` section.
- **Pattern**: All affected files follow the pattern where the table ends just before `**Control**`.
## Approach
Use a Bash script with `sed` to remove the table lines from each affected file. The `sed` command will delete lines from the start of the table (`| Control type`) up to but not including `**Control**`.
### Script
Create and run the following Bash script in the target directory:
```bash
#!/bin/bash
# Change to the target directory
cd /Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN || exit 1
# Loop through all .md files
for file in *.md; do
# Check if the file contains the table
if grep -q "| Control type" "$file"; then
# Remove the table lines: from "| Control type" to just before "**Control**"
sed -i '/^| Control type /,/^\*\*Control$/ { /^\*\*Control$/ !d }' "$file"
echo "Processed $file"
fi
done
echo "Table removal complete."
```
### Steps to Execute
1. **Navigate to Directory**: Change to `/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN`.
2. **Backup (Optional)**: Consider backing up the directory before running the script.
3. **Run Script**: Execute the script to process all files.
4. **Verify**: After running, check a few files (e.g., `a-8.1-User-endpoint-devices.md`, `a-5.15-Access-control.md`) to ensure the table is removed and the `**Control**` section remains intact.
## Risks and Considerations
- **Accuracy**: The `sed` command is designed to precisely target the table based on the observed patterns. If any file has unexpected formatting, manual review may be needed.
- **No Impact on Non-Affected Files**: Files without the table will remain unchanged.
- **Reversibility**: If needed, restore from backup or use version control (assuming the directory is in a git repo).
## Expected Outcome
- Tables removed from 35 files.
- Content before and after the table (including `**Control**` and subsequent sections) preserved.
- No changes to other .md files in the directory.

75
Corpus/Information security concepts MoC.md Normal file
View file

@ -0,0 +1,75 @@
---
Related:
- "[ISO\\_27002\\_OT 3 Terms, definitions and abbreviated terms](Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated%20terms.md)"
- https://csiac.org/databases/acronyms/
tags:
- type/MoC
---
[Assets](🎇%20Sparks/Assets.md)
[NIST Asset Types](📚️%20Literature%20notes/NIST%20Asset%20Types.md)
[Asset lifecycle](📚️%20Literature%20notes/Asset%20lifecycle.md)
[Asset ownership](🎇%20Sparks/Asset%20ownership.md)
[[Asset ownership DEL]]
[Assets, Vulnerabilities, Threats, Risks](📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
[Assets, Vulnerabilities, Threats, Risks](🎇%20Sparks/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
[Attack Surface Analysis](📚️%20Literature%20notes/Attack%20Surface%20Analysis.md)
[Authentication](Standards/ISO27x/Authentication.md)
[Multi-factor authentication](🎇%20Sparks/Multi-factor%20authentication.md) (MFA)
[Passwordless Authentication](🎇%20Sparks/Passwordless%20Authentication.md)
[Risk-Based Authentication](🎇%20Sparks/Risk-Based%20Authentication.md)
[Single Sign On (SSO)](📚️%20Literature%20notes/Single%20Sign%20On%20(SSO).md)
[Tokens](🎇%20Sparks/Tokens.md)
[Authorization](Standards/ISO27x/Authorization.md)
[Access Control](🎇%20Sparks/Access%20Control.md)
[Awareness](🎇%20Sparks/Awareness.md)
[BCP_Bedrijfscontinuïteitsplanning](📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
[Business Impact Analysis (BIA)](🎇%20Sparks/Business%20Impact%20Analysis%20(BIA).md)
[Disaster Recovery Planning](🎇%20Sparks/Disaster%20Recovery%20Planning.md)
[Change management MoC](MoCs/Change%20management%20MoC.md)
[Classification](🎇%20Sparks/Classification.md)
[Compliance](🎇%20Sparks/Compliance.md)
[Data Breach](💡Permanent%20ideas/Data%20Breach.md)
[Data Governance](📚️%20Literature%20notes/Data%20Governance.md)
Frameworks
[ISO 27k family](../../iso27DIY-gis/reference/Examples/ISO%2027k%20family.md)
[NIST articles list](Standards/NIST/NIST%20articles%20list.md)
[Governance](🎇%20Sparks/Governance.md)
[[Hardening]]
[Identity and Access Management (IAM)](💡Drafts%20and%20Ideas/Identity%20and%20Access%20Management%20(IAM).md)
[Identification](💡Drafts%20and%20Ideas/Identification.md)
[Authentication](Standards/ISO27x/Authentication.md)
[Authorization](Standards/ISO27x/Authorization.md)
Impact
[Change management MoC](MoCs/Change%20management%20MoC.md)
[Impact of Disruption](💡Drafts%20and%20Ideas/Impact%20of%20Disruption.md)
[Incidents](🎇%20Sparks/Incidents.md)
[Maturity Models](📚️%20Literature%20notes/Maturity%20Models.md)
[Metrics](📚️%20Literature%20notes/InfoSec%20Metrics.md)
[Operational Technology](💡Drafts%20and%20Ideas/Operational%20Technology.md) or OT Security
[Policies](📚️%20Literature%20notes/Policies.md)
[[Posture Management]]
[Ransomware](🎇%20Sparks/Ransomware.md)
[Risks](🎇%20Sparks/Risks.md)
[Risk analysis](🎇%20Sparks/Risk%20analysis.md)
[Risk appetite](💡Drafts%20and%20Ideas/Risk%20appetite.md)
[Risk inventories](🎇%20Sparks/Risk%20inventories.md)
[Risk management](🎇%20Sparks/Risk%20management.md)
[Risk ownership](🎇%20Sparks/Risk%20ownership.md)
[Risk ownership](🎇%20Sparks/Risk%20ownership.md)
[Risk prioritization](🎇%20Sparks/Risk%20prioritization.md)
[Risk tolerance](🎇%20Sparks/Risk%20tolerance.md)
[Risk treatment](🎇%20Sparks/Risk%20treatment.md)
[Risks vs Threats vs Vulnerabilities](🎇%20Sparks/Risks%20vs%20Threats%20vs%20Vulnerabilities.md)
[Roles and Responsibilities](🎇%20Sparks/Roles%20and%20Responsibilities.md)
[Threat](📚️%20Literature%20notes/Threat.md)
[Threat Intelligence](🎇%20Sparks/Threat%20Intelligence.md)
[Security Threat Modeling](📚️%20Literature%20notes/Security%20Threat%20Modeling.md)
[Privacy Threat Modeling](📚️%20Literature%20notes/Privacy%20Threat%20Modeling.md)
[AI Threat Modeling](🎇%20Sparks/AI%20Threat%20Modeling.md)
[Threat Catalogues](📚️%20Literature%20notes/Threat%20Catalogues.md)
[Vendor security MoC](🎇%20Sparks/Vendor%20security%20MoC.md) or Supply chain security
[Vulnerability](💡Drafts%20and%20Ideas/Vulnerability.md)
[Bug bounty program](🎇%20Sparks/Bug%20bounty%20program.md)
[Zero Trust](📚️%20Literature%20notes/Zero%20Trust.md)

2
Corpus/MoCs/iso27DIY-MoC.md
View file

@ -22,7 +22,7 @@ tags:
## Method
[Samenhang tussen producten](../🎇%20Sparks/Samenhang%20tussen%20producten.md)
[ISO 27001 2023 Processen en Artefacten](../Standards/ISO27x/OST/27001/NL/ISO%2027001%202023%20Processen%20en%20Artefacten.md)
[ISO 27001 2023 Processen en Artefacten](../Standards/ISO27x/OST/ISO%2027001%202023%20Processen%20en%20Artefacten.md)
[Advised Documents for ISO 27001](../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md)
[Examples of Proof for auditors](../🎇%20Sparks/Examples%20of%20Proof%20for%20auditors.md)
[About ISO27DIY Policy Cards](../💡Permanent%20ideas/About%20ISO27DIY%20Policy%20Cards.md)

BIN
Corpus/Standards/ISO27x/ISO 27001_2022_EN.docx Normal file
View file

Binary file not shown.

12725
Corpus/Standards/ISO27x/ISO 27002_2022_EN_complete.md Normal file
View file

File diff suppressed because it is too large Load diff

12
Corpus/Standards/ISO27x/ISO 27k standards overview.md
View file

@ -11,8 +11,8 @@ tags:
Indexes:
- [ISO 27001:2022 EN](../../MoCs/ISO_27001_2022_00_MoC%20Index.md)
- [ISO 27002:2022 EN](../../MoCs/ISO_27001_2022_00_MoC%20Index%20EXT.md) Includes references to 2013 version!
- [ISO 27001:2023 NL](OST/27001/NL/ISO_27001_2023_NL_Index.md)
- [ISO 27002:2022 NL](OST/27002/NL/ISO_27002_2022_NL_Index.md)
- [ISO 27001:2023 NL](OST/ISO_27001_2023_NL_Index.md)
- [ISO 27002:2022 NL](OST/ISO_27002_2022_NL_Index.md)
- [Vertaaltabel Engels-Nederlands](../../MoCs/ISO_27002_2022_Vertaaltabel_Engels_Nederlands.md)
EN source tekst:
@ -21,17 +21,17 @@ EN source tekst:
NL brontekst:
- ISO 27001:2023 [PDF](OST/27001/NL/ISO_27001_2023_NL_PDF.md)
- ISO 27002:2022 [PDF](OST/27002/NL/ISO_27002_2022_NL_PDF.md)
- ISO 27002:2022 [PDF](OST/ISO_27002_2022_NL_PDF.md)
See also:
- [Plain English ISO IEC 27002 2005 from Praxiom](https://www.praxiom.com/iso-17799-objectives.htm)
- [Changes in ISO 27001:2022 (table)](../../🎇%20Sparks/Detailed%20comparison%20between%202017%20and%202022.md)
- [[ISO 27002 2022 What's New]]
- [ISO_27001_2023_NL_Aanpassingen](OST/27001/NL/ISO_27001_2023_NL_Aanpassingen.md)
- [ISO_27001_2023_NL_Aanpassingen](OST/ISO_27001_2023_NL_Aanpassingen.md)
- [Changes in ISO 27001_2022_Advisera](../../../../iso27DIY-gis/reference/Changes%20in%20ISO%2027001_2022_Advisera.md)
- [IBB op hoofdlijnen](OST/27001/NL/IBB%20op%20hoofdlijnen.md)
- [ISO 27001 2023 Processen en Artefacten](OST/27001/NL/ISO%2027001%202023%20Processen%20en%20Artefacten.md)
- [IBB op hoofdlijnen](OST/IBB%20op%20hoofdlijnen.md)
- [ISO 27001 2023 Processen en Artefacten](OST/ISO%2027001%202023%20Processen%20en%20Artefacten.md)
- [Advised Documents for ISO 27001](../../../../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md)
- [Types of Controls](../../🎇%20Sparks/Types%20of%20Controls.md)

54
Corpus/Standards/ISO27x/OST/27001/EN/add_yaml.py Normal file
View file

@ -0,0 +1,54 @@
#!/usr/bin/env python3
import os
import re
directory = '/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27001/EN/'
for filename in os.listdir(directory):
if filename.endswith('.md'):
filepath = os.path.join(directory, filename)
with open(filepath, 'r') as f:
lines = f.readlines()
if lines and lines[0].strip() == '---':
continue # Already has YAML
# Extract id and title from filename
match = re.match(r'c-([0-9.]+)-(.+)\.md', filename)
if match:
num = match.group(1)
title_part = match.group(2)
id_val = f'C.{num}'
title = title_part.replace('-', ' ')
elif filename == 'c-0-Introduction.md':
id_val = 'C.0'
title = 'Introduction'
elif filename == 'ISO_27001_OT F Foreword.md':
id_val = 'Foreword'
title = 'Foreword'
else:
# For other files like c-2-Normative-references.md
match = re.match(r'c-([0-9]+)-(.+)\.md', filename)
if match:
num = match.group(1)
title_part = match.group(2)
id_val = f'C.{num}'
title = title_part.replace('-', ' ')
else:
continue # Skip if not matching
yaml = f'''---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "{id_val}"
title: "{title}"
tags:
- iso27001/2022/EN
status: active
---
'''
with open(filepath, 'w') as f:
f.write(yaml + ''.join(lines))
print("YAML front matter added to files that didn't have it.")

21
Corpus/Standards/ISO27x/OST/27001/EN/c-0-Introduction.md
View file

@ -1,8 +1,19 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.0"
title: "Introduction"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 0 Introduction
# Introduction
## 0.1 General
### 0.1 General
This document has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.
@ -16,7 +27,7 @@ The order in which requirements are presented in this document does not reflect
ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005), with related terms and definitions.
## 0.2 Compatibility with other management system standards
### 0.2 Compatibility with other management system standards
This document applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.

17
Corpus/Standards/ISO27x/OST/27001/EN/c-1-Scope.md
View file

@ -1,6 +1,17 @@
#iso27001/2022/EN
# 1 Scope
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.1"
title: "Scope"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 1 Scope
This document specifies the requirements for establishing, implementing, maintaining and continually improving an information

16
Corpus/Standards/ISO27x/OST/27001/EN/c-10-Improvement.md Normal file
View file

@ -0,0 +1,16 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.10"
title: "Improvement"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
# 10 Improvement
[c-10.1-Continual-improvement](c-10.1-Continual-improvement.md)
[c-10.2-Nonconformity-and-corrective-action](c-10.2-Nonconformity-and-corrective-action.md)

14
Corpus/Standards/ISO27x/OST/27001/EN/c-10.1-Continual-improvement.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.10.1"
title: "Continual improvement"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 10.1 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

16
Corpus/Standards/ISO27x/OST/27001/EN/c-10.2-Nonconformity-and-corrective-action.md
View file

@ -1,6 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.10.2"
title: "Nonconformity and corrective action"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 10.2 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:

17
Corpus/Standards/ISO27x/OST/27001/EN/c-2-Normative-references.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
# 2 Normative references
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.2"
title: "Normative references"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

16
Corpus/Standards/ISO27x/OST/27001/EN/c-3-Terms-and-definitions.md
View file

@ -1,6 +1,16 @@
#iso27001/2022/EN
# 3 Terms and definitions
---
notetype: sourcetext
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.3"
title: "Terms and definitions"
tags:
- iso27001/2022/EN
status: active
---
## 3 Terms and definitions
For the purposes of this document, the terms and definitions given in
ISO/IEC 27000 apply.

18
Corpus/Standards/ISO27x/OST/27001/EN/c-4-Context-of-the-organization.md Normal file
View file

@ -0,0 +1,18 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.4
title: Context of the organisation
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
# 4 Context of the organisation
[c-4.1-Understanding-the-organization-and-its-context](c-4.1-Understanding-the-organization-and-its-context.md)
[c-4.2-Understanding-the-needs-and-expectations-of-interested-parties](c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md)
[c-4.3-Determining-the-scope-of-the-information-security-management-system](c-4.3-Determining-the-scope-of-the-information-security-management-system.md)
[c-4.4-Information-security-management-system](c-4.4-Information-security-management-system.md)

15
Corpus/Standards/ISO27x/OST/27001/EN/c-4.1-Understanding-the-organization-and-its-context.md
View file

@ -1,4 +1,17 @@
# Clause 4.1: Understanding the organization and its context
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.4.1"
title: "Understanding the organization and its context"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## Clause 4.1: Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

16
Corpus/Standards/ISO27x/OST/27001/EN/c-4.2-Understanding-the-needs-and-expectations-of-interested-parties.md
View file

@ -1,5 +1,17 @@
#iso27001/2022/EN
# 4.2 Understanding the needs and expectations of interested parties
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.4.2"
title: "Understanding the needs and expectations of interested parties"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 4.2 Understanding the needs and expectations of interested parties
The organization shall determine:

16
Corpus/Standards/ISO27x/OST/27001/EN/c-4.3-Determining-the-scope-of-the-information-security-management-system.md
View file

@ -1,5 +1,17 @@
#iso27001/2022/EN
# 4.3 Determining the scope of the information security management system
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.4.3"
title: "Determining the scope of the information security management system"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

16
Corpus/Standards/ISO27x/OST/27001/EN/c-4.4-Information-security-management-system.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
# 4.4 Information security management system
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.4.4"
title: "Information security management system"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.

18
Corpus/Standards/ISO27x/OST/27001/EN/c-5-Leadership.md Normal file
View file

@ -0,0 +1,18 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.5
title: Leadership
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
# 5 Leadership
[c-5.1-Leadership-and-commitment](c-5.1-Leadership-and-commitment.md)
[c-5.2-Policy](c-5.2-Policy.md)
[c-5.3-Organizational-roles-responsibilities-and-authorities](c-5.3-Organizational-roles-responsibilities-and-authorities.md)

14
Corpus/Standards/ISO27x/OST/27001/EN/c-5.1-Leadership-and-commitment.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.5.1"
title: "Leadership and commitment"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:

14
Corpus/Standards/ISO27x/OST/27001/EN/c-5.2-Policy.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.5.2"
title: "Policy"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 5.2 Policy
Top management shall establish an information security policy that:

16
Corpus/Standards/ISO27x/OST/27001/EN/c-5.3-Organizational-roles-responsibilities-and-authorities.md
View file

@ -1,5 +1,17 @@
#iso27001/2022/EN
## 5.3 Organizational roles, responsibilities and authorities
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.5.3"
title: "Organizational roles responsibilities and authorities"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 5.3 Organizational roles responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.

17
Corpus/Standards/ISO27x/OST/27001/EN/c-6-Planning.md Normal file
View file

@ -0,0 +1,17 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.6
title: Planning
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
# 6 Planning
[c-6.1-Actions-to-address-risks-and-opportunities](c-6.1-Actions-to-address-risks-and-opportunities.md)
[c-6.2-Information-security-objectives-and-planning-to-achieve-them](c-6.2-Information-security-objectives-and-planning-to-achieve-them.md)
[c-6.3-Planning-of-changes](c-6.3-Planning-of-changes.md)

19
Corpus/Standards/ISO27x/OST/27001/EN/c-6.1-Actions-to-address-risks-and-opportunities.md Normal file
View file

@ -0,0 +1,19 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.6.1
title: Actions to address risks and opportunities
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 6.1 Actions to address risks and opportunities
[c-6.1.1-General](c-6.1.1-General.md)
[c-6.1.2-Information-security-risk-assessment](c-6.1.2-Information-security-risk-assessment.md)
[c-6.1.3-Information-security-risk-treatment](c-6.1.3-Information-security-risk-treatment.md)

13
Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.1-General.md
View file

@ -1,3 +1,16 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.1.1"
title: "General"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
### 6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in [4.1](c-4.1-Understanding-the-organization-and-its-context.md) and the requirements referred to in [4.2](ISO_27001_2022_OT%204.2%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md) and determine the risks and opportunities that need to be addressed to:

13
Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.2-Information-security-risk-assessment.md
View file

@ -1,3 +1,16 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.1.2"
title: "Information security risk assessment"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
### 6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:

13
Corpus/Standards/ISO27x/OST/27001/EN/c-6.1.3-Information-security-risk-treatment.md
View file

@ -1,3 +1,16 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.1.3"
title: "Information security risk treatment"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
### 6.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:

14
Corpus/Standards/ISO27x/OST/27001/EN/c-6.2-Information-security-objectives-and-planning-to-achieve-them.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.2"
title: "Information security objectives and planning to achieve them"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.

14
Corpus/Standards/ISO27x/OST/27001/EN/c-6.3-Planning-of-changes.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.6.3"
title: "Planning of changes"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 6.3 Planning of changes
When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

19
Corpus/Standards/ISO27x/OST/27001/EN/c-7-Support.md Normal file
View file

@ -0,0 +1,19 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.7
title: Support
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
# 7 Support
[c-7.1-Resources](c-7.1-Resources.md)
[c-7.2-Competence](c-7.2-Competence.md)
[c-7.3-Awareness](c-7.3-Awareness.md)
[c-7.4-Communication](c-7.4-Communication.md)
[c-7.5-Documented-information](c-7.5-Documented-information.md)

14
Corpus/Standards/ISO27x/OST/27001/EN/c-7.1-Resources.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.1"
title: "Resources"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

15
Corpus/Standards/ISO27x/OST/27001/EN/c-7.2-Competence.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.2"
title: "Competence"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 7.2 Competence
The organization shall:

15
Corpus/Standards/ISO27x/OST/27001/EN/c-7.3-Awareness.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.3"
title: "Awareness"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 7.3 Awareness
Persons doing work under the organization's control shall be aware of:

15
Corpus/Standards/ISO27x/OST/27001/EN/c-7.4-Communication.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.4"
title: "Communication"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:

14
Corpus/Standards/ISO27x/OST/27001/EN/c-7.5-Documented-information.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.7.5"
title: "Documented information"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 7.5 Documented information
### 7.5.1 General

17
Corpus/Standards/ISO27x/OST/27001/EN/c-8-Operation.md Normal file
View file

@ -0,0 +1,17 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.8
title: Operation
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
# 8 Operation
[c-8.1-Operational-planning-and-control](c-8.1-Operational-planning-and-control.md)
[c-8.2-Information-security-risk-assessment](c-8.2-Information-security-risk-assessment.md)
[c-8.3-Information-security-risk-treatment](c-8.3-Information-security-risk-treatment.md)

14
Corpus/Standards/ISO27x/OST/27001/EN/c-8.1-Operational-planning-and-control.md
View file

@ -1,4 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.8.1"
title: "Operational planning and control"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:

16
Corpus/Standards/ISO27x/OST/27001/EN/c-8.2-Information-security-risk-assessment.md
View file

@ -1,5 +1,17 @@
#iso27001/2022/EN
# Clause 8.2: Information security risk assessment
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.8.2"
title: "Information security risk assessment"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 8.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in [6.1.2a](ISO_27001_OT%206.1.2%20Information%20security%20risk%20assessment.md).

13
Corpus/Standards/ISO27x/OST/27001/EN/c-8.3-Information-security-risk-treatment.md
View file

@ -1,8 +1,17 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.8.3"
title: "Information security risk treatment"
tags:
- iso27001/2022/EN
- iso27001/2022/EN
- sourcetext
status: active
---
# Clause 8.3 Information security risk treatment
## 8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.

17
Corpus/Standards/ISO27x/OST/27001/EN/c-9-Performance-evaluation.md Normal file
View file

@ -0,0 +1,17 @@
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: C.9
title: Performance evaluation
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
# 9 Performance evaluation
[c-9.1-Monitoring-measurement-analysis-and-evaluation](c-9.1-Monitoring-measurement-analysis-and-evaluation.md)
[c-9.2-Internal-audit](c-9.2-Internal-audit.md)
[c-9.3-Management-review](c-9.3-Management-review.md)

16
Corpus/Standards/ISO27x/OST/27001/EN/c-9.1-Monitoring-measurement-analysis-and-evaluation.md
View file

@ -1,5 +1,17 @@
#iso27001/2022/EN
## 9.1 Monitoring, measurement, analysis and evaluation
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.9.1"
title: "Monitoring measurement analysis and evaluation"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 9.1 Monitoring measurement analysis and evaluation
The organization shall determine:

15
Corpus/Standards/ISO27x/OST/27001/EN/c-9.2-Internal-audit.md
View file

@ -1,6 +1,17 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.9.2"
title: "Internal audit"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 9.2 Internal audit
### 9.2.1 General
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

15
Corpus/Standards/ISO27x/OST/27001/EN/c-9.3-Management-review.md
View file

@ -1,5 +1,16 @@
#iso27001/2022/EN
---
notetype: reference
standard: ISO 27001
version: 2022
language: EN
type: clause
id: "C.9.3"
title: "Management review"
tags:
- iso27001/2022/EN
- sourcetext
status: active
---
## 9.3 Management review
### 9.3.1 General

4
Corpus/Standards/ISO27x/OST/27001/EN/ISO_27001_OT F Foreword.md → Corpus/Standards/ISO27x/OST/27001/EN/c-f-Foreword.md
View file

@ -1,6 +1,4 @@
#iso27001/2022/EN
# Foreword
## F Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

90
Corpus/Standards/ISO27x/OST/27001/EN/rename-iso-title.zsh
View file

@ -1,90 +0,0 @@
#!/usr/bin/env zsh
set -euo pipefail
execute=false
if [[ ${1:-} == '--execute' ]]; then
execute=true
shift
fi
if [[ $# -gt 0 ]]; then
print -u2 'Usage: rename-iso-title.zsh [--execute]'
exit 2
fi
# Requires Obsidian app running and CLI enabled.
: ${OBSIDIAN_CLI:=obsidian}
files=(c-[0-9]*\.md(N))
if (( ${#files} == 0 )); then
print 'No matching files found.'
exit 0
fi
for src in "$files[@]"; do
base=${src:t}
# Read the level 1 header from the file
# Format: # <number> <title>
# Extract everything after the first number and space
header=$(head -n 1 "$src" | sed 's/^# [0-9.]* //')
if [[ -z "$header" ]]; then
print -u2 "WARN skipped (no header found): $src"
continue
fi
# Clean up the title
title=$header
# Replace spaces with dashes
title=${title// /-}
# Remove commas, slashes, parentheses, quotes
title=${title//,/}
title=${title//\//}
title=${title//\\/}
title=${title//\(}
title=${title//\)}
title=${title//\'}
title=${title//\'}
# Replace diacritics with base characters
title=${title//ï/i}
title=${title//é/e}
title=${title//è/e}
title=${title//ê/e}
title=${title//ë/e}
title=${title//ö/o}
title=${title//ü/u}
title=${title//ó/o}
title=${title//ô/o}
title=${title//á/a}
title=${title//à/a}
title=${title//ã/a}
title=${title//ä/a}
title=${title//í/i}
title=${title//ì/i}
title=${title//ñ/n}
title=${title//ú/u}
title=${title//ù/u}
# Remove multiple dashes
title=${title//---/-}
title=${title//--/-}
# Remove leading/trailing dashes
title=${title#-}
title=${title%-}
# Build new filename: c-n.n-TITLE.md
ext="${src:r}.md" # extension without the extra .md issue
filename="${src%.*}"
target="${filename}-${title}.md"
if [[ $src == $target ]]; then
print "SKIP $src"
continue
fi
print "SRC $src"
print "DEST $target"
if $execute; then
"$OBSIDIAN_CLI" rename file="$src" name="$target"
fi
done

50
Corpus/Standards/ISO27x/OST/27001/EN/rename-iso.zsh
View file

@ -1,50 +0,0 @@
#!/usr/bin/env zsh
set -euo pipefail
execute=false
if [[ ${1:-} == '--execute' ]]; then
execute=true
shift
fi
if [[ $# -gt 0 ]]; then
print -u2 'Usage: rename-iso.zsh [--execute]'
exit 2
fi
# Requires Obsidian app running and CLI enabled.
# Adjust OBSIDIAN_CLI to the command you actually use (e.g. `obsidian`).
: ${OBSIDIAN_CLI:=obsidian}
files=(ISO_27001*.md(N))
if (( ${#files} == 0 )); then
print 'No matching files found.'
exit 0
fi
for src in "$files[@]"; do
base=${src:t}
# Match both ISO_27001_OT and ISO_27001_2022_OT patterns
if [[ $base =~ '^ISO_27001(_2022)?_OT ([0-9.]+) (.+)\.md$' ]]; then
version=${match[2]#_}
title=${match[3]}
target="c-${version}-${title}.md"
# Replace spaces with dashes
target=${target// /-}
# Remove commas
target=${target//,}
# Prevent double dashes
target=${target//--/-}
if [[ $src == $target ]]; then
print "SKIP $src"
continue
fi
print "SRC $src"
print "DEST $target"
if $execute; then
"$OBSIDIAN_CLI" rename file="$src" name="$target"
fi
else
print -u2 "WARN skipped (pattern mismatch): $src"
fi
done

6
Corpus/Standards/ISO27x/OST/27001/NL/ISO_27001_2023_NL_PDF.md
View file

@ -1,6 +0,0 @@
#iso27001/2023/NL
# ISO 27001 2023 NL
![](ISO_IEC_27001_2023_NL.pdf)

51
Corpus/Standards/ISO27x/OST/27001/NL/add_yaml.py Normal file
View file

@ -0,0 +1,51 @@
#!/usr/bin/env python3
import os
import re
directory = '/Users/rico/src/iso27diy-corp/Corpus/Standards/ISO27x/OST/27001/NL/'
for filename in os.listdir(directory):
if filename.endswith('.md'):
filepath = os.path.join(directory, filename)
with open(filepath, 'r') as f:
lines = f.readlines()
if lines and lines[0].strip() == '---':
continue # Already has YAML
# Extract id and title from filename
match = re.match(r'c-([0-9.]+)-(.+)\.md', filename)
if match:
num = match.group(1)
title_part = match.group(2)
id_val = f'C.{num}'
title = title_part.replace('-', ' ')
elif filename == 'c-0-Inleiding.md':
id_val = 'C.0'
title = 'Inleiding'
else:
# For other files
match = re.match(r'c-([0-9]+)-(.+)\.md', filename)
if match:
num = match.group(1)
title_part = match.group(2)
id_val = f'C.{num}'
title = title_part.replace('-', ' ')
else:
continue # Skip if not matching
yaml = f'''---
notetype: sourcetext
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "{id_val}"
title: "{title}"
tags:
- iso27001/2023/NL
status: active
---
'''
with open(filepath, 'w') as f:
f.write(yaml + ''.join(lines))
print("YAML front matter added to files that didn't have it.")

13
Corpus/Standards/ISO27x/OST/27001/NL/c-0-Inleiding.md
View file

@ -1,3 +1,16 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.0"
title: "Inleiding"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 0 Inleiding
1. **Algemeen**

13
Corpus/Standards/ISO27x/OST/27001/NL/c-1-Onderwerp-en-toepassingsgebied.md
View file

@ -1,3 +1,16 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.1"
title: "Onderwerp en toepassingsgebied"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 1 Onderwerp en toepassingsgebied
Dit document specificeert de eisen voor het binnen de context van de organisatie inrichten, implementeren, in stand houden en continu verbeteren van een managementsysteem voor informatiebeveiliging. Dit document bevat ook eisen voor het beoordelen en behandelen van informatiebeveiligingsrisico\'s afgestemd op de behoeften van de organisatie. De eisen in dit document zijn algemeen en bedoeld om van toepassing te zijn voor alle organisaties, ongeacht type, omvang of aard. Het uitsluiten van een of meer eisen van hoofdstuk 4 t/m 10 is niet aanvaardbaar als een organisatie naleving van dit document wil claimen.

15
Corpus/Standards/ISO27x/OST/27001/NL/c-10-Verbetering.md
View file

@ -1 +1,16 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.10"
title: "Verbetering"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 10 Verbetering
[c-10.1-Continue-verbetering](c-10.1-Continue-verbetering.md)
[c-10.2-Afwijkingen-en-corrigerende-maatregelen](c-10.2-Afwijkingen-en-corrigerende-maatregelen.md)

15
Corpus/Standards/ISO27x/OST/27001/NL/c-10.1-Continue-verbetering.md
View file

@ -1,3 +1,16 @@
# 10.1 Continue verbetering
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.10.1"
title: "Continue verbetering"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 10.1 Continue verbetering
De organisatie moet continu de geschiktheid, toereikendheid en doeltreffendheid van het managementsysteem voor informatiebeveiliging verbeteren.

25
Corpus/Standards/ISO27x/OST/27001/NL/c-10.2-Afwijkingen-en-corrigerende-maatregelen.md
View file

@ -1,20 +1,33 @@
# 10.2 Afwijkingen en corrigerende maatregelen
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.10.2"
title: "Afwijkingen en corrigerende maatregelen"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 10.2 Afwijkingen en corrigerende maatregelen
Wanneer zich een afwijking voordoet, moet de organisatie:
a) op de afwijking reageren, en indien van toepassing:
1. maatregelen treffen om de afwijking te beheersen en te corrigeren;
## 1. maatregelen treffen om de afwijking te beheersen en te corrigeren;
2. de consequenties aanpakken;
## 2. de consequenties aanpakken;
b) de noodzaak evalueren om maatregelen te treffen om de oorzaken van de afwijking weg te nemen, zodat de afwijking zich niet herhaalt of zich niet elders voordoet, door:
1. de afwijking te beoordelen;
## 1. de afwijking te beoordelen;
2. de oorzaken van de afwijking vast te stellen; en
## 2. de oorzaken van de afwijking vast te stellen; en
3. vast te stellen of zich gelijksoortige afwijkingen voordoen of kunnen voordoen;
## 3. vast te stellen of zich gelijksoortige afwijkingen voordoen of kunnen voordoen;
c) de benodigde maatregelen implementeren;

13
Corpus/Standards/ISO27x/OST/27001/NL/c-2-Normatieve-verwijzingen.md
View file

@ -1,3 +1,16 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.2"
title: "Normatieve verwijzingen"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 2 Normatieve verwijzingen
Naar de volgende documenten wordt in de tekst zo verwezen dat de bepalingen ervan geheel

12
Corpus/Standards/ISO27x/OST/27001/NL/c-3-Termen-en-definities.md
View file

@ -1,3 +1,15 @@
---
notetype: sourcetext
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.3"
title: "Termen en definities"
tags:
- iso27001/2023/NL
status: active
---
# 3 Termen en definities
Voor de toepassing van dit document gelden de termen en definities zoals opgenomen in ISO/IEC 27000.

17
Corpus/Standards/ISO27x/OST/27001/NL/c-4-Context-van-de-organisatie.md
View file

@ -1 +1,18 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.4"
title: "Context van de organisatie"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 4 Context van de organisatie
[c-4.1-Inzicht-in-de-organisatie-en-haar-context](c-4.1-Inzicht-in-de-organisatie-en-haar-context.md)
[c-4.2-Inzicht-in-de-behoeften-en-verwachtingen-van-belanghebbenden](c-4.2-Inzicht-in-de-behoeften-en-verwachtingen-van-belanghebbenden.md)
[c-4.3-Het-toepassingsgebied-van-het-managementsysteem-voor-informatiebeveiliging-vaststellen](c-4.3-Het-toepassingsgebied-van-het-managementsysteem-voor-informatiebeveiliging-vaststellen.md)
[c-4.4-Managementsysteem-voor-informatiebeveiliging](c-4.4-Managementsysteem-voor-informatiebeveiliging.md)

15
Corpus/Standards/ISO27x/OST/27001/NL/c-4.1-Inzicht-in-de-organisatie-en-haar-context.md
View file

@ -1,4 +1,17 @@
# 4.1 Inzicht in de organisatie en haar context
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.4.1"
title: "Inzicht in de organisatie en haar context"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 4.1 Inzicht in de organisatie en haar context
De organisatie moet externe en interne (belangrijke) punten vaststellen die relevant zijn voor haar doelstelling en die haar vermogen beïnvloeden om het (de) beoogde resulta(a)t(en) van haar managementsysteem voor informatiebeveiliging te behalen.

15
Corpus/Standards/ISO27x/OST/27001/NL/c-4.2-Inzicht-in-de-behoeften-en-verwachtingen-van-belanghebbenden.md
View file

@ -1,4 +1,17 @@
# 4.2 Inzicht in de behoeften en verwachtingen van belanghebbenden
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.4.2"
title: "Inzicht in de behoeften en verwachtingen van belanghebbenden"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 4.2 Inzicht in de behoeften en verwachtingen van belanghebbenden
De organisatie moet vaststellen:

15
Corpus/Standards/ISO27x/OST/27001/NL/c-4.3-Het-toepassingsgebied-van-het-managementsysteem-voor-informatiebeveiliging-vaststellen.md
View file

@ -1,4 +1,17 @@
# 4.3 Het toepassingsgebied van het managementsysteem voor informatiebeveiliging vaststellen
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.4.3"
title: "Het toepassingsgebied van het managementsysteem voor informatiebeveiliging vaststellen"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 4.3 Het toepassingsgebied van het managementsysteem voor informatiebeveiliging vaststellen
De organisatie moet de grenzen en toepasselijkheid van het managementsysteem voor informatiebeveiliging bepalen om het toepassingsgebied ervan vast te stellen.

15
Corpus/Standards/ISO27x/OST/27001/NL/c-4.4-Managementsysteem-voor-informatiebeveiliging.md
View file

@ -1,3 +1,16 @@
# 4.4 Managementsysteem voor informatiebeveiliging
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.4.4"
title: "Managementsysteem voor informatiebeveiliging"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 4.4 Managementsysteem voor informatiebeveiliging
De organisatie moet een managementsysteem voor informatiebeveiliging inrichten, implementeren, onderhouden en continu verbeteren, met inbegrip van de benodigde processen en hun interacties, in overeenstemming met de eisen van dit document.

16
Corpus/Standards/ISO27x/OST/27001/NL/c-5-Leiderschap.md
View file

@ -1 +1,17 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.5"
title: "Leiderschap"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 5 Leiderschap
[c-5.1-Leiderschap-en-betrokkenheid](c-5.1-Leiderschap-en-betrokkenheid.md)
[c-5.2-Beleid](c-5.2-Beleid.md)
[c-5.3-Rollen-verantwoordelijkheden-en-bevoegdheden-binnen-de-organisatie](c-5.3-Rollen-verantwoordelijkheden-en-bevoegdheden-binnen-de-organisatie.md)

15
Corpus/Standards/ISO27x/OST/27001/NL/c-5.1-Leiderschap-en-betrokkenheid.md
View file

@ -1,4 +1,17 @@
# 5.1 Leiderschap en betrokkenheid
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.5.1"
title: "Leiderschap en betrokkenheid"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 5.1 Leiderschap en betrokkenheid
Het topmanagement moet leiderschap en betrokkenheid tonen met betrekking tot het managementsysteem voor informatiebeveiliging door:

15
Corpus/Standards/ISO27x/OST/27001/NL/c-5.2-Beleid.md
View file

@ -1,4 +1,17 @@
# 5.2 Beleid
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.5.2"
title: "Beleid"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 5.2 Beleid
Het topmanagement moet een informatiebeveiligingsbeleid vaststellen dat:

15
Corpus/Standards/ISO27x/OST/27001/NL/c-5.3-Rollen-verantwoordelijkheden-en-bevoegdheden-binnen-de-organisatie.md
View file

@ -1,4 +1,17 @@
# 5.3 Rollen, verantwoordelijkheden en bevoegdheden binnen de organisatie
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.5.3"
title: "Rollen verantwoordelijkheden en bevoegdheden binnen de organisatie"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 5.3 Rollen, verantwoordelijkheden en bevoegdheden binnen de organisatie
Het topmanagement moet bewerkstelligen dat de verantwoordelijkheden en bevoegdheden voor rollen die relevant zijn voor informatiebeveiliging worden toegekend en gecommuniceerd binnen de organisatie.

16
Corpus/Standards/ISO27x/OST/27001/NL/c-6-Planning.md
View file

@ -1 +1,17 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.6"
title: "Planning"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 6 Planning
[c-6.1-Acties-om-risicos-en-kansen-op-te-pakken](c-6.1-Acties-om-risicos-en-kansen-op-te-pakken.md)
[c-6.2-Informatiebeveiligingsdoelstellingen-en-de-planning-om-ze-te-bereiken](c-6.2-Informatiebeveiligingsdoelstellingen-en-de-planning-om-ze-te-bereiken.md)
[c-6.3-Planning-van-wijzigingen](c-6.3-Planning-van-wijzigingen.md)

47
Corpus/Standards/ISO27x/OST/27001/NL/c-6.1-Acties-om-risicos-en-kansen-op-te-pakken.md
View file

@ -1,4 +1,17 @@
# 6.1 Acties om risico's en kansen op te pakken
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.6.1"
title: "Acties om risicos en kansen op te pakken"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 6.1 Acties om risico's en kansen op te pakken
1. **Algemeen**
@ -16,41 +29,41 @@ d) acties plannen om deze risico's en kansen op te pakken; en
e) plannen op welke manier:
1. de acties in de processen van haar managementsysteem voor informatiebeveiliging worden geïntegreerd en geïmplementeerd; en
## 1. de acties in de processen van haar managementsysteem voor informatiebeveiliging worden geïntegreerd en geïmplementeerd; en
2. de doeltreffendheid van deze acties wordt geëvalueerd.
## 2. de doeltreffendheid van deze acties wordt geëvalueerd.
1. **Risicobeoordeling van informatiebeveiliging**
## 1. **Risicobeoordeling van informatiebeveiliging**
De organisatie moet een risicobeoordelingsprocedure voor informatiebeveiliging definiëren en toepassen die:
a) risicocriteria voor informatiebeveiliging vaststelt en onderhoudt, waaronder:
1. de risicoacceptatiecriteria; en
## 1. de risicoacceptatiecriteria; en
2. criteria voor het uitvoeren van risicobeoordelingen van informatiebeveiliging;
## 2. criteria voor het uitvoeren van risicobeoordelingen van informatiebeveiliging;
b) waarborgt dat herhaalde risicobeoordelingen van informatiebeveiliging consistente, valide en vergelijkbare resultaten opleveren;
c) de informatiebeveiligingsrisico's identificeert:
1. pas de risicobeoordelingsprocedure voor informatiebeveiliging toe om de risico's in verband met het verlies van vertrouwelijkheid, integriteit en beschikbaarheid van informatie binnen het toepassingsgebied van het managementsysteem voor informatiebeveiliging te identificeren; en
## 1. pas de risicobeoordelingsprocedure voor informatiebeveiliging toe om de risico's in verband met het verlies van vertrouwelijkheid, integriteit en beschikbaarheid van informatie binnen het toepassingsgebied van het managementsysteem voor informatiebeveiliging te identificeren; en
2. identificeer de risico-eigenaren;
## 2. identificeer de risico-eigenaren;
d) de informatiebeveiligingsrisico's analyseert:
1. beoordeel de potentiële gevolgen indien de risico's die in 6.1.2 c) 1) zijn vastgesteld, zich zouden voordoen;
## 1. beoordeel de potentiële gevolgen indien de risico's die in 6.1.2 c) 1) zijn vastgesteld, zich zouden voordoen;
2. beoordeel de realistische waarschijnlijkheid dat de risico's die zijn vastgesteld in 6.1.2 c) 1) zich voordoen; en
## 2. beoordeel de realistische waarschijnlijkheid dat de risico's die zijn vastgesteld in 6.1.2 c) 1) zich voordoen; en
3. stel de risiconiveaus vast;
## 3. stel de risiconiveaus vast;
e) de informatiebeveiligingsrisico's evalueert:
1. vergelijk de resultaten van de risicoanalyse met de risicocriteria die zijn vastgesteld in 6.1.2 a); en
## 1. vergelijk de resultaten van de risicoanalyse met de risicocriteria die zijn vastgesteld in 6.1.2 a); en
2. prioriteer de geanalyseerde risico's voor risicobehandeling.
## 2. prioriteer de geanalyseerde risico's voor risicobehandeling.
De organisatie moet gedocumenteerde informatie bewaren over de risicobeoordelingsprocedure voor informatiebeveiliging.
@ -72,13 +85,13 @@ OPMERKING 3 De lijst van beheersmaatregelen voor informatiebeveiliging in bijlag
d) een verklaring van toepasselijkheid op te stellen die het volgende bevat:
- de noodzakelijke beheersmaatregelen (zie 6.1.3 b) en c));
## - de noodzakelijke beheersmaatregelen (zie 6.1.3 b) en c));
- een rechtvaardiging voor het opnemen ervan;
## - een rechtvaardiging voor het opnemen ervan;
- de informatie of de benodigde beheersmaatregelen zijn geïmplementeerd of niet; en
## - de informatie of de benodigde beheersmaatregelen zijn geïmplementeerd of niet; en
- de rechtvaardiging voor het uitsluiten van beheersmaatregelen uit bijlage A.
## - de rechtvaardiging voor het uitsluiten van beheersmaatregelen uit bijlage A.
e) een plan voor de behandeling van informatiebeveiligingsrisico's te formuleren; en

15
Corpus/Standards/ISO27x/OST/27001/NL/c-6.2-Informatiebeveiligingsdoelstellingen-en-de-planning-om-ze-te-bereiken.md
View file

@ -1,4 +1,17 @@
# 6.2 Informatiebeveiligingsdoelstellingen en de planning om ze te bereiken
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.6.2"
title: "Informatiebeveiligingsdoelstellingen en de planning om ze te bereiken"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 6.2 Informatiebeveiligingsdoelstellingen en de planning om ze te bereiken
De organisatie moet voor relevante functies en op relevante niveaus informatiebeveiligingsdoel- stellingen vaststellen.

17
Corpus/Standards/ISO27x/OST/27001/NL/c-6.3-Planning-van-wijzigingen.md
View file

@ -1,5 +1,18 @@
# 6.3 Planning van wijzigingen
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.6.3"
title: "Planning van wijzigingen"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 6.3 Planning van wijzigingen
Wanneer de organisatie besluit dat er een noodzaak is voor wijzigingen in het managementsysteem voor informatiebeveiliging, moeten de wijzigingen worden uitgevoerd volgens een geplande werkwijze.
[]{#_bookmark20 .anchor}\* Nederlandse voetnoot: De tekst is niet overgenomen in deze vertaling, omdat de strekking ervan identiek is aan die van het nieuwe opsommingsdeel g).
Nederlandse voetnoot: De tekst is niet overgenomen in deze vertaling, omdat de strekking ervan identiek is aan die van het nieuwe opsommingsdeel g).

18
Corpus/Standards/ISO27x/OST/27001/NL/c-7-Ondersteuning.md
View file

@ -1 +1,19 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.7"
title: "Ondersteuning"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 7 Ondersteuning
[c-7.1-Middelen](c-7.1-Middelen.md)
[c-7.2-Competentie](c-7.2-Competentie.md)
[c-7.3-Bewustzijn](c-7.3-Bewustzijn.md)
[c-7.4-Communicatie](c-7.4-Communicatie.md)
[c-7.5-Gedocumenteerde-informatie](c-7.5-Gedocumenteerde-informatie.md)

15
Corpus/Standards/ISO27x/OST/27001/NL/c-7.1-Middelen.md
View file

@ -1,3 +1,16 @@
# 7.1 Middelen
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.7.1"
title: "Middelen"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 7.1 Middelen
De organisatie moet de middelen vaststellen en beschikbaar stellen die nodig zijn voor het inrichten, implementeren, onderhouden en continu verbeteren van het managementsysteem voor informatiebeveiliging.

15
Corpus/Standards/ISO27x/OST/27001/NL/c-7.2-Competentie.md
View file

@ -1,4 +1,17 @@
# 7.2 Competentie
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.7.2"
title: "Competentie"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 7.2 Competentie
De organisatie moet:

15
Corpus/Standards/ISO27x/OST/27001/NL/c-7.3-Bewustzijn.md
View file

@ -1,4 +1,17 @@
# 7.3 Bewustzijn
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.7.3"
title: "Bewustzijn"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 7.3 Bewustzijn
Personen die werkzaamheden verrichten onder het gezag van de organisatie, moeten zich bewust zijn van:

15
Corpus/Standards/ISO27x/OST/27001/NL/c-7.4-Communicatie.md
View file

@ -1,4 +1,17 @@
# 7.4 Communicatie
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.7.4"
title: "Communicatie"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 7.4 Communicatie
De organisatie moet vaststellen welke interne en externe communicatie relevant is voor het managementsysteem voor informatiebeveiliging, inclusief:

19
Corpus/Standards/ISO27x/OST/27001/NL/c-7.5-Gedocumenteerde-informatie.md
View file

@ -1,4 +1,17 @@
# 7.5 Gedocumenteerde informatie
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.7.5"
title: "Gedocumenteerde informatie"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 7.5 Gedocumenteerde informatie
1. **Algemeen**
@ -16,7 +29,7 @@ OPMERKING De uitgebreidheid van gedocumenteerde informatie voor een managementsy
3) de competentie van de mensen.
1. **Creëren en actualiseren**
## 1. **Creëren en actualiseren**
Bij het creëren en actualiseren van gedocumenteerde informatie moet de organisatie zorgen voor (een) passend(e):
@ -26,7 +39,7 @@ b) format (bijv. taal, softwareversie, afbeeldingen) en media (bijv. papier, el
c) beoordeling en goedkeuring van geschiktheid en toereikendheid.
1. **Beheersing van gedocumenteerde informatie**
## 1. **Beheersing van gedocumenteerde informatie**
Gedocumenteerde informatie zoals het managementsysteem voor informatiebeveiliging en dit document vereisen, moet worden beheerst om te bewerkstelligen dat:

17
Corpus/Standards/ISO27x/OST/27001/NL/c-8-Uitvoering.md
View file

@ -1 +1,18 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.8"
title: "Uitvoering"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 8 Uitvoering
[c-8.1-Operationele-planning-en-beheersing](c-8.1-Operationele-planning-en-beheersing.md)
[c-8.2-Risicobeoordeling-van-informatiebeveiliging](c-8.2-Risicobeoordeling-van-informatiebeveiliging.md)
[c-8.3-Informatiebeveiligingsrisicos-behandelen](c-8.3-Informatiebeveiligingsrisicos-behandelen.md)

15
Corpus/Standards/ISO27x/OST/27001/NL/c-8.1-Operationele-planning-en-beheersing.md
View file

@ -1,4 +1,17 @@
# 8.1 Operationele planning en beheersing
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.8.1"
title: "Operationele planning en beheersing"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 8.1 Operationele planning en beheersing
Om te voldoen aan de eisen en om de in hoofdstuk 6 vastgestelde acties te implementeren moet de organisatie de benodigde processen plannen, implementeren en beheersen, door:

15
Corpus/Standards/ISO27x/OST/27001/NL/c-8.2-Risicobeoordeling-van-informatiebeveiliging.md
View file

@ -1,4 +1,17 @@
# 8.2 Risicobeoordeling van informatiebeveiliging
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.8.2"
title: "Risicobeoordeling van informatiebeveiliging"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 8.2 Risicobeoordeling van informatiebeveiliging
De organisatie moet, met geplande tussenpozen of zodra belangrijke veranderingen worden voorgesteld of zich voordoen, risicobeoordelingen voor informatiebeveiliging uitvoeren, rekening houdend met de in 6.1.2 a) vastgestelde criteria.

15
Corpus/Standards/ISO27x/OST/27001/NL/c-8.3-Informatiebeveiligingsrisicos-behandelen.md
View file

@ -1,4 +1,17 @@
# 8.3 Informatiebeveiligingsrisico's behandelen
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.8.3"
title: "Informatiebeveiligingsrisicos behandelen"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 8.3 Informatiebeveiligingsrisico's behandelen
De organisatie moet het risicobehandelingsplan voor informatiebeveiliging implementeren.

16
Corpus/Standards/ISO27x/OST/27001/NL/c-9-Evaluatie-van-de-prestaties.md
View file

@ -1 +1,17 @@
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.9"
title: "Evaluatie van de prestaties"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
# 9 Evaluatie van de prestaties
[c-9.1-Monitoren-meten-analyseren-en-evalueren](c-9.1-Monitoren-meten-analyseren-en-evalueren.md)
[c-9.2-Interne-audit](c-9.2-Interne-audit.md)
[c-9.3-Management-review](c-9.3-Management-review.md)

15
Corpus/Standards/ISO27x/OST/27001/NL/c-9.1-Monitoren-meten-analyseren-en-evalueren.md
View file

@ -1,4 +1,17 @@
# 9.1 Monitoren, meten, analyseren en evalueren
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.9.1"
title: "Monitoren meten analyseren en evalueren"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 9.1 Monitoren, meten, analyseren en evalueren
De organisatie moet vaststellen:

21
Corpus/Standards/ISO27x/OST/27001/NL/c-9.2-Interne-audit.md
View file

@ -1,4 +1,17 @@
# 9.2 Interne audit
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.9.2"
title: "Interne audit"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 9.2 Interne audit
1. **Algemeen**
@ -6,13 +19,13 @@ De organisatie moet met geplande tussenpozen interne audits uitvoeren om informa
a) voldoet aan
1. de eigen eisen van de organisatie voor haar managementsysteem voor informatiebeveiliging;
## 1. de eigen eisen van de organisatie voor haar managementsysteem voor informatiebeveiliging;
2. de eisen van dit document;
## 2. de eisen van dit document;
b) doeltreffend is geïmplementeerd en onderhouden.
1. **Intern auditprogramma**
## 1. **Intern auditprogramma**
De organisatie moet (een) auditprogramma('s) plannen, vaststellen, implementeren en onderhouden, met inbegrip van de frequentie, methoden, verantwoordelijkheden, planningseisen en rapportage.

25
Corpus/Standards/ISO27x/OST/27001/NL/c-9.3-Management-review.md
View file

@ -1,4 +1,17 @@
# 9.3 Management review
---
notetype: reference
standard: ISO 27001
version: 2023
language: NL
type: clause
id: "C.9.3"
title: "Management review"
tags:
- iso27001/2023/NL
- sourcetext
status: active
---
## 9.3 Management review
1. **Algemeen**
@ -16,13 +29,13 @@ c) wijzigingen in de behoeften en verwachtingen van de belanghebbenden die rele
d) feedback over de prestaties van de informatiebeveiliging, met inbegrip van trends in:
1. afwijkingen en corrigerende maatregelen;
## 1. afwijkingen en corrigerende maatregelen;
2. resultaten van monitoren en meten;
## 2. resultaten van monitoren en meten;
3. auditresultaten;
## 3. auditresultaten;
4. het voldoen aan informatiebeveiligingsdoelstellingen;
## 4. het voldoen aan informatiebeveiligingsdoelstellingen;
e) feedback van belanghebbenden;
@ -30,7 +43,7 @@ f) resultaten van risicobeoordeling en de status van het risicobehandelingsplan
g) kansen voor continue verbetering.
1. **Resultaten van de management review**
## 1. **Resultaten van de management review**
De resultaten van de management reviews moeten beslissingen omvatten met betrekking tot kansen voor continue verbetering en de noodzaak voor wijzigingen in het managementsysteem voor informatiebeveiliging.

101
Corpus/Standards/ISO27x/OST/27002/EN/A-4-Structure-of-this-document.md Normal file
View file

@ -0,0 +1,101 @@
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
id: "A.4"
title: "Structure of this document"
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
# 4 Structure of this document
## 4.1 Clauses
This document is structured as follows:
a\) Organizational controls (Clause 5)
b\) People controls (Clause 6)
c\) Physical controls (Clause 7)
d\) Technological controls (Clause 8)
There are 2 informative annexes:
— Annex A— Using attributes
— Annex B— Correspondence with ISO/IEC 27002:2013
Annex A explains how an organization can use attributes (see 4.2) to create its own views based on the control attributes defined in this document or of its own creation.
Annex B shows the correspondence between the controls in this edition of ISO/IEC 27002 and the previous 2013 edition.
## 4.2 Themes and attributes
The categorization of controls given in Clauses 5to 8are referred to as themes.
Controls are categorized as:
a\) people, if they concern individual people;
b\) physical, if they concern physical objects;
c\) technological, if they concern technology;
d\) otherwise they are categorized as organizational.
The organization can use attributes to create different views which are different categorizations of controls as seen from a different perspective to the themes. Attributes can be used to filter, sort or present controls in different views for different audiences. Annex Aexplains how this can be achieved and provides an example of a view.
By way of example, each control in this document has been associated with five attributes with corresponding attribute values (preceded by "#" to make them searchable), as follows:
a\) Control type
Control type is an attribute to view controls from the perspective of when and how the control modifies the risk with regard to the occurrence of an information security incident. Attribute values consist of Preventive (the control that is intended to prevent the occurrence of an information security incident), Detective (the control acts when an information security incident occurs) and Corrective (the control acts after an information security incident occurs).
b\) Information security properties
Information security properties is an attribute to view controls from the perspective of which characteristic of information the control will contribute to preserving. Attribute values consist of Confidentiality, Integrity and Availability.
c\) Cybersecurity concepts
Cybersecurity concepts is an attribute to view controls from the perspective of the association of controls to cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27110. Attribute values consist of Identify, Protect, Detect, Respond and Recover.
d\) Operational capabilities
Operational capabilities is an attribute to view controls from the practitioners perspective of information security capabilities. Attribute values consist of Governance, Asset_management, Information_protection, Human_resource_security, Physical_security, System_and_network\_ security, Application_security, Secure_configuration, Identity_and_access_management,
Threat_and_vulnerability_management, Continuity, Supplier_relationships_security, Legal_and\_ compliance, Information_security_event_management and Information_security_assurance.
e\) Security domains
Security domains is an attribute to view controls from the perspective of four information security
domains: “Governance and Ecosystem” includes “Information System Security Governance &
Risk Management” and “Ecosystem cybersecurity management” (including internal and external stakeholders); “Protection” includes “IT Security Architecture”, “IT Security Administration”, “Identity and access management”, “IT Security Maintenance” and “Physical and environmental security”; “Defence” includes “Detection” and “Computer Security Incident Management”; “Resilience” includes “Continuity of operations” and “Crisis management”. Attribute values consist of Governance_and_Ecosystem, Protection, Defence and Resilience.
The attributes given in this document are selected because they are considered generic enough to be used by different types of organizations. Organizations can choose to disregard one or more of the attributes given in this document. They can also create attributes of their own (with the corresponding attribute values) to create their own organizational views. Clause A.2includes examples of such attributes.
## 4.3 Control layout
The layout for each control contains the following:
**Control title:** Short name of the control;
**Attribute table**: A table shows the value(s) of each attribute for the given control;
**Control:** What the control is;
**Purpose**: Why the control should be implemented; — **Guidance:** How the control should be implemented;
**Other information:** Explanatory text or references to other related documents.
Subheadings are used in the guidance text for some controls to aid readability where guidance is lengthy and addresses multiple topics. Such headings are not necessarily used in all guidance text. Subheadings are underlined.

BIN
Corpus/Standards/ISO27x/OST/27002/EN/ISO 27002_2022_EN_complete.docx Normal file
View file

Binary file not shown.

818
Corpus/Standards/ISO27x/OST/27002/EN/ISO_27002_OT 3 Terms, definitions and abbreviated terms.md
View file

@ -1,818 +0,0 @@
#iso27002/2022/EN
**3.1** **Terms** **and** **definitions**
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
**3.****1.1**
**access** **control**
means to ensure that physical and logical access to _assets_ (3.1.2) is authorized and restricted based on business and information security requirements
**3.****1.2**
**ass****et**
anything that has value to the organization
Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:
— the primary assets: — information;
— business _processes_ (3.1.27) and activities;
— the supporting assets (on which the primary assets rely) of all types, for example: — hardware;
— software; — network;
_personnel_ (3.1.20);
© ISO/IEC 2022 All rights reserved **1**
**ISO/IEC 27002:2022(E)**
— site;
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
— organizations structure.
**3.****1.3**
**attack**
successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an _asset_ (3.1.2) or any attempt to expose, steal, or make unauthorized use of an _asset_ (3.1.2)
**3.1.4**
**aut****hentication**
provision of assurance that a claimed characteristic of an _entity_ (3.1.11) is correct
**3****.1.5**
**au****thenticity**
property that an _entity_ (3.1.11) is what it claims to be
**3.1.6**
**chain** **of** **custody**
demonstrable possession, movement, handling and location of material from one point in time until another
Note 1 to entry: Material includes information and other associated _assets_ (3.1.2) in the context of ISO/IEC 27002.
[SOURCE: ISO/IEC 27050-1:2019, 3.1, modified — “Note 1 to entry” added]
**3.****1.7**
**confidential** **information**
information that is not intended to be made available or disclosed to unauthorized individuals, _entities_ (3.1.11) or _processes_ (3.1.27)
**3****.1.8**
**control**
measure that maintains and/or modifies risk
Note 1 to entry: Controls include, but are not limited to, any _process_ (3.1.27), _policy_ (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
**3.****1.9**
**disrupti****on**
incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organizations objectives
[SOURCE: ISO 22301:2019, 3.10]
**3.1****.10**
**endpoint** **device**
network connected information and communication technology (ICT) hardware device
Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices.
**3.1.11**
**entity**
item relevant for the purpose of operation of a domain that has recognizably distinct existence
Note 1 to entry: An entity can have a physical or a logical embodiment.
**2** © ISO/IEC 2022 All rights reserved
EXAMPLE
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17
Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
A person, an organization, a device, a group of such items, a human subscriber to a telecom
service, a SIM card, a passport, a network interface card, a software application, a service or a website.
[SOURCE: ISO/IEC 24760-1:2019, 3.1.1]
**3.****1.12**
**information** **processing** **facility**
any information processing system, service or infrastructure, or the physical location housing it [SOURCE: ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.] **3****.1.13**
**information** **security** **breach**
compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed
**3.1****.14**
**information** **security** **event**
occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or failure of _controls_ (3.1.8)
[SOURCE: ISO/IEC 27035-1:2016, 3.3, modified — “breach of information security” has been replaced with “information security breach”]
**3.1****.15**
**information** **security incident**
one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organizations _assets_ (3.1.2) or compromise its operations
[SOURCE: ISO/IEC 27035-1:2016, 3.4]
**3.1.16**
**information** **security** **incident** **management**
exercise of a consistent and effective approach to the handling of _information_ _security_ _incidents_ (3.1.15) [SOURCE: ISO/IEC 27035-1:2016, 3.5]
**3****.1.17**
**information** **system**
set of applications, services, information technology _assets_ (3.1.2), or other information-handling components
[SOURCE: ISO/IEC 27000:2018, 3.35]
**3.1.18**
**interested** **party** stakeholder
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
[SOURCE: ISO/IEC 27000:2018, 3.37]
**3.****1.19**
**non-repudiation**
ability to prove the occurrence of a claimed event or action and its originating _entities_ (3.1.11)
**3.1.20**
**pers****onnel**
persons doing work under the organizations direction
Note 1 to entry: The concept of personnel includes the organizations members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.
© ISO/IEC 2022 All rights reserved **3**
**ISO/IEC 27002:2022(E)**
**3.1****.21**
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**personally identifiable** **information**
**PII**
any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.
Note 1 to entry: The “natural person” in the definition is the _PII_ _principal_ (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.
[SOURCE: ISO/IEC 29100:2011/Amd.1:2018, 2.9]
**3.1.22**
**PII** **principal**
natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.21) relates
Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.
[SOURCE: ISO/IEC 29100:2011, 2.11]
**3.1.23**
**PII** **processor**
privacy stakeholder that processes _personally_ _identifiable_ _information_ _(PII)_ (3.1.21) on behalf of and in accordance with the instructions of a PII controller
[SOURCE: ISO/IEC 29100:2011, 2.12]
**3.1****.24**
**policy**
intentions and direction of an organization, as formally expressed by its top management [SOURCE: ISO/IEC 27000:2018, 3.53]
**3.1.25**
**privacy** **impact** **assessment** **PIA**
overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organizations broader risk management framework
[SOURCE: ISO/IEC 29134:2017, 3.7, modified — Note 1 to entry removed.]
**3.1.26**
**procedure**
specified way to carry out an activity or a _process_ (3.1.27)
[SOURCE: ISO 30000:2009, 3.12]
**3.1.27**
**proce****ss**
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
[SOURCE: ISO 9000:2015, 3.4.1, modified— Notes to entry removed.]
**3.1****.28**
**re****cord**
information created, received and maintained as evidence and as an _asset_ (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business
**4** © ISO/IEC 2022 All rights reserved
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.
[SOURCE: ISO 15489-1:2016, 3.14, modified— “Note 1 to entry” added.]
**3.1.29**
**recovery** **point** **objective**
**RPO**
point in time to which data are to be recovered after a _disruption_ (3.1.9) has occurred [SOURCE: ISO/IEC 27031:2011, 3.12, modified — "must" replaced by "are to be".] **3.1.30**
**recovery** **time** **objective** **RTO**
period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a _disruption_ (3.1.9) has occurred
[SOURCE: ISO/IEC 27031:2011, 3.13, modified — "must" replaced by "are to be".]
**3.1****.31**
**reliability**
property of consistent intended behaviour and results
**3.1.32**
**rule**
accepted principle or instruction that states the organizations expectations on what is required to be done, what is allowed or not allowed
Note 1 to entry: Rules can be formally expressed in _topic-specific policies_ (3.1.35) and in other types of documents.
**3.1.33**
**sensitive** **information**
information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety
**3****.1.34**
**thr****eat**
potential cause of an unwanted incident, which can result in harm to a system or organization [SOURCE: ISO/IEC 27000:2018, 3.74]
**3.1.35**
**topic-specific** **policy**
intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management
Note 1 to entry: Topic-specific policies can formally express _rules_ (3.1.32) or organization standards. Note 2 to entry: Some organizations use other terms for these topic-specific policies.
Note 3 to entry: The topic-specific policies referred to in this document are related to information security.
EXAMPLE Topic-specific policy on _access_ _control_ (3.1.1), topic-specific policy on clear desk and clear screen.
**3.1.36**
**u****ser**
_interested_ _party_ (3.1.18) with access to the organizations _information_ _systems_ (3.1.17)
EXAMPLE _Personnel_ (3.1.20), customers, suppliers.
© ISO/IEC 2022 All rights reserved
**5**
**ISO/IEC 27002:2022(E)**
**3.1.37**
**user** **endpoint** **device**
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
_endpoint_ _device_ (3.1.10) used by users to access information processing services
Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc.
**3.1****.38**
**vu****lnerability**
weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one or more _threats_ (3.1.34) [SOURCE: ISO/IEC 27000:2018, 3.77]
**3.2** **Abbreviated** **terms**
ABAC attribute-based access control
ACL access control list
BIA business impact analysis
BYOD bring your own device
CAPTCHA completely automated public Turing test to tell computers and humans apart
CPU central processing unit
DAC discretionary access control
DNS domain name system
GPS global positioning system
IAM identity and access management
ICT information and communication technology
ID identifier
IDE integrated development environment
IDS intrusion detection system
IoT internet of things
IP internet protocol
IPS intrusion prevention system
IT information technology
ISMS information security management system
MAC mandatory access control
NTP network time protocol
PIA privacy impact assessment
PII personally identifiable information
**6** © ISO/IEC 2022 All rights reserved
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
PIN personal identification number
PKI public key infrastructure
PTP precision time protocol
RBAC role-based access control
RPO recovery point objective
RTO recovery time objective
SAST static application security testing
SD secure digital
SDN software-defined networking
SD-WAN software-defined wide area networking
SIEM security information and event management
SMS short message service
SQL structured query language
SSO single sign on
SWID software identification
UEBA user and entity behaviour analytics
UPS uninterruptible power supply
URL uniform resource locator
USB universal serial bus
VM virtual machine
VPN virtual private network
WiFi wireless fidelity

201
Corpus/Standards/ISO27x/OST/27002/EN/a-3-Terms-definitions-and-abbreviated-terms.md Normal file
View file

@ -0,0 +1,201 @@
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
id: "A.3"
title: "Terms, definitions, and abbreviated terms"
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
# 3 Terms, definitions, and abbreviated terms
## 3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1.1 **access control**
means to ensure that physical and logical access to _assets_ (3.1.2) is authorized and restricted based on business and information security requirements
3.1.2 **asset**
anything that has value to the organization
*Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:*
— the primary assets: — information;
— business _processes_ (3.1.27) and activities;
— the supporting assets (on which the primary assets rely) of all types, for example: — hardware;
— software; — network;
_personnel_ (3.1.20);
— site;
— organizations structure.
3.1.3 **attack**
successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an _asset_ (3.1.2) or any attempt to expose, steal, or make unauthorized use of an _asset_ (3.1.2)
3.1.4 **authentication**
provision of assurance that a claimed characteristic of an _entity_ (3.1.11) is correct
3.1.5 **authenticity**
property that an _entity_ (3.1.11) is what it claims to be
3.1.6 **chain of custody**
demonstrable possession, movement, handling and location of material from one point in time until another
*Note 1 to entry: Material includes information and other associated _assets_ (3.1.2) in the context of ISO/IEC 27002.*
3.1.7 **confidential information**
information that is not intended to be made available or disclosed to unauthorized individuals, _entities_ (3.1.11) or _processes_ (3.1.27)
3.1.8 **control**
measure that maintains and/or modifies risk
*Note 1 to entry: Controls include, but are not limited to, any _process_ (3.1.27), _policy_ (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.*
*Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.*
3.1.9 **disruption**
incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organizations objectives
3.1.10 **endpoint device**
network connected information and communication technology (ICT) hardware device
*Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices.*
3.1.11 **entity**
item relevant for the purpose of operation of a domain that has recognizably distinct existence
*Note 1 to entry: An entity can have a physical or a logical embodiment.*
A person, an organization, a device, a group of such items, a human subscriber to a telecom
service, a SIM card, a passport, a network interface card, a software application, a service or a website.
3.1.12 **information processing facility**
any information processing system, service or infrastructure, or the physical location housing it [SOURCE: ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.]
3.1.13 **information security breach** compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed
3.1.14 **information security event**
occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or failure of _controls_ (3.1.8)
3.1.15 **information security incident**
one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organizations _assets_ (3.1.2) or compromise its operations
3.1.16 **information security incident management**
exercise of a consistent and effective approach to the handling of _information_ _security_ _incidents_ (3.1.15) [SOURCE: ISO/IEC 27035-1:2016, 3.5]
3.1.17 **information system** set of applications, services, information technology _assets_ (3.1.2), or other information-handling components
3.1.18 **interested party stakeholder**
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.1.19 **non-repudiation**
ability to prove the occurrence of a claimed event or action and its originating _entities_ (3.1.11)
3.1.20 **personnel**
persons doing work under the organizations direction
*Note 1 to entry: The concept of personnel includes the organizations members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.*
3.1.21 **personally identifiable information / PII**
any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.
*Note 1 to entry: The “natural person” in the definition is the PII principal (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.*
3.1.22 **PII principal**
natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.21) relates
*Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.*
3.1.23 **PII processor**
privacy stakeholder that processes _personally_ _identifiable_ _information_ _(PII)_ (3.1.21) on behalf of and in accordance with the instructions of a PII controller
3.1.24 **policy**
intentions and direction of an organization, as formally expressed by its top management
[SOURCE: ISO/IEC 27000:2018, 3.53]
3.1.25 **privacy impact assessment PIA**
overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organizations broader risk management framework
3.1.26 **procedure**
specified way to carry out an activity or a _process_ (3.1.27)
3.1.27 **process**
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
3.1.28 **record**
information created, received and maintained as evidence and as an _asset_ (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business
*Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.*
3.1.29 **recovery point objective** / **RPO**
point in time to which data are to be recovered after a _disruption_ (3.1.9) has occurred [SOURCE: ISO/IEC 27031:2011, 3.12, modified — "must" replaced by "are to be".]
3.1.30 **recovery time objective RTO**
period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a _disruption_ (3.1.9) has occurred
3.1.31 **reliability**
property of consistent intended behaviour and results
3.1.32 **rule**
accepted principle or instruction that states the organizations expectations on what is required to be done, what is allowed or not allowed
*Note 1 to entry: Rules can be formally expressed in _topic-specific policies_ (3.1.35) and in other types of documents.*
3.1.33 **sensitive information**
information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety
3.1.34 **threat** potential cause of an unwanted incident, which can result in harm to a system or organization [SOURCE: ISO/IEC 27000:2018, 3.74]
3.1.35 **topic-specific policy**
intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management
*Note 1 to entry: Topic-specific policies can formally express _rules_ (3.1.32) or organization standards. Note 2 to entry: Some organizations use other terms for these topic-specific policies.*
*Note 3 to entry: The topic-specific policies referred to in this document are related to information security.*
3.1.36 **user**
_interested_ _party_ (3.1.18) with access to the organizations _information_ _systems_ (3.1.17)
3.1.37 **user endpoint device**
_endpoint_ _device_ (3.1.10) used by users to access information processing services
*Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc.*
3.1.38 **vulnerability**
weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one or more _threats_ (3.1.34) [SOURCE: ISO/IEC 27000:2018, 3.77]
### 3.2 Abbreviated terms
ABAC attribute-based access control
ACL access control list
BIA business impact analysis
BYOD bring your own device
CAPTCHA completely automated public Turing test to tell computers and humans apart
CPU central processing unit
DAC discretionary access control
DNS domain name system
GPS global positioning system
IAM identity and access management
ICT information and communication technology
ID identifier IDE integrated development environment
IDS intrusion detection system IoT internet of things
IP internet protocol
IPS intrusion prevention system
IT information technology
ISMS information security management system
MAC mandatory access control
NTP network time protocol
PIA privacy impact assessment
PII personally identifiable information
PIN personal identification number
PKI public key infrastructure
PTP precision time protocol
RBAC role-based access control
RPO recovery point objective
RTO recovery time objective
SAST static application security testing
SD secure digital
SDN software-defined networking
SD-WAN software-defined wide area networking
SIEM security information and event management
SMS short message service
SQL structured query language
SSO single sign on
SWID software identification
UEBA user and entity behaviour analytics
UPS uninterruptible power supply
URL uniform resource locator
USB universal serial bus
VM virtual machine
VPN virtual private network
WiFi wireless fidelity

45
Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md
View file

@ -1,14 +1,38 @@
#iso27002/2022/EN
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.1"
title: "Policies for information security"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Governance]
security_domains:
- Governance_and_Ecosystem
- Resilience
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.1 Policies for information security
#### Control
### Control
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
#### Purpose
### Purpose
To ensure continuing suitability, adequacy, effectiveness of management direction and support for information security in accordance with business, legal, statutory, regulatory and contractual requirements.
#### Guidance
At the highest level, the organization should define an “information security policy” which is approved by top management and which sets out the organizations approach to managing its information security.
### Guidance
At the highest level, the organization should define an "information security policy" which is approved by top management and which sets out the organization's approach to managing its information security.
The information security policy should take into consideration requirements derived from:
@ -45,10 +69,10 @@ j) information classification and handling;
k) management of technical vulnerabilities;
l) secure development.
The responsibility for the development, review and approval of the topic-specific policies should be allocated to relevant personnel based on their appropriate level of authority and technical competency. The review should include assessing opportunities for improvement of the organizations information security policy and topic-specific policies and managing information security in response to changes to:
The responsibility for the development, review and approval of the topic-specific policies should be allocated to relevant personnel based on their appropriate level of authority and technical competency. The review should include assessing opportunities for improvement of the organization's information security policy and topic-specific policies and managing information security in response to changes to:
a) the organizations business strategy;
b) the organizations technical environment;
a) the organization's business strategy;
b) the organization's technical environment;
c) regulations, statutes, legislation and contracts;
d) information security risks;
e) the current and projected information security threat environment;
@ -56,7 +80,7 @@ f) lessons learned from information security events and incidents.
The review of information security policy and topic-specific policies should take the results of management reviews and audits into account. Review and update of other related policies should be considered when one policy is changed to maintain consistency.
The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to the intended reader. Recipients of the policies should be required to acknowledge they understand and agree to comply with the policies where applicable. The organization can determine the formats and names of these policy documents that meet the organizations needs. In some organizations, the information security policy and topic-specific policies can be in a single document. The organization can name these topic-specific policies as standards, directives, policies or others.
The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to the intended reader. Recipients of the policies should be required to acknowledge they understand and agree to comply with the policies where applicable. The organization can determine the formats and names of these policy documents that meet the organization's needs. In some organizations, the information security policy and topic-specific policies can be in a single document. The organization can name these topic-specific policies as standards, directives, policies or others.
If the information security policy or any topic-specific policy is distributed outside the organization, care should be taken not to improperly disclose confidential information.
@ -68,10 +92,9 @@ Level of detail | General or high-level | Specific and detailed
Documented and formally approved by | Top management | Appropriate level of management
#### Other information
### Other information
Topic-specific policies can vary across organizations.
# Related
- [[ISO_27002_PE 5.1 Policies for information security]]

39
Corpus/Standards/ISO27x/OST/27002/EN/a-5.10-Acceptable-use-of-information-and-other-associated-assets.md
View file

@ -1,16 +1,39 @@
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.10"
title: "Acceptable use of information and other associated assets"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Asset_management
- Information_protection
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.10 Acceptable use of information and other associated assets
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ----------------------------------------- | ------------------------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Governance_and_Ecosystem #Protection |
**Control**
### Control
Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.
**Purpose**
### Purpose
To ensure information and other associated assets are appropriately protected, used and handled.
**Guidance**
### Guidance
Personnel and external party users using or having access to the organizations information and other associated assets should be made aware of the information security requirements for protecting and handling the organizations information and other associated assets. They should be responsible for their use of any information processing facilities.
The organization should establish a topic-specific policy on the acceptable use of information and other associated assets and communicate it to anyone who uses or handles information and other associated assets. The topic-specific policy on acceptable use should provide clear direction on how individuals are expected to use information and other associated assets. The topic-specific policy should state:
@ -35,5 +58,5 @@ e\) clear marking of all copies of storage media (electronic or physical) for th
f\) authorization of disposal of information and other associated assets and supported deletion method(s) (see [8.10](a-8.10-Information-deletion.md)).
**Other information**
### Other information
It can be the case that the assets concerned do not directly belong to the organization, such as public cloud services. The use of such third-party assets and any assets of the organization associated with such external assets (e.g. information, software) should be identified as applicable and controlled, for example, through agreements with cloud service providers. Care should also be taken when a collaborative working environment is used.

35
Corpus/Standards/ISO27x/OST/27002/EN/a-5.11-Return-of-assets.md
View file

@ -1,18 +1,37 @@
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.11"
title: "Return of assets"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Asset_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.11 Return of assets
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------ | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management | #Protection |
**Control**
### Control
Personnel and other interested parties as appropriate should return all the organizations assets in their possession upon change or termination of their employment, contract or agreement.
**Purpose**
### Purpose
To protect the organizations assets as part of the process of changing or terminating employment, contract or agreement.
**Guidance**
### Guidance
The change or termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization.
@ -30,5 +49,5 @@ c\) specialist equipment;
d\) authentication hardware (e.g. mechanical keys, physical tokens and smartcards) for information systems, sites and physical archives;
e\) physical copies of information.
**Other information**
### Other information
It can be difficult to return information held on assets which are not owned by the organization. In such cases, it is necessary to restrict the use of information using other information security controls such as access rights management (5.18) or use of cryptography (8.24).

37
Corpus/Standards/ISO27x/OST/27002/EN/a-5.12-Classification-of-information.md
View file

@ -1,18 +1,37 @@
#iso27002/2022/EN
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.12"
title: "Classification of information"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Information_protection]
security_domains:
- Protection
- Defence
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.12 Classification of information
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------ | -------------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Information_protection | #Protection #Defence |
**Control**
### Control
Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
**Purpose**
### Purpose
To ensure identification and understanding of protection needs of information in accordance with its importance to the organization.
**Guidance**
### Guidance
The organization should establish a topic-specific policy on information classification and communicate it to all relevant interested parties.
The organization should take into account requirements for confidentiality, integrity and availability in the classification scheme.
@ -31,7 +50,7 @@ The scheme should be consistent across the whole organization and included in it
The classification scheme used within the organization can be different from the schemes used by other organizations, even if the names for levels are similar. In addition, information moving between organizations can vary in classification depending on its context in each organization, even if their classification schemes are identical. Therefore, agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification levels from other organizations. Correspondence between different schemes can be determined by looking for equivalence in the associated handling and protection methods.
**Other information**
### Other information
Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.
Information can cease to be sensitive or critical after a certain period of time. For example, when the information has been made public, it no longer has confidentiality requirements but can still require protection for its integrity and availability properties. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense or, on the contrary, under-classification can lead to insufficient controls to protect the information from compromise.

33
Corpus/Standards/ISO27x/OST/27002/EN/a-5.13-Labelling-of-information.md
View file

@ -1,14 +1,39 @@
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.13"
title: "Labelling of information"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Information_protection]
security_domains:
- Defence
- Protection
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.13 Labelling of information
**Control**
### Control
An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.
**Purpose**
### Purpose
To facilitate the communication of classification of information and support automation of information processing and management.
**Guidance**
### Guidance
Procedures for information labelling should cover information and other associated assets in all formats. The labelling should reflect the classification scheme established in 5.12. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of storage media. The procedures can define:
a\) cases where labelling is omitted (e.g. labelling of non-confidential information to reduce workloads);
@ -37,7 +62,7 @@ Personnel and other interested parties should be made aware of labelling procedu
Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.
**Other information**
### Other information
Labelling of classified information is a key requirement for information sharing.
Other useful metadata that can be attached to the information is which organizational process created the information and at what time.

37
Corpus/Standards/ISO27x/OST/27002/EN/a-5.14-Information-transfer.md
View file

@ -1,16 +1,37 @@
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.14"
title: "Information transfer"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities:
- Asset_management
- Information_protection
security_domains: [Protection]
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.14 Information transfer
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ----------------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Protection |
**Control**
### Control
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.
**Purpose**
### Purpose
To maintain the security of information transferred within an organization and with any external interested party.
**Guidance**
### Guidance
<u>General</u>
The organization should establish and communicate a topic-specific policy on information transfer to all relevant interested parties. Rules, procedures and agreements to protect information in transit should reflect the classification of the information involved. Where information is transferred between the organization and third parties, transfer agreements (including recipient authentication) should be established and maintained to protect information in all forms in transit (see [5.10](a-5.10-Acceptable-use-of-information-and-other-associated-assets.md)).
@ -136,6 +157,6 @@ e\) begin any sensitive conversations with a disclaimer so those present know th
**Other information**
### Other information
No other information.

35
Corpus/Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md
View file

@ -1,18 +1,35 @@
#iso27002/2022/EN
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.15"
title: "Access control"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Identity_and_access_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.15 Access control
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |
**Control**
### Control
Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.
**Purpose**
### Purpose
To ensure authorized access and to prevent unauthorized access to information and other associated assets.
**Guidance**
### Guidance
Owners of information and other associated assets should determine information security and business requirements related to access control. A topic-specific policy on access control should be defined which takes account of these requirements and should be communicated to all relevant interested parties.
These requirements and the topic-specific policy should consider the following:
@ -51,7 +68,7 @@ c\) considering all types of available connections in distributed environments s
d\) considering how elements or factors relevant to dynamic access control can be reflected.
**Other information**
### Other information
There are often overarching principles used in the context of access control. Two of the most frequently used principles are:

35
Corpus/Standards/ISO27x/OST/27002/EN/a-5.16-Identity-management.md
View file

@ -1,16 +1,35 @@
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.16"
title: "Identity management"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Identity_and_access_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.16 Identity management
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |
**Control**
### Control
The full life cycle of identities should be managed.
**Purpose**
### Purpose
To allow for the unique identification of individuals and systems accessing the organizations information and other associated assets and to enable appropriate assignment of access rights.
**Guidance**
### Guidance
The processes used in the context of identity management should ensure that:
a\) for identities assigned to persons, a specific identity is only linked to a single person to be able to hold the person accountable for actions performed with this specific identity;
@ -29,7 +48,7 @@ The organization should have a supporting process in place to handle changes to
When using identities provided or issued by third parties (e.g. social media credentials), the organization should ensure the third-party identities provide the required trust level and any associated risks are known and sufficiently treated. This can include controls related to the third parties (see [5.19](a-5.19-Information-security-in-supplier-relationships.md)) as well as controls related to associated authentication information (see [5.17](a-5.17-Authentication-information.md)).
**Other information**
### Other information
Providing or revoking access to information and other associated assets is usually a multi-step procedure:
a\) confirming the business requirements for an identity to be established;

26
Corpus/Standards/ISO27x/OST/27002/EN/a-5.17-Authentication-information.md
View file

@ -1,4 +1,26 @@
#iso27002/2022/EN
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.17"
title: "Authentication information"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Identity_and_access_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.17 Authentication information
### Control
@ -65,7 +87,7 @@ h)   store and transmit passwords in protected form.
Password  encryption  and  hashing  should  be  performed  according  to  approved  cryptographic techniques for passwords (see [8.24](a-8.24-Use-of-cryptography.md)).
**Other information**
### Other information
Passwords or passphrases are a commonly used type of authentication information and are a common means of verifying a users identity. Other types of authentication information are cryptographic keys, data stored on hardware tokens (e.g. smart cards) that produce authentication codes and biometric data such as iris scans or fingerprints. Additional information can be found in the ISO/IEC 24760 series.

35
Corpus/Standards/ISO27x/OST/27002/EN/a-5.18-Access-rights.md
View file

@ -1,16 +1,35 @@
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.18"
title: "Access rights"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Protect]
operational_capabilities: [Identity_and_access_management]
security_domains: [Protection]
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.18 Access rights
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| ------------ | ----------------------------------------- | ---------------------- | ------------------------------- | ---------------- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |
**Control**
### Control
Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organizations topic-specific policy on and rules for access control.
**Purpose**
### Purpose
To ensure access to information and other associated assets is defined and authorized according to the business requirements.
**Guidance**
### Guidance
<u>Provision and revocation of access rights</u>
The provisioning process for assigning or revoking physical and logical access rights granted to an entitys authenticated identity should include:
@ -53,7 +72,7 @@ b\) the current responsibilities of the user;
c\) the value of the assets currently accessible.
**Other information**
### Other information
Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews of access rights are easier managed at the level of such roles than at the level of particular rights.
Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel (see [5.20](a-5.20-Addressing-information-security-within-supplier-agreements.md), [6.2](a-6.2-Terms-and-conditions-of-employment.md), [6.4](a-6.4-Disciplinary-process.md), [6.6](a-6.6-Confidentiality-or-non-disclosure-agreements.md)).

34
Corpus/Standards/ISO27x/OST/27002/EN/a-5.19-Information-security-in-supplier-relationships.md
View file

@ -1,15 +1,39 @@
#iso27002/2022/EN
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.19"
title: "Information security in supplier relationships"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Supplier_relationships_security]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.19 Information security in supplier relationships
**Control**
### Control
Processes and procedures should be defined and implemented to manage the information security risks associated with the use of suppliers products or services.
**Purpose**
### Purpose
To maintain an agreed level of information security in supplier relationships.
**Guidance**
### Guidance
The organization should establish and communicate a topic-specific policy on supplier relationships to all relevant interested parties.
@ -56,7 +80,7 @@ n\) level of personnel security and physical security expected from supplier's p
The procedures for continuing information processing in the event that the supplier becomes unable to supply its products or services (e.g. because of an incident, because the supplier is no longer in business, or no longer provides some components due to technology advancements) should be considered to avoid any delay in arranging replacement products or services (e.g. identifying an alternative supplier in advance or always using alternative suppliers).
**Other information**
### Other information
In cases where it is not possible for an organization to place requirements on a supplier, the organization should:

27
Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md
View file

@ -1,4 +1,29 @@
#iso27002/2022/EN
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.2"
title: "Information security roles and responsibilities"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Governance]
security_domains:
- Governance_and_Ecosystem
- Protection
- Resilience
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.2 Information security roles and responsibilities
### Control

34
Corpus/Standards/ISO27x/OST/27002/EN/a-5.20-Addressing-information-security-within-supplier-agreements.md
View file

@ -1,13 +1,37 @@
#iso27002/2022/EN
---
notetype: reference
standard: ISO 27002
version: 2022
language: EN
type: control
id: "A.5.20"
title: "Addressing information security within supplier agreements"
theme: Organizational
control_type: [Preventive]
information_security_properties:
- Confidentiality
- Integrity
- Availability
cybersecurity_concepts: [Identify]
operational_capabilities: [Supplier_relationships_security]
security_domains:
- Governance_and_Ecosystem
- Protection
tags:
- iso27002/2022/EN
- sourcetext
status: active
---
## 5.20 Addressing information security within supplier agreements
**Control**
### Control
Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.
**Purpose**
### Purpose
To maintain an agreed level of information security in supplier relationships.
**Guidance**
### Guidance
Supplier agreements should be established and documented to ensure that there is clear understanding between the organization and the supplier regarding both parties obligations to fulfil relevant information security requirements.
The following terms can be considered for inclusion in the agreements in order to satisfy the identified information security requirements:
@ -66,7 +90,7 @@ z\) ensuring, at the end of the contract, handover support to another supplier o
The organization should establish and maintain a register of agreements with external parties (e.g. contracts, memorandum of understanding, information-sharing agreements) to keep track of where their information is going. The organization should also regularly review, validate and update their agreements with external parties to ensure they are still required and fit for purpose with relevant information security clauses.
**Other information**
### Other information
The agreements can vary considerably for different organizations and among the different types of suppliers. Therefore, care should be taken to include all relevant requirements for addressing information security risks.
For details on supplier agreements, see ISO/IEC 27036 series. For cloud service agreements, see ISO/IEC 19086 series.

Some files were not shown because too many files have changed in this diff Show more