# GIS Content Map

- **m100: Implementing with ISO27DIY**
	- [[m100s010-Modules-and-Sessions|m100s010]]: Modules and Sessions
	- [[m100s020-about-AuditGlue|m100s020]]: About AuditGlue
- **m200: About ISO 27001**
	- [[m200s010-about-ISO27001|m200s010]]: About ISO 27001
- **m300: Strategy, Risks and Leadership**
	- [[m300s010-introduction|m300s010]]: Introduction to Strategy, Risks and Leadership
	- [[m310s010-organizational-goals|m310s010]]: Organizational Goals
	- [[m310s020-threat-landscape|m310s020]]: The Threat Landscape
	- [[m310s030-Identifying-Strategic-Risks|m310s030]]: Identifying Strategic Risks
	- [[m310s040-qualifying-risks|m310s040]]: Qualifying Risks
	- [[m310s050-qualifying-impact|m310s050]]: Qualifying Impact
	- [[m310s060-creating-the-risk-matrix|m310s060]]: Creating the Risk Matrix
	- [[m310s070-Governance-model|m310s070]]: Governance model
	- m310s080: Information Security Policy ([[ISO_27001_2022_5.2_MoC Policy|C5.2]])
- **m400: Context of the Organization** 
	- [[m400s010-introduction|m400s010]]: Introduction: Why Context Matters
	- m400s020: Standards, Laws and Regulations  ([[ISO_27001_2022_4.2_MoC Understanding the needs and expectations of interested parties|C4.2]], [[ISO_27002_2022_5.31_MoC Legal, statutory, regulatory and contractual requirements|A5.31]], [[ISO_27002_2022_5.34_MoC Privacy and protection of PII|A5.34]])
	- m400s030: [[iso27diy-git-SYNC!/m300/m300s520-DESTEP-analysis|m300s520]]: **DESTEP analysis**  ([[ISO_27001_2022_4.2_MoC Understanding the needs and expectations of interested parties|C4.2]])
	- m400s040: [[iso27diy-m300s510|m300s510]]:  **SWOT analysis** ([[ISO_27001_2022_4.1_MoC Understanding the organization and its context|C4.1]])
	- m400s050: Stakeholder Analysis ([[ISO_27001_2022_4.2_MoC Understanding the needs and expectations of interested parties|C4.2]])
	- **m410:Organizational Structures**
		- [[Introduction for Organizational Structures]]
		- Organizational processes ([[ISO_27001_2022_4.1_MoC Understanding the organization and its context|C4.1]])
		- Organization Chart ([[ISO_27001_2022_4.1_MoC Understanding the organization and its context|C4.1]])
		- Job architecture ([[ISO_27001_2022_4.1_MoC Understanding the organization and its context|C4.1]])
		- Physical context (sites, buildings, areas) ([[ISO_27002_2022_7.1_MoC Physical security perimeters|A7.1]])
		- Asset identification ([[ISO_27002_2022_5.9_MoC Inventory of information and other associated assets|A5.9]], [[ISO_27002_2022_5.32_MoC Intellectual property rights|A5.32]])
	- **420: Planning the Implementation**
		- [[m300s120-Setting-ISMS-Objectives|m300s120]]: Setting ISMS Objectives
		- [[iso27diy-git-SYNC!/m300/m300s200-scope|m300s200]]: Setting the Scope
		- Planning the ISMS implementation ([[ISO_27001_2022_6.1.1_MoC General|C6.1.1]])
- **m500: Risks and Measures**
	- Risk identification ([[ISO_27001_2022_6.1.2_MoC Information security risk assessment|C6.1.2]])
	- Risk analysis ([[ISO_27001_2022_6.1.2_MoC Information security risk assessment|C6.1.2]])
	- Data classification ([[ISO_27002_2022_5.12_MoC Classification of information|A5.12]])
	- Technical vulnerabilities Test ([[ISO_27002_2022_8.8_MoC Management of technical vulnerabilities|A8.8]])
	- Threat analysis (technical) ([[ISO_27001_2022_6.1.2_MoC Information security risk assessment|C6.1.2]], [[ISO_27002_2022_5.7_MoC Threat intelligence|A5.7]], [[ISO_27002_2022_5.6_MoC Contact with special interest groups|A5.6]])
	- Controls identification ([[ISO_27001_2022_6.1.3_MoC Information security risk treatment|C6.1.3]])
	- Roles and responsibilities ([[ISO_27001_2022_5.2_MoC Policy|C5.2]], [[ISO_27001_2022_5.3_MoC Organizational roles, responsibilities and authorities|C5.3]], [[ISO_27002_2022_5.4_MoC Management responsibilities|A5.4]], [[ISO_27002_2022_5.3_MoC Segregation of duties|A5.3]], [[ISO_27002_2022_5.5_MoC Contact with authorities|A5.5]]) – see [[m400-more-governance]]
	- Planning Controls implementation ([[ISO_27001_2022_8.1_MoC Operational planning and control|C8.1]])
	- Risk Management ([[ISO_27001_2022_8.1_MoC Operational planning and control|C8.1]], [[ISO_27001_2022_8.2_MoC Information security risk assessment|C8.2]], [[ISO_27001_2022_8.3_MoC Information security risk treatment|C8.3]], [[ISO_27001_2022_10.1_MoC Continual improvement|C10.1]])
	- Controls implementation ([[ISO_27001_2022_8.3_MoC Information security risk treatment|C8.3]])
- **m600: Supporting the ISMS**
	- Resources ([[ISO_27001_2022_7.1_MoC Resources|C7.1]]) 
	- Competencies ([[ISO_27001_2022_7.2_MoC Competence|C7.2]])
	- Documentation ([[ISO_27002_2022_5.33_MoC Protection of records|A5.33]], [[ISO_27001_2022_7.5.2_MoC Creating and updating|C7.5.2]])
	- Policies ([[ISO_27002_2022_5.1_MoC Policies for information security|A5.1]])
	- Review calendar ([[ISO_27002_2022_5.35_MoC Independent review of information security|A5.35]], [[ISO_27001_2022_7.5.2_MoC Creating and updating|C7.5.2]])
	- Communication and Awareness ([[ISO_27001_2022_7.3_MoC Awareness|C7.3]], [[ISO_27001_2022_7.4_MoC Communication|C7.4]])
- **m700: Securing the Business**
	- m710: Business Continuity
		- Incident management ([[ISO_27002_2022_5.24_MoC Information security incident management planning and preparation|A5.24]], [[ISO_27002_2022_5.25_MoC Assessment and decision on information security events|A5.25]], [[ISO_27002_2022_5.26_MoC Response to information security incidents|A5.26]], [[ISO_27002_2022_5.27_MoC Learning from information security incidents|A5.27]], [[ISO_27002_2022_5.28_MoC Collection of evidence|A5.28]], [[ISO_27002_2022_5.29_MoC Information security during disruption|A5.29]], [[ISO_27002_2022_5.5_MoC Contact with authorities|A5.5]], [[ISO_27002_2022_5.6_MoC Contact with special interest groups|A5.6]])
		- Business Impact Analyses ([[ISO_27002_2022_5.29_MoC Information security during disruption|A5.29]], [[ISO_27002_2022_5.30_MoC ICT readiness for business continuity|A5.30]])
		- Business Continuity Planning ([[ISO_27002_2022_5.29_MoC Information security during disruption|A5.29]], [[ISO_27002_2022_5.30_MoC ICT readiness for business continuity|A5.30]], [[ISO_27002_2022_7.11_MoC Supporting utilities|A7.11]], [[ISO_27002_2022_5.5_MoC Contact with authorities|A5.5]])
	- m720: People Processes
		- HR Policies ([[ISO_27002_2022_6.1_MoC Screening|A6.1]], [[ISO_27002_2022_6.2_MoC Terms and conditions of employment|A6.2]], [[ISO_27002_2022_6.3_MoC Information security awareness, education and training|A6.3]], [[ISO_27002_2022_6.4_MoC Disciplinary process|A6.4]], [[ISO_27002_2022_6.5_MoC Responsibilities after termination or change of employment|A6.5]], [[ISO_27002_2022_6.6_MoC Confidentiality or non-disclosure agreements|A6.6]])
		- User policies ([[ISO_27002_2022_5.10_MoC Acceptable use of information and other associated assets|A5.10]], [[ISO_27002_2022_5.11_MoC Return of assets|A5.11]], [[ISO_27002_2022_5.12_MoC Classification of information|A5.12]], [[ISO_27002_2022_5.13_MoC Labelling of information|A5.13]], [[ISO_27002_2022_5.14_MoC Information transfer|A5.14]], [[ISO_27002_2022_5.37_MoC Documented operating procedures|A5.37]], [[ISO_27002_2022_6.7_MoC Remote working|A6.7]], [[ISO_27002_2022_6.8_MoC Information security event reporting|A6.8]], [[ISO_27002_2022_7.7_MoC Clear desk and clear screen|A7.7]], [[ISO_27002_2022_8.24_MoC Use of cryptography|A8.24]])
		- Training ([[ISO_27002_2022_6.3_MoC Information security awareness, education and training|A6.3]])
	- 730: Technology processes
		- Access Control ([[ISO_27002_2022_5.15_MoC Access control|A5.15]], [[ISO_27002_2022_5.16_MoC Identity management|A5.16]], [[ISO_27002_2022_5.17_MoC Authentication information|A5.17]], [[ISO_27002_2022_5.18_MoC Access rights|A5.18]], [[ISO_27002_2022_8.2_MoC Privileged access rights|A8.2]], [[ISO_27002_2022_8.3_MoC Information access restriction|A8.3]], [[ISO_27002_2022_8.4_MoC Access to source code|A8.4]], [[ISO_27002_2022_8.5_MoC Secure authentication|A8.5]])
		- Technologies lifecycle ([[ISO_27002_2022_5.8_MoC Information security in project management|A5.8]], [[ISO_27002_2022_5.23_MoC Information security for use of cloud services|A5.23]], [[ISO_27002_2022_8.26_MoC Application security requirements|A8.26]], [[ISO_27002_2022_8.27_MoC Secure system architecture and engineering principles|A8.27]], [[ISO_27002_2022_8.28_MoC Secure coding|A8.28]], [[ISO_27002_2022_8.29_MoC Security testing in development and acceptance|A8.29]], [[ISO_27002_2022_8.30_MoC Outsourced development|A8.30]], [[ISO_27002_2022_8.31_MoC Separation of development, test and production environments|A8.31]], [[ISO_27002_2022_8.32_MoC Change management|A8.32]], [[ISO_27002_2022_8.33_MoC Test information|A8.33]], [[ISO_27002_2022_7.13_MoC Equipment maintenance|A7.13]], [[ISO_27002_2022_7.14_MoC Secure disposal or re-use of equipment|A7.14]], [[ISO_27002_2022_8.6_MoC Capacity management|A8.6]])
		- Vendor management ([[ISO_27002_2022_5.19_MoC Information security in supplier relationships|A5.19]], [[ISO_27002_2022_5.20_MoC Addressing information security within supplier agreements|A5.20]], [[ISO_27002_2022_5.21_MoC Managing information security in the ICT supply chain|A5.21]], [[ISO_27002_2022_5.22_MoC Monitoring, review and change management of supplier services|A5.22]], [[ISO_27002_2022_5.23_MoC Information security for use of cloud services|A5.23]], [[ISO_27002_2022_8.29_MoC Security testing in development and acceptance|A8.29]])
		- Device management ([[ISO_27002_2022_7.9_MoC Security of assets off-premises|A7.9]], [[ISO_27002_2022_7.10_MoC Storage media|A7.10]], [[ISO_27002_2022_8.1_MoC User endpoint devices|A8.1]], [[ISO_27002_2022_8.7_MoC Protection against malware|A8.7]])
		- IT administration ([[ISO_27002_2022_8.7_MoC Protection against malware|A8.7]], [[ISO_27002_2022_8.8_MoC Management of technical vulnerabilities|A8.8]], [[ISO_27002_2022_8.9_MoC Configuration management|A8.9]], [[ISO_27002_2022_8.10_MoC Information deletion|A8.10]], [[ISO_27002_2022_8.11_MoC Data masking|A8.11]], [[ISO_27002_2022_8.12_MoC Data leakage prevention|A8.12]], [[ISO_27002_2022_8.13_MoC Information backup|A8.13]], [[ISO_27002_2022_8.14_MoC Redundancy of information processing facilities|A8.14]], [[ISO_27002_2022_8.15_MoC Logging|A8.15]], [[ISO_27002_2022_8.16_MoC Monitoring activities|A8.16]], [[ISO_27002_2022_8.17_MoC Clock synchronization|A8.17]], [[ISO_27002_2022_8.18_MoC Use of privileged utility programs|A8.18]], [[ISO_27002_2022_8.19_MoC Installation of software on operational systems|A8.19]], [[ISO_27002_2022_8.20_MoC Networks security|A8.20]], [[ISO_27002_2022_8.21_MoC Security of network services|A8.21]], [[ISO_27002_2022_8.22_MoC Segregation of networks|A8.22]], [[ISO_27002_2022_8.23_MoC Web filtering|A8.23]], [[ISO_27002_2022_8.24_MoC Use of cryptography|A8.24]], [[ISO_27002_2022_8.25_MoC Secure development life cycle|A8.25]], [[ISO_27002_2022_8.26_MoC Application security requirements|A8.26]], [[ISO_27002_2022_8.27_MoC Secure system architecture and engineering principles|A8.27]], [[ISO_27002_2022_8.28_MoC Secure coding|A8.28]], [[ISO_27002_2022_8.29_MoC Security testing in development and acceptance|A8.29]], [[ISO_27002_2022_8.30_MoC Outsourced development|A8.30]], [[ISO_27002_2022_8.31_MoC Separation of development, test and production environments|A8.31]], [[ISO_27002_2022_8.32_MoC Change management|A8.32]], [[ISO_27002_2022_8.33_MoC Test information|A8.33]], [[ISO_27002_2022_8.34_MoC Protection of information systems during audit testing|A8.34]], [[ISO_27002_2022_5.6_MoC Contact with special interest groups|A5.6]]) 
		- Physical security ([[ISO_27002_2022_7.1_MoC Physical security perimeters|A7.1]], [[ISO_27002_2022_7.2_MoC Physical entry|A7.2]], [[ISO_27002_2022_7.3_MoC Securing offices, rooms and facilities|A7.3]], [[ISO_27002_2022_7.4_MoC Physical security monitoring|A7.4]], [[ISO_27002_2022_7.5_MoC Protecting against physical and environmental threats|A7.5]], [[ISO_27002_2022_7.6_MoC Working in secure areas|A7.6]], [[ISO_27002_2022_7.7_MoC Clear desk and clear screen|A7.7]], [[ISO_27002_2022_7.8_MoC Equipment siting and protection|A7.8]], [[ISO_27002_2022_7.12_MoC Cabling security|A7.12]])
- **800: Evaluate and Improve** ([[ISO_27001_2022_9_MoC Performance evaluation|C9]], [[ISO_27001_2022_10_MoC Improvement|C10]])
	- Audits and Reviews ([[ISO_27001_2022_9.2_MoC Internal audit|C9.2]], [[ISO_27002_2022_5.35_MoC Independent review of information security|A5.35]], [[ISO_27002_2022_5.36_MoC Compliance with policies, rules and standards for information security|A5.36]])
	- Management Reviews ([[ISO_27001_2022_9.3_MoC Management review|C9.3]])
	- Planning of Changes ([[ISO_27001_2022_6.3_MoC Planning of changes|C6.3]])
- **900: ISO 27001 Audits**
	- Afwijkingen en Correcties ([[ISO_27001_2022_10.1_MoC Continual improvement|C10.1]])