diff --git a/library/libraries/iso27001.yaml b/library/libraries/iso27001.yaml
new file mode 100644
index 0000000..ea5d6b9
--- /dev/null
+++ b/library/libraries/iso27001.yaml
@@ -0,0 +1,1207 @@ +urn: urn:intuitem:risk:library:iso27001-2022 +locale: en +name: ISO/IEC 27001:2022 +description: Information security management systems - Requirements +copyright: See https://www.iso.org/standard/27001 +version: 1 +objects: + framework: + urn: urn:intuitem:risk:framework:iso27001-2022 + provider: ISO/IEC + name: ISO/IEC 27001:2022 + description: Information security management systems - Requirements + version: '1.1' + requirement_groups: + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core + name: Core + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4 + name: '4' + description: Context of the organization + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4:4.1 + name: '4.1' + description: Understanding the organization and its context + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4:4.2 + name: '4.2' + description: Understanding the needs and expectations of interested parties + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4:4.3 + name: '4.3' + description: Determining the scope of the information security management system + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4:4.4 + name: '4.4' + description: Information security management system + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5 + name: '5' + description: Leadership + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5:5.1 + name: '5.1' + description: Leadership and commitment + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5:5.2 + name: '5.2' + description: Policy + 
parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5:5.3 + name: '5.3' + description: Organizational roles, responsibilities and authorities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6 + name: '6' + description: Planning + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1 + name: '6.1' + description: Actions to address risks and opportunities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1:6.1.1 + name: 6.1.1 + description: General + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1:6.1.2 + name: 6.1.2 + description: Information security risk assessment requirement + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1:6.1.3 + name: 6.1.3 + description: Information security risk treatment + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.2 + name: '6.2' + description: Information security objectives and planning to achieve them + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7 + name: '7' + description: Support + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.1 + name: '7.1' + description: Resources + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.2 + name: '7.2' + description: Competence + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.3 + name: 
'7.3' + description: Awareness + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.4 + name: '7.4' + description: Communication + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5 + name: '7.5' + description: Documented Information + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5:7.5.1 + name: 7.5.1 + description: General + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5:7.5.2 + name: 7.5.2 + description: Creating and Updating documented information + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5:7.5.3 + name: 7.5.3 + description: Control of documented information + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8 + name: '8' + description: Operations + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8:8.1 + name: '8.1' + description: Operational planning and control + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8:8.2 + name: '8.2' + description: Information security risk assessment + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8:8.3 + name: '8.3' + description: Information security risk treatment + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9 + name: '9' + description: Performance evaluation + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.1 + 
name: '9.1' + description: Monitoring, measurement, analysis, evaluation + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.2 + name: '9.2' + description: Internal audit + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.2:9.2.1 + name: 9.2.1 + description: General + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.2 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.2:9.2.2 + name: 9.2.2 + description: Internal audit programme + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.2 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3 + name: '9.3' + description: Management review + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3:9.3.1 + name: 9.3.1 + description: General + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3:9.3.2 + name: 9.3.2 + description: Management review inputs + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3:9.3.3 + name: 9.3.3 + description: Management review results + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10 + name: '10' + description: Improvement + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.1 + name: '10.1' + description: Continual improvement + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10 + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2 + name: '10.2' + description: Nonconformity and corrective action + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10 + - urn: 
urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a + name: Annex A + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + name: '5' + description: Organisational controls + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + name: '6' + description: People controls + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + name: '7' + description: Physical controls + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a + - urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + name: '8' + description: Technological controls + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a + requirements: + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:4:4.1:1 + name: 4.1r + description: Understand the context and the organization. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4:4.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.CONTEXT + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:4:4.2:1 + name: 4.2r + description: Determine interested parties and understand therir requirements + in relation with the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4:4.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.CONTEXT + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:4:4.3:1 + name: 4.3r + description: Determine the scope of the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4:4.3 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.SCOPE + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:4:4.4:1 + name: 4.4r + description: Design and implement the ISMS. 
+ parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:4:4.4 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.OVERVIEW + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:5:5.1:1 + name: 5.1r + description: Ensure top management provides adequate commitment and resources + for the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5:5.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.OVERVIEW + - urn:intuitem:risk:function:mitre-attack::D.CONTROL + - urn:intuitem:risk:function:mitre-attack::D.COM + - urn:intuitem:risk:function:mitre-attack::D.AUDIT_PLAN + - urn:intuitem:risk:function:mitre-attack::D.COMPETENCY + - urn:intuitem:risk:function:mitre-attack::POL.MAIN + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:5:5.2:1 + name: 5.2r + description: Define an adequate security policy. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5:5.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.MAIN + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:5:5.3:1 + name: 5.3r + description: Ensure roles and responsibilities are properly defined. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:5:5.3 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.RACI + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:6:6.1:6.1.1:1 + name: 6.1.1r + description: When planning for the ISMS, take into account risks and opportunities, + and actions to address them. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1:6.1.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.RISK + - urn:intuitem:risk:function:mitre-attack::D.RISK_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:6:6.1:6.1.2:1 + name: 6.1.2r + description: Establish a proper risk assessment process. 
+ parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1:6.1.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.RISK + - urn:intuitem:risk:function:mitre-attack::D.RISK_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:6:6.1:6.1.3:1 + name: 6.1.3r + description: Establish a proper risk treatment process, and produce a Statement + of Applicability. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.1:6.1.3 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.RISK + - urn:intuitem:risk:function:mitre-attack::D.RISK_REGISTER + - urn:intuitem:risk:function:mitre-attack::D.SOA + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:6:6.2:1 + name: 6.2r + description: Define and maintain relevant security objectives. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:6:6.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.MAIN + - urn:intuitem:risk:function:mitre-attack::D.SO_REGISTER + - urn:intuitem:risk:function:mitre-attack::D.RISK_REGISTER + - urn:intuitem:risk:function:mitre-attack::D.MGMT_REVIEW + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:7:7.1:1 + name: 7.1r + description: Provide adequate resources for the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.RACI + - urn:intuitem:risk:function:mitre-attack::D.COMPETENCY + - urn:intuitem:risk:function:mitre-attack::D.CONTROLS + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:7:7.2:1 + name: 7.2r + description: Manage competence of workforce interacting with the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.EDUC + - urn:intuitem:risk:function:mitre-attack::D.EDUC_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:7:7.3:1 + name: 7.3r + description: Manage awareness of all employees and contractors. 
+ parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.3 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.EDUC + - urn:intuitem:risk:function:mitre-attack::D.EDUC_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:7:7.4:1 + name: 7.4r + description: Manage communication relevant to the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.4 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.COM + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:7:7.5:7.5.1:1 + name: 7.5.1r + description: Document adequate information relevant to the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5:7.5.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.DOC_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:7:7.5:7.5.2:1 + name: 7.5.2r + description: Identify properly the documents, and manage reviews and approvals. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5:7.5.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.DOC_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:7:7.5:7.5.3:1 + name: 7.5.3r + description: Ensure the ISM documentation is available and adequately protected. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:7:7.5:7.5.3 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.DOC_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:8:8.1:1 + name: 8.1r + description: Define and implement adequate processes, and control them. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8:8.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.RACI + - urn:intuitem:risk:function:mitre-attack::D.PROC_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:8:8.2:1 + name: 8.2r + description: Perform risk assessments periodically. 
+ parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8:8.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.PROC_REGISTER + - urn:intuitem:risk:function:mitre-attack::D.RISK_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:8:8.3:1 + name: 8.3r + description: Implement risk treatment plan. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:8:8.3 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.PROC_REGISTER + - urn:intuitem:risk:function:mitre-attack::D.RISK_REGISTER + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:9:9.1:1 + name: 9.1r + description: Implement relevant monitoring, and evaluate performance and effectiveness + of the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.MONITOR + - urn:intuitem:risk:function:mitre-attack::D_AUDIT_PLAN + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:9:9.2:9.2.1:1 + name: 9.2.1r + description: Perform regular internal audits of the ISMS. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.2:9.2.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.AUDIT + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:9:9.2:9.2.2:1 + name: 9.2.2r + description: Manage the internal audit programme appropriately. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.2:9.2.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.AUDIT_PLAN + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:9:9.3:9.3.1:1 + name: 9.3.1r + description: Organize management reviews of the ISMS periodically. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3:9.3.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.MAIN + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:9:9.3:9.3.2:1 + name: 9.3.2r + description: Include appropriate data for effective management reviews. 
+ parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3:9.3.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.MGMT_REVIEW + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:9:9.3:9.3.3:1 + name: 9.3.3r + description: Document the results of the management reviews. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:9:9.3:9.3.3 + security_functions: + - urn:intuitem:risk:function:mitre-attack::D.MGMT_REVIEW + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.1:1 + name: 10.1r + description: Improve the ISMS continuously. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.1 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.MAIN + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:1 + name: 10.2r + description: Manage nonconformities appropriately. + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2 + security_functions: + - urn:intuitem:risk:function:mitre-attack::POL.MAIN + - urn:intuitem:risk:function:mitre-attack::POL.INCIDENT + - urn:intuitem:risk:function:mitre-attack::D.NC_LOG + - urn:intuitem:risk:function:mitre-attack::D.PROC_REGISTER + - urn:intuitem:risk:function:mitre-attack::D.RACI + - urn:intuitem:risk:function:mitre-attack::D.MGMT_REVIEW + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:1 + name: '5.1' + description: Policies for information security + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:2 + name: '5.2' + description: Information security roles and responsibilities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:3 + name: '5.3' + description: Segregation of duties + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:4 + 
name: '5.4' + description: Management responsibilities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:5 + name: '5.5' + description: Contact with authorities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:6 + name: '5.6' + description: Contact with special interest groups + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:7 + name: '5.7' + description: Threat intelligence + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:8 + name: '5.8' + description: Information security in project management + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:9 + name: '5.9' + description: Inventory of information and other associated assets + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:10 + name: '5.10' + description: Acceptable use of information and other associated assets + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:11 + name: '5.11' + description: Return of assets + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:12 + name: '5.12' + description: Classification of information + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:13 + name: '5.13' + description: Labelling of information + 
parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:14 + name: '5.14' + description: Information transfer + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:15 + name: '5.15' + description: Access control + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:16 + name: '5.16' + description: Identity management + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:17 + name: '5.17' + description: Authentication information + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:18 + name: '5.18' + description: Access rights + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:19 + name: '5.19' + description: Information security in supplier relationships + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:20 + name: '5.20' + description: Addressing information security within supplier agreements + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:21 + name: '5.21' + description: Managing information security in the ICT supply chain + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:22 + name: '5.22' + description: Monitor, review and change management of supplier services + parent_urn: 
urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:23 + name: '5.23' + description: Information security for use of cloud services + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:24 + name: '5.24' + description: Information security incident management planning and preparation + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:25 + name: '5.25' + description: Assessment and decision on information security events + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:26 + name: '5.26' + description: Response to information security incidents + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:27 + name: '5.27' + description: Learning from information security incidents + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:28 + name: '5.28' + description: Collection of evidence + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:29 + name: '5.29' + description: Information security during disruption + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:30 + name: '5.30' + description: ICT readiness for business continuity + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:31 + name: '5.31' + description: Legal, statutory, 
regulatory and contractual requirements + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:32 + name: '5.32' + description: Intellectual property rights + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:33 + name: '5.33' + description: Protection of records + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:34 + name: '5.34' + description: Privacy and protection of PII + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:35 + name: '5.35' + description: Independent review of information security + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:36 + name: '5.36' + description: Compliance with policies, rules and standards for information security + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:5:37 + name: '5.37' + description: Documented operating procedures + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:5 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:6:1 + name: '6.1' + description: Screening + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:6:2 + name: '6.2' + description: Terms and conditions of employment + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:6:3 + name: '6.3' + description: Information security awareness, education and training 
+ parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:6:4 + name: '6.4' + description: Disciplinary process + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:6:5 + name: '6.5' + description: Responsibilities after termination or change of employment + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:6:6 + name: '6.6' + description: Confidentiality or non-disclosure agreements + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:6:7 + name: '6.7' + description: Remote working + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:6:8 + name: '6.8' + description: Information security event reporting + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:6 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:1 + name: '7.1' + description: Physical security perimeters + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:2 + name: '7.2' + description: Physical entry + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:3 + name: '7.3' + description: Securing offices, rooms and facilities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:4 + name: '7.4' + description: Physical security monitoring + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: 
urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:5 + name: '7.5' + description: Protecting against physical and environmental threats + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:6 + name: '7.6' + description: Working In secure areas + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:7 + name: '7.7' + description: Clear desk and clear screen + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:8 + name: '7.8' + description: Equipment siting and protection + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:9 + name: '7.9' + description: Security of assets off-premises + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:10 + name: '7.10' + description: Storage media + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:11 + name: '7.11' + description: Supporting utilities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:12 + name: '7.12' + description: Cabling security + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:13 + name: '7.13' + description: Equipment maintenance + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:7:14 + name: '7.14' + description: Secure disposal or re-use of 
equipment + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:7 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:1 + name: '8.1' + description: User end point devices + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:2 + name: '8.2' + description: Privileged access rights + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:3 + name: '8.3' + description: Information access restriction + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:4 + name: '8.4' + description: Access to source code + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:5 + name: '8.5' + description: Secure authentication + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:6 + name: '8.6' + description: Capacity management + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:7 + name: '8.7' + description: Protection against malware + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:8 + name: '8.8' + description: Management of technical vulnerabilities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:9 + name: '8.9' + description: Configuration management + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: 
urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:10 + name: '8.10' + description: Information deletion + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:11 + name: '8.11' + description: Data masking + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:12 + name: '8.12' + description: Data leakage prevention + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:13 + name: '8.13' + description: Information backup + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:14 + name: '8.14' + description: Redundancy of information processing facilities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:15 + name: '8.15' + description: Logging + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:16 + name: '8.16' + description: Monitoring activities + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:17 + name: '8.17' + description: Clock synchronization + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:18 + name: '8.18' + description: Use of privileged utility programs + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:19 + name: '8.19' + description: Installation of software on operational systems + 
parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:20 + name: '8.20' + description: Networks security + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:21 + name: '8.21' + description: Security of network services + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:22 + name: '8.22' + description: Segregation of networks + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:23 + name: '8.23' + description: Web filtering + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:24 + name: '8.24' + description: Use of cryptography + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:25 + name: '8.25' + description: Secure development life cycle + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:26 + name: '8.26' + description: Application security requirements + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:27 + name: '8.27' + description: Secure system architecture and engineering principles + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:28 + name: '8.28' + description: Secure coding + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: 
urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:29 + name: '8.29' + description: Security testing in development and acceptance + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:30 + name: '8.30' + description: Outsourced development + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:31 + name: '8.31' + description: Separation of development, test and production environments + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:32 + name: '8.32' + description: Change management + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:33 + name: '8.33' + description: Test information + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + - urn: urn:intuitem:risk:reqs:iso27001-2022:core:10:10.2:annex-a:8:34 + name: '8.34' + description: Protection of information systems during audit testing + parent_urn: urn:intuitem:risk:req_groups:iso27001-2022:core:10:10.2:annex-a:8 + security_functions: + - urn: urn:intuitem:risk:function:mitre-attack::D.OVERVIEW + name: Organization overview document + provider: intuitem + description: 'Objectives of the organization + + Organigram + + ISMS objectives + + CISO responsibilities + + ISMS Management review' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.CONTEXT + name: Context of organization document + provider: intuitem + description: 'Stakeholders + + Authorities + + Special interest groups' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.SCOPE + name: ISMS Scope document + provider: intuitem + description: 'Products and services + + Products and services requiring 
certification + + Locations + + Organization view + + Business architecture view + + Data architecture view + + Application architecture view + + Technology architecture view + + Network view + + Scope statement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.LEGAL + name: legal register + provider: intuitem + description: "Legal requirements \nStatutory requirements \nRegulatory requirements\ + \ \nContractual requirements \nIntellectual property rights\nEmployment contracts\n\ + NDAs" + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.SOA + name: Statement of Applicabilty document + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.CONTROLS + name: Controls accountability matrix + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.AUDIT_PLAN + name: Audit plan document + provider: intuitem + description: 'Context of the organization + + Leadership + + Planning + + Support + + Operation + + Performance evaluation + + Improvement + + Organizational controls + + People controls + + Physical controls + + Technological controls' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.COMPETENCY + name: Competency matrix + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.RACI + name: Responsibility matrix + provider: intuitem + description: RACI for ISMS + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.COM + name: Communication plan document + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.RISK_REGISTER + name: Risk register + provider: intuitem + description: 'Risk owner + + Impact + + Likelihood + + Risk level + + Evaluation + + Priority + + Treatment option + + Mitigations - recommended security measures' + version: '1.1' + - urn: 
urn:intuitem:risk:function:mitre-attack::D.SO_REGISTER + name: Security objectives register + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.MGMT_REVIEW + name: Management review plan document + provider: intuitem + description: 'Review of risks + + Review of security objectives + + Review of security incidents + + Review of vulnerability management + + Review of non-conformities' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.EDUC_REGISTER + name: Training and awareness register + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.DOC_REGISTER + name: Document register + provider: intuitem + description: 'Rules for edition and maintenance + + Version control + + Register + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.PROC_REGISTER + name: Operational procedures register + provider: intuitem + description: 'Risk management procdure + + Incident management procedure + + Problem management procedure + + Vulnerability management procedure + + HR procedures + + Change management procedure + + Procedure for externalization + + Physical security procedures + + Privileged access procedure + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.NC_LOG + name: Log of non-conformities + provider: intuitem + description: "List of non-conformities (incident, problems, \u2026)\nCorrective\ + \ action taken" + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.INTERNAL_RULES + name: Rules of procedure document + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.ASSET_REGISTER + name: Registry of assets + provider: intuitem + description: CMDB + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::D.SUPPLIER_REGISTER + name: Registry of suppliers + provider: intuitem + 
description: Risk management + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.MAIN + name: Main policy + provider: intuitem + description: 'information security objectives + + commitment + + Management review + + Applicable policies + + Management of non conformities + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.EDUC + name: Information security awareness and traning policy + provider: intuitem + description: 'implications of not respecting + + Security event reporting + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.WORK + name: Workstations and teleworking policy + provider: intuitem + description: 'Workstations + + Mobile devices + + Teleworkding + + Password handling + + Returning of assets + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.CRYPTO + name: Cryptographic policy + provider: intuitem + description: 'Key management + + Encryption + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.CLASSIF + name: Information classification and handling policy + provider: intuitem + description: 'classification + + protection and handling of information + + Poritection and handling of PII + + clear desk + + clear screen + + Protection of records + + Retention rules + + Use of test information + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.AUDIT + name: Internal and external audit policy + provider: intuitem + description: Protection of audit information + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.BCP + name: Business continuity policy + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.SEG_DUTY + name: Segregation of duties policy + provider: intuitem + description: '' + version: '1.1' + - urn: 
urn:intuitem:risk:function:mitre-attack::POL.ACCESS + name: Access control policy + provider: intuitem + description: 'Identification + + authentication + + password management + + RBAC + + Review of access rights + + Provisioning + + Leavers + + Remote access + + Privileged access management + + Third party access + + Monitoring and reporting + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.MALWARE + name: Malware protection policy + provider: intuitem + description: 'antivirus + + EDR' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.RISK + name: Risk management policy + provider: intuitem + description: 'Risk management definition + + Risk appetite + + Risk acceptance criteria + + Criteria for risk assessment + + Risk identification + + Risk assessment + + CIAP approach + + Risk reporting + + Risk review + + Risk treatment (mitigation acceptance, transfer) + + Risk evaluation + + Use of ISO27002 controls + + Management of access rights + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.ASSET + name: Asset management policy + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.BACKUP + name: Backup and restore policy + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.SUPPLIER + name: Third party supplier security policy + provider: intuitem + description: Management of supplier risk + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.MONITOR + name: Logging and monitoring policy + provider: intuitem + description: Logging + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.TRANSFER + name: Information transfer policy + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.SECDEV + name: Secure development policy + provider: intuitem + 
description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.PHYSICAL + name: Physical security policy + provider: intuitem + description: 'Physical security perimeter + + Secure areas + + Employee access control + + Visitors access control + + Delivery management + + Cabling security + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.NETWORK + name: Network security management policy + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.ACCEPT + name: Acceptable use policy + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.PROJECT + name: IS project integration policy + provider: intuitem + description: '' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.THREAT_INTEL + name: Threat intelligence policy + provider: intuitem + description: 'Known Exploited Vulnerabilities + + Threat actors activity + + Continual improvement' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.INCIDENT + name: IS incident management policy + provider: intuitem + description: 'Security incident management + + Vulnerability management' + version: '1.1' + - urn: urn:intuitem:risk:function:mitre-attack::POL.MAINTENANCE + name: Maintenance policy + provider: intuitem + description: 'Obsolescence management + + Maintenance contracts + + Change management' + version: '1.1'