{ "queries": { "9fa7e16c-987b-4700-9048-cf7c2df46037": "How can management ensure that employees, contractors, and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work?", "02246769-fd6b-413d-9dcc-b53b956b0f6e": "What are the requirements for information security awareness, education, and training for all employees of the organization, as well as contractors and third party users, according to the ISO 27001:2015 standard?", "42659caa-11e4-453f-9554-00a4fecc3e2e": "Why is it important for the board to review progress towards final implementation of the security policy at specific dates?", "3cc4f586-7387-4dfe-ac20-3b6fa3440fb4": "What are the key points suggested for reviewing progress towards implementing the security policy, and why are these points significant in the process?", "02861940-53c2-4953-a3ce-8ebe5bac2df7": "How can access controls be used to secure specific rooms within a building, and why is it important to ensure that unauthorized individuals cannot observe activities within these rooms?", "46325c46-e487-43ea-bd43-196205a33063": "What considerations must be taken into account when implementing physical security monitoring measures such as security guards, CCTV, and intruder alarms, particularly in relation to privacy legislation and the correct placement of cameras?", "ef6c30bb-7a23-4865-8431-c8c9bb5206d2": "Explain the importance of establishing management responsibilities and procedures for responding to information security incidents, as outlined in control a.16.1.1. How does this contribute to ensuring a quick, effective, and orderly response to security events?", "ed950482-0124-4886-89c3-230389fdc583": "In accordance with control a.16.1.2, why is it crucial for security events to be reported through appropriate management channels as quickly as possible? 
How does this help in addressing observed or suspected information security weaknesses in systems or services?", "fd348851-d006-4826-8174-1d38de90db14": "How does setting the scope of an organization's ISMS contribute to the effectiveness of the system, and what are the key considerations in defining the scope?", "4b52958a-e15c-4d5d-9905-a82e8f1dbc9e": "Explain the importance of having an internal audit program in place for an ISMS, and discuss the key elements that should be included to ensure independence and avoid conflicts of interest.", "09028450-6558-4ae4-bfac-a0944eeba3c0": "How can information security be compromised through various communication mediums such as e-mails, mobile phones, answering machines, and teleconferences?", "29324672-e27e-40bd-bedc-9b49fe36f24f": "What are some potential risks and threats to information security, including unauthorized access, accidental sending of information to the wrong recipient, and theft or loss of mobile phones?", "ed843e16-7647-4514-b3ea-ae548ccf353e": "How does the California Consumer Privacy Act compare to the EU GDPR in terms of regulatory impact in the USA?", "eda4ae87-38e2-415e-89fd-0ace102a39e1": "What are some key components of the UK's Data Protection Act 2018 and how does it relate to the EU GDPR?", "5094a1cc-0c6c-4473-817b-dee5f6299159": "How does the new structure of annex a controls align with the four pillars of information security, and why is this alignment considered a significant improvement over the previous version?", "64d9a3fb-88ec-4d15-a51c-b46a038bc005": "Discuss the importance of the technological pillar in information security, and provide examples of controls that fall under this category.", "daff023c-2046-4b0c-819c-947688555715": "How does the information classification procedure help organizations determine which information assets are worth protecting and which are not? 
Provide an example to illustrate your answer.", "48a9e198-fc7c-4842-87cd-c99f3087309b": "According to control 8.1.3 of ISO27002, what are the key considerations organizations should address when documenting and implementing rules for the acceptable use of information assets, systems, and services? How do these rules apply to employees, contractors, and third parties?", "23b902e3-5ffd-46de-b127-9d62bd6ba485": "How can organizations ensure reliable time sources for systems such as time recording systems, access-controlled doors, and canteen billing systems? Discuss the importance of establishing a unified time base for internal monitoring purposes.", "bfe3ecbe-7fec-497f-a0ab-4c214368e9d8": "What measures should be taken if there is no possibility of automated time query for technical facilities? Explain the significance of using utility programs with privileged rights in maintaining administrative and security-related settings.", "485ed01c-9c75-4993-b664-d489de334053": "Explain the importance of carrying out spot checks regularly to ensure effective synchronization in information security management. How can a failure at this level impact event investigation, disciplinary action, and court actions?", "b090671b-b3c3-47c1-8032-95bae578c981": "Differentiate between an information security event and an information security incident according to section 16 of ISO27002. 
Why is it crucial to make a distinction between the two, and what steps should be taken to manage incidents effectively?", "5dd87feb-c86d-4a24-a017-85d72a71610e": "How should information security incidents be responded to according to the documented procedures outlined in the context information?", "625cd77b-21b1-48d4-8178-0cfd45c8b18c": "Who is responsible for implementing controls in response to information security incidents, and how can knowledge gained from analyzing and resolving incidents be used to reduce the likelihood or impact of future incidents?", "95432f18-ec02-49a4-900b-01fa5365b89f": "How can perimeter protection be visually indicated in a security zone, and why is it important to prevent unauthorized access to assets within this zone?", "e6bbb863-49dc-4951-8338-61ef6d7d126f": "What security measures should be in place at defined points of access to protected security zones, and why is it crucial for the perimeter protection design to be based on the security requirements of information processing in the respective zone?", "20b5b3f2-4228-44cc-8000-319832e26928": "How can vulnerabilities be categorized in relation to assets, threats, and controls according to the information provided in the document? Provide examples of vulnerabilities and methods for vulnerability assessment as outlined in annex d.", "97e2e275-a862-4726-88ea-318a83b48b0d": "Explain the importance of identifying consequences in the context of asset management. 
How can the consequences of losses of confidentiality, integrity, and availability impact an organization's assets and operations?", "c9d77f79-3732-4e65-91ef-6e25422d4838": "What are some fundamental requirements that should be considered in a contract for outsourcing services, particularly in relation to data protection, audits, certifications, and subcontractors?", "e7e852dd-6044-4964-a50e-347c438400f0": "What steps should be taken before the start of performance in an outsourcing contract, such as clearance/authorization of personnel and naming subcontractors?", "a5b2bf8e-1a62-442f-a88f-63a59254ce19": "How should security objectives be broken down to relevant organizational units in the context of ISMS-5.1 (a)? Provide an example using the security objective of confidentiality of customer data.", "21244884-298a-44e9-8182-3c6adcc9c0a0": "In the context of the risk \"loss of confidentiality,\" how should risk owners be determined and what is their role in ensuring the confidentiality of customer data within their respective organizational units?", "8c5b123c-0120-44d3-aec2-ac047ad85dfa": "How does the use of tools in risk assessment and SOA development impact the amount of paperwork generated, flexibility in dealing with changing circumstances, and the meaningfulness of the results generated?", "7e2c13d2-9966-47ee-9ff5-ea802a384451": "Why is it important to track changes to the risk assessment process over time and consider the 'future-proofing' aspect of requirements when purchasing a risk assessment tool, in addition to ensuring the proper support and continuity of the product from the supplier and manufacturer?", "1b67ae6f-0c92-4ed9-9b22-6a47d93411a1": "What is the significance of skipping chapters 0 to 3 in the commentary on chapter 4 of the standard according to the provided context information?", "218eb939-6c89-47e1-8409-a84ced9ed79e": "How does the author indicate changes compared to the previous version of the standard in the commentary on chapter 4 of the 
standard, as mentioned in the context information?", "94db8ea0-a7b8-457b-8697-7da9e6ba7c1c": "How can organizations ensure a reliable time source for recording legally relevant information, and why is this important in a large IT landscape?", "22c3e285-0ab2-4d22-8446-24267aab3d50": "Discuss the importance of establishing backup and archiving procedures for records in order to ensure their availability for evaluation.", "af47fdf9-e36f-432e-9add-c2079172dae6": "How can the information security department members ensure alignment with the standard operating procedures used by other departments in the organization?", "bb012ad5-1c39-440e-af30-18684eb6fb69": "Why is it important for the team to understand the business context in order to effectively assess needs and scope for information security implementation?", "c43e6d64-7483-48e2-95ae-d90518d2de5e": "How does the ISO 27001 standard recommend that management review meeting results be considered in the context of policy revision and approval?", "9315c6d3-0d08-4331-8e7c-6cf31639956a": "What role does the information security department play in ensuring that revised policies are reviewed at regular intervals and approved by management, according to the internal organization objective of the ISO 27001 standard?", "320a19cc-1dd0-4df3-a739-388eee901755": "How can organizations ensure the successful acceptance of systems they procure but did not develop themselves, particularly in terms of security requirements?", "93863b5b-ea15-4292-94f9-42276c29a174": "What is the significance of conducting acceptance tests in a test environment rather than a production environment, and how does this relate to the overall security of the system during productive operation?", "153314ae-0151-481b-976f-77dab30cd4ab": "Why is consistent time synchronization important in information processing systems and facilities, according to the provided context information?", "a5687beb-5e1a-4bf7-9095-7bb784b110b6": "What are some examples of time sources 
that can be used for clock synchronization in an IT landscape, as mentioned in the text?", "802f3db9-6ff3-4d74-925c-76edbcabe254": "Explain the significance of control a-5.12 in the context of the project, particularly in relation to the expanded objectives for classification and occasions summarized.", "aa75a5c2-8409-459c-9eee-f57e5f1051fa": "Discuss the implications of control a-5.19 in agreements, focusing on the generalized nature of the control and its relevance in specific scenarios.", "b9e57750-12c8-4bc7-928d-d3e2796b1998": "How does the diversity of media types navigating port 80 make it difficult for firewalls to filter out malware or control access to specific data channels?", "2ee00e0b-3767-48c9-9b92-fd61a448a69a": "In what ways is the risk from hackers growing, and how does organized crime play a role in turning to the internet and e-commerce as a lucrative business area?", "fc01779a-ddd5-4e61-9b57-a48f2c555492": "How can organizations monitor the transfer of information to removable storage media, such as secure digital (SD) cards and USB ports, to prevent unauthorized access, misuse, or corruption?", "22b8beda-42ba-4272-8d79-5d76dc92336c": "What security measures should be applied when transferring physical storage media, including paper documents, to protect against unauthorized access, misuse, or corruption during transport via postal service or courier?", "e26cb88a-9bcb-4f29-85be-099a395a1a82": "How does clause 7.1 of ISO 27001 emphasize the importance of identifying and allocating resources for the establishment, implementation, maintenance, and continual improvement of an organization's ISMS?", "125cc775-1ebf-4921-ab0f-3b8ee32bfddd": "What are the key resources that organizations need to consider according to clause 7.1 of ISO 27001, and how do these resources impact the effectiveness of an organization's ISMS?", "e2f1e994-9440-46d6-a0cb-4eb86b4b32cf": "How does the clear desk and clear screen policy contribute to information security in an 
organization, and what challenges may be faced in implementing this policy?", "3dba739f-c4e5-40fc-87ad-b3d4826ab2e7": "When considering equipment siting and protection for devices located outside of a typical office environment, what types of threats should be taken into account and how can these threats be mitigated?", "8f290e6b-20f8-413b-8f4d-08e34b49ca30": "What are the key considerations that need to be addressed from the perspective of teleworkers, including working hours, scope for teleworking, approval process, training and education, and supervision of teleworking systems?", "37fcaa93-acf1-4c6f-9385-82360061d6aa": "What are the specific requirements and prohibitions related to the use of teleworking systems, including exclusive use for official purposes, unauthorized use, and security measures for home offices and while traveling?", "b778d000-0695-426c-a12c-6557ed6809c7": "How can an organization maintain the security of information transferred within the organization and with external parties according to ISO/IEC 27002:2022(e)?", "56715b57-14a9-4d32-8bfe-88e53e4018c1": "What types of controls should be included in rules, procedures, and agreements for information transfer, as outlined in the guidance provided?", "4a237021-5945-4f20-87f0-751fe45224a5": "What is the purpose of a Data Protection Impact Assessment (DPIA) according to the ds-gvo, and when is it required?", "f72ad738-5293-4ca3-8ca3-5288df8144d6": "How does the Standard Data Protection Model (SDM) determine the protective measures needed for data processing, and what happens if the protective need is higher than normal?", "057b3cd5-7d3b-4943-bf5d-ad4a4eee5ac8": "How can an organization effectively communicate to employees and contractors that the use of unauthorized software/tools is prohibited? 
What controls can be implemented to prevent and detect the use of unauthorized software?", "b4dc6530-15f6-402c-919c-50b3bcabb96e": "What steps should be taken to prevent and detect malicious websites, and how can malware detection software be utilized to protect computer systems from malware threats? Discuss the importance of regular system reviews in maintaining cybersecurity measures.", "7dfdcef8-21d4-4419-bc8e-024d49b7bed5": "How can physical and logical access to diagnostic and configuration ports be controlled to ensure protection and security?", "c88f6c9b-5b2d-4304-9910-109e9eb23596": "Explain the importance of network connection control and how it helps in restricting user access to shared networks, especially across organizational boundaries.", "df802a8b-dbf2-4764-b1e3-7f5a2d37a0b9": "How should the level of preparedness for an audit be assessed according to the context information provided?", "e72a2c12-f686-4ed6-80f5-c90486337bf8": "Why is it important for the statement of applicability (SOA) to undergo a particularly detailed review in the context of internal ISMS audit and management review?", "1d1af8ec-c989-4611-bf78-32d73a311725": "Explain the importance of defining physical boundaries for an Information Security Management System (ISMS) and provide examples of justifications for excluding certain physical boundaries from the ISMS scope.", "9ace2c3b-23a7-4d52-99f2-85946ce3d26e": "How does the integration of organizational, information communication technology (ICT), and physical scopes and boundaries contribute to obtaining the overall ISMS scope and boundaries? 
Provide a step-by-step explanation of this integration process.", "e3da807e-0b97-4a34-9c06-1ded18dd3569": "What is the fundamental difference between the Sarbanes-Oxley Act and other codes of corporate governance, particularly in terms of compliance requirements?", "32b8d822-e622-491d-a4aa-00c895dc4f55": "Can you explain the significance of sections 302, 404, and 409 of the Sarbanes-Oxley Act, and why they are considered the highest-profile and most critical sections of the legislation?", "8d24db65-c6a1-4dc1-995d-cb6891e83d39": "What are some key considerations regarding the security of equipment and information when it comes to taking them off-site without authorization?", "4a74a1f3-c18f-45c4-bb87-d74680dae3e8": "Who is responsible for preparing evidence, such as a gate pass, for equipment taken off-premises according to the ISO 27001 control?", "5407cd0d-295f-40a3-b64f-96c0fff91de7": "How does the use of a tool-based ticket system contribute to the overall efficiency of incident management?", "1cbc77b5-9356-46e4-9ac6-aa6ff096c602": "What steps should be taken to ensure that individuals responsible for incident handling are properly trained and equipped with the necessary tools for efficient incident management?", "8571e75f-966a-4db3-923f-90f7aa882625": "What are the key benefits of implementing an Information Security Management System (ISMS) based on ISO 27001 within an organization, and how does it contribute to managing risks and ensuring the confidentiality, integrity, and availability of information?", "9ac87e82-65b1-41a2-9b10-1fc9a46bdbe0": "In terms of cost and duration, what factors influence the expenses associated with obtaining ISO 27001 certification, and how does the size of an organization impact the complexity and length of the certification process?", "7045a54b-df29-4040-b573-e96a62de4659": "How can talking to stakeholders help organizations achieve ISO 27001 compliance, even without seeking official certification?", 
"2e167026-1cc2-477c-b20f-6fbbf38e7611": "What steps can organizations take to evaluate the effectiveness of their information security practices according to the ISO 27001 standard requirements?", "c66000e2-2970-44bc-966a-dfdc5bf35873": "How can organizations identify and evaluate the needs and expectations of interested parties in the context of their Information Security Management System (ISMS)?", "95ce842f-f30c-4cf3-90cb-e51c7162dfc4": "What are the guidelines for implementing ISMS-4.2 in terms of understanding and incorporating the goals and expectations of interested parties into the organization's processes and systems?", "90917b91-a8f8-433c-96ad-3a7e1c6b66f7": "How can organizations ensure the security of accounts that are a clear target for hackers, according to the document?", "3582e1db-6fd1-4360-9228-972f77d547ba": "What is the importance of using multifactor authentication for accounts that are a target for hackers, as mentioned in the document?", "9f1aebf3-d0d0-4a8a-980c-479b985668ac": "How can handheld devices be used to transmit viruses to desktops and networks, and what potential risks do they pose in terms of security threats such as denial-of-service attacks and fraud against phone networks?", "076e58c1-28d2-4f64-a83c-a1eecf3133ee": "In what ways can smartphone users be vulnerable to hacking, and what personal data can be accessed by attackers through the manipulation of wireless networks? 
How can this threat be mitigated through access control processes?", "2e968090-7a62-4043-b51f-21c38a389702": "How can an organization ensure secure outsourced system development according to control 14.2.7 of ISO27002?", "4acd92e0-8344-466c-9882-96c8016d5485": "What measures does ISO27002 recommend for organizations engaging in outsourced development to protect themselves during a process over which they have little direct control?", "d84e73d0-38ec-4fcf-9024-1fa16281cc44": "How can organizations protect and manage removable media according to the control outlined in the document? Provide specific points to consider in the procedure.", "d3a1c594-8db1-4d9a-a53a-1e02f0b004a1": "Who is responsible for preparing the procedure for the management of removable devices, and what support should be provided by the information security team in implementing policies related to removable media?", "2c2f408e-424c-415e-92cd-cf7d3e17660d": "How can checks be effectively prepared to achieve their goals while minimizing disruption to work routines, according to the context information provided?", "972b253c-ecb5-49da-b037-dec355014b11": "Describe the three different basic forms in which design activities may be concluded, as outlined in the context information.", "60aab0a1-73d6-4f00-bf56-e209c95f2aac": "How can trading partners in business-to-business (B2B) commerce address fraudulent transactions and insurance issues, and what controls should be implemented to mitigate risks?", "0e24b4a6-1b2b-4fa7-af91-b771cab799a8": "In the context of business-to-consumer (B2C) commerce, how can organizations ensure data protection, prevent phishing attacks, and address credit card fraud, considering the implications of relevant laws and jurisdiction?", "f3bbea29-fe94-4fcf-a86d-67ac69d2de16": "Why is it important for an organization to appoint a specific individual responsible for the security of web servers, and what qualifications should this person possess according to the given information?", 
"63c1cc02-fe75-4cde-b270-3034f862b206": "How can an organization ensure the security of its web servers by following the recommendations provided, such as running the most recent Windows server and browser, installing service packs and hotfixes, and avoiding installing a Windows server on the same physical platform as a domain controller?", "5c6e9671-7da8-48d8-a4a4-9803af48ee5b": "How does the qualitative methodology mentioned in the text assist in quickly assessing different risks and making comparative risk assessment decisions? Provide examples to support your answer.", "ff5ac0d1-5112-4d13-978f-a14a5fbf9ef3": "Explain the concept of boundary calculations as discussed in the text and how it can be used to determine the amount to spend on risk control implementation. Use the provided example to illustrate your explanation.", "7fc0d3f4-eb3c-46bb-aac8-2c759c21b5a0": "How does the relevance of different control categories in ISO 27001 vary depending on the nature of an organization's operations, such as working with suppliers or relying solely on cloud-based applications?", "0352e191-5966-4ad0-8598-e239e3ffb04c": "What roles and responsibilities are necessary within an organization to successfully implement ISO 27001 controls, and how does collaboration among personnel from different areas contribute to the implementation process?", "95d33524-fe73-4570-9d35-27fc6c45bdfd": "How does documenting the organization's scope in terms of implementing security controls help ensure a common vision among all stakeholders, including management?", "fb28253d-c3d2-48bc-b665-a56680b0ee82": "What role does the Chief Information Security Officer (CISO) play in leading the implementation of ISO 27001 within an organization, and what authority do they have in forming a team for this purpose?", "79ca856d-015b-41f6-b54c-dd3cfcc3cd90": "How can organizations ensure that all legal and statutory requirements, including intellectual property rights, are clearly outlined in a supplier 
agreement?", "41f82cb8-ef82-4426-b3ac-10f8e8f6a69b": "In what circumstances does an organization have the right to audit a supplier organization, and why is this important for maintaining security and resolving issues within the partnership?", "140ded07-bc39-4859-a219-00cf84b2d668": "How do cyber attacks typically begin, and why are they considered automated and indiscriminate in nature according to the context information provided?", "56b42fdf-b645-4dd5-bd69-1b2fb9683925": "How has the evolving use of technology, such as cloud computing and social networks, impacted the perception of cybersecurity as a persistent business risk for organizations, as mentioned in the PricewaterhouseCoopers (PwC) global state of information security survey 2018?", "1aab1e4d-9d13-4404-b5bf-e208150d8bde": "How can organizations ensure compliance with the requirements for an Information Security Management System (ISMS) as outlined in chapters 4 to 10 of ISO 27001?", "df78630e-d9bb-49ec-8885-a19241560a44": "Why is it important for individuals studying ISO 27001 to familiarize themselves with the specific terminology used in the standard, as explained in section 14 of the document?", "a1b5189f-e455-4cf4-9d37-e39620928b50": "How does the storage of data play a crucial role in ensuring compliance with legal requirements, supervisory bodies, and the organization's own requirements? Discuss the importance of factors such as storage location, encryption, integrity-secured, and retention periods in this regard.", "3260da0f-66ec-40f1-8494-4b0a4f77837b": "In what ways does the external environment, including legal requirements, supervisory bodies, and stakeholders, influence the data management practices of an organization? 
Provide examples of how organizations can align their data storage and access policies with these external factors to ensure compliance and operational efficiency.", "b8d039fe-a2a3-4b7a-87df-3750c3ea99a5": "How can organizations ensure that the management forum and cross-functional group effectively address information security concerns, especially in relation to external certification audits?", "619dba17-5372-45aa-8b2f-dbcab585120f": "In what ways can organizations streamline their information security governance structure by potentially combining the management forum and cross-functional group, and what are the potential benefits and drawbacks of this approach?", "309b46ff-c0b9-4612-9ab2-467ce8545c87": "How can inventories of information and other associated assets support risk management, audit activities, vulnerability management, incident response, and recovery planning?", "564f79fb-e179-4d28-b468-be9850d9e652": "What is the importance of designating groups of information and other associated assets that act together to provide a particular service, and who is accountable for the owner of this service in such cases?", "2899615c-f1a4-4247-8f47-f878b132c2d6": "How should significant changes to sensitive applications be authorized according to the information security management forum or the IT governance committee?", "da5f708c-9854-41ed-92f1-0c91ead86324": "What steps should be taken to minimize business disruption and ensure that system documentation and user procedures are updated after implementing a change in the network environment?", "3d2f9d66-7929-49e6-b694-63bb9334a5bf": "What is the significance of the ISO 27001:2022 standard in the realm of information security management systems?", "ea55767d-7747-43f1-a917-2972b18711a9": "How does an Information Security Management System (ISMS) help organizations mitigate information security risks according to the provided context information?", "57190066-05c3-44f8-be02-12c51479e0c4": "How can an organization ensure 
a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions?", "6a73450e-0fba-4322-8f7a-baeb23b525c8": "What guidance does the ISO/IEC 27035 series provide in relation to the collection of evidence for information security events?", "d1f63d86-af0f-47b7-9ee8-c49ebf3ec0eb": "How can the implementation of visitor badges contribute to improved security in an organization, and what role do staff training and regular review of access rights play in maintaining physical security controls?", "843b8b40-925b-4acb-9039-0de6e732f384": "Why is it important for access rights to secure areas, especially computer server rooms, to be regularly reviewed, updated, and revoked? How can the information security management forum ensure accountability in this process?", "ff1af595-a7a3-4ff9-9584-b1531d94c9f9": "How can entry controls be used to manage movement between secure areas of an organization's premises, and what are some examples of entry control methods mentioned in the document?", "3c854f2a-7994-414a-813c-92060a19f8b9": "Why is it important for organizations to secure offices, rooms, and facilities where equipment containing sensitive information is stored, and how does this relate to the overall physical security perimeter of an organization?", "22a82866-4120-4f0d-8b61-6757cf0f54a2": "How can the lack of identification and authentication mechanisms like user authentication lead to security risks in software systems?", "2ad25a64-4949-4c48-a94f-ad86fcd15cdc": "Explain how uncontrolled downloading and use of software can result in tampering and potential security breaches in a system.", "30f98a7e-155b-4957-bd05-3cb397fca03e": "How does an iterative approach to conducting risk assessment contribute to the effectiveness of the information security risk management process?", "3a6a032e-38b0-47c5-b29c-135e091bb4c9": "In what circumstances would another iteration of the risk assessment be necessary, 
according to the information provided in the context?", "996cb98a-8425-4bf4-a1f1-59800dca3ddc": "What is the control objective of control a.6.1 in the standard, and how does it relate to the establishment of an information security management structure within an organization?", "7e371dfe-53be-49f7-8a61-9f3c33d12458": "How does the creation of a management information security forum align with the objectives of the information security policy and risk assessment processes outlined in the document?", "50821fe6-2d89-40dc-bdd1-f05175410050": "What are some key considerations for monitoring compliance with prescribed measures in practice, and how should reporting obligations be handled in case of violations of the agreement?", "e9176fea-a4b5-4441-99a4-9c8c725ea98e": "How can confidentiality requirements be addressed in contracts that do not have a separate non-disclosure agreement, and what are some alternative methods for including security policies in contracts for services such as outsourcing or cloud services?", "b0a379da-66b0-4718-b1c1-d30c1ecd7a45": "What is the purpose of ISO 27001 clause 8.2 regarding information security risk assessment?", "1aa3704f-39e8-42ed-aa98-a0db90269ada": "Why is it important for organizations to have a systematic, documented, and regularly reviewed risk management process for their information assets according to ISO 27001?", "3230aca0-b904-49b4-a9a0-82741685a5e9": "Explain the difference between a file, a worm, a trojan, and a rootkit in terms of how they spread and their intended effects on a computer system.", "fd7f8b54-b7bd-47a1-8f09-b3edec56a939": "How do polymorphic worms differ from regular worms in terms of their ability to overcome virus defenses and evolve in the wild?", "cd3cabf7-f252-431a-84e8-2a3dfca4e5b6": "What are the recommended actions for ensuring compliance with relevant legislation and regulations when dealing with encrypted information or cryptography tools, especially when crossing jurisdictional borders?", 
"df4977eb-50c1-4f1c-8588-7a70e1af8bec": "How should an organization protect its intellectual property rights according to the context information provided?", "f5ed184b-5974-4dcb-b932-b7473e878b57": "How does the organization's risk appetite play a role in decision-making regarding risks, and why is it important to define and document this aspect?", "15d77f6f-2fbc-4cbb-822c-bcc2362f561c": "Why is it necessary to consider the organization's existing controls, corporate risk management, business strategies, and policies when implementing an ISMS, and how does this integration contribute to overall risk management effectiveness?", "45232064-b862-4cf5-9b1f-ccdbdf28a1c8": "Why is achieving an accredited certification for ISO 27001 highly recommended according to the context information?", "e17d27e0-bde4-44a2-b3ba-e62582d0bd1f": "Why does the document strongly recommend seeking certification exclusively through accredited bodies for ISO 27001?", "2e239d69-3964-4c5c-a276-028035a69402": "How does certification against ISO/IEC 27001 by an accredited certification body contribute to increasing stakeholder trust in an organization?", "91ba4ff9-bb16-40e9-8f8e-442a21320ffe": "Explain the significance of the ISMS family of standards and its components in ensuring effective economic management of information security investments.", "27d7f440-0919-4f90-95ef-a714cf3eeec8": "What is the main objective of control a.11.1 in Annex A, and how does it contribute to the overall security of an organization's data?", "76c908d0-f6ec-4c9c-af39-8fbd4298da0f": "Explain the importance of physical and environmental security in relation to protecting an organization's systems, buildings, and supporting equipment against physical threats.", "996fbca1-7f1a-46a5-925f-c25359047a7a": "How does the ISO/IEC 27001 Annex A relate to certification audits, and what is the common practice among certification bodies in terms of assessment programs?", "96f7187d-c078-43ad-acfd-284c666c20c1": "In what ways does 
the Statement of Applicability (SoA) differ from the controls outlined in ISO/IEC 27001 Annex A, and what is the significance of ensuring that no unnecessary controls are included in the SoA?", "06061d0e-47b5-404a-931d-40d2f817c697": "How can achieving ISO 27001 certification benefit a company in terms of avoiding financial losses caused by ransomware attacks?", "8877f96e-d3cd-4c38-bef2-f84f92461021": "In what ways can having a certified information security system help a company win more deals and secure investments more easily?", "9433d279-1ac0-4b94-8bb7-c2378b6116b0": "How can organizations ensure that information security continuity is embedded into their business continuity management system according to ISO 27002 control objective 17.1?", "18e17216-3760-44af-bedd-adc282f74550": "What are the three specific controls that address the key control objective of embedding information security continuity into the organization's business continuity management system, as outlined in the provided context information?", "7bd60d4a-f1b1-464f-b8d1-b133e7052309": "How can training be utilized in the context of personnel deployment to address missing qualifications and expertise, particularly during the initial planning/implementation phase?", "0f949735-b1b3-40ff-8d51-9f518392dd1a": "In the implementation of controls in the risk treatment plan (RB plan), what are some examples of resources that may be used, and how can the costs associated with these resources be determined or estimated?", "55d50249-0b6a-449f-9fd9-5193a99fdb64": "How can a company ensure that the objectives of their Information Security Management System (ISMS) are clearly defined in the guideline on information security, and why is it important for management to be responsible for this document?", "2690837c-63b6-49ec-9ee0-af711a8bcf4f": "What steps should a company take to identify and assess risks, and what role does management play in approving the risk assessment process within the organization's risk 
management methodology?", "721441f4-ff96-455d-b16d-12bb35439f1a": "How can configuration management be integrated with asset management processes and associated tooling to enhance cybersecurity measures?", "a6a6716f-36c5-408b-94e9-0fcb2ad7debc": "Why is automation considered more effective in managing security configuration, and how can infrastructure as code be utilized in this process?", "72f52b6a-3e36-4f07-88d2-cb1c6fffab24": "How can management ensure the responsible and secure transfer of information between their organization and external parties, and what are the key considerations in framing agreements for this purpose?", "3792d89a-d453-4d84-a659-b3e25909ac1c": "In the event of a security incident involving the transfer of information, what steps should be taken to address the issue, including potential liabilities to be paid, and how can information classification levels be effectively communicated and agreed upon between the organization and external parties?", "5f25f3ea-e461-4c91-825b-6c4ff1c6a9ac": "How often is a recertification audit required to maintain ISO 27001 certification, and what does it entail?", "04863d8c-a318-4271-86c5-02b6b0a8dbe1": "Based on the size of a company or organization, how long does it typically take to prepare for an ISO 27001 external audit, and what are the main requirements to obtain certification?", "a554387e-2589-4f47-a265-5ddef5a5c53f": "How can security assessments, such as vulnerability assessments and penetration testing, help organizations determine baselines or acceptable behavior in their systems?", "397e5b43-a35a-43f4-a41a-c569a68bfda8": "Explain the importance of leveraging logs in combination with monitoring systems for detecting anomalous behavior in a network.", "2f4a8692-3e20-49da-a625-37f94325d748": "How does the ISO 27001 standard recommend assigning security-related activities to roles within an Information Security Management System (ISMS)?", "154836bc-b82b-49fa-8155-414f49e5b32c": "Why is it important to 
document the tasks, authorities, and qualification profiles for roles within an organization's data protection requirements, as outlined in the DS-GVO, BDSG, and other regulations?", "36408ee5-63cb-47a6-9da1-26c5e37f7e26": "How can organizations ensure the protection of cables carrying power, data, or supporting information services from interception, interference, or damage according to the ISO/IEC 27001:2022 standard?", "c204917d-ba5e-4bcf-be6f-de25eac9d804": "Why is it important for organizations to verify that any sensitive data and licensed software has been removed or securely overwritten from items of equipment containing storage media prior to disposal or re-use, as outlined in the information security controls reference in Annex A of the ISO/IEC 27001:2022 standard?", "5bb43ebe-228c-4d73-8c7e-abd128b4248a": "Compare and contrast the focus and scope of SOC 2 and ISO 27001 in terms of cybersecurity efforts and controls. How do these two standards differ in their approach to implementing, monitoring, and maintaining information security management systems (ISMS)?", "7b6ade37-f8a3-4bb2-8676-1b059208f392": "How do SOC 2, ISO 27001, and ISO 27002 complement each other in strengthening security standards and controls within organizations? Discuss the potential benefits of undergoing SOC 2 audits for organizations that have already achieved ISO 27001 certification.", "6ddb8307-40b7-479e-841c-6a94c01f5b58": "How does the presence of multiple versions of operating systems, such as Windows Server 2012 R2, Windows 8, and Windows 10, impact the management of vulnerabilities and threats within an organization's information systems?", "58bbd329-9f2c-44d3-86f5-9304cf5ec1b2": "According to ISO 27002, what is the significance of designating groups of assets that work together to provide a particular service in complex information systems? 
How does this designation impact accountability for the delivery and operation of the service?", "67c141c5-5699-4baf-bd7d-e4c53a30a2bb": "How does management commitment play a crucial role in the development and implementation of an Information Security Management System (ISMS)?", "28422ffd-08de-4182-a23d-92d71de99d4c": "Can you outline the key steps involved in conducting a risk assessment for an organisation's information assets as part of an ISMS?", "6c1d1d34-dd08-448f-b73c-37b398c5b1cd": "How does the high-level information security risk assessment help in defining priorities and chronology in taking action to address critical risks? Provide examples of situations where budget constraints may impact the implementation of all controls simultaneously.", "3a2a6692-376f-4241-aa59-655c35f7750f": "Why is it important to conduct a high-level assessment of consequences before delving into a detailed risk management process? How can synchronizing the risk assessment with other plans related to change management or business continuity help in making informed decisions about securing systems or applications?", "4ade3337-246b-406c-b14d-e70f0302daa4": "How does the ISO/IEC 27001 standard differ in its approach to the operation clause compared to other standards like ISO 22301 and ISO 9001?", "2cb9289d-5d3c-4b70-a2fa-fe1300c1f299": "What are some examples of where documentation for an Information Security Management System (ISMS) may be held in modern times, as mentioned in the context information?", "2e67c79a-b0ed-43e3-90db-f0db180dcb06": "How can users ensure that unattended equipment has appropriate protection according to the control ISO 27001 mentioned in the document?", "d64f7196-d69f-4199-a4ad-3bf7ecfcace7": "Who is responsible for defining policy and procedure to protect unattended users' system or equipment as stated in the document?", "48694142-c73f-46f9-a608-2265cd80471f": "How can an organization effectively transfer risks in terms of organizational security, and 
what actions should be taken to implement this risk transfer strategy?", "eaafd471-a70b-4e43-8c15-ab01cceb1037": "According to the example organizational structure for establishing the ISMS, what are the main roles and responsibilities of management, the information security committee, specialists team, and external consultants in ensuring information security within the organization?", "694daf80-63cb-45ce-8471-84c2a0be7343": "How do threat-vulnerability combinations impact the security of assets, and why is it important to consider multiple vulnerabilities for a single threat?", "b3a2cc12-384c-4fb2-85a4-4c9d1e24c07f": "Explain the significance of threat and vulnerability databases in the context of risk assessment, and discuss how unique threat-vulnerability combinations in specific industries may require additional controls beyond those outlined in ISO 27001 Annex A.", "6ba2243b-8d37-495b-b7f1-efe7f2695c8b": "What are the different perspectives on when to implement upgrades for commercial off-the-shelf software packages, and what is the recommended approach according to the context information provided?", "6efeea5d-0d10-4a4c-80d8-3d943df37992": "How should users of commercial off-the-shelf software packages stay informed about upgrades, patches, fixes, and potential security weaknesses, and what is the recommended action regarding Microsoft service packs according to the context information provided?", "137d68fd-5c9c-4c76-a810-f0f74cf0c9ad": "How does the risk treatment plan play a crucial role in linking the components of the risk management process and the continual improvement of the ISMS?", "96a8fa53-147f-42ac-82cb-8ea66011ca13": "Why is it important for the risk treatment plan to clearly identify individual competence, training, and awareness requirements for the execution and continual improvement of risk management objectives?", "d9197d92-5800-410d-90ed-d20f6a16da56": "How can organizations ensure that their vendors are managing business and customer risks 
effectively in the context of outsourced policies and processes?", "28a22baa-66ca-494b-8ca9-9a25061394a7": "What are the three main steps that organizations can take to identify the scope of implementation for their Information Security Management System (ISMS) according to the provided text?", "3826ad78-e182-49b1-bab1-8ecd00e6b596": "How does the ISO/IEC 27001:2022 standard address the use of cryptography in network security, and what key management practices are required to be defined and implemented?", "b7eaf7b3-6a9e-4d9a-baa5-435cb1a71f25": "Explain the importance of establishing and applying secure development life cycle rules in software and system development, and how these rules contribute to overall information security within an organization.", "dca11ec2-cb45-4210-9212-46cd74cc92a5": "How do data breach reporting laws in the United States differ from federal data protection legislation, and what impact do sectoral regulations such as HIPAA, GLBA, and FISMA have on organizations?", "fb9db65b-5c66-47e3-861c-9181c9982003": "Discuss the significance of emerging economies passing data protection and cyber security laws, and explain the importance of compliance with PCI DSS for organizations that accept payment cards.", "778e3f99-cf22-493b-85de-201baa8f7e77": "Explain the importance of encryption methods in ensuring the security of service usage, including key generation, distribution, and storage. How do these methods contribute to maintaining the confidentiality and integrity of data exchanged through security gateways?", "629f3108-7624-4f1c-9a50-49cafd735003": "Discuss the significance of service level agreements in guaranteeing the quality and availability of services, including bandwidth, transaction performance, maintenance windows, response times, and downtime. 
How do these agreements help in establishing clear expectations and responsibilities between service providers and users?", "24074717-f166-4036-a9e9-be781a400082": "How can owners of information and associated assets ensure authorized access and prevent unauthorized access according to the guidance provided in the document?", "8d8024ce-3b6e-4396-bc69-5dbf3396ed71": "Discuss the importance of considering factors such as determining entities requiring access, security of applications, physical access controls, information dissemination and authorization, and restrictions to privileged access when defining a topic-specific policy on access control.", "4eb9fa0e-df50-4679-810c-92956e0afd26": "How can early retrieval of company assets from staff benefit both the organization and the individual concerned, according to the document?", "a30f8767-1d56-451a-8234-4c9eb79648ef": "What measures should users take to ensure that unattended equipment, such as workstations or servers, have appropriate protection as outlined in control a.11.2.8?", "6aab11de-bfe7-44db-a7f3-1d406085c82b": "Why does the document recommend that organizations change their operating procedures to accommodate software packages rather than seeking to change the software package itself?", "090fd315-b454-4b9f-9ad2-66d7d133d5d8": "According to the document, what steps should an organization take if they are unable to find any solution other than to try to change a software package?", "2ba7c2c8-0d97-47a1-8c75-544c8b714100": "How does the ISO 27001:2015 standard address the issue of ensuring that employees, contractors, and third party users understand their roles and responsibilities in relation to information security?", "254d657a-fc0c-4fb4-877f-268e73d19fb6": "In what ways does the ISO 27001:2015 standard recommend conducting background verification checks on candidates for employment, contractors, and third party users to reduce the risk of theft, fraud, or misuse of facilities?", 
"273b3948-0d9e-48df-bcbf-d7da1beacba6": "How can organisations protect themselves from the ingress of undesirable or illegal information, as well as the illegal processing or retention of personally identifiable information (PII)?", "2572178d-8654-4fc9-b89d-627361936dc4": "Why is it important for ICT vendors to quickly disclose and take remedial action upon discovering a vulnerability in their goods and services, even if the information protected by the ICT is not within the scope of the vendor's ISMS?", "5fb73abe-21e6-43f0-a1af-3ac50bcd8f71": "How can organizations ensure proper control and maintenance of equipment, particularly when it comes to sensitive or confidential data, according to the information provided?", "7a0bd37c-899e-4e0a-95b7-fdc3b284bad5": "Why is it important for organizations to maintain detailed records of qualified maintenance and repair organizations for older or legacy equipment, as mentioned in the document?", "a6ac9569-905c-4043-8df0-1e50a3bc57fe": "How should business-critical applications be reviewed and tested after operating platform changes to ensure organizational operations and security are not adversely impacted?", "40bbfdf0-d137-414c-8664-8f7c8f4da652": "What considerations should be taken into account when conducting a technical review of applications following changes to the operating platform, such as thorough testing and ensuring business continuity is not affected?", "deb743d1-6ef2-450c-84a1-d0c604b832ce": "How can organizations address risks in the ICT supply chain according to the specific control mentioned in the text?", "b03b3cbd-4306-4587-ab5b-51b562bb2f9d": "What are the steps involved in working with tier 1 suppliers to enhance supply chain security, as outlined in the document?", "72238429-cc54-4ef8-b52b-c43bb879c855": "How often should physical inventory checks be carried out for assets, and who should conduct these checks according to the document?", "48e50732-ee96-41c1-a9de-1f93ae6c0e55": "What types of assets are 
mentioned in the document that may need to be inventoried, and can you provide examples of each type?", "5cee584a-56e9-407a-8881-c1727d18ea0b": "How does the ISO/IEC 27000 standard play a role in the development of an Information Security Management System (ISMS)?", "1558a893-1928-488d-9130-813b8e558a7c": "What are the key responsibilities of an individual tasked with ensuring the management of information security risks within an organization, as outlined in the provided document?", "0ec98d9b-2b47-441d-933c-2b4f6fb9a99e": "How can an organization effectively identify information security requirements within its overall strategy and business objectives? Provide examples of factors that may influence these requirements.", "541fa7be-2b30-4ca6-957b-1c92451c9470": "Explain the importance of continually repeating steps a) to d) in establishing, monitoring, maintaining, and improving an organization's Information Security Management System (ISMS). How can this iterative process help in protecting the organization's information assets on an ongoing basis?", "7b9f30d2-b009-424d-ac5a-6e44da961ae5": "Explain the concept of a risk treatment plan (rb-plan) and discuss the importance of documenting necessary controls for each selected treatment option. Provide examples from the text to support your explanation.", "e28e6c11-0c07-4e27-a087-8302f1f2c557": "Compare and contrast the use of relocation as a risk treatment option in two different scenarios mentioned in the text: one related to insufficient availability of an IT application and the other related to the destruction of data carriers. 
How does the specific measure taken in each scenario address the identified risks effectively?", "007b9f19-1982-45ad-9403-5d215ac8b189": "How can contract management teams ensure that contracted service levels are actually achieved and address any identified shortfalls?", "4329b549-a757-4054-a5dc-c0fc2084372b": "What steps should be taken by the third-party unit to ensure effective communication and collaboration with the organization's contract management personnel?", "e2ac27c9-2e6a-42fc-ba58-8702e69bc243": "Why is it recommended to conduct exercises related to backup systems on test systems rather than production systems?", "3b5eba00-6d16-45bc-ae47-ff7e902e91c0": "What are some alternative backup options mentioned in the document, and what risks should be considered when using them, especially in relation to service availability?", "16fd2c45-cc01-4074-80cb-c7528492dcfd": "How does annex a.9 address the issue of unauthorized individuals gaining access to information assets and information processing facilities?", "5575d013-e572-4af8-943a-267ff41be495": "What are some of the risks that annex a.9 helps protect against, and what measures are included in the access control clause to mitigate these risks?", "ecc5bd99-3ccf-4e1e-a8bd-974834aff725": "How do utility programs play a role in information systems, and what are some examples of utility programs that can override system and application controls?", "cef7f51b-d796-4679-9202-8962f5a0c835": "According to ISO/IEC 27002:2022, what control procedures and measures should be implemented to securely manage software installation on operational systems, and what is the purpose of implementing these measures?", "d14b7b20-41cc-4006-9405-9c86bbd54c6d": "How can an Information Security Management System (ISMS) \"grow\" over time according to the work instructions provided?", "59d9aead-eb23-4f57-85ab-bb7c09e600a3": "What are the key controls concerning personnel outlined in group 6 of the document, and how do they apply to both 
internal and external personnel within an organization?", "c81b1f5d-46a7-4636-b03b-bd28dff8f381": "How can organizations ensure the creation of secure environments by default when designing information systems, according to the principles outlined in the document?", "b742d070-f3b5-422d-8ed2-10bb048989fb": "Discuss the importance of principles such as defense in depth, privacy by design, security by default, least privilege, and zero trust in engineering secure systems, as mentioned in the document.", "730767fe-9e61-4edf-8853-afea18a3f384": "What are the key considerations and costs associated with obtaining and maintaining ISO 27001 certification for an organization?", "86825eb5-2e61-4b58-b512-d7cf5973538e": "How can ISO 27001 certification benefit a company in terms of security program effectiveness, customer trust, and overall business outcomes?", "afb93c5b-59ad-4ca1-a260-b9154e02822c": "What is the purpose of an Information Security Management System (ISMS) according to the context information provided?", "049a23bd-8830-4004-a8fd-107f74239dc9": "How has the ISO 27001 standard evolved over time, specifically with the release of the ISO 27001:2022 version?", "3f22065d-0e22-4bc9-bfc7-eacbb3f39b29": "How does ISO 27001 clause 4.4 emphasize the importance of management commitment to information security?", "4a4be5a1-2762-4231-a291-3d12458b5fa1": "What are the key elements that must be included in an Information Security Management System (ISMS) according to ISO 27001 clause 4.4?", "6e5a2edd-6944-40f2-abd1-915003d095cb": "How does an organization evaluate information security risks and prioritize them for treatment according to the guidelines outlined in the document?", "4e960f54-47b1-4ba8-9d49-8d716959b5f9": "In the information security risk treatment process, what steps must an organization take to select appropriate risk treatment options and ensure necessary controls are implemented?", "2dad6825-f6fb-4db7-adf0-72499adef872": "How can complex access controls within 
an organization potentially lead to unauthorized methods of access by users, and what factors should be considered in terms of personnel constraints when implementing these controls?", "71f044cb-afd9-4bf4-80ac-633386aa5d0d": "What are the implications of personnel constraints, such as the availability and cost of specialized skill sets, on security policies and practices within an organization, and why is it important to complete security screening before hiring new staff members?", "cb9f7a66-be49-4b28-9ebd-ec000abc2d8d": "Define the terms \"authentication\" and \"authenticity\" as per the ISO/IEC 27002:2022 standard. How do these concepts relate to ensuring the security of an organization's assets?", "133e4fee-47ca-4461-b293-66ea509bbbff": "Explain the concept of a \"chain of custody\" in the context of information security according to the ISO/IEC 27002:2022 standard. Why is it important to maintain a demonstrable chain of custody for information and associated assets?", "fa7087a6-5955-46e1-8320-4034353707fe": "Explain the importance of information security risk treatment in an organization and how it is related to the ISO 27001 standard.", "d15e6797-8463-4fd2-b6a4-772bd7daf621": "Describe the key components of requirement 8.3 of ISO 27001 related to information security risk treatment and the documentation that organizations are required to retain.", "9b77a345-4b57-4008-8017-d9a4dfed6225": "How does the internal audit process contribute to ensuring compliance with ISO 27001 standards for information security management systems?", "8046b101-bb2e-4437-bb6b-cd476c6a137f": "What are the implications of the external auditor's tests on systems and procedures for an organization seeking ISO certification, particularly in terms of time and resources?", "e72fddfa-c69d-4733-a6e8-1e1ae188b144": "How can organizations ensure a good level of protection and performance for their data, and what expert advice should be sought in implementing a RAID array?", 
"8db69073-fff5-4d6d-babf-62273bdce4f7": "What considerations should organizations make regarding the retention period of business information, particularly in relation to legal requirements for retaining emails as business records, and what solutions could be implemented to meet these requirements?", "87b0ef46-64e5-4be4-9215-aaab93ebdb39": "How does ISO 27001 define the purpose of an ISMS and what is the role of risk management according to ISO 27002?", "fb520165-84ca-4930-bd9a-d34c840aedfe": "According to the document, what factors should be considered when selecting controls for managing risks in an organization, and why is it important to comply with national and international legislation and regulations in this process?", "ecd9c6c4-3af0-4d7e-acba-e9567e57f9fb": "How can an organization ensure that their information security risk assessments produce consistent, valid, and comparable results?", "651d28c3-b977-4358-9391-c13a7a09fa6c": "What steps should be taken to identify and analyze information security risks, including assessing potential consequences and likelihood of occurrence?", "04e36a5f-d4ac-459d-bed1-15b011f9146f": "How can the damage from flood/water intrusion be limited in a security zone, and what specific measures can be implemented to address this issue?", "2072dd73-789f-46c0-8473-199c7872fb9f": "Discuss the importance of implementing measures to prevent and mitigate incidents such as lightning strikes, fire, and power outages in a security zone, and provide examples of specific strategies that can be utilized for each type of incident.", "c0a4fee6-740b-49b4-9674-13496170d159": "How can organizations protect business data on privately owned devices, while also considering legislation related to personal identifiable information (PII) protection?", "7afe663a-9d5a-4e76-a97d-9c0bde2d2edb": "What are some potential challenges or considerations for organizations regarding software licensing agreements and liability for client software on privately owned 
endpoint devices used by personnel or external party users?", "94ce41a0-7b04-43d5-8681-0190818e23ba": "How does clause 7.2.2 of the standard address the need for individual assessment of knowledge, skills, and competencies for specific roles in information security?", "2c6628d2-a150-4974-9171-c3a257cd52d2": "How can an organization satisfy the requirement of maintaining records of competence as outlined in clause 7.2 of the standard?", "403d3b57-716d-44ec-8c7f-14e822d46f68": "How does the organization ensure that appropriate approvals are obtained before providing user access to systems and services, according to the ISO 27001 control for user access provisioning?", "7ae8c285-4f38-454a-a0d7-257b7d7969c2": "In the context of user registration and de-registration procedures, why is it important for user IDs to be disabled immediately when users change roles or leave the organization?", "e434045d-0fda-44b3-a903-f14ebe55a78b": "How can organizations protect against the introduction of malware during maintenance and emergency procedures, especially when malware can bypass normal controls?", "65c9d47a-2889-4795-8d05-25c9f54c0064": "What steps should be taken to authorize the temporary or permanent disabling of measures against malware, and why might this be necessary in certain situations?", "282c1f94-ae4b-48e9-8a11-7141b2b3edce": "How does ISO 27001 certification help organizations prove their security practices to potential customers worldwide?", "37f1d0b7-a1c6-474c-a64d-fbd7f60de265": "Explain the concept of an Information Security Management System (ISMS) and how organizations can demonstrate their implementation and conformance with ISMS through policies, procedures, and operational processes.", "17123179-5754-4036-83cf-120144b2732e": "How does the variety of platforms for handheld devices impact the development of generic anti-malware software?", "7d42d795-a738-44da-8346-632555510a72": "Explain the importance of implementing a layered approach to cybersecurity for 
organizations with handheld devices, including the installation of anti-malware software on both the handhelds and desktops.", "92791128-0870-44f7-95f3-1ddbb0f4cbd0": "How does an auditor assess an organization's risk assessment process during an ISO 27001 internal audit?", "40af9c54-7a53-4464-8b02-daacba675909": "What evidence does an auditor look for to determine if an organization's ISMS documentation is adequate during an ISO 27001 internal audit?", "e140d214-9afb-43e3-a01b-8a13d05b6b1f": "Explain the importance of providing notification prior to any substantive customer impacting changes in the delivery of cloud services, and discuss the specific scenarios in which notification should be given according to the context information provided.", "3638e6e5-fe69-4116-8c70-d23d1f45c85b": "Describe the significance of maintaining close contact with cloud service providers for organizations using cloud services, and outline the key aspects of information security that should be exchanged between the cloud service provider and the organization, as mentioned in the context information.", "6ca6c589-f6b5-4b74-8a8c-afdd0d929c55": "How can professionals maintain their qualifications through membership and continuing professional education points, and what are some methods they can use to achieve this?", "b0c9cb23-8f23-4f28-b791-fb47f73eff94": "What is the purpose of threat intelligence in an organization, and how can it be utilized to reduce risk and improve defenses at strategic, tactical, and operational levels?", "4349e83a-ee47-43f1-9096-5b924621ca67": "How do network log monitoring systems differ from intrusion detection systems, and why is it important for organizations to use both in conjunction with each other?", "5fea01f8-83bb-4e04-a4b7-58f09e132a6f": "According to the context information, what factors should an organization consider when selecting an appropriate remote access authentication control for external connections to their network?", 
"f345e3c4-fbbc-470a-99c5-beb75a72736c": "What are the key requirements of control a-8.12 in the 2022 version of the standard regarding data leakage prevention, and why is it important to have suitable monitoring facilities in place to fulfill these requirements?", "ab41a501-101e-4906-903d-02a8922336be": "How do data loss prevention (DLP) tools help organizations in identifying sensitive data, monitoring their movements, and preventing unauthorized data leaks? Provide examples of how DLP tools can be used in an organization's IT landscape.", "9e56fcd0-5bfb-42d7-9e6b-5998739f27b3": "How did the company fr\u00e4nkische benefit from the guidance provided during their internal audit process?", "0b1cd56b-12ec-44f7-9bce-11ef0c55c858": "How did the successful external certification of fr\u00e4nkische demonstrate the importance of risk assessments in business operations?", "c5acee5b-1ed0-49e9-92fb-e8fbceb345ee": "What steps should be included in the investigation procedure for dealing with security incidents, as outlined in ISO27002 clause 16.1.7?", "4140ccb3-5137-434b-b191-39285632b5c1": "Why is it important to gather and prepare evidence properly in the initial stages of investigating a security incident, according to the context information provided?", "e79521c7-ba9d-4f16-a70e-603d55191b16": "How can physical security measures, such as windows or bars, be designed in a way that does not draw attention to the most valuable assets in a room?", "5fff0e94-51d9-408c-9679-15f738ba5ea8": "Why is it important for internal directories or guides that identify the location of secure areas to be restricted from public access?", "30db9f70-03be-40c8-bca5-b339f03312fc": "How does the evolution of malware impact the need for regular updates of anti-malware software within an organization's IT governance framework?", "8b2433d6-364a-4aed-93df-217e23a8c928": "What specific challenges do wireless networks pose in terms of endpoint security, and how can organizations mitigate the risks 
associated with airborne viruses infecting these networks?", "2a68f8b0-9623-4676-b22b-b150eed53b1a": "How does regular review of the needs and expectations of interested parties contribute to the effectiveness of an ISMS according to ISO 27001:2022 clause 4.2?", "377a8d3b-8f50-40a8-8bd6-81afbb85b845": "Explain the steps involved in addressing the needs and expectations of interested parties in an ISMS to comply with ISO 27001:2022 clause 4.2.", "eae0fdbb-90b8-4b9d-b7d2-03e1f36d2e89": "How can unauthorized access to screens and recording of activities be prevented in a workplace setting, especially when it is possible to observe screens from outside through windows or other means?", "3ee87e0b-34e8-420e-b35d-c2082f73361b": "What security measures should be implemented to protect equipment located outside an organization's premises, particularly mobile IT systems that process or store sensitive data?", "dbaeb2fc-88a2-4394-91c1-2c5a25b289ba": "How can organizations protect their information on employees' personal mobile devices when used outside the premises, according to the ISO 27001 standard?", "7ecaa10e-e696-4cfd-8b30-46064c244236": "What are some example controls that can be implemented to ensure the safe use of mobile devices, as mentioned in the document?", "46994878-aa95-4cf8-8ca7-c6ebe047f10f": "How can asset labeling using QR codes, bar codes, or RFIDs help in monitoring and tracking assets within a business?", "e70a2513-ab2d-4000-a7bb-ec41af7e022d": "What are some best practices for labeling assets, and why do some companies choose not to mention their company name on asset tags for security purposes?", "1a2d25f5-29cd-472e-96a7-95943cd030bd": "How can network operators ensure that service providers are aware of and implement the necessary security requirements for remote control modules?", "96f5d13a-9c67-4537-b72a-160a5f913232": "What steps can be taken to improve the implementation of IT security laws and ensure the protection of critical infrastructures in 
relation to remote control modules?", "bdc605a0-9a31-40bd-91aa-75fbb3ad40d3": "How can the successful implementation of an ISMS be achieved according to the context information provided?", "6813f7e3-0f9e-4b3d-a8b3-8adf987cc9ca": "Why is it emphasized that a detailed change management program is not necessary for the implementation of an ISMS, and what is instead required for successful implementation?", "a0d1d471-7342-43ad-8987-178030b176b7": "How does ISO27002 identify security risks in email, and what are some examples of these risks mentioned in the document?", "2f47f978-2e05-4f6b-a4eb-74893ed8fd83": "What potential consequences can a company face if confidential or sensitive information is exposed through email communication between organizations by individual staff members, according to the document?", "fded8500-431e-48bf-bc68-dc5d8ad8c542": "How does the requirement to maintain registers of fixed assets differ between private companies and public-sector organizations?", "8ce04e2b-1672-405f-b395-52621bbe2142": "Why is it important for organizations to identify and maintain an inventory of their information assets, especially in comparison to traditional fixed assets?", "885962a5-db78-424b-a9c7-0791741466d6": "How can findings from an audit help improve an organization's information security strategy?", "ad173987-d36d-413c-8fd6-f657435bdb1b": "What steps should be taken if nonconformities are identified during an audit in order to ensure effectiveness in addressing them?", "5162794c-7d93-4064-a7c9-891831d408e4": "How should audit requests for access to systems and data be handled according to the guidance provided in the document?", "8a34b333-0bea-44a0-8b7f-dbe2c028175f": "In what circumstances should audit tests be limited to read-only access to software and data, and how should this limitation be addressed if read-only access is not available?", "e6defc34-75cf-4580-bbf3-3cd9787cf9b1": "Define the terms \"event\" and \"incident\" in the context of information 
security, and explain the difference between the two. How does incident management play a crucial role in handling security incidents effectively?", "d0883bad-3ec9-4206-a163-6098044923c7": "How does the traffic light protocol of the BSI for data exchange in critical infrastructure environments help in managing and responding to security incidents? Provide examples of situations where an event may escalate into an incident in an organization's IT system.", "12d3d77b-33ef-4bf6-b424-09d0911a1cad": "How does ISO 27001 compliance benefit a business in terms of competitiveness, protection of intellectual property, and customer retention?", "62f82c2e-6dd5-456b-9c65-fdd26ff4bd68": "What advantages does ISO 27001 compliance offer to a company's staff in terms of operational efficiency and job satisfaction?", "7bd6384d-d690-4e30-9d3d-f0f134704853": "How important is it for organizations to stay updated on both local and international laws in order to provide products and services to their clients? How can security controls be implemented to safeguard information in accordance with these laws?", "9858e63f-c39f-4663-800a-dc60d30fd0bf": "What is the main responsibility of the information security team in identifying and prioritizing actionable improvement areas for the organization's information security management system? How can these improvement areas be effectively implemented and tracked for progress?", "af7ae685-f65c-4126-8312-dbe7d60dea38": "How does the processing time from each ticket factor in the risk level of the corresponding vulnerability, and why is it important to weight the processing time in this way? How does this weighting help prevent the average value from being skewed by vulnerabilities with low risk levels?", "0a9c6fa6-3627-4004-8ef8-4e21084a3e80": "What are the basic requirements specified in the standard for measurements of this kind, particularly in terms of comparability and reproducibility? 
How do these requirements ensure that measurement data is reliable and consistent over time?", "e4ac4e4d-b253-42b5-9e50-53c003e9ac6a": "What are the key components that should be included in detailed system restart and recovery procedures in the event of system failure, and how should these procedures be made easily accessible to users?", "f46e9923-0681-40a0-a391-127e3f8805df": "Discuss the importance of having detailed procedures for basic housekeeping functions in a computer system environment, and explain how these procedures should be reflected in visible reminders for users.", "c6f3d5e1-1c4e-416a-bc50-ee7446b91b00": "How can the potential impacts of a threat-vulnerability assessment be categorized in terms of business, legal/regulatory, and contractual consequences?", "05b22675-6bb1-4ee3-bab5-f698609294b0": "Using the example provided, explain how a threat of driver forgetfulness or inattention, combined with a vulnerability of a van door not closing properly, could lead to the consequence of a backup tape falling out into the road while in transit.", "277896d2-70d4-4e2d-a315-2e1f271c36de": "Why is it important for organizations to report software malfunctions according to control 16.1.2 of iso27002?", "e6f76404-6d96-49b7-9009-61a46dfca355": "What steps should be incorporated into the event reporting procedure for software malfunctions to ensure the integrity of information on the organization's network?", "aef6b17c-402f-4b77-bb0e-d267db4f09b2": "How can logical segmentation, such as VLAN or VPN, be utilized to transport classified data securely on a physical network? What are the benefits of using such segmentation methods according to organizational rules or regulatory bodies?", "b5ab9522-84d5-474e-87cf-c25cd7c88356": "In what scenarios would filtering and authorization control of network nodes be relevant for controlling the use of services by participants from other segments on a network? 
How can guest networks be effectively separated from sensitive production networks while still allowing for necessary access to the internet or specific parts of the organization's network?", "9e73f201-1c97-4043-80f1-829822586fdc": "How can organizations assess the likelihood and impact of threats to their assets in order to develop controls to mitigate risks in their Information Security Management System (ISMS)?", "6af527c3-064e-45e5-a190-84ed4ac0d54a": "What are the key components of monitoring and reviewing an ISMS to ensure its effectiveness, including evaluating security controls, reviewing risk assessments, conducting internal audits, and seeking feedback from stakeholders?", "aa862048-0ef7-497a-a4b5-ae78b946f7ce": "Who is responsible for the proper management of an asset over the whole asset lifecycle according to the document?", "272190d1-0704-4366-9d54-00bdede4ff2a": "Can assets have users or custodians who are not the nominated owners of the asset? Provide an example from the document to support your answer.", "92eeb031-dd06-4028-8965-63bc9ba7bc2b": "How can business architecture diagrams, organization charts, and network maps be used to specify the scope of an ISMS, according to the context information provided?", "c8f55445-cd28-42bc-ab37-6b1db3a793ef": "Explain the difference between procedures and work instructions in the context of implementing controls for an ISMS, as outlined in the document.", "c8e9040a-18c9-4ff5-a004-36997529a46e": "How can organizations ensure that secure system engineering principles are followed in their in-house development activities?", "dab5bc5f-8ff1-480c-9492-767c36c00af1": "What controls should be put in place when outsourcing development to ensure the protection of code and intellectual property rights?", "2a7e30fe-c410-44f0-9e39-b702d3e4daac": "How can an organization ensure compliance with legal requirements, especially when operating in multiple countries with varying regulations such as GDPR and EIDAS?", 
"e7545927-0735-4bc1-a3e2-78e11276238b": "Why is it not recommended to establish a lower level of security than originally planned at the beginning of implementing an ISMS, even if it means starting with a smaller scope?", "44cd5b99-95c5-4319-8146-5f6497ee38ab": "How can organizations respond to adversary intelligence actions, and what are some examples of these actions in the context of data leakage prevention?", "5a1976d8-167b-48e1-b7de-f0fc0059c832": "What legal concerns should be considered before deploying data leakage prevention tools, and how does monitoring personnel's communications and online activities relate to privacy and data protection legislation?", "4ea96dbf-53ab-432d-9d35-46858396786b": "How can compliance automation software like Vanta simplify the process of conducting a full audit for ISO 27001 certification?", "5ce1157c-c3a5-4117-b066-46851a5abb46": "What is the renewal process for ISO 27001 certification and how often does it need to be renewed?", "0036366f-0e1c-4219-a23e-33f08b45bdfe": "How should background verification checks be conducted for candidates for employment, according to the document's guidelines?", "0ab2c5be-4145-45f5-9d05-94104927f9ae": "What responsibilities should be outlined in the contractual agreements with employees and contractors regarding information security, as per the document's requirements?", "fc25e79c-2109-4cdd-9831-c5a3a5ab754e": "How can organizations ensure compliance with relevant agreements, legislation, and regulations when implementing cryptographic controls for the privacy and protection of personal identifiable information?", "d7da17e2-1f5f-4784-b048-a0dce464ecdb": "Why is it important for organizations to consult with their legal team to analyze specific legal requirements in countries where they operate in relation to cryptographic controls?", "c6bfa6fa-1934-4780-9325-1c604fe18233": "How can organizations ensure they are staying up to date with industry best practices and relevant information to 
improve their team's knowledge about implementing and monitoring controls regularly?", "5dbfedf4-cf74-416a-8077-2c3232309fb8": "Why is it important for organizations to maintain appropriate contacts with special interest groups and participate in security forums, seminars, and professional associations in order to prevent information security attacks on their systems?", "4db5ded7-d8d1-4a5d-aad0-4361e236f431": "How can organisations ensure the effectiveness of their Information Security Management Systems (ISMS) according to the context information provided?", "b4b814ca-2cda-46a7-a300-29bbf8847ae4": "Why is it important for organisations to monitor and measure information security risks, controls, and awareness/training programs as part of their ISMS, as mentioned in the context information?", "4f0cdfb5-6fb8-4e5e-a8b1-9759469edb39": "How is the importance of an asset determined in the context of ISO 27001 implementation, and why is it necessary to implement controls for assets with a sum value of more than 5?", "74b379e7-de8b-4c41-b5d6-20b135e4741b": "In the context of the IT helpdesk department's involvement in ISO 27001 security controls implementation, what factors contribute to the varying asset values across different departments, and why is it important to assess and prioritize assets based on their value?", "5efb0f99-8397-47f2-9285-4d5e7d018ee5": "How can the human resources department prepare evidence of misconduct in the organization, and what role does the external auditor play in verifying this evidence during an ISO 27001 certification audit?", "53247abc-58a5-4a55-9a07-6aeaec452201": "Explain the importance of defining and communicating information security responsibilities and duties that remain valid after termination or change of employment, as outlined in ISO 27001 control A.7.3.1.", "8070e233-5317-4038-89d8-e1be86ece0bf": "How does the approach for determining which assets require controls differ from the approach for identifying authorized 
individuals or groups for access control?", "4edb0ece-9e1c-4ceb-ab12-160d65891acc": "Can you provide examples of subjects for access control beyond just individuals and roles, as mentioned in the context information?", "cec9b3c8-e485-48ae-b6bb-8f3d321caf43": "How does the alignment of the scope of the Information Security Management System (ISMS) with the boundaries of a single management team's responsibility impact the effectiveness of risk management within an organization?", "b9efd0a6-8093-4cfc-b951-8bcf67ee468b": "Why is it important for the management team with authority to sign the information security policy to also have responsibility for directing and managing the organization within the scope of the ISMS?", "8a9a27b4-62f9-4962-94f1-6d022027ff8b": "How should emergency plans be drafted and submitted for review in the business continuity planning process?", "281d95f1-685b-4756-8ba0-842236e2dd23": "What key components should be included in the clear descriptions signed off by the board in the business continuity planning process?", "74134d68-2a41-4ad6-abc3-920ae87d8561": "How can organisations ensure open communication with authorities regarding information security violations, and why is this important for incident management and business continuity planning?", "b9044f9d-ba53-4b3e-8a9f-61d23248471f": "Why is it beneficial for organisations to maintain contacts with regulatory authorities and interested groups in the context of information security and compliance with rules and regulations?", "a90793c7-7615-44fa-8501-98fca6722058": "How can automated and continuous system monitoring help in identifying and closing gaps in ISMS implementation?", "894f5a88-1f3f-4249-90ec-8a61658ba521": "Why is it important to address any gaps in ISMS implementation in a timely manner?", "038ac056-a19f-4076-b225-ba98df141cb8": "What are the key steps involved in an on-site audit for ISO 27001 certification?", "dfbda894-d560-4908-8fe0-be9287d3c77d": "How does the certification 
body handle non-conformities identified during the audit process?", "9d9e2353-9251-4dec-9868-7a9f1b654b3f": "Explain the significance of transferring the note regarding the validity of results from the existing standard to the main body of clause 9.1 in the ISO/IEC 27001:2022 standard.", "55eac1a7-26e0-42d1-b3a8-7fd03e46affa": "Discuss the impact of the reorganization of clause 9.3 in the ISO/IEC 27001:2022 standard, specifically focusing on the addition of item (c) to management review inputs.", "a168c0c0-d8ab-444e-81d5-875d52353819": "How can an organization ensure that changes to software are properly managed to avoid potential issues with future upgrades and maintenance, according to the document's recommendations?", "c92c194f-b1a1-4240-8e7b-f90f147e908c": "Why is it important for organizations engaging in complex system development to establish clear, documented principles for engineering secure systems, and how can these principles be applied effectively across all systems engineering efforts?", "1ef89106-eb3b-4ddf-8de4-5c9fc984cc20": "Explain the importance of service level agreements (SLAs) and operational level agreements (OLAs) in ensuring the continuity of critical business processes. How do these agreements impact the development of preventive, detective, and reactive measures for business continuity management?", "af30b1a7-60c3-4d59-98cc-3638718dc2b4": "Describe the process of conducting a business impact analysis (BIA) and how it helps in determining the criticality of each business process. How does the information gathered from a BIA contribute to the development of a continuity solution for affected business processes?", "39f4c9ee-19e5-42c2-919b-1d2edd1be0a5": "How important is it for organizations to document the critical assets and their whereabouts in their business continuity plans? 
What information should be included in this documentation?", "cf6bc048-95cd-44b1-80e3-58d69050d919": "Why is it crucial for organizations to regularly test and maintain their business continuity plans? How can untested plans be compared to having no plan at all in the event of a disaster?", "4536ce6a-0c14-4ac8-93ab-4e7a2ad47b88": "What are the key components that should be in place before undergoing an audit according to Steve's suggestions?", "f12ea9af-6cc9-453f-a781-b56431b87e9b": "How does Steve recommend preparing for an internal audit and ensuring readiness for compliance automation system testing?", "05001da0-899d-4bc1-8c9a-4d278b98a712": "How does Control 12.7.1 from ISO27002 recommend organizations prepare for information systems audits, and what are the key considerations outlined in this control?", "05363d00-0ee0-4206-99c7-c8e06e6d6099": "In the context of minimizing disruption during audits, what strategies does ISO27002 suggest for selecting periods of low or reduced activity for conducting audits, and how should testing be controlled to ensure minimal disruption to business activities?", "4477c024-7ac0-46f4-81c8-330e4b741e20": "How does ISO27002 provide guidance on the selection and design of a secure area for physical and environmental security within an organization?", "600067ca-80fa-4df9-95af-e175c3a088de": "In what ways should secure storage facilities, such as safes and high-security document stores, be strategically located to mitigate risks posed by external and environmental threats?", "35ce49dc-9da8-45ae-b91d-c7ae8ffca3f1": "Why is a risk treatment plan considered an essential tool for organizations looking to protect their information assets and enhance their information security posture?", "2e5c6142-bd36-473e-8649-200d3494dc71": "How can implementing a risk treatment plan help an organization improve its overall information security?", "470cc0af-4e19-47f6-ba49-a2ee59e650d5": "How does the Internet Engineering Task Force (IETF) contribute to 
the evolution and operation of internet architecture?", "15cd59b6-c043-4f9f-a0eb-9fe6c3c9ac73": "Can you explain the significance of the four key security technologies (SSL, IPsec, S/MIME, PKIX) in the context of internet security systems?", "67c9a220-f7af-440b-af09-7d91e3e7c9a8": "How can organizations ensure that the resources necessary for planning, operating, and maintaining the ISMS are available, and what is the importance of having a resource plan in place for a specific period of time?", "98738398-effb-4d7d-a6cf-43331bda490d": "In what ways can recommendations from recognized auditors be utilized during discussions with management about the allocation of resources for establishing and operating the ISMS?", "5fed9125-d50f-47a2-b5c3-21f69614f512": "What were the key partnerships and collaborations that led to the development of the ISO 27001 standard, and how did they contribute to the foundation of the standard?", "cd3b399c-e367-4639-8fbb-d144c762b1a0": "Explain the evolution of the BS 7799 standards into the ISO 27001:2005 standards, including the specific changes and developments that occurred throughout the process.", "69709243-e35b-4ded-84f7-abb6ddb16acf": "How does obtaining an ISO 27001 certificate benefit a business in terms of legal compliance and mitigating costly breaches?", "ba23397b-7ce4-4c82-9023-4f1dea038d3c": "According to the context information, what is the average cost of a data breach in 2023 and how does ISO 27001 certification help in mitigating such cyber-related incidents?", "55c95291-f7d5-4a5b-8524-8b47493388a7": "How can you identify the expectations of stakeholders regarding information security according to best practices outlined in the document?", "3a89e636-88cd-425b-84d2-01464cd3025f": "What are the individual steps involved in achieving ISO 27001 compliance as described in the checklist provided in the document?", "d855cade-4910-4aec-9490-78cf5ddb8a1a": "How can multiple test environments be utilized for different types of 
testing, and what are the benefits of using virtual environments with individual configurations?", "8c2b3490-781d-4ac6-ba11-8aba8bb71242": "Why is it important to consider testing and monitoring of test environments, tools, and technologies, as well as monitoring of monitoring systems in development, test, and production settings? How can judgement be used to determine the usefulness of meta-testing in these scenarios?", "96fbb343-b847-439f-9370-f24c9912aa31": "What are the potential consequences of failing an external audit, and how should organizations view this outcome as an opportunity for improvement?", "1dd5526f-ff8f-43e1-8589-a93a35b260a1": "How many annex a controls are included in the 2022 version of ISO 27001, and how are these controls categorized to address different areas of an organization's operations?", "890d41aa-4fd2-4ac7-91d8-da1a87afe5c1": "What are the key components involved in presenting a high-level plan for implementing an information security management system, according to the document?", "3ce9edf8-2b23-4875-9c7c-8b66051c47e5": "Why is it important for the CISO or relevant authoritative person to organize a kick-off meeting and invite all key stakeholders associated with the information security department, as mentioned in the document?", "83be69d9-3e7b-4ecf-ad52-795c6d9d929e": "How does the ISO/IEC 27002:2022 standard recommend organizations assess and categorize information security events? What is the purpose of this categorization and prioritization scheme?", "2aaeedd1-343e-4388-81f5-35cc67ea046f": "Why is it important for organizations to have a defined scheme for categorizing and prioritizing information security incidents? 
What criteria should be included in this scheme according to the guidance provided in the document?", "9886a022-a65f-4f8a-8cbe-6074dff89fbd": "How can organizations determine the impact of incident scenarios on their assets and business processes, and what criteria should be considered during this determination process?", "448ec50b-696a-4d5c-a5c8-aa582a3ce857": "In the context of risk analysis, what are some operational consequences that organizations should consider when assessing incident scenarios, and how do these consequences impact the overall risk analysis process?", "407367a5-969c-4b3c-9abb-b3164b93a068": "How does the concept of consequent savings benefit the bottom line or enable other controls to be deployed relate to the risk assessment process, as discussed in the text?", "b0b61bb7-708f-4735-96df-dee1cec11e3c": "Why is it important to identify existing controls before conducting the initial risk assessment, and how can this approach help in identifying potential areas of over-control in the risk management process?", "c9a96ae2-29d3-47f9-b488-19d55a3255f0": "What specific information should be included in measurement and monitoring protocols according to ISMS-9.1?", "73049cbb-d118-47ec-97ae-15e7957f90d4": "How does ISMS-9.1 emphasize the importance of monitoring and measuring important metrics in order to assess the effectiveness of individual measures and processes within an ISMS?" }, "corpus": { "0ef1ecc3-b5a7-4ac1-bcfd-d9357f85b63b": "their employment contract, which shall state\ntheir and the organization\u2019s responsibilities for information security.\na. 
8.2 during employment (iso 27001:2015, version 2015)\nobjective: to ensure that all employees, contractors and third party users are aware of\ninformation security threats and concerns, their responsibilities and liabilities, and are\nequipped to support organizational security policy in the course of their normal work, and\nto reduce the risk of human error.\na.8.2.1\nmanagement responsibilities\ncontrol\nmanagement shall require employees, contractors and third party users to apply security\nin accordance with established policies and procedures of the organization.\na.8.2.2 information security awareness, education and training\ncontrol\nall employees of the organization and, where relevant, contractors and third party users\nshall receive appropriate awareness training and regular updates in organizational policies\nand procedures, as relevant for their job function.\na.8.2.3\ndisciplinary", "b9ebd8fb-e98b-4b40-9b18-9022a309c5c8": "the proposed security policy. this document should\nset out clearly the proposed dates at which the board will be invited to\nreview progress towards final implementation so that it can ensure that its\npolicy is being properly implemented.\nas all organizations have their own preferred formats for doing this, this\nbook does not set out how to do it. it only argues that review dates should\nbe realistically spaced and that the plans it approves should allow executive\nmanagers sufficient flexibility in implementing a policy that will have to be\ndesigned in the light of facts that are not known at the point at which the\npolicy is adopted.\nit is suggested that the key points at which progress might be reviewed\nare:\n1 after completion of the risk assessment; the full range of risks to be\nmanaged will have been identified.\n2 after completion of a draft statement of applicability (soa). 
any costs\nincurred prior to this should be minimal, but until the soa defines what\ninformation security policy and scope\nneeds", "4188dfca-a862-43c5-87f9-96ffc99a3b6a": "paid to how deliveries are received and shipments loaded, if that applies to your\nlocation.\n4.3.3 a.7.3 securing offices, rooms and facilities\nrelevant toolkit documents\n* data centre access procedure\nonce inside the building, there may be a need to secure specific rooms separately, again via\naccess controls, and to ensure that what goes on there is not visible or obvious to\nunauthorised people.\n4.3.4 a.7.4 physical security monitoring\nrelevant toolkit documents\n* cctv policy\nthis control covers the use of monitoring systems such as security guards, cctv (closed\ncircuit television) and intruder alarms to detect when an unauthorised person has entered a\nbuilding. for cctv, the requirements of privacy legislation must be considered, along with\nthe correct siting of cameras so that security objectives are achieved without capturing\npublic activities unnecessarily.\n4.3.5 a.7.5 protecting against physical and environmental threats\nrelevant toolkit documents\n* this control is addressed by documents in other", "aae0f8c8-c21c-4425-a8d1-d396d58b7d8b": "including communication on security events and weaknesses.\na.16.1.1 responsibilities and procedures\ncontrol: management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.\na.16.1.2 reporting information security events\ncontrol: information security events shall be reported through appropriate management channels as quickly as possible.\na.16.1.3 reporting information security weaknesses\ncontrol: employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.\na.16.1.4 assessment of and decision on information security events\ncontrol: information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.\na.16.1.5 response to information security incidents", "08c79691-1a3d-4d17-832e-9e9b26ac1e15": "intended results.\n * policies and procedures that support the organization\u2019s isms are reviewed, approved, and remain current.\n * resources are appropriately allocated and effectively and efficiently used in order to meet the intended objectives.\n * an internal audit program is defined and carried out in accordance with established policies and procedures, to include sufficient independence to maintain a separation of duties and avoid any conflicts of interest.\n * metrics such as key performance indicators (kpis) are defined, useful, and are being reported to ensure that the isms is effective and intended outcomes are achieved.\n * any necessary adjustments are made to continually improve the isms. ## what are the requirements of iso 27001 and an effective isms?\n### scope development\nsetting the scope of your organization\u2019s isms is an essential step in\nestablishing an effective isms. the scope will inform stakeholders what areas\nof the business are covered by the isms. as your organization defines", "4fbb58fe-de5f-404f-a2e5-d67e631396a6": "summarized here. e-mails can go astray or be intercepted\nand are also a widely used medium for harassment, information leakage,\nand so on. one could be overheard while talking on a mobile phone in a\npublic place, such as on a train. 
answering machines can be overheard by\nsomeone physically present in the room as the caller leaves a message.\nunauthorized access to dial-in voicemail systems (phone hacking) is a clear\ndanger, as is unauthorized dial-in to teleconferences. facsimiles and e-mails\ncan accidentally be sent to the wrong destination and the wrong person.\nso, information security could be compromised by any of these events. it\ncould also be compromised by the theft or disappearance of critical mobile\nphones or by the failure of communications facilities (whether through\noverload, interruption or mechanical failure or even through failure to iden-\ntify and pay appropriate service provider invoices in due time). information\ncan also be compromised if unauthorized users can access it. a smartphone\nwith", "50f8ab92-cd48-4f64-b334-494a3293df30": "state information security and data\nbreach laws (such as the californian senate bill 1386), which require\nnotification of breaches of personal data security.\nmost recently, california\u2019s consumer privacy act brings some of the eu\ngdpr regulatory heft to the usa and has triggered a federal-level review of\nus privacy regulation. of course, the huge growth in anti-money-laundering\nregulation, including the requirements of the international joint task force\nand the us patriot act, broadens the requirement on organizations to verify\nclient details, and therefore to keep those personal details secure and in line\nwith applicable data security regulations.\nuk legislation\nin the united kingdom, there are now over 70 laws that, to one extent or\nanother, may need to be reflected in the isms. a current list is included in\nthe vigilant software compliance manager. the most important legislation\nincludes the following.\nthe data protection act 2018\nthe uk\u2019s data protection act 2018 (dpa), which puts the eu gdpr into\nuk", "62efc227-c2be-4e2b-ab7e-14a3b9f0d5a9": "information. 
* the technological category contains 34 controls that address the technological aspects of information security. these controls include things like implementing firewalls and antivirus software, encrypting data, and managing access to information systems.\nthe new structure of annex a controls is aligned with the four pillars of\ninformation security:\n * organisational: this pillar addresses the need for a strong organisational commitment to information security. * people: this pillar addresses the importance of people in information security. * physical: this pillar addresses the need to protect information assets from physical threats. * technological: this pillar addresses the need to protect information assets from technological threats.\nthe new structure of annex a controls is a significant improvement over the\nprevious version. it makes it easier for organisations to implement an\neffective information security management system and protect their", "daa7e108-6608-48db-90ae-94a6ffd55a29": "default\nlevel for such information.\nthe way to do this is through the information classification procedure,\nwhich is discussed below. information with a specific low-level classifica-\ntion, assigned by its owner, may be defined as not being an asset worth\nprotecting, and information with all other classifications may be defined as\nassets and worth protecting. 
for instance, a file of press cuttings might be\nclassified such that it is clear that it is not an asset worth protecting; statutory accounts, once filed at companies house, become public domain\ninformation, which there is no point in protecting from a confidentiality\nangle (although the integrity and availability of these data could still be of\nconcern).\nacceptable use of assets\ncontrol 8.1.3 of iso27002 says organizations should document and implement rules for the acceptable use of information assets, systems and services.\nit governance\nthese rules should apply to employees just as much as to contractors and\nthird parties, and the", "caaa0a69-5ad9-4841-96ca-a0f932811e21": "the unified intranet time: time recording systems, access-controlled doors and gates, canteen billing systems, etc.\n* for example, the internet time servers of the physikalisch-technische bundesanstalt (ptb) at ptbtimex.ptb.de with x = 1, 2, 3 or 4.\n3 controls: requirements and measures\nif there is no possibility of automated time query for some technical facilities, manual adjustment and control of the system time is the only option.\nto implement the control, it should be checked whether there are external requirements for a reliable time source in the context of the organization, what provisions exist for this (must it be the legally recognized time?) - or whether it is sufficient to establish and apply a simple time base for internal purposes, such as monitoring, in a unified manner. 
the examples above outline possible implementation options.\na-8.18 use of utility programs with privileged rights\nthis concerns utility programs that can change administrative and security-related settings of", "31967224-3533-4e6a-8fca-f2316f00af72": "should carry out spot checks on a regular basis to ensure that the\nsynchronization is effective.\na failure at this level could hamper event investigation, invalidate disciplinary action and fatally undermine court actions.\ninformation security events and incidents\nsection 16 of iso27002 deals with information security incident management and makes an important distinction between an information security\nevent and an information security incident. an event is not necessarily an\nincident, whereas an incident will always start off as an event. in other\nwords, there are a number of events that, because they are either expected\nor unexpected, might not significantly compromise the integrity, availability\nor confidentiality of the organization\u2019s information. events are reported;\nincidents are managed \u2014 which means that there has to be a decision, for\neach event, as to whether or not it is an incident. the control objective is to\nensure that events that relate to or might compromise information security,\nor", "8b5ff7fb-8ae9-4e69-93df-a0069cb7d196": "information security incidents shall be responded to in accordance\nwith the documented procedures.\na.16.1.6 learning from information security incidents | control: knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.\na.16.1.7 collection of evidence | control: the organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.\nresponsibility\nthe it department and all department stakeholders are responsible for implementing\ncontrols. 
incidents can occur in any department and the department should note the\nincident. the information security team will act as a guide.\nchapter 2. assessing needs and scope\nsection a.17 of the annexure\nas shown in table 2-13, section a.17 covers the controls required for business\ncontinuity.\ntable 2-13. a.17 information security aspects of business continuity management\na.17__", "ab4e20c7-c3a6-403c-b500-b81b65c94f43": "perimeter. further controls require security measures to prevent unauthorized access to assets.\ninstead of speaking of the area within the perimeter, the term \"security zone\" is often used - the perimeter is the outer border of the security zone. occasionally, this boundary is visibly marked, such as through colored markings, or it coincides with the visible boundary of a fenced area.\nthe premises are protected by surrounding walls. access to such protected security zones should only be possible at defined points and only with corresponding controls.\nthe perimeter protection to be designed must be based on the security requirements of information processing in the respective zone and must not have any vulnerabilities.\nthis includes the associated assets, see a-5.9, keyword asset location.\nthis also includes documents and files.\naccess-controlled gates, airlocks, and doors.\npoints in the perimeter that have", "7f7ffea8-3e7c-4177-8f9c-797e90452fff": "to be considered, for example, those intrinsic or extrinsic to the asset.\nexamples of vulnerabilities and methods for vulnerability assessment can be found in annex d.\noutput: a list of vulnerabilities in relation to assets, threats and controls; a list of vulnerabilities that do\nnot relate to any identified threat for review.\n8.2.6 identification of consequences\ninput: a list of assets, a list of business processes, and a list of threats and vulnerabilities, where\nappropriate, related 
to assets and their relevance.\naction: the consequences that losses of confidentiality, integrity and availability may have on the assets\nshould be identified.\nimplementation guidance:\na consequence can be loss of effectiveness, adverse operating conditions, loss of business, reputation,\ndamage, etc.\nthis activity identifies the damage or consequences to the organization that can be caused by an\nincident scenario. an incident scenario is the description of a threat exploiting a certain vulnerability\nor set of", "90914c3c-d184-4b4e-91d0-94f33fbdfccd": "outsourcing recipient, but then not review or evaluate the reports within the organization.\nagainst this background, the following points - as far as applicable and relevant in the specific case - should be considered in the contract. they are roughly assigned to the phases of service provision:\nfundamental:\ne requirements regarding data protection and other legal regulations relevant to the contractual relationship (e.g. intellectual property)\ne audits, certifications*, etc. required by the organization\ne right to inspections/verifications/audits on-site at the supplier by the client or third parties commissioned by them\ne version and change management at the supplier\ne issue of subcontractors: naming subcontractors, notification of changes - or generally excluding subcontractors for the contracted service\ne contact person for information security at the supplier\nto be done before the start of performance:\ne clearance/authorization of personnel from the service provider: important not only in", "d52be9df-d64a-455d-b897-cb512c5dbb25": "achievement\nthis section of the standard deals with the security objectives formulated in connection with isms-5.1 (a).\nfirst, these security objectives should be \"broken down\" to all relevant organizational units from the perspective of the organization as a whole, as far as they fall within the scope of the isms. 
in doing so, one aligns with the tasks of each organizational unit and determines which objectives apply to the unit in whole or in part, or to which objectives the unit must contribute.\nalternatively, corresponding roles can also be considered (possibly both).\nlet's take the example of the security objective of confidentiality of customer data, which is formulated for the entire organization. the corresponding risk \"loss of confidentiality...\" should then have been identified in the risk assessment, and risk owners have been determined - usually the organizational units that process this customer data (in any form). they must ensure the confidentiality of customer data in their respective", "15db25b9-6f00-424f-8c7b-2d61d2f03b0f": "streamline the risk assessment and soa\ndevelopment process, the amount of additional paperwork it\ngenerates, the flexibility it offers for dealing with changing\ncircumstances and frequent, smaller-scale risk assessments,\nand the meaningfulness of the results it generates.\ntracking changes to the risk assessment process over time is\nalso important, and often the \u2018future-proofing\u2019 aspect of\nrequirements of the tool are overlooked during the initial\npurchase because of the focus on achieving certification, or\nat least the implementation of an iso 27001-compliant\nisms. of course, normal due diligence analyses should also\nbe undertaken of the status of the supplier and manufacturer\nof the product to ensure that it is properly supported and\nlikely to continue to be.\nrisk assessments can be done without using such tools,\nalthough it can be difficult to demonstrate that the risk\nassessment produces comparable and reproducible results\nwithout one. 
a proper risk assessment in any business will\nbe very time", "7dd6321a-aa4f-4c94-9253-d4780fc5a297": "example, refers to the requirement(s) from section 4.1 in the main part of the standard.\nwe have taken the titles of the standard chapters and sections from the latest german draft version.\n! note on language: at the time of writing this book, both iso 27001/iso 27002 standards exist in english as well as in a german draft version. based on experience, it usually takes some time until the official german versions are published.\n\u00a9 the author(s), exclusively licensed to springer fachmedien wiesbaden gmbh, part of springer nature 2023\nh. kersten and k.-w. schr\u00e9der, [iso 27001: 2022/2023, edition ,\nhttps://doi.org/10.1007/978-3-658-42244-8 2\n32 2 requirements for the isms\nwe start with the commentary on chapter 4 of the standard, skipping 0 to 3: these are only\nan introduction, a description of the subject of the standard,\nas well as two references to the iso/iec 27000 series of standards.\n> important\nwhere changes have been made compared to the previous version of the standard,\nwe point this out in", "4f43b0ce-be97-49cd-a3fb-76c541a6df34": "reliable time source. a uniform time in all systems of a large it landscape is almost indispensable. for legally relevant recordings, the legally recognized time (dcf77 signal of the ptb) in germany should be used.\n- records only make sense if they are available at the time of evaluation. measures must therefore be taken\nsetting up parallel storage of data at least two physically separate locations, establishing backup and archiving procedures.\nfor the purpose of analysis, it can be helpful to have software tools available that can filter the desired information from the records and, if necessary, draw automated conclusions. in managing records in databases, this can easily be achieved through query procedures.\nit may be useful to bind the right to analyze certain records to specific roles or individuals. 
furthermore, it should be considered whether legally relevant records should only be evaluated and assessed using the principle of dual control - for example, to prevent future doubts about the results", "a418494b-1cdb-469c-a651-dab4307ae7be": "technology officer, and\nthe chief information security officer.\ninformation security department members: this includes the\ninformation security manager, team members, and department\nheads of any departments that are part of the implementation. the\ninformation security department members schedule a meeting with\nthe department heads to define their scope of work and determine\nwhat standard operating procedures they use on a daily basis to\nperform their tasks.\nduring such discussions, you can use a checklist or questionnaire to collect the\ninformation. this will help you conclude whether the collected information is important\nfrom a business point of view and can be placed under the crucial category. that is why\nthis chapter discussed business context. 
you need to understand the business context in\norder to understand the systems and processes that you use in your organization.\nonce all these department discussions are done, the team makes a collective\ndecision to", "f586e1a3-6399-4de9-bc7d-3f427fade670": "consider when reviewing the policy, but the\niso 27001 standard states that the management review meeting results should be\nconsidered.\nevidence that can be prepared: all the revised policies must be reviewed at regular\nintervals and the revised policies must be approved by management.\nwho prepares it: the information security department will facilitate with relevant\ndepartment heads to ensure their policies are reviewed on regular, defined intervals.\nfor external audit: an external auditor conducting the iso 27001 certification audit\nwill check that all the policies have been reviewed at regular intervals, as well as have\nbeen approved and communicated to employees and external stakeholders.\nchapter 6 execution\na.6 organization of information security\na.6.1 internal organization\nobjective: to establish a management framework to initiate and control the\nimplementation and operation of information security within the organization.\nexplanation: before you initiate the iso 27001 implementation in
these acceptance tests should never be performed in a production environment, but in a test environment that corresponds as closely as possible to the future real-life environment.\nan extension of the acceptance procedures concerns the compliance with security requirements during productive operation: if compliance with the requirements can be demonstrated over a defined period of operation (\"trial operation\"), a so-called system accreditation is granted.\na-8.30 outsourced development\nif the development of a system", "17fee279-9c53-4ae2-8903-8cd90059c78a": "if there are safety-related incidents and reporting is required.\na-8.17 clock synchronization\nmany information processing systems and facilities have an internal system clock, whose time values are used, for example, in recordings or as a basis for time-controlled processing.\nas already explained in a-5.33 and a-8.15, a consistent time is essential in an it landscape in order to compare records, schedule cross-system events, and analyze incidents. therefore, all systems within an organization should regularly synchronize with a common time source, if they are technically capable of doing so.\nwhat can be considered as a time source? examples:\nthe system clock of a designated it system in the intranet, such as a router, can be used as a time base - if the goal is simply to provide a consistent time throughout the intranet and it doesn't matter if it is precise or slightly off by fractions of seconds. 
occasional checking of this simple time base is necessary.\ntime information can be obtained from", "1733ee83-2fd5-4dd7-b376-a9f57f0c9798": "(special case of the control in the project)\nutilized systems)\na-5.9 x 8.1.1\n8.1.2\na-5.10 xx x 8.1.3\n8.2.3* *also applies to\nunclassified information\na-5.11 x x 8.1.4 not only at termination,\nbut also at changes\na-5.12 x x 8.2.1 expanded objectives for\nclassification, occasions\nsummarized\na-5.13 8.2.2\na-5.14 xx x 13.2.1\n13.2.2\n(13.2.3) (special case: electronic\nmessage transmission)\na-5.15 xx x 9.1.1\n(9.1.2) (special case: network and\nnetwork services)\na-5.16 x 9.2.1 full lifecycle of\nidentities\na-5.17 x 9.2.4\n9.3.1\n(9.4.3) (special case: passwords)\n(continuation)\n248\ntab. 4.1 (continuation)\n4 schedule for transition to the new standard\ncontrol a b cc old controls comments\na-5.18 x 9.2.2 reference to policy for\n9.2.5* access control\n(9.2.6) *asset owner\nremoved\n(special case: termination of\nemployment/service)\na-5.19 xx (15.1.1) generalized\n(special case: only in\nagreements)\na-5.20 x 15.1.2\na-5.21 x (15.1.3) new comprehensive\nwording\n(special case: consideration only\nin agreements)\na-5.22 x", "76404f60-8111-4607-8427-62a7efe85424": "80, traditionally enabled on 99.9 per cent\nof firewalls to run http). this means that a diversity of media types try to\nnavigate port 80, making it difficult for firewalls to filter out malware or to\ncontrol access to specific data channels. of course, as new applications are\ndeveloped and firewalls lag behind in their ability to handle the new applica-\ntion effectively, so organizations will take increasing risks by opening their\nfirewalls anyway \u2014 particularly where the application is considered critical\nto the business.\nthe risk from hackers is growing all the time. there was a detailed discus-\nsion of the world of hackers in the context of access control, and this is also\nhighly relevant to the consideration of e-commerce. 
organized crime, as was\ndescribed in chapter 1, is turning to the internet and e-commerce as a lucrative business area; the growth of phishing, pharming, website drive-by\nattacks and increasingly sophisticated spam mail are some of the most visible and high-profile indicators of
this includes security professionals, as well as other employees who have a role to play in information security, such as it staff, line managers, and employees with access to sensitive information. * infrastructure: the organisation needs to have the necessary infrastructure, such as it systems and facilities, to support its isms. this includes hardware, software, and physical security measures. * financial resources: the organisation needs to have the financial", "43946d1c-0f7d-4d6e-af9e-a8b795130f1b": "clear screen\nrelevant toolkit documents\n* clear desk and clear screen policy\nthis control requires that screens are locked when not in use (that is, they display a screen\nsaver) and desks are kept tidy with sensitive information locked away.\nin many organizations the adoption of a clear-desk policy can be challenging, and the cost of\nadditional secure storage can add up. remember, however, that the policy is likely to only\napply to items of a certain security classification, so publicly available information may still\nbe sited on desks.\n4.3.8 a.7.8 equipment siting and protection\nrelevant toolkit documents\n* this control is addressed by documents in other folders - see toolkit index\nif you have equipment that is outside of a typical office environment (perhaps a public kiosk\nor ict equipment in remote locations) it may be that you will need to consider how best to\nprotect the kit and the information it processes from a number of threats. 
these threats\ncould include environmental damage perhaps due to", "e34b7081-0df8-4197-bd01-4be47ad95fa5": "addition to the general guidelines from a-5.1, the following points should be addressed from the perspective of teleworkers:\n- fundamentals such as working hours and availability regulations\n- scope for teleworking (where it can and cannot be used)\n- approval process for teleworking from the perspective of employees\n- opportunities/obligations regarding training and education before and during the use of teleworking\n- process for providing teleworking systems and other tools\n- obligation to supervise the issued teleworking systems and facilities by the teleworkers\n- exclusive use of teleworking systems intended for official use for mobile/home offices\n- prohibition of unauthorized use of teleworking systems, e.g., by family members, visitors, colleagues, or contractors in the vicinity\n- special requirements/settings for routers and access points in home offices, as well as the use of hotspots while traveling\nbefore starting work in a mobile/home office, the work environment must be checked for compliance with all security", "f90b2243-ab2a-49a5-98cd-5a738c991bc5": "iso/iec 27002:2022(e)\npurpose\nto maintain the security of information transferred within an organization and with any external\ninterested party.\nguidance\ngeneral\nthe organization should establish and communicate a topic-specific policy on information transfer\nto all relevant interested parties. rules, procedures and agreements to protect information in transit\nshould reflect the classification of the information involved. 
where information is transferred between\nthe organization and third parties, transfer agreements (including recipient authentication) should be\nestablished and maintained to protect information in all forms in transit (see 5.10).\ninformation transfer can happen through electronic transfer, physical storage media transfer and\nverbal transfer.\nfor all types of information transfer, rules, procedures and agreements should include:\na) controls designed to", "b10f2b4d-cdbe-487e-9bcb-f4488568eea6": "according to the ds-gvo, in addition to risk analysis, a data protection impact assessment (dpia) is required, among other things, for high risks. as a result of this dpia, the processing of the data under consideration may generally be permissible, permissible only with additional measures, or not permissible at all.\nchoosing suitable toms: according to the standard data protection model (sdm), a protective need for the respective data processing is determined with regard to the data protection objectives. for \"normal\" protective needs, the modules of the sdm can provide measures to fulfill the objectives - similar to the it baseline protection of the bsi. if the protective need is higher, these measures must be supplemented.\nmeasures should be strengthened or replaced by more secure measures.\noption of considering additional standards: the iso 27018 standard addresses data protection for cloud service providers (as data processors), but does not fully cover the gdpr. 
certifications according to this", "4d90dd3c-c4cb-4134-b640-4e028b230553": "your systems in all the scenarios, so the focus must be more on prevention\nmethods.\nconsider the following points when implementing the controls:\n* the organization should define a policy to communicate to the\nemployees/contractors that the use of any unauthorized software/\ntools is prohibited.\n* use controls that help in the prevention and detection of\nunauthorized software.\n* use controls that help in the prevention and detection of websites\nthat are malicious or could spread malicious content, i.e. sites that\nare blacklisted.\n* install malware detection software to prevent and block malware\nthreats. as a preventive measure, schedule the scan of all computer\nsystems and media to detect malware. scan files received over the\nnetwork or through storage media, email attachments, and web\npages. regular updates to the software should be done to address the\nlatest malware threats.\n* plan and perform the regular reviews of your organization\u2019s systems\nto check whether any", "01efe271-e088-419f-9f45-07ff1da0f28b": "protection\ncontrol\nphysical and logical access to diagnostic and configuration ports shall be controlled.\na.11.4.5\nsegregation in networks\ncontrol\ngroups of information services, users, and information systems shall be segregated on\nnetworks.\na.11.4.6\nnetwork connection control\ncontrol\nfor shared networks, especially those extending across the organization\u2019s boundaries, the\ncapability of users to connect to the network shall be restricted, in line with the access\ncontrol policy and requirements of the business applications (see 11.1).\na.11.4.7\nnetwork routing control\ncontrol\nrouting controls shall be implemented for networks to ensure that computer connections\nand information flows do not breach the access control policy of the business\napplications.\na.11.5 operating system access control (iso 
27001:2015, version 2015)\nobjective: to prevent unauthorized access to operating systems.\na.11.5.1\nsecure log-on procedures\ncontrol\naccess to operating systems shall be controlled by a secure", "65dc2c1c-d4a2-4fd0-89d6-cf6f94ed0bc0": "arrangements. (it is for the certification body to\ndetermine exactly what it requires in order to be convinced of the establish-\nment, effectiveness and ongoing arrangements for internal isms audit and\nmanagement review, aspects it is required to confirm prior to issuing a certif-\nicate, and hence possibly something worth asking when selecting your\ncertification body.)\nthe level of preparedness for an audit should then be assessed by carry-\ning out a comprehensive review. the detailed work should be carried out by\nthe information security adviser and by the quality function, and this should\nall be reviewed by the management information security forum. a compre-\nhensive review could use this book, starting with chapter 4, and question\nthe extent to which adequate steps have been taken to implement the vari-\nous recommendations.\nthe statement of applicability (soa) needs particularly detailed review.\nit should be possible to identify the extent to which each of the controls\nidentified as necessary has been", "95555e4f-2a3b-4087-a8d3-535f6d4521a4": "guidance.\n\u00a9 iso/iec 2010 \u2014 all rights reserved 17\niso/iec 27003:2010(e)\noutput\nthe deliverables of this activity are:\na) description of physical boundaries for the isms, including any justifications for the exclusion of physical\nboundaries under the organization\u2019s management that have been excluded from the isms scope,\nb) description of the organization and their geographical characteristics relevant to the scope.\nother information\nno other specific information.\n6.5 integrate each scope and boundaries to obtain the isms scope and boundaries\nactivity\nthe isms scope and boundaries should be obtained by integrating each scope and 
boundaries.\ninput\na) output from activity 5.3 define the preliminary isms scope - the document for the preliminary scope of\nthe isms\nb) output from activity 6.2 define organizational scope and boundaries\nc) output from activity 6.3 define information communication technology (ict) scope and boundaries\nd) output from activity 6.4 define physical scope and", "32fe9ed4-aa09-4c14-84f4-92e5e2715157": "fundamentally different from the combined\ncode, and from codes of corporate governance adopted elsewhere in the\noecd, in that compliance is mandatory, rather than \u2018comply or explain\u2019.\nthis aspect, combined with significant potential sanctions for individual\ndirectors, drives sox compliance requirements through the supply chain to\norganizations not directly subject to its requirements.\nwhile the act lays down detailed requirements for the governance of\norganizations, the three highest-profile and most critical sections \u2014 which\nwere implemented in phases \u2014 are 302, 404 and 409 (see table 2.1).\nthe sec, which is responsible for implementation of sox, has relevant\ninformation available at https://www.sec.gov/info/smallbus/404guide/intro.\nshtml (archived at https://perma.cc/s5bsz-58vq), and the sarbanes-oxley\nwebsite itself is at https://sarbanes-oxley-101.com (archived at https://\nperma.cc/2afs-guya).\ninternal controls and audit\nunder sox, managers are required to certify the company\u2019s financial\nreports, and", "5731d60e-40a1-4dae-88b6-8a84e704a0ab": "27001)\nequipment, information, or software should not be taken off-site without prior authorization.\nexplanation/what is required: this is the security of equipment and any\ninformation or other equipment should not be taken off-site without authorization or\napproval from the relevant departments. 
some key points for consideration are:\n* when equipment is transferred to individuals or vendors off-premises, a log document should be maintained.\n* organizational equipment and media devices should not be left\nunattended in public.\nevidence that can be prepared: gate pass for equipment taken off-premises.\nwho prepares it: the it team, along with the admin team, is responsible for\nsecuring the removal of assets.\nfor external audit: the external auditor conducting the iso 27001 audit may ask for\nthis evidence.\na.11.2.7 secure disposal or reuse of equipment (control iso 27001)\nall items of equipment containing storage media should be verified to ensure that any\nsensitive data and
in this regard, it should also be determined which records should be archived over which periods of time.\nonce the planning outlined above has been approved for implementation,\n- the individuals responsible for incident handling must be instructed or trained accordingly and equipped with the necessary tools (e.g.", "1841b692-6808-4d24-89c9-cb4872134d81": "27001 standard\ndefines which documents must exist at a minimum.\nan isms provides a structured approach to integrating information security\ninto an organization\u2019s business processes\u2014thus helping to effectively manage\nand minimize risks, increase the organization\u2019s resiliency, and ensure the\nconfidentiality, integrity, and availability of organizational and customer\ninformation.\n## how much does iso 27001 certification cost, how long will it take, and how\nlong is it valid?\nmuch like the process of going through a soc 2 audit, the cost of obtaining\niso 27001 certification varies depending on organization size and number of\nemployees, which in turn helps determine the time it will take to audit the\norganization. **iso 27001 certification costs can range from $6k\u2013$10k for\nsmaller companies, to upwards of $25k for large companies.**\ndepending on the size of an organization, implementation of an isms based on\niso 27001 can be complex, involving a variety of activities and people; the\nproject can last for", "6e5674ca-b57b-4378-9315-03997a7ced44": "and\nshows your dedication to maintaining the highest standards of information\nsecurity. it also increases the value of your brand, resulting in a win-win\nsituations.\n## our checklist: how to achieve iso 27001 compliance even if they are not seeking official certification, there is always the\noption for organisations to pursue compliance with the iso 27001 standard\nrequirements. 
the following list shows the best practices you can implement to\nachieve this and can be used very well as a checklist:\n * talk to your stakeholders to understand their information security expectations. * define the scope of your isms and the information security measures you will implement. * define a clear security policy. * conduct a risk assessment to identify any existing and potential risks to your information security. * implement measures and risk management methods that set clear objectives. * regularly evaluate the effectiveness of your information security practices and conduct", "f15fe5cf-f57a-4398-8228-ca490ad154a3": "recommended for external aspects - more on this in the following section on isms-4.2.\nisms-4.2 - understanding the needs and expectations of interested parties\nwhen it comes to external aspects of contextual information, it may be easier to compile a list of relevant interested parties. for each party on the list, it is then necessary to examine whether they are actually relevant to our isms:\ndo we want or need to consider their goals and expectations in our isms?\nif the answer is yes, we then collect all available contextual information on each party: instead of conducting numerous conversations (as with internal aspects), we evaluate existing contractual agreements, legal texts, requirements, guidelines, etc. to obtain contextual information - of course, this does not exclude direct conversations with \"important\" clients and partners.\nguidelines for implementing isms-4.2\nafter creating a list of potential interested parties, we examine each party on the list to determine if they are truly relevant to", "de1b9464-6884-4ced-85a9-2bbd974b4ad4": "control as they are a clear target for hackers. this will\ninvolve a process of understanding who holds them, validated such access and reviewing it\non a regular basis. 
the use of mfa (multifactor authentication) for these accounts is a must\nand will be expected by the auditor.\n4.4.3 a.8.3 information access restriction\nrelevant toolkit documents\n- dynamic access control policy\nalthough it is closely related to control a.5.15 access control, this control specifically refers\nto the use of dynamic access management techniques which are associated with\ninformation even when it leaves the confines of the organization. this allows the\norganization to control what is done with the information (such as printing or copying) and\nto change levels of access even after the information has been distributed.\n4.4.4 a.8.4 access to source code\nrelevant toolkit documents\n- this control is addressed by documents in other folders - see toolkit index\nif your organization undertakes bespoke software development, you will", "f198aefb-8f50-4248-9131-5a4253bc4b7f": "to\nnetworks as a result of viruses (written to be innocuous to handhelds but\ninfectious to desktops and networks) that are transmitted to networks by\nhandhelds when users synchronize pdas and pcs. handhelds that have\nwireless connections to the internet can be used to mount denial-of-service\nattacks, and could be used for defrauding phone networks or other malicious activity.\na bigger issue for smartphone users is the ease with which they can be hacked,\nand the extent to which personal data \u2014 text messages, website transactions,\nlocation, etc. - can be gathered by an attacker who has named a wireless\nnetwork with something sufficiently similar for all nearby mobile devices\nthat are set to \u2018automatically join networks\u2019 to join the attacker\u2019s. 
while this\nshould properly be dealt with as part of the access control processes, it is\nimportant to recognize the seriousness of this threat for what it is.\nmost users of handhelds are relatively unsophisticated in their understanding of malware and security issues and", "a1d37719-f8c5-4c6d-a1c3-3e01a6ad0f70": "personnel involved in the development activity;\n- regular back-ups of the environment, but stored elsewhere and with\ndifferent access restrictions.\noutsourced development\ncontrol 14.2.7 of iso27002 says the organization should apply controls\nthat will make outsourced system development secure. where the organization cannot help itself by using vendor-developed software and must have its\nown developed, there are a number of measures that iso27002 recommends\nit should introduce to try to protect itself during a process over which it has\nlittle direct control.\nthe issues that it must consider, only some of which can be incorporated\ninto a contract (others will require expert supervision that the organization\nmight not have in-house), are as follows:\n- licensing, code ownership and intellectual property rights;\n- certification (possibly by a third party) of the quality and accuracy (code\nreview) of the work done;\n- escrow arrangements (particularly for the source code) in the event of the\ndeveloper\u2019s", "0dea6229-d68a-4ae4-9b68-c1ad50175855": "media in accordance with the\nclassification scheme adopted by the organization.\nchapter 6 execution\nexplanation/what is required: this control focuses on the management of\nremovable media. the procedure should be defined to protect and manage removable\nmedia. 
the following points should be considered:\n- all the removable media should be stored in a safe and secure\nenvironment.\n- to reduce the risk of data damage, there should be multiple media\ndevices to store business-critical data/information.\n- confidential information should be protected with a cryptographic\ntechnique.\n- restrict the use of external drives such as hard disks, stick\ndevices, etc.\nevidence that can be prepared: prepare the procedure for the management of\nremovable devices.\nwho prepares it: the it team is responsible for records related to media transfer.\npolicies should also be defined and implemented with the support of the information\nsecurity team.\nfor external audit: the external auditor will look for this", "f57b0154-34d2-4f0f-9031-80a2511cab91": "primarily geared towards remedying defects. if checks are to be accepted, it is important\nthat this motivation is recognised by all those involved as being the objective of the checks. it is important to\ndiscuss possible solutions to problems with participants during a check and to pre-prepare appropriate\nremedies.\nchecks should be carefully prepared so as to ensure that they can achieve their goals as efficiently as possible\nwhile at the same time causing as little disruption as possible to the work routine. the general implementation\nof checks should be coordinated in advance with management. the design activities may be concluded in\nthree different basic forms:\n- incident reports\n- verification or non-conformity of control functionality\n- other regular checks\nfurther, it should be defined how the results of these activities are recorded and how the information is\ngiven to management. 
formal documentation should describe the design and cover the principal\nactivities and their purpose, as", "76dad14b-c071-4b1d-8314-d80fb8e2060e": "fraudulent transactions, and how is insurance\nto be dealt with?\nas can be seen, these questions and the controls they should instigate are\nspecifically designed for business-to-business (b2b) commerce; trading\nit governance\npartners should incorporate their answers to these questions into an agreement between them. trading partners operating through an internet\nexchange or via an extranet also need to resolve these issues. many, but\nnot all, of the issues listed above can be solved by implementing effective\ncryptographic controls. cryptographic controls, encryption, digital signatures, non-repudiation services and key management are the subjects of\ncontrol 10.1 of iso27002.\nthese controls need to be extended to cover business-to-consumer (b2c)\ncommerce for all organizations that sell via the web, particularly in respect\nof the implications of data protection legislation, phishing attacks and credit\ncard fraud. the organization also needs to determine which laws and jurisdiction apply to", "df1f0df8-f8a7-4baf-8d73-9787cfd67209": "following:\n- someone should be appointed to be specifically responsible for the\nsecurity of the web servers. this person should have adequate specialist\ntraining and should have available a completely up-to-date source of\ninformation about vulnerabilities, threats, attacks and defences.\n- the organization should run the most recent windows server and\nbrowser.\n- the more recent the version, the fewer the security-related bugs.\n- the organization should install the latest service pack (sp) on each\nwindows host that houses each windows server. 
service packs are\navailable, free, over the web from https://www.microsoft.com/en-us/download (archived at https://perma.cc/d8tf-z683).\n- the organization should install the latest hotfixes as soon as they become\navailable. these are usually also available directly from the microsoft\nwebsite.\n- the organization should avoid installing a windows server on the same\nphysical platform as a domain controller.\n- the organization should obtain", "ab19c50e-8eb0-4c29-8c26-d51db6af7794": "lines would also give rise to an\nassessed risk of \u2018high\u2019.\nthe qualitative methodology has been useful in enabling\ndifferent risks to be quickly assessed, and for comparative\nrisk assessment decisions to be made \u2014 without detailed,\nfaux-accurate calculations as to potential impact.\nboth risks fall outside the organisation\u2019s risk tolerance level,\nand both should be controlled. the organisation\u2019s risk\nacceptance criteria include the requirement that the cost of\ncontrol should be in line with the identified potential impact.\nbut how do we determine, in this example, how much to\nspend on implementation?\nboundary calculations\none approach is to calculate the risk value (risk = impact x\nlikelihood) at the borders of each risk level and for the\ninvestment criteria to be as simple as: spend no less than [the\nlower risk level] and no more than [the higher risk level].\neach level has an upper and a lower boundary, the point at\nwhich the risk shifts from being at one level to being at the\nnext. for example, the", "23d99f5f-7f96-4189-bf97-08992ca17524": "alliance (hitrust), the organization will need a\ncomprehensive system for each control area defined in the compliance category. the supplier relationships category will be relevant only to organizations\nthat work with suppliers. 
likewise, the physical and environmental security\ncategory will be irrelevant to a business that works remotely and relies\nsolely on cloud-based applications; however, that organization will need to\nimplement comprehensive controls in the access control and communications\nsecurity categories.\n## who should implement iso 27001 controls?\nbecause the iso 27001 control categories cover a wide range of business\nfunctions, personnel from different areas of the organization will need to\ncollaborate during the iso implementation process. if iso 27001 is to be\nimplemented by an in-house team, a dedicated iso 27001 lead must oversee the\nentire operation. specific iso 27001 control categories require certain roles to provide input\nand complete specific tasks. for example,\n * a", "e7d7f970-c2c5-4d50-a849-a5c331ba1dab": "outsourced products or services.\nby taking these steps, you can prepare the following documents:\n- scope document\n- statement of applicability\na well-defined scope provides assurance that all the important areas of your\norganization have been covered in terms of implementing security controls. it also helps\nto get everyone, including management, on the same page, with one common vision.\nif this is not handled properly, it may delay or extend the implementation timeline.\ndocumenting the organization\u2019s scope is one of the requirements of the iso 27001\nstandard.\nmany organizations have security departments, which are led by the chief\ninformation security officer (ciso). this person usually reports directly to the vice\npresident or managing director. the ciso has the authority to form a team to work on\nthe implementation of iso 27001. 
in general, the team includes the following members:\nsteering committee members: this includes the managing director,\nvice president, chief executive officer, chief", "440099e7-55a3-490c-bb30-2c8194c392ce": "inclusion in the supplier agreement.\n- information that will be shared with the supplier organization and\nthe methods to provide access to the information.\n- classification of information defined based on the classification\nscheme of your organization and the supplier.\n- all the legal and statutory requirements, including the intellectual\nproperty rights, must be clearly mentioned.\npolicies to be followed as required by the work scope and contract:\nit is important to include that your organization has the right to audit the supplier\norganization whenever there is a security incident, or any type of issue observed for\ninvestigation purposes.\nthere could be many more points that can be mentioned inside the agreement to\navoid any conflicts between your organization and the supplier. these are just examples\nfor reference purposes only. 
organizations may add more depending on their business/project scope.\nevidence that can be prepared:\n- supplier relationship policy\n- supplier", "b48039a3-f931-4910-b356-63d070b6aedd": "and\nstate-level entities, targeted at large corporations and foreign governments,\nwith the objective of stealing information or compromising information\nsystems, cyber attacks are, initially, automated and indiscriminate - any\norganization with an internet presence will be scanned and potentially\ntargeted.\nnot surprisingly, the pricewaterhousecoopers (pwc) global state of\ninformation security survey 2018 said that \u2018most organizations realize that\ncybersecurity has become a persistent, all-encompassing business risk\u2019. this\nis because the business use of technology is continuing to evolve rapidly, as\norganizations move into cloud computing and exploit social networks.\nwireless networking, voice over ip (voip) and software as a service (saas)\nhave become mainstream. the increasingly digital and inter-connected\nsupply chain increases the pressure on organizations to manage information\nand its security and confirms the growing dependence of uk business on\ninformation and information", "66007d14-e11f-4966-ab89-70b2c1e5a844": "for the isms\n> trailer\nchapters 4 to 10 of iso 27001 present the requirements for an isms, in textual form - which naturally allows for a certain degree of interpretation. 
before implementing these requirements, it is therefore advisable not only to read the texts but also to inspect explanations and implementation guidelines, as provided in iso 27002, other secondary sources, or even in this book.\nin this chapter, we will go step by step through all isms requirements from iso 27001: those who have access to the standard can directly compare all points!\nimportant: in this book, we use a number of terms (e.g., organization, risk assessment, information value, objectives, isms) that have a specific meaning in the iso 27000 series of standards - sometimes deviating from common usage. explanations and examples of such terms can be found in section 14 of this book.\nwhen referring to individual chapters or requirements from iso 27001, we use the chapter and section numbers of this standard: isms-4.1, for", "295b5bdc-0b4c-4c93-8e97-947c51078bf1": "data should be stored (storage location and medium), how the storage is done (e.g. open, encrypted, integrity-secured, multiple redundancy), and how long the data should be stored or retained (storage and archiving periods), who should have what kind of access, etc.\nwith this enumeration, we are already moving towards the management of documented information, which is the subject of the standard (in its main part) - we will come back to this in chapter 2.\n11. context\nevery organization operates in an environment that influences and controls its business and administrative activities. 
this includes legal requirements - from all countries in which the organization operates, as well as from supranational institutions - requirements from supervisory and reporting bodies, requirements and expectations from customers, business partners, and shareholders - and finally, the organization's own requirements, for example, regarding the improvement of products/services.\nin cross-border activities, cultural, social,", "6d039382-8f54-4dfb-9ece-a45edc07f90c": "communications strategy and ensuring that the whole\norganization is aware of the way in which information security is tackled.\nthere is a lot of overlap between the possible functions of the management\nforum and the cross-functional group described earlier in this chapter. an\nexternal certification auditor will want to know how the two key functions\n\u2014 coherent management of information security and coordination of infor-\nmation security-related activity \u2014 have been tackled. one route, clearly, is\n62\nit governance\nfor each forum to have very clearly differentiated functions and for the\nreporting lines between the two to be drawn very unambiguously.\nusefully, in all but the largest organizations these two forums can be\ncombined. practically, this is sensible, as otherwise the structural issues of\nrelating the two forums and of clarifying what issues are dealt with at which\nlevel can create unnecessary bureaucracy. 
where two separate groups are set\nup, the first to operate more at the strategic level and", "642fee47-6ee6-4c5d-8432-9bf739e2fcf9": "iso/iec 27002:2022(e)\nh) they are involved in the identification and management of risks associated with their asset(s);\ni) they support personnel who have the roles and responsibilities of managing their information.\nother information\ninventories of information and other associated assets are often necessary to ensure the effective\nprotection of information and can be required for other purposes, such as health and safety, insurance\nor financial reasons. inventories of information and other associated assets also support risk\nmanagement, audit activities, vulnerability management, incident response and recovery planning.\ntasks and responsibilities can be delegated (e.g. to a custodian looking after the assets on a daily basis),\nbut the person or group who delegated them remains accountable.\nit can be useful to designate groups of information and other associated assets which act together to\nprovide a particular service. in this case, the owner of this service is accountable for the", "fdf6cac7-1b23-4e70-ad21-de232392b778": "on the network.\nsignificant changes should be authorized by an entity such as the information security management forum or the it governance committee.\ncode changes to sensitive applications should be checked by a second\nperson. 
this could be required on something as simple as a set of changes\nto accounting or project codes as well as on more complex applications.\nthe implementation should be carried out in a way and at a time that\nminimizes business disruption and does not disturb the business processes.\nsystem documentation and user procedures should be updated as soon as\nthe change has been implemented, and the completion of this step should\nbe identified on the approval form.\nthere should be some form of version control for all updates (using the\nvendor numbering system for vendor software updates), and this should\nbe logged on a central register.\nan easy way back to the pre-change status quo (perhaps through the\nmost recent back-ups, or through the existing disaster recovery procedure)\nshould be", "d19c6a1d-f7f1-4aa3-a1ce-a9a57f9de024": "information**. this includes intellectual\nproperty, trade secrets, proprietary data, and other valuable assets. while\nthe specific term \"intellectual property\" may not be used, the principles of\ninformation security within the iso 27000 series standards are designed to\nencompass various forms of valuable and sensitive information, including\nintellectual property.\n## what is the iso 27001:2022 standard?\nthe iso 27001:2022 edition stands as the most recent iteration of iso 27001,\nthe global benchmark for information security management systems that you must\nadhere to receive your certification. if you\u2019re already certified and need to\ntransition to the 2022 iteration, then our iso 27001:2022 transition guide is\nyour go-to resource.\n## what is an isms?\nan information security management system (isms) provides a framework of\n**documented policies, procedures, and controls** designed to **mitigate\ninformation security risks**. 
once you\u2019ve built your isms, getting it\ncertified against an international standard", "a2921295-40f4-4d71-9675-87a7e333a46d": "training (see 6.3) by providing examples of what can happen, how to\nrespond to such incidents and how to avoid them in the future.\n\u00a9 iso/iec 2022 - all rights reserved\nother information\nthe iso/iec 27035 series provides further guidance.\n5.28 collection of evidence\ncontrol type: #corrective\ninformation security properties: #confidentiality #integrity #availability\ncybersecurity concepts: #detect #respond\noperational capabilities: #information_security_event_management\nsecurity domains: #defence\ncontrol\nthe organization should establish and implement procedures for the identification, collection,\nacquisition and preservation of evidence related to information security events.\npurpose\nto ensure a consistent and effective management of evidence related to information security incidents\nfor the purposes of disciplinary and legal actions.\nguidance\ninternal", "d5a683d3-0088-4123-8f68-f8f76ef48fe9": "significant culture change, and this could\nsignificantly contribute to improved security. of course, even in a small\norganization the fact that visitors have to wear badges acts as a deterrent\nto opportunist trespassers or intruders, as they will realize that they are\nobviously out of place without the appropriate visual \u2018stamp\u2019 of approval\n(assuming this control is implemented effectively and passes are retrieved\nfrom visitors and staff leavers who no longer have need for them).\n- all staff who might encounter visitors should be trained so that it is difficult for a social engineer to bypass physical security controls.\n- access rights to secure areas should regularly be reviewed, updated and,\nwhere necessary, revoked. 
this is particularly important for access rights\nto computer server rooms. the record should be reviewed on a regular\nbasis by the information security management forum, and a record of the\nforum\u2019s review should form part of the isms documentation.\n- third-party support personnel should", "09a600af-a0c4-471a-8a91-5c4f0d08c799": "data that is\ndesignated as part of your physical security perimeter.\n### **a.11.1.2 physical entry controls**\nonce you have established physical security perimeters, you are required to\ninstall entry controls to manage who may move between secure areas of the\npremises.\nhandheld metal detectors, walk-through metal detectors, swipe cards, and\nkeycodes are all options for gaining access to different areas of your\norganisation. different degrees of protection might be used in different\nsections of your organisation. the approach you take to build and administer\nsecurity restrictions should align with the significance of the data you are\nstoring.\n### **a.11.1.3 securing offices, rooms and facilities**\nannex a 11 focuses on an organisation's physical environment security (which\nmeans it does not just monitor the data it holds), but also focuses on\nsafeguarding where that data is stored.\nequipment containing sensitive information is kept in various rooms, offices,\nand facilities, and these locations may not", "9ad8970c-cec4-49b0-9b0a-de10b2560686": "rights\nsoftware:\nwidely-distributed software | corruption of data\napplying application programs to the wrong data in terms of time | corruption of data\ncomplicated user interface | error in use\nlack of documentation | error in use\nincorrect parameter set up | error in use\nincorrect dates | error in use\n\u00a9 iso/iec 2018 - all rights reserved\n
iso/iec 27005:2018(e)\nlack of identification and authentication mechanisms like user authentication | forging of rights\nunprotected password tables | forging of rights\npoor password management | forging of rights\nunnecessary services enabled | illegal processing of data\nimmature or new software | software malfunction\nunclear or incomplete specifications for developers | software malfunction\nlack of effective change control | software malfunction\nuncontrolled downloading and use of software | tampering", "edd89224-ef1c-4bd1-8773-4129efb74223": "consultation\nas figure 2 illustrates, the information security risk management process can be iterative for risk\nassessment and/or risk treatment activities. an iterative approach to conducting risk assessment can\nincrease depth and detail of the assessment at each iteration. the iterative approach provides a good\nbalance between minimizing the time and effort spent in identifying controls, while still ensuring that\nhigh risks are appropriately assessed.\nthe context is established first. then, a risk assessment is conducted. if this provides sufficient\ninformation to effectively determine the actions required to modify the risks to an acceptable level,\nthen the task is complete and the risk treatment follows. if the information is insufficient, another\niteration of the risk assessment with revised context (e.g. 
risk evaluation criteria, risk acceptance\ncriteria or impact criteria) is conducted, possibly on limited parts of the total scope (see figure 2, risk\ndecision point", "c77df136-cb6f-4db0-92e5-bceaa10f1ace": "the same time as\nthe information security policy is being drawn up, as set out in chapter 5.\nan effective information security management structure also enables the\nrisk assessment (to be discussed in chapter 6) to be carried out effectively.\nthe second control category in annex a to the standard, in clause a.6.1,\nis \u2018internal organization\u2019. controls are selected to meet business, regulatory\nor contractual requirements (the baseline security criteria), or in response to\nthe risk analysis (see chapter 6); there is a business requirement to put an\ninformation security management structure in place from the start of the\niso27001 project. the control objective of control a.6.1 is to \u2018establish a\nmanagement framework to initiate and control the implementation and\noperation of information security within the organization\u2019.\nthis objective encourages the creation of the management information\nsecurity forum identified in earlier versions of the standard. more importantly, it no longer prescribes any specific", "539f5e57-b405-45a5-bdbb-fd2e9c37c5c4": "authorization of the organization to monitor compliance with the prescribed measures in practice\n- reporting obligations in case of violation of the provisions of the agreement (e.g. unintentional disclosure of data)\n- agreements of this kind should be centrally managed and regularly checked to ensure they are current and appropriate.\n3 controls: requirements and measures\nthese points also apply if a separate nda is not concluded, but the confidentiality requirements are included in a more comprehensive contract. 
this could be useful for services such as outsourcing, cloud services, disposal of data carriers, etc.\nan alternative is to include the organization's security policy, for example, as an attachment to a contract. this naturally requires that the relevant data group is considered in the policy and that appropriate protective measures are specified. the overarching contract should then include a sentence stating that the security policy applies.\nwhich mentions and makes the guideline", "c5fe7d67-2752-410b-abc4-80500bfe5f49": "iso 27001 is an international standard that provides a framework for managing\ninformation security. it is designed to help organisations protect their\ninformation assets from a variety of threats, including unauthorized access,\nuse, disclosure, modification, or destruction.\nclause 8.2 of iso 27001 is concerned with information security risk\nassessment. this clause requires organisations to identify, assess, and\ncontrol the risks to their information assets.\n## what is iso 27001 clause 8.2 information security risk assessment?\niso 27001 clause 8.2 is titled\n\"information security risk assessment\". information security risk assessment\nis a critical process for any organization that wants to protect its data and\nsystems. by identifying and assessing risks, organizations can take steps to\nmitigate them and prevent security incidents from occurring. a risk management\nprocess should be:\n * systematic\n * documented\n * regularly reviewed and", "f322baac-3355-4edd-a17f-b82ab819bbe1": "file\n(a document or executable file) to carry each copy. it may or may not have\na \u2018payload\u2019: the ability to do something funny or destructive or clever when\nit arrives.\na worm, however, is autonomous. it does not rely upon a host file to\ncarry it. 
it can replicate itself, which it does by means of a transmission\nmedium such as e-mail, instant messaging, internet relay chat, network\nconnections, infected websites, etc. polymorphic worms are designed to\nevolve in the wild, to more effectively overcome evolving virus defences.\na trojan is hostile code concealed within and purporting to be bona fide\ncode. it is designed to reach a target stealthily and be executed inadvertently.\nit may have been installed at the time the software was developed; it is often\nthe payload of an e-mail attachment or is designed to infect the computer of\nsomeone who clicks on a link in a phishing e-mail. the objective is often to\nachieve control over the target system.\nrootkits are pieces of software installed at the root of a", "30876d23-bfc9-4a8d-a78f-702daf142f3f": "restrictions on the usage of cryptography;\nd) mandatory or discretionary methods of access by the countries\u2019 authorities to encrypted\ninformation;\ne) validity of digital signatures, seals and certificates.\nit is recommended to seek legal advice when ensuring compliance with relevant legislation and\nregulations, especially when encrypted information or cryptography tools are moved across\njurisdictional borders.\ncontracts\ncontractual requirements related to information security should include those stated in:\na) contracts with clients;\nb) contracts with suppliers (see 5.20);\nc) insurance contracts.\nother information\nno other information.\n5.32 intellectual property rights\ncontrol type: #preventive\ninformation security properties: #confidentiality #integrity #availability\ncybersecurity concepts: #identify\noperational capabilities: #legal_and_compliance\nsecurity domains: #governance_and_ecosystem\ncontrol\nthe organization should implement appropriate procedures to protect intellectual property", "8c555cbb-aa1c-440b-bc9a-995f0089a9bf": "standard also requires that the way in which the isms fits in with the controls already in\nplace within the organization such as corporate risk management, business strategies and\npolicies is defined and that all interested parties are identified, together with their relevant\nrequirements, such as legal, regulatory or contractual obligations.\none of the items that should be defined and documented is the organization\u2019s risk appetite.\nthis refers to the overall attitude to risk; is the organization risk-averse and therefore wants\nto minimize risk at every level? or is the attitude that of high risk/high reward where not\neverything will work out well but enough will deliver results to keep the company going? or\nis it somewhere in between?\nthis needs careful consideration and discussion with top management; unless the\norganization is obviously very conservative or obviously very \u201chigh stakes\u201d the answer is\nprobably somewhere around the middle. this factor is used later when deciding what to do\nabout risks", "30b789d0-a623-4df0-bdb4-41ff328c59b6": "united kingdom, numerous accredited certification bodies for iso 27001\nexist. these bodies have undergone scrutiny and accreditation by ukas, the\ncountry's national accreditation authority. ukas guarantees organisational\ncompetence and adherence to the highest standards, utilising a thorough audit\nprocess to ensure compliance.\noften, certain contractual agreements require an official accredited\ncertification. 
apart from this, **achieving an accredited certification is\nhighly recommended** \u2014 you can use it in your communications towards customers\nand have an external party assess your information security to check that your isms is\nin order.\nwe strongly **recommend seeking certification exclusively through accredited\nbodies**. business partners often do not acknowledge certifications lacking\nconfirmation from an international accreditation body. in fact, most contracts\nmandating iso 27001 certification implicitly refer to certification by an\naccredited body. read more about accredited bodies here.\n## conducting a", "9c6f0ca9-7662-4487-a8fb-514338238b90": "language and conceptual basis for information security, making it easier to\nplace confidence in business partners with a compliant isms, especially if they require certification\nagainst iso/iec 27001 by an accredited certification body;\nincrease in stakeholder trust in the organization;\nsatisfying societal needs and expectations;\nmore effective economic management of information security investments.\nisms family of standards\n5.1 general information\nthe isms family of standards consists of inter-related standards, already published or under\ndevelopment, and contains a number of significant structural components. 
these components are\nfocused on:\nstandards describing isms requirements (iso/iec 27001);\ncertification body requirements (iso/iec 27006) for those certifying conformity with\niso/iec 27001; and\nadditional requirement framework for sector-specific implementations of the isms (iso/iec 27009).\nother documents provide guidance for various aspects of an isms implementation, addressing a", "c36b2a9a-1470-4c8a-b7a5-5ce4c7c621fe": "functionality.\nthere are two main controls under annex a 11 that define the main reasons why\nit must be implemented in an organisation.\n## what is the objective of annex a 11?\neach of the two main controls under annex a 11 have similar but different\nobjectives.\nthe two main controls are: a.11.1 secure areas and a.11.2 equipment.\n### **objective of a.11.1 secure areas**\nphysical and environmental security are at the core of annex a.11.1. the\nobjective of this control is to prevent unauthorised physical access and\ndamage to the organisation's stored data.\n### **objective of a.11.2 equipment**\nequipment is equally important as secure areas of annex a.11.2. the objective\nof this control is to avoid asset loss, damage and or theft as well as\ndisruption of business activities.\n## what is physical and environmental security?\nphysical and environmental security refers to the precautions put in place to\nprotect systems, buildings, and supporting equipment against physical threats.\nit refers to the", "bb08096a-5d54-4790-9249-3c7328aebdc5": "those in annex a as a\ncheck to confirm that no necessary\ncontrol has been overlooked\nrelevance of the soa to certification audits\nthe soa is a principal driver of certification audits. 
common practice amongst\ncertification bodies is to devise an assessment programme that covers all the\ncontrols in annex a as well as the isms requirements (i.e., iso/iec 27001 clauses\n4-10).\nit is important to realise, however, that the controls in iso/iec 27001 annex a are\nnot requirements, albeit the necessary controls in the soa are organisational\nrequirements. the iso requirement (clause 6.1.3 c)) is the comparison process.\nmoreover, there is no requirement to express the organisation\u2019s necessary controls\nin terms of the annex a controls. that means:\na) the soa does not need to have the same structure as annex a.\nb) provided that there are no unnecessary controls in annex a, the soa does\nnot have to contain any annex a controls (otherwise the soa will have to\nidentify and justify those that are unnecessary).\nhowever,", "9e633911-1d9b-4400-af40-43ee3b9e3fc3": "standard until april\n2024, if you wish to do so.\ncomplying with the new 2022 standard is bound to save your organisation\nresources and frustrations. this is why we recommend transitioning sooner\nrather than later.\n* * *\n## what are the benefits of getting iso 27001 certified?\nthe benefits of implementing iso 27001 are plenty \u2014 both for your business and\nexternal parties and stakeholders. 
here's an overview of the most important\nones:\nthe benefits of achieving iso 27001 certification:\n * your company or organisation can avoid significant financial losses caused by ransomware attacks.\n * win more deals; having a certified information security system can set you apart from the competition and win trust among potential customers.\n * you may be able to secure investment more easily; investors are becoming more and more aware of the threats ransomware attacks have.\n * by getting certified, you can experience increased customer trust because, nowadays, tech-savvy customers want to know how you handle data", "69b9ea27-4c4b-406b-aa77-45fd54ee37c8": "the\ndevelopment and maintenance of bcps, including information about\n1so22301 and various tools and standards which can be used in creating\niso27001-compliant contingency plans and which can be adapted to the\nneeds of the organization.\ninformation security continuity\nthe key is027002 control objective, at 17.1 is to embed information secu-\nrity continuity into the organization\u2019s business continuity management\nit governance\nsystem (bcms), to be sure that, in any situation where the bcms was\ninvoked, information security would be a natural part of the process. for\nexample, the bcms might require that, in the event of a fire alarm, all the\ninternal electronic doors automatically unlock and open themselves; the\nisms should require that access to sensitive information in what are still\nofficially secure areas should continue to be restricted.\nthere are three specific controls that talk to this control objective: plan-\nning, implementing and verifying.\ncontrol 17.1.1 says the organization should determine", "4bbc873e-a7eb-44aa-827f-7735ea04d259": "normal operation.\nin the context of personnel deployment, it should also be taken into account that training may be required to build missing qualifications and expertise. 
this is particularly true for the initial planning/implementation phase, but may also arise repeatedly later when hiring or transferring personnel.\nin the context of processes such as risk assessment, incident management, and change management, tools could be used - the costs for their acquisition and the effort for their integration should be determined or estimated.\nin the implementation of controls in the risk treatment plan (rb plan), very different resources are used:\n- commissioning of service providers for security-related tasks that cannot or do not want to be carried out internally - costs are to be determined based on effort or contractually agreed lump sums.\n- procurement of new technical components and systems to improve security - financial resources are required for procurement and maintenance.\n- measures for", "2244fc27-bfd1-4afd-962e-6f11a40ff47c": "departments.\n**coordination and documentation of the guideline on information security**\nthe objectives which your company seeks to achieve with your isms should be\nclearly defined in the guideline on information security. this document should\nalso demonstrate why information security is a top priority in your\norganisation, and that management is responsible for the guideline.\nthis does not have to be formulated by management themselves but must always\nbe approved by the necessary stakeholders. the iso standard already specifies\nthe following information security objectives:\n * data confidentiality\n * data availability\n * data integrity\n**definition of risk assessment and risk management methods**\nyou will need to identify your company\u2019s risks, assess them individually and\ndefine an appropriate methodology for risk management. 
the assessment should\nalways be carried out by the respective risk owner and should ultimately be\napproved by management.\nin addition, this area should be coordinated within", "7fc7bb88-77af-4ac9-97e7-30f321e45665": "target\nconfiguration or by manual analysis of the deviation followed by corrective actions.\nother information\ndocumentation for systems often records details about the configuration of both hardware and\nsoftware.\nsystem hardening is a typical part of configuration management.\nconfiguration management can be integrated with asset management processes and associated tooling.\nautomation is usually more effective to manage security configuration (e.g. using infrastructure as\ncode).\nconfiguration templates and targets can be confidential information and should be protected from\nunauthorized access accordingly.\n96 \u00a9 iso/iec 2022 - all rights reserved\nhochschulbibliothekszentrum des landes nordrhein-westfalen (hbz)\n09/06/2023 15:30:34\n8.10 information deletion\ncontrol type information\nsecurity properties\n#confidentiality\n#preventive\ncybersecurity\nconcepts\n#protect\niso/iec 27002:2022(e)\noperational\ncapabilities\n#information_pro-\nsecurity", "b317864d-228d-44a3-95ac-7fed74cf2452": "transfer of information between your organization and external party. that way,\nthey become responsible and liable to protect your organization information from any\ninformation security breach. points to consider for framing the agreements are:\ne the responsibilities of management in controlling and transfer of\ninformation\ne the act of tracing the information from the source to destination\n185\nchapter 6 execution\ne standards to follow for information packaging. for example, if\ncourier services are required, what security standards will the courier\nfirm follow to secure your information.\ne ifthere is a security incident, how will issues be addressed, including\nany liabilities to be paid.\ne ensuring information classification is understood. 
the information\naccess control levels must be agreed on by your organization and the\nexternal party.\nevidence that can be prepared:\ne information transfer policy\ne information transfer agreements\nwho prepares it: the information security team facilitates in", "2832d92e-e24b-43f4-b3df-67eb20ed483a": "of the isms. this is done every year.\n * recertification audit: this is necessary to keep your certification and covers all aspects of the standard and must be carried out every 3 years.\n## how long does it take to get ready for an iso 27001 external audit?\ndepending on the size of your company or organisation, you can be audit-ready\nin about 8 weeks. if you decide to go the manual route of building your\ndocumentation from scratch, it can take at least approximately 4 months.\nthere are a few main requirements you need to fulfil to obtain your iso 27001.\nto help you with it, we\u2019ve compiled a series of checklists which outline\neverything you\u2019ll need for your certification.\n * **1 to 20 employees - up to 3 months**\n * **20 to 50 employees \u2013 3 to 5 months**\n * **50 to 200 employees - 5 to 8 months**\n * **more than 200 employees - 8 to 20 months**\nit is also important to take into account several other variables that may\naffect the time it takes for you to obtain the certification.\n * the number of", "ea9815e8-5286-40eb-b825-6cbf5da6db57": "security assessments (e.g. vulnerability assessments, penetration\ntesting, cyber-attack simulations and cyber response exercises), and using the results of these\nassessments to help determine baselines or acceptable behaviour;\ne} using performance monitoring systems to help establish and detect anomalous behaviour;\nf) leveraging logs in combination with monitoring systems.\nmonitoring activities are often conducted using specialist software, such as intrusion detection\nsystems. 
these can be configured to a baseline of normal, acceptable and expected system and network\nactivities.\nmonitoring for anomalous communications helps in the identification of botnets (i.e. set of devices\nunder the malicious control of the botnet owner, usually used for mounting distributed denial of service\nattacks on other computers of other organizations). if the computer is being controlled by an external\ndevice, there is a communication between the infected device and the controller. the organization\nshould therefore employ", "a6d81d49-52db-401e-b363-f0997f0056be": "protection requirements (ds-gvo [1] and bdsg [3] and others) and thus also the role of the data protection officer.\nappendix a of iso 27001 lists a number of security-related activities that should be assigned to a role within the isms - however, appendix a is not binding. for more details, see chapter 3 in this book.\n2.2 leadership (isms-5) 49\nonce agreement has been reached on all necessary and desired roles, their tasks and authorities should be documented in writing, for example in a role description or job description. furthermore, a qualification or requirement profile should be derived from this for the selection of suitable candidates for each role. this applies initially to newly established roles, but should also be applied in a similar manner when assigning individual tasks to existing roles.\nit is recommended to document this selection process for role assignment, i.e. 
to create evidence that can prove the outlined process and the comparison with the qualification profiles.\nby isms-5.3 at", "b05966d4-cfe0-485e-ab0e-bd9b7de543ad": "disruptions\ncaused by failures in supporting utilities.\n7.12 cabling security\ncables carrying power, data or supporting information services shall be protected from\ninterception, interference or damage.\n7.13 equipment maintenance\nequipment shall be maintained correctly to ensure availability, integrity and confidentiality of\ninformation.\n7.14 secure disposal or re-use of equipment\nitems of equipment containing storage media shall be verified to ensure that any sensitive data\nand licensed software has been removed or securely overwritten prior to disposal or re-use.\niso/iec 27001:2022(e)\nannex a\ninformation security controls reference\n8. technological controls\n8.1 user end point devices\ninformation stored on, processed by or accessible via user end point devices shall be protected.\n8.2 privileged access rights\nthe allocation and use of privileged access rights shall be restricted and managed.\n8.3 information access restriction\naccess to information and other associated assets shall be restricted in", "358d9217-2f27-4657-bfb6-21bf2d8c18e1": "discover opportunities to\nimprove their cybersecurity efforts and controls. however, soc 2 only reviews\nthe existing security controls an organization has in place. meanwhile, iso\n27001 looks beyond controls to define how the whole isms should be\nimplemented, monitored, and maintained.\nwhile soc 2 is considered an international standard, it is primarily\nimplemented by north american organizations and does not feature a formal\ncertification program. 
plus, it\u2019s not considered as rigorous or extensive in\nscope as iso 27001 regulations.\nas regulations across soc 2 and iso 27001 do overlap and complement one\nanother, organizations that have achieved iso 27001 certification may choose\nto undergo soc 2 audits to further strengthen their security standards and\ncontrols.\nlearn more about iso 27001 and soc 2 differences.\nstrongcdn n\niso 27002 was first implemented as a guideline for best practices for general\ninformation security management. although iso 27002 was standardized\niso 27002 before iso 27001, it has", "919fb2b7-a9ad-4adb-8407-3a6737afe2d4": "organisation\u2019s\noperating systems include multiple versions of windows\n(e.g. windows server 2012 r2, windows 8 and windows\n10) together with linux and/or unix, because the\nvulnerabilities \u2014 and therefore the threats \u2014 are likely to be\ndifferent for each. conversely, looking at all installations of\nwindows 8 together may be a sensible aggregation.\niso 27002, 8.1.2 identifies another such circumstance:\nin complex information systems, it may be useful to\ndesignate groups of assets which act together to provide a\n98\n8: information assets\nparticular service. in this case the owner of this service is\naccountable for the delivery of the service, including the\noperation of its assets.\nasset dependencies\nin some cases, the dependency of one asset on another might\naffect the valuation of both assets and these dependencies\nshould be identified during this phase of the project. for\ninstance, if the integrity of data output from a program\ndepends on the integrity of the data input, then the value of\nthe second", "cbb66fcc-929c-417d-931e-ba43b59c2409": "requirement for organisations to\nestablish, implement, maintain, and continually improve an isms. 
this clause\nemphasises the importance of management commitment to information security and\nthe need to involve all relevant stakeholders in the development and\nimplementation of the isms.\nto get started on the right foot with creating your isms, it can be helpful to\ncreate a document that runs through how to do each key process for the isms\nstep-by-step. this includes some examples such as:\n * security policy management process\n * risk assessment process and a process for handling such risks\n * process to ensure the necessary awareness and competence\n#### how do i conduct a risk assessment?\na risk assessment is a process of identifying, assessing, and mitigating the\nrisks to your organisation's information assets. it is an essential part of\nany isms.\n * the risk assessment process typically includes the following steps:\n * identify the assets that need to be protected.\n * identify the threats and", "aa113ca1-8219-4e60-b00e-5c5760622256": "high-level information security risk assessment\nthe high-level assessment allows definition of the priorities and chronology in the actions. for various\nreasons, such as budget, it may not be possible to implement all controls simultaneously and only the\nmost critical risks can be addressed through the risk treatment process. as well, it can be premature\nto begin detailed risk management if implementation is only envisaged after one or two years. to\nreach this objective, the high-level assessment can begin with a high-level assessment of consequences\ninstead of starting with a systematic analysis of threats, vulnerabilities, assets and consequences.\nanother reason to start with the high-level assessment is to synchronize with other plans related to\nchange management (or business continuity). 
for example, it is not sound to completely secure a system\nor application if itis planned to outsource it in the near future, although it can still be worth doing the\nrisk assessment in order to define the outsource", "9ed4d4cc-ef2c-4815-845c-5a5f364cbf64": "and\nyou will need to decide where such documentation is to be held. in modern times this is\nusually electronically and could be on a shared network drive, an intranet, a full-blown\ndocument management system or any other arrangement that is appropriate to your\norganization.\n3.9 clause 8 operation\nrelevant toolkit documents\ne isms process interaction overview\ninterestingly, this section of the iso/iec 27001 standard is very short and basically repeats\nwhat has been stated in other sections. this contrasts with other standards, such as\n1s022301 (business continuity) and iso 9001 (quality management), where most of the\nrequirements are within the operation clause.\nhowever, there is a need to set out the processes of the isms and how they interact, and an\noverview of this is provided in the toolkit.\n3.10 clause 9 performance evaluation\nrelevant toolkit documents\ne process for monitoring, measurement, analysis and evaluation\ne procedure for internal audits\ne internal audit plan\ne internal audit", "56cad94e-faba-4d1b-8978-e59c185cdd74": "confidential\ninformation when equipment is disposed of or reused.\n164\nchapter 6 execution\na.11.2.8 unattended user equipment (control iso 27001)\nusers should ensure that unattended equipment has appropriate protection.\nexplanation/what is required: the control says that none of the equipment should\nbe unattended in the organization and they must be protected. 
here are some points to\nconsider:\ne keep unattended equipment in the locker to protect them from\nunauthorized use.\ne when the user is not at her desk, use automatic locking with\npassword protection.\ne sessions must get terminated automatically if the user is not active in\na predefined time frame.\nevidence that can be prepared: a log document for keys and drawers assigned to\nindividuals and a session report from the server.\nwho prepares it: the it team is responsible for defining policy and procedure to\nprotect unattended users\u2019 system or equipment.\nfor external audit: the external auditor may check for the list of keys or lockers\nallocated to", "c116a0c3-0b6c-4740-8ed6-8a5bbf664869": "risk sharing, risk avoidance and risk retention, the necessary actions should be taken from the\norganizational security aspects. if the decision has been made to transfer risks, the appropriate actions should\nbe taken, using contracts, insurance arrangements and organizational structure such as partnership and joint\nventures.\nfigure b.1 shows an example of the organizational structure for establishing the isms. the main roles and\nresponsibilities of the organization given below are based on this example.\n[figure b.1: organizational chart showing management, the information security committee, the information security planning team, specialists, external consultants and the departments]\nfigure b.1 \u2014 example organizational structure for establishing the isms\ninteraction with the organization\nall parties involved should review and become very familiar", "8b57d71d-d7a9-465c-bc14-c4271b73bd1b": "therefore speak\n107\n9: threats and vulnerabilities\nof \u2018threat-vulnerability combinations\u2019. 
there are a number of\nthreat-vulnerability combinations that apply to any one asset,\nand any one threat typically may have more than one\nvulnerability that it can exploit. it should also be noted that a\nthreat to one asset is not necessarily a threat to another. for\nexample, a fire in the server room is a threat to a number of\nsystems based there, but is unlikely to be a threat to an\norganisation\u2019s externally hosted mobile phone network.\nthere are very many threats and the range of possible\nvulnerabilities is also substantial. examples of threats and\nvulnerabilities are contained in iso 27005, bs 7799-3 and\nnist sp 800-30. threat and vulnerability databases are\nincreasingly widely available, and any good risk assessment\ntool should contain both.\nsome threat-vulnerability combinations will be unique to\nspecific industries, which may lead to the introduction of\ncontrols additional to those in iso 27001 annex a. many", "1496d12f-d6de-49df-81b3-943e23d2897a": "a new version (particularly of a\nmicrosoft package) only after it has had a period in the marketplace during\nwhich its initial set of bugs can be diagnosed and fixed. others take the view\nthat the faster the upgrade is implemented, the sooner the organization will\nbe able to have in place software without the known security weaknesses of\nearlier versions. of course, it will soon have its own vulnerabilities exposed!\nour view is that users of commercial off-the-shelf software packages\nshould subscribe to the websites of all their software suppliers, should be\n291\n292\nit governance\naware of upgrades, patches and fixes as they become available and of any\nnew weaknesses or flaws that implementation of the upgrades might cause,\nand unless they can identify compelling data security reasons not to, should\nupgrade at the earliest opportunity. 
microsoft service packs should be\ninstalled virtually as soon as they are available (unless there are compelling\nreasons not to) through the organization\u2019s current change", "85bf0ae7-a240-43a0-a5e6-203cc8c3f6e8": "and improved. this plan\nshould also ensure adequate funding and resources for\nimplementation of the selected controls and should set out\nclearly what these are.\nthe risk treatment plan should also identify the individual\ncompetence and broader training and awareness\n166\n16: the gap analysis and risk treatment plan\nrequirements necessary for its execution and continual\nimprovement.\nwe see the risk treatment plan as the key document that links\nboth components of the risk management process and\ncontinual improvement of the isms. it is a high-level,\ndocumented identification of who is responsible for\ndelivering which risk management objectives, of how this is\nto be done, with what resources, and how this is to be\nassessed and improved; at its core is the detailed schedule\ndescribing who is responsible for taking what action, in\nrespect of each risk, to bring it within acceptable levels.\n167\nchapter 17: repeating and reviewing the\nrisk assessment\neffective risk management is a continual cycle, which,", "e2ed72f1-7cbd-470c-89ad-e83b67fec55c": "controlled scope, but you still need to manage\nyour vendor as part of your outsourced policies and processes. they are responsible\nfor managing your business and customer risks. you should also conduct a vendor risk\nassessment, which you will learn about in the coming chapters.\ntip look for vendors/suppliers who are compliant with information security\npractices, as this will help you feel confident that they understand your\nbusiness risks.\nby taking all these steps, you can rest easy that you have not missed any important\nareas or stakeholders.\n25\nchapter 2. 
assessing needs and scope\nyou can take three main steps to identify the scope of implementation for your\norganization\u2019s isms:\n1.\nidentify the areas/systems/locations where all the information is or\nwill be stored. this includes the physical and digital document files.\nidentify all the ways by which information is or will be made\naccessible to users.\nidentify what is out of scope, i-e., what your organization doesn\u2019t\nhave control over, such as", "c87568f6-4fd2-4a55-a46f-6ce10a404d38": "applications.\n8.21 security of network services\nsecurity mechanisms, service levels and service requirements of network services shall be\nidentified, implemented and monitored.\n8.22 segregation of networks\ngroups of information services, users and information systems shall be segregated in the\norganization\u2019s networks.\n8.23 web filtering\naccess to external websites shall be managed to reduce exposure to malicious content.\n8.24 use of cryptography\niso/iec 27001:2022(e)\nrules for the effective use of cryptography, including cryptographic key management, shall be\ndefined and implemented.\n8.25 secure development life cycle\nrules for the secure development of software and systems shall be established and applied.\n8.26 application security requirements\ninformation security requirements shall be identified, specified and approved when developing\nor acquiring applications.\n8.27 secure system architecture and engineering principles\nprinciples for engineering secure systems shall be established, documented,", "7619be21-4848-40ac-921f-e26e1cb0d7fd": "states now have data breach reporting laws,\nand sectoral regulation such as hipaa, glba, fisma and others impose\nstrict requirements on organizations. while the united states still has no\nfederal data protection legislation, california (ccpa) does. so do canada\n(pipeda), australia and other members of the commonwealth. 
in the\neu all countries are subject to the eu gdpr, the core of which is exactly\nthe same in all member states. emerging economies are also passing data\nprotection and cyber security laws, recognizing that improved security is\na prerequisite for competing in the data-rich developed world.\nin parallel, pci dss, a private sector security standard, has emerged as a\ncontractual requirement for organizations that accept payment cards and,\ninterestingly, compliance with pci dss has been enshrined in law in some\nus states; the ico, in the uk, has recognized its importance.\ndirectors of listed businesses, of public-sector organizations and of\ncompanies throughout their supply chains must be able to", "20510c5d-5723-4307-9bad-1df1bb810931": "security gateways)\n- encryption methods used (algorithms, keys including key generation, distribution, and storage)\n- possible restrictions regarding location, time, duration, frequency, and other conditions for using the services\n- login procedures for using the services and corresponding authentication methods (e.g. chip card-based)\n- scope and depth of monitoring service usage\nservice levels, for example, include guarantees of bandwidth, transaction performance, definition of maintenance windows, response times in case of incidents, maximum downtime of services, and percentage availability of services over a longer period of time.\nother characteristics may involve parameters that affect the ease of use of the services or the content quality of the services (such as the timeliness of the data and messages provided as part of the services).\nthe respective service provider is responsible for implementing the requirements: the organization for its own services or an external service provider used. 
the", "11354320-7bfe-4b28-8359-5c5b8649d0ac": "and information security requirements.\npurpose\nto ensure authorized access and to prevent unauthorized access to information and other associated\nassets.\nguidance\nowners of information and other associated assets should determine information security and business\nrequirements related to access control. a topic-specific policy on access control should be defined which\ntakes account of these requirements and should be communicated to all relevant interested parties.\nthese requirements and the topic-specific policy should consider the following:\na) determining which entities require which type of access to the information and other associated\nassets;\nb) security of applications (see 8.26);\nc) physical access, which needs to be supported by appropriate physical entry controls (see 7.2, 7.3,\nza);\nd) information dissemination and authorization (e.g. the need-to-know principle) and information\nsecurity levels and classification of information (see 5.10, 5.12, 5.13);\ne) restrictions to privileged access", "d0efbf5a-6a2f-4de3-8df0-224f7c8612cb": "early retrieval of company\nassets from such staff will also assist both the organization and the individ-\nual concerned \u2014 and will prevent any untoward suspicion if an asset is stolen,\ndamaged or corrupted during the notice period.\nunattended user equipment\ncontrol a.11.2.8 requires users to ensure that unattended equipment has\nappropriate protection. the primary focus of this control is workstations or\nservers that are logged on and then left unattended, usually temporarily, by\nthe user. this offers an unauthorized user the opportunity to access resources\nor assets using someone else\u2019s user name, resources or assets that he or she\nmay, in fact, not be authorized to access in the first place.\nthe need for server rooms to remain locked when unattended has already\nbeen discussed. 
all workstations, notebooks and servers should, however,\nhave password-protected screen savers. these are set up by the user and\nshould be set so that the screen saver fires up after a short period \u2014 three to\nequipment", "d7eb5f40-2a22-41fb-8ace-6c714eadeab8": "these appear absolutely\nnecessary, to control them strictly. it is usually better, and generally more\ncost-effective, for the organization to change its operating procedures to\naccommodate the software package than to seek to change the software\npackage to suit its procedures. software packages are increasingly complex,\nand the skills to modify them are generally native to the vendor. where, for\nsome business-critical reason, the organization is unable to find any solution\nother than to try to change a software package, is027002 recommends that\na risk assessment should first be carried out that identifies, among other\nthings:\n\u00ab what the risk may be of compromising vendor-designed and in-built\ncontrols and integrity processes;\n+ whether or not the consent of the vendor must be obtained;\n\u00ab the possibility of the desired change appearing from the vendor at some\npoint as a standard program update (in which case, membership of a\nproduct vendor group and pressure on the vendor may be the best course\nof", "c5dd66fd-05d4-4030-b381-1480242a472f": "employment (iso 27001:2015, version 2015)\nobjective: to ensure that employees, contractors and third party users understand their\nresponsibilities, and are suitable for the roles they are considered for, and to reduce the\nrisk of theft, fraud or misuse of facilities.\na.8.1.1\nroles and responsibilities\ncontrol\nsecurity roles and responsibilities of employees, contractors and third party users shall be\ndefined and documented in accordance with the organization\u2019s information security\npolicy.\na.8.1.2\nscreening\ncontrol\nbackground verification checks on all candidates for employment, contractors, and third\nparty users shall be 
carried out in accordance with relevant laws, regulations and ethics,\nand proportional to the business requirements, the classification of the information to be\naccessed, and the perceived risks.\na.8.1.3 terms and conditions of employment\ncontrol\nas part of their contractual obligation, employees, contractors and third party users shall\nagree and sign the terms and conditions of", "2d355a45-ba28-455f-861b-acd6e74d394e": "third is \u201cpreventing\nthe organisation\u2019s information technology from being used to harm other\norganisations.\u201d\nb) organisations should protect themselves from the ingress of undesirable\n(e.g., fake news) or illegal information and the illegal processing or retention\nof personally identifiable information (pii).\nc) it is a reasonable expectation that ict vendors supply goods and services\nthat are free from vulnerability. upon discovery of a vulnerability, vendors\nshould therefore be quick to disclose it and take remedial action. again, the\ninformation protected by such ict need not be within scope of the vendor's\nisms, although vulnerability disclosure is a reasonable interested party\nrequirement that is generally implied even if not stated in any contractual\nagreement.\nthere are seven years between the publication dates of iso/iec 27001 and\niso/iec 27014. perhaps when iso/iec 27001 is revised, the requirements of this\nclause will be rephrased to include these societal and other relevant", "a969e4a0-e81b-4796-9574-a44a0b3c61c4": "should carry out repairs or\nservices; records of all work done should be retained (in an old-fashioned\nbook attached to the machine) and there should be appropriate procedures\n(dealing with the saving, deleting or erasing of data, particularly sensitive or\nconfidential data) for controlling equipment sent off-site for repair. 
any\ninsurance requirements should be identified and complied with.\nthere is a more important issue with older or legacy equipment.\nequipment that works faultlessly for long periods can suddenly fail. it is\nimportant, at that point, that there are detailed records of qualified maintenance and repair organizations. more sensibly, a documented record of the\nservice history of equipment should be maintained so that as it becomes\nolder, properly informed decisions can be taken about the right time for it to\nbe replaced.\nit governance\nremoval of assets\ncontrol a.11.2.5 requires the organization to ensure that no assets \u2014 equipment, information or software \u2014 are removed from", "32715012-b7be-4a05-aaa8-4d2540a254d9": "responsible for preparing the\nevidence document and other required controls.\nfor external audit: the external auditor can ask for a change-log document and/or\nthe procedure to manage changes within the software development lifecycle.\na.14.2.3 technical review of applications after operating platform\nchanges (control iso 27001)\nwhen operating platforms are changed, business-critical applications should be\nreviewed and tested to ensure there is no adverse impact on organizational operations or\nsecurity.\nexplanation/what is required: the control covers how the technical review is\nperformed once the operating system is changed. sometimes changing the operating\nsystem may introduce security impacts or the code might not work as expected. 
the\nfollowing points can be considered:\n- thorough testing needs to be done when the operating system gets\nchanged.\n- all the changes must be done to ensure that business continuity isn\u2019t\nimpacted.\nnote the operating platform includes databases, middleware, and any", "5e058988-00f5-490b-a71f-a4d0913692bd": "and second rank suppliers; dealing\nwith risk all the way down the ict supply chain pre-supposes the organization has the available resources for addressing the issue, together with risks\nsufficiently significant to make this a relevant activity. at the heart of this\nspecific control is the idea that the prime contracting organization drives a\nspecific approach to supply chain security all the way down its supply chain.\nthe steps for doing this are:\n- work with tier 1 suppliers to analyse their supply chains, and identify the\ngeneric risks that apply to particular types of supplier within the chain, or\nspecific risks that might apply to specific suppliers, products or services;\n- work with tier 1 suppliers to agree information security standards and\nprocesses that are appropriate and necessary for the supply chain,\nfocusing first on easily identifiable risks and then working to model\nparticular threats and potential attack vectors in order to identify relevant\ncontrols;\n- work with tier 1 suppliers to", "23375829-0fe7-4962-b7bb-4471c2081aa4": "date of acquisition and any other\nnumbers) included in the inventory. its current location should be stated.\nany other information necessary for disaster recovery (including format,\nback-up details and licence information) should be listed. 
the nominated\nowner (and, if this is different, the name of the operator) of the item should\nbe shown on the schedule, as should its security classification (see below).\nthe inventory should be updated for disposals (when and to whom).\nphysical inventory checks should be carried out at least annually, by someone other than the nominated owner of the asset, to confirm the accuracy of\nthe register. the types of assets that might need to be inventoried include the\nfollowing:\n- information assets: data in any format. files and copies of plans, system\ndocumentation, original user manuals, original training material, operational or other support procedures, continuity plans and other fall-back\narrangements, archived information, personal data, financial and\naccounting", "3ca3a510-c0b7-4b7c-acc3-c2c590e211a4": "systems. iso/iec 27000 is a\ngood place to start, in that it contains a full set of terms applicable to the\nisms. other terms from other standards and frameworks (eg business\ncontinuity, or itil, or cobit) could be added as required.\ndeveloping, with the forum, the security policy, its objectives and\nstrategy.\ndefining, with the forum, the scope of the isms, taking into account\ninternal and external issues and the requirements of interested parties.\nbriefing the forum on current threats, vulnerabilities and steps taken to\ncounter them.\nworking with risk owners to carry out the initial information security\nrisk assessment.\nensuring risk owners identify changed risks and that appropriate action\nis taken.\nensuring that the risk is managed by agreeing with the board, risk\nowners and the forum, the organization\u2019s approach to risk management,\nthe risk treatment plan and the level of assurance that will be necessary.\nselecting control objectives and controls that, when implemented, will\nmeet the", "2131bf86-9838-4b48-808b-e453182c259d": "steps in establishing, monitoring, maintaining and\nimproving its isms:\na) identify information 
assets and their associated information security requirements (see 4.5.2);\nb) assess information security risks (see 4.5.3) and treat information security risks (see 4.5.4);\nc) select and implement relevant controls to manage unacceptable risks (see 4.5.5);\nd) monitor, maintain and improve the effectiveness of controls associated with the organization\u2019s\ninformation assets (see 4.5.6).\nto ensure the isms is effectively protecting the organization\u2019s information assets on an ongoing\nbasis, it is necessary that steps a) to d) be continually repeated to identify changes in risks or in the\norganization's strategies or business objectives.\n4.5.2 identifying information security requirements\nwithin the overall strategy and business objectives of the organization, its size and geographical spread,\ninformation security requirements can be identified through an understanding of the following:\na) identified information", "bfb9cd07-beaf-411e-9736-753d86157d5e": "treatment, which is why we call it the risk treatment plan (rb-plan) - the plan will be expanded in the following steps.\n(b) for each treatment option selected under (a), the necessary controls should be documented.\nwe want to comment on this requirement in more detail because it is relatively complicated: the selection of an option is still relatively unspecific. let's take the option of relocation as an example and consider two cases:\n- if the risk of an it application lies, for example, in insufficient availability, one could choose the option of relocation and consider relocation to a cloud service as a specific measure, whose provider can offer high availability.\n- before and during the destruction of data carriers, there is a risk of loss of confidentiality if such data carriers fall into the wrong hands. here, too, one could choose relocation as an option and provide data carrier destruction by a certified disposal company as a specific measure. 
since such a disposal company only collects material", "bde01834-69b8-45db-b0be-a8d34617b7b0": "of\ncontract performance, including information security. this may mean that\nadditional training is necessary, but the benefit in terms of clarity of process\nand accountability is clear. key responsibilities should include:\n- monitoring service performance to ensure that the contracted levels are\nactually achieved, identifying shortfalls and agreeing how they should be\nrectified.\n+ reviewing all records of security incidents (including audit trails),\noperational problems, failures, fault tracing and anything else likely to\ncreate a risk for the organization and ensuring that appropriate corrective\naction is taken. this may sometimes lead to escalation through the\ncontractual escalation clauses, and the contract management team should\nhave the skills and experience to manage such an escalation.\nit is important that the third party designates an individual or, depending on\nimportance, a team with whom the organization\u2019s contract management\npersonnel can deal. the third-party unit needs to have sufficient", "418fe790-3605-4bbd-b2d8-9972878b434f": "should never be conducted on production systems, but always on test systems, so that any errors occurring during the exercises do not affect normal it operations.\nin addition to traditional backup methods, there are other backup options: automatic data mirroring on other storage systems or in the cloud, data synchronization across multiple devices (typical for data on mobile it systems using manufacturer clouds). such options can be included in backup plans, but risks regarding service availability should be considered when using other clouds.\nlong-term data archiving must also be considered. the goal is not only to preserve the most recent consistent data state, but also explicitly to secure older versions, for example, to be able to trace or prove business processes based on them. 
typical requirements include retention periods or minimum/maximum storage durations.\nthe control also mentions system backups, which involve maintaining and providing backup systems (in sufficient quantity). it is important to", "5f5c1707-feaa-438c-846b-e86d15519e72": "## **what is annex a.9?**\nannex a.9 access control guarantees that only authorised users have access to\na service, while unauthorised individuals are barred from using it.\naccess control is often referred to by the terms \u201caccess management\u201d, \u201crights\nmanagement\u201d, and \u201cidentity management\u201d. unauthorised people may get access to\ninformation assets and information processing facilities, resulting in\ninformation misuse or loss. the access control clause tackles these issues by\nallowing you to control who has access to these assets.\ninformation asset protection is critical for all organisations, and annex a.9\nprotects against a variety of risks, including unintentional damage or loss of\ninformation, overheating, threats, and so on. 
this requires a defined control\npolicy and processes, as well as the registration, removal, and review of user\naccess rights\u2014includes physical access, network access, control over\nprivileged utilities, and limitation of access to programme source code.\n## **what is access", "d7c82ca8-7152-41df-a37e-78e9fd6819c1": "of utility programs.\nother information\nmost information systems have one or more utility programs that can be capable of overriding system\nand application controls, for example diagnostics, patching, antivirus, disk defragmenters, debuggers,\nbackup and network tools.\n\u00a9 iso/iec 2022 - all rights reserved 109\nhochschulbibliothekszentrum des landes nordrhein-westfalen (hbz)\n09/06/2023 15:30:34\nprinted copies are uncontrolled\niso/iec 27002:2022(e)\n8.19 installation of software on operational systems\ncontrol type information cybersecurity operational security do-\nsecurity properties concepts capabilities mains\n#preventive #confidentiality #protect #secure_configuration |#protection\n#integrity #application_security\n#availability\ncontrol\nprocedures and measures should be implemented to securely manage software installation on\noperational systems.\npurpose\nto ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.\nguidance\nthe following guidelines should be", "09c234aa-e695-4b7d-a533-cff7f6bb87ec": "work instructions.\n53 in the case of error analysis and resolution, contact details for available technical support may also need to be provided.\n3.4 controls concerning personnel (group 6) 151\nin this extensive task according to a-5.37, it should be remembered once again that an isms may \"grow\" over the course of its operation, i.e., it does not have to be fully equipped from the beginning. 
in this respect, a schedule could be created for the necessary instructions, authors could be assigned, and perhaps a common template for all work instructions could be provided - and then this plan could be implemented step by step (e.g., over a period of two to three years).\n3.4 controls concerning personnel (group 6)\nin this group with controls a-6.1 to a-6.8, the focus is on requirements for the management of personnel. in addition to the organization's own personnel, it also includes personnel provided by other companies who are to work within the organization (external personnel). it does not matter whether it", "b6e95dfb-4b35-4973-9fb8-a26b702f82be": "of\nrequirements areas that should be considered may include the classification of the\ninformation involved, privacy considerations, data storage and transmission, logging and\ninput validation, amongst others.\n4.4.27 a.8.27 secure system architecture and engineering principles\nrelevant toolkit documents\n- principles for engineering secure systems\nwhen designing information systems, a set of guiding principles should be adopted which\nencourage the creation of secure environments by default. these principles can vary widely\nand can be established by the organization itself or taken from an external source such as\nnist (national institute for science and technology). at a basic level, principles could be as\nsimple as:\n- defence in depth\n- privacy by design\n- security by default\n- least privilege\n- adopt zero trust\nthe applicability of this control and the depth into which it requires definition will depend\nupon the size of your organization\u2019s infrastructure and the types of system", "4e799f48-35c7-4237-893d-427fd947edbd": "reviews of these documents, will require resources. you\u2019ll also need to develop an internal audit plan and a process to maintain your security policy. 
additionally\u2014and most importantly\u2014certification itself requires renewal every three years, which comes at an additional cost.\nfinally, you\u2019ll need to plan for the fees that come with surveillance audits, which take place each year between your iso 27001 certification audits. surveillance audits will cost your organization between $5,000-$10,000 each.\niso 27001 certification has the potential to be a great investment for your company. it can help ensure your security program\u2019s effectiveness, build trust with new customers, and achieve better business outcomes.", "7ef4fcfa-db61-4549-b07f-51deefd8213e": "implementing, and maintaining an information security management system (isms). * an isms is a framework of policies and procedures to minimise operational risks. * iso 27001 relies on best practices and proven security strategies for maintaining information security in organisations. ## what is iso 27001:2022?\niso 27001 is the internationally recognized standard for regulating\ninformation security in businesses. it offers guidance for building,\nimplementing, maintaining, and continuously improving an information security\nmanagement system (isms), supporting organisations in protecting their\ninformation assets.\nin 2022, the iso 27001 standard underwent its third major revision, resulting\nin the current version, iso 27001:2022. ### definition of iso 27001: who is responsible?\nthe official title of the german version is currently din en iso/iec\n27001:2022 information security, cybersecurity, and data protection \u2013\ninformation security management systems \u2013 requirements (iso/iec", "3de07aba-fcb3-4b49-ab6f-5b775a6cb5f9": "# iso 27001 clause 4.4: information security management system (isms)\nclause 4.4 of iso 27001:2022 is the requirement for organisations to\nestablish, implement, maintain, and continually improve an isms. 
this clause\nemphasises the importance of management commitment to information security and\nthe need to involve all relevant stakeholders in the development and\nimplementation of the isms.\n### iso 27001:2022 clause 4.4 information security management system\nthe organisation shall establish, implement, maintain and continually improve\nan information security management system, including the processes needed and\ntheir interactions, in accordance with the requirements of this document.\n### what are the key elements of iso 27001 clause 4.4?\nthe clause specifies that the isms must be established, implemented,\nmaintained, and continually improved in accordance with the requirements of\nthe iso 27001 standard. this includes the following:\n * defining the scope of the isms * developing and", "53692878-6c1d-42a3-b6a7-bf0460593dc2": "the levels of risk;\nevaluates the information security risks:\n1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and\n2) prioritize the analysed risks for risk treatment.\nthe organization shall retain documented information about the information security risk\nassessment process.\n6.1.3. information security risk treatment\nthe organization shall define and apply an information security risk treatment process to:\na)\nb)\nc)\nd)\ne)\nf)\nselect appropriate information security risk treatment options, taking account of the risk\nassessment results;\ndetermine all controls that are necessary to implement the information security risk treatment\noption(s) chosen;\nnote organizations can design controls as required, or identify them from any source.\ncompare the controls determined in 6.1.3 b) above with those in annex a and verify that no necessary\ncontrols have been omitted;\nnote1 annexacontainsacomprehensive list of control objectives and controls. users ofthis", "8604bd70-7d32-438d-901c-a52d6b545ca0": "much as possible. 
complex access controls within an\norganization can encourage users to find alternate, unauthorized methods of access.\npersonnel constraints:\nthe availability and salary cost of specialized skill sets to implement controls, and the ability to\nmove staff between locations in adverse operating conditions, should be considered. expertise may\nnot be readily available to implement planned controls or the expertise can be overly costly for the\norganization. other aspects, such as the tendency of some staff to discriminate against other staff members\nwho are not security screened, can have major implications for security policies and practices. as\nwell, the need to hire the right people for the work, and finding the right people, can result in hiring\nbefore security screening is completed. the requirement for security screening to be completed\nbefore hiring is the normal, and safest, practice.\nconstraints of integrating new and existing controls:\nintegration of new controls in the existing", "d99eeb8b-aa73-47d6-87d8-7ef3a29eb16a": "\u2014 site;\n\u2014 organization\u2019s structure.\n3.1.3\nattack\nsuccessful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an asset (3.1.2)\nor any attempt to expose, steal, or make unauthorized use of an asset (3.1.2)\n3.1.4\nauthentication\nprovision of assurance that a claimed characteristic of an entity (3.1.11) is correct\n3.1.5\nauthenticity\nproperty that an entity (3.1.11) is what it claims to be\n3.1.6\nchain of custody\ndemonstrable possession, movement, handling and location of material from one point in time until\nanother\nnote 1 to entry: material includes information and other associated assets (3.1.2) in the context of iso/iec 27002.\n[source: iso/iec 27050-1:2019, 3.1, modified \u2014 \u201cnote 1 to entry\u201d 
added]\n3.1.7\nconfidential information\ninformation that is not intended to be made available or disclosed to", "23a10d16-df1d-47ef-a0c7-95127303d7d7": "information security risk treatment is the process of selecting and\nimplementing controls to reduce the likelihood and impact of information\nsecurity risks. it is an essential part of any information security management\nsystem (isms) and is required by the iso 27001 standard.\nclause 8.3 of iso 27001 requires organisations to implement the information\nsecurity risk treatment plan and retain documented information on the results\nof that risk treatment.\nthis means that organisations must have a plan in place for how they will\naddress the risks that have been identified, and they must keep records of how\nthey have implemented that plan.\nhere are some of the things that are involved in requirement 8.3:\n * identifying and assessing risks * developing and implementing risk treatment plans * monitoring and reviewing the effectiveness of risk treatment plans * retaining documented information on the results of risk treatment\norganisations can use a variety of methods to implement", "090aac54-2d37-4118-b5a6-7a62047b6cfb": "body. an external auditor performs tests on your systems and procedures to ensure that they\u2019re up to par with iso standards.\nthe audit process also takes time, so it\u2019s important to think about how that may impact your organization and when you can expect to get the certification. the number of controls you need to implement can also affect the time it takes for you to achieve certification. internal audits\nbefore you achieve certification, you\u2019ll need to go through an internal audit. internal audits are required by the iso 27001 standard as a means of monitoring the effectiveness of your information security management system (isms). 
as a result of the internal audit, you will be required to implement corrective actions for any nonconformities identified.\nthe individual performing the internal audit must be independent of the personnel operating the isms. an employee of your organization can perform the internal audit, but if they are not considered independent, then you will have to hire an outside", "0e39e2d8-b6ef-41bd-b9e4-82ee54e1d957": "good level of\nprotection and performance. expert advice should be taken on the\nimplementation of a raid array.\n- the retention period for business information should be defined and\napplied to the backed-up data. it is particularly important to recognize\nthat legal requirements now increasingly require that e-mails are retained\nas business records. data vaults and single-instance e-mail storage may\nbe appropriate solutions to this requirement.\nmobile device back up is increasingly critical to organizations and decisions\nmade about how this is to be effected should be part of the mobile device\npolicy and procedures. as the fundamental controls that protects an organi-\nzation against compromise of critical or sensitive data on laptops or mobile\ndevices should now include some mix of boot-level whole disk encryption\nfor laptops and remote wipe for smartphones and similar mobile devices, it\nis essential that organizations implement some form of ongoing, incremen-\ntal background data and system synchronization", "edd08b88-93d2-4d49-b248-1e25f025c0ba": "how we make that decision has to take into account\nthe cost of controlling the risk: should we spend more, less\nthan, or the same as the potential cost of the impact?\niso 27001 defines the purpose of an isms as \u201c[preserving]\nthe confidentiality, integrity and availability of information\nby applying a risk management process and [giving]\nconfidence to interested parties that risks are adequately\nmanaged\u201d (clause 0.1). iso 27002 expands on the role of\nrisk management in clause 0.3. 
it says:\n11: impact, including asset valuation\nthe selection of controls is dependent upon\norganizational decisions based on the criteria for risk\nacceptance, risk treatment options and the general risk\nmanagement approach applied to the organization, and\nshould also be subject to all relevant national and\ninternational legislation and regulations. control selection\nalso depends on the manner in which controls interact to\nprovide defence in depth.\nthis is helpful guidance, in that it says \u201cimpact is estimated\u201d,\nnot", "9bc43e9d-13fc-4892-8a43-8b6dfd4a5e72": "shall define and apply an information security risk assessment process that:\na) establishes and maintains information security risk criteria that include:\n1) the risk acceptance criteria; and\n2) criteria for performing information security risk assessments;\nb) ensures that repeated information security risk assessments produce consistent, valid and\ncomparable results;\n\u00a9 iso/iec 2013 - all rights reserved 3\niso/iec 27001:2013(e)\nc)\nd)\ne)\nidentifies the information security risks:\n1) apply the information security risk assessment process to identify risks associated with the loss\nof confidentiality, integrity and availability for information within the scope of the information\nsecurity management system; and\n2) identify the risk owners;\nanalyses the information security risks:\n1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were\nto materialize;\n2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and\n3) determine", "4c1364d1-7126-432d-b4a2-7db17236152b": "incidents, which is not possible in the case of natural events, but at least limit the damage after their occurrence.\nwhat measures can be taken here? 
we provide only a few examples:\nflood/water intrusion: detection systems, devices for drainage, pumps for localized water intrusion\nlightning strikes: external lightning protection (building protection) and internal lightning protection (e.g., surge protection for all relevant systems)\nfire: firewalls/fire doors, oxygen reduction system, smoke detectors, fire extinguishing systems\npower outages: uninterruptible power supply for short-term bridging, power backup systems (mobile or stationary emergency power generators) or redundant suppliers\nfor the implementation of this control, it may be advisable to seek advice from specialized companies. there are many individual aspects to consider, which would exceed the scope of this book to comment on.\nworking in security areas\ninstead of the term \"security area,\" we prefer the term \"security zone,\" which we", "4e55f703-c7c5-4847-8a7f-659803ead308": "acknowledged their duties (physical\nprotection, software updating, etc.), waiving ownership of business data, allowing remote wiping\nof data by the organization in case of theft or loss of the device or when no longer authorized to use\nthe service. 
in such cases, pii protection legislation should be considered;\nc) topic-specific policies and procedures to prevent disputes concerning rights to intellectual property\ndeveloped on privately owned equipment;\nd) access to privately owned equipment (to verify the security of the machine or during an\ninvestigation), which can be prevented by legislation;\ne) software licensing agreements that are such that organizations can become liable for licensing for\nclient software on user endpoint devices owned privately by personnel or external party users.\nwireless connections\nthe", "58b3efc9-7134-4118-b5b8-0b0c260f75e2": "gap between the individual\u2019s skills and those of the\ngeneric role, there are individuals who, for information security purposes,\nmust have very specific knowledge, skills and competencies that are in addi-\ntion to those needed by a group of employees of which they may be a part.\nclause 7.2.2 expects that there will be an individual tna, based on an\nindividual or additional assessment of the knowledge, skills and competence\nrequired for each of these roles, for each of the people in one of the indi-\nvidual or specialist roles identified above. where this is being put together\nfor a new employee, the offer letter might make permanent employment\nconditional on achieving certain stages within certain time-frames.\nclause 7.2 of the standard requires the organization to maintain records\nof competence and this requirement is satisfied by following the recommen-\ndations of this chapter and attaching records of education, training, skills,\nexperience and qualifications to the individual\u2019s personnel file. 
more", "af0d444d-9c90-4a31-a266-f70ee816a781": "the evidence in order to verify how the organization has defined and\nimplemented user registration and de-registration procedure. they might also check\nwhen user/employees left the organization and see whether user ids are disabled\nimmediately or not.\nchapter 6 execution\na.9.2.2 user access provisioning (iso 27001 control)\na formal user access provisioning process should be implemented to assign or revoke\naccess rights for all user types to all systems and services.\nexplanation/what is required: the following points could be covered, based on\norganization business needs.\nbefore providing user access to the organization system and services, appropriate\napprovals must be taken from the owner of those system and services. it must be\nensured that access rights are granted as per the defined policy and the roles defined\nfor each user/designation. ids of users whose roles have changed or have left the\norganization must be disabled immediately. maintain the list of active and disabled\nuser ids.\nevidence", "ac31532e-0260-42a4-8422-0aab261eeb69": "malware;\ntaking care to protect against the introduction of malware during maintenance and emergency\nprocedures, which can bypass normal controls against malware;\nimplementing a process to authorize temporarily or permanently disable some or all measures\nagainst malware, including exception approval authorities, documented justification and review\ndate. 
this can be necessary when the protection against malware causes disruption to normal\noperations;\npreparing appropriate business continuity plans for recovering from malware attacks, including\nall necessary data and software backup (including both online and offline backup) and recovery\nmeasures (see 8.13);\nisolating environments where catastrophic consequences can occur;\ndefining procedures and responsibilities to deal with protection against malware on systems,\nincluding training in their use, reporting and recovering from malware attacks;\nproviding awareness or training (see 6.3) to all users on how to identify and potentially mitigate\nthe receipt,", "41d3796d-32f7-4381-b70e-a47417d51b8b": "to identify information security risks pertinent to\ntheir organization and the space in which they operate, and to select the\nappropriate controls to address those risks. the full standard provides a wide\nrange of controls that an organization can utilize to ensure that its approach\nto information security is comprehensive and well-suited to the organization.\nthe standard is applicable to organizations of any size or type.\niso 27001 is considered the global gold standard for ensuring the security\nof information and supporting assets. obtaining iso 27001 certification can\nhelp an organization prove its security practices to potential customers\nanywhere in the world.\n## what is an information security management system (isms)?\nan information security management system (isms) is a documented management\nsystem made up of security requirements and controls. a company can\ndemonstrate its implementation of and conformance with their isms through\ntheir policies, procedures, and operational processes. the iso", "01422dc5-deb3-4895-9b8a-84de3713b87a": "take little or no action to protect\ncontrols against malicious software (malware)\ntheir handhelds. multiple platforms mean that it is difficult to produce\ngeneric anti-malware software. 
handhelds are small, with relatively limited\nmemory and processing power, which limits the options for anti-malware\ndevelopment. free apps often come with their own brand of vulnerability.\nthe only secure approach for the organization to adopt is a layered one,\nwhich installs anti-malware software on the handheld (the endpoint) to\nconcentrate on the hand-held viruses, and to install an anti-malware solu-\ntion on the desktop that scans handhelds during each synchronization.\nthese needs will have to be taken into account when selecting an anti-\nmalware package, and the network will need to be appropriately configured.\norganizations should also consider, as part of the user access statement,\nincluding a warning about airborne viruses and the need for users to be alert\nto possible infections on mobile devices.\ncontrol of", "e281698f-50fe-4593-b52d-52f1b67c1b29": "organisation should follow up on the audit findings and implement any necessary corrective actions.\n## what to look for during an iso 27001 internal audit\nduring an iso 27001 internal audit, the auditor will look for evidence that\nthe isms is conforming to the requirements of iso 27001 and that it is\noperating effectively. the auditor will focus on the following areas and\nevidence that supports them:\n * risk assessment: the auditor will assess whether the organisation has conducted a thorough risk assessment and whether the identified risks have been appropriately addressed. * information security controls: the auditor will assess whether the organisation has implemented and is maintaining appropriate information security controls to mitigate the identified risks. * isms documentation: the auditor will assess whether the isms is adequately documented. you can find a list of the required documentation for the iso 27001 certification here. 
* awareness and training: the auditor will", "ca230139-7dc6-4920-b7e4-d115d5b73a89": "notification prior to any substantive customer\nimpacting changes being made to the way the service is delivered to the organization, including:\na) changes to the technical infrastructure (e.g. relocation, reconfiguration, or changes in hardware or\nsoftware) that affect or change the cloud service offering;\nb) processing or storing information in a new geographical or legal jurisdiction;\nc) use of peer cloud service providers or other sub-contractors (including changing existing or using\nnew parties).\nthe organization using cloud services should maintain close contact with its cloud service providers.\nthese contacts enable mutual exchange of information about information security for the use of the\ncloud services including a mechanism for both cloud service provider and the organization, acting as the\ncloud service customer, to monitor each service characteristic and report failures to the commitments\ncontained in the agreements.\nother information\nthis control considers cloud security from the", "2ec5078c-735c-4d6d-80f9-300574c61cb0": "than spreading your time too thinly. this control is\noften related to the maintenance of professional qualifications which require membership\nand cpe (continuing professional education) points to be logged. contact may be achieved\nvia various methods such as social media, attendance at webinars and conferences,\nsubscription to newsletters and participation in local regional groups.\n4.1.7 a.5.7 threat intelligence\nrelevant toolkit documents\ne threat intelligence policy\ne threat intelligence process\ne threat intelligence report\nthere is a wealth of information available, often free, about the types of threats your\norganization may face, and this control is concerned with bringing this together into a form\nthat can be actioned by your employees to reduce risk. 
generally approached at the\nstrategic, tactical and operational levels, a regular effort is required to obtain relevant\ninformation and process it so that its implications for your defences can be defined and\naction taken, such as patching and device", "56a63b71-7718-48e0-bc09-a319c36f2913": "monitor log files generated by network services. in a\nsimilar manner to nids, these systems look for patterns in the log files that\nsuggest that an intruder is attacking. there are a number of products that\nperform these various tasks and that can be quickly and easily identified\nthrough a product search. use of such a product should be as the result of a\nrisk assessment, and its use should be planned alongside any other network\nmonitoring and anti-malware tools that the organization chooses to deploy.\naccess control\nreference should also be made to the nist publication sp 800-31, intrusion\ndetection systems, which can be accessed on the nist website (see above).\nuser authentication for external connections\nit would make sense for the organization to ensure that access to its network\nby remote users is subject to authentication. 
a risk assessment should be the\nbasis of selecting an appropriate remote access authentication control;\nclearly, the existence of any dial-up or wireless access to the network", "5567afe1-c386-45a9-8b2d-fbfb0190cc90": "about the existence of such a channel.\nif you want to learn more about the topic of data leakage, refer to [13].\ncontrol a-8.12 - also a new candidate in the 2022 version of the standard - requires:\n- identifying data groups susceptible to data leakage and in need of protection\n- monitoring known channels as far as possible\n- taking immediate action and potentially blocking the transfer in case of suspicious transfer activities.\nthese requirements cannot be fulfilled \"manually\" in ongoing it operations; instead, suitable monitoring facilities are needed, such as data loss prevention (dlp) products for the detection/prevention of unauthorized data leaks. these products are primarily software-based but are often supported by hardware (dlp network monitors) in the network environment.\n202 3 controls: requirements and measures\ndlp tools are capable of identifying data as sensitive in an organization's it landscape through configurable rules, including them in monitoring, monitoring their movements, and", "613fa3d5-f3c3-44ea-9546-dd3ec367298a": "risk assessments.\ngain practical insights from our work with fr\u00e4nkische, where we guided them\nthrough their internal audit, paving the way for successful external\ncertification.", "83dfce1f-b358-4c9d-aa2f-1176d1239aad": "important to ensure that the procedure for dealing with security\nevents and incidents includes a section on the gathering and preparation of\nevidence and that all personnel likely to have roles in investigating such\nincidents are trained in this aspect. it is not always clear, at the commence-\nment of the investigation of a security incident, whether or not legal action\nmay follow. 
it is possible, therefore, that without proper procedures, vital\nevidence may initially be lost, or later deemed inadmissable in court.\nas iso27002 sets out (in clause 16.1.7), the steps that should be included\nin the investigation procedure are the collection of originals of all relevant\ndocuments, including details as to who found it, where and when, with\nwitness details if available. these records should then be securely retained so\nthat they can be accessed only by authorized persons and so that there is no\ntampering with them. copies of computer media (information on hard disks\nand on removable media such as cd-roms and usb", "18f78841-8f34-4c6c-85b9-b9694d6594f3": "windows or bars)\nshould not stand out in comparison to other rooms, as this would clearly\nindicate to a potential intruder where the most valuable assets might be\nstored. there should be no obvious signs outside the building to indicate\nhow valuable or important a room is.\n- as discussed earlier, information processing facilities managed by the\norganization should be physically separate from those managed by third\nparties, even if this means erecting a cage or some other form of physical\nsecurity within a shared secure area.\n\u00ab internal directories or telephone books or other guides that identify the\nlocation or telephone numbers of secure, sensitive areas should not be\naccessible by the public or unauthorized persons.\n- hazardous or combustible material, particularly office stationery, should\nnot be bulk-stored within a secure area. there should be a separate area,\nsome distance away, where such material is stored. regular inspections of\nsecure rooms, by someone other than those responsible for their", "81a1445e-9260-4dd7-b814-fef406a4380d": "should\nbe closely tied to the (we would hope, several times daily) availability of\nthe updates. the isms should retain records of the planned updates and\nof their actual occurrence. 
the discussion, earlier in this chapter, about\nhow to select anti-malware software is relevant here, as the evolution of\nmalware happens quickly and leads the evolution of anti-malware\nproducts. failure to update can expose the organization to severe threats,\nas new malware may be substantially more lethal than older variants.\n246\nit governance\nit is important that appropriate consideration is also given to endpoint\nsecurity: protecting notebook computers and mobile devices (particularly\nwhere they can be synchronized with data on the network such as diaries,\ncontacts, etc). wireless networks pose particular challenges, as there are\nairborne viruses that can infect them. in other words, anything that\ntransfers a file, or a part of a file, is also capable of transferring malware,\nand appropriate technical support plus a risk", "d279ee2f-4670-4558-98b6-b39b78cdaf4a": "reviewed on a\nregular basis. this is important because the needs and expectations of\ninterested parties can change over time. the review process should identify any changes in the needs and expectations\nof interested parties. the organisation should then make any necessary changes to the isms to ensure\nthat it remains effective before logging the change. if a review is conducted but there has been found to be no change required, it\nis still important to log that a review took place and to state what was done\nas part of the review.\n### how to pass an audit of iso 27001:2022 clause 4.2\nto pass an audit of iso 27001:2022 clause 4.2, follow these steps below:\n 1. understand the requirements of clause 4.2 2. identify your interested parties. 3. assess the needs and expectations of your interested parties. 4. address the needs and expectations of your interested parties in your isms. 5. document your understanding of the needs and expectations of your interested", "508ce84d-54f2-4a3e-a6fd-5af943b9b7de": "unauthorized access to screens and recording of activities. 
this risk also exists if it is possible to look at corresponding screens from outside through windows (with suitable optics) or observe ongoing activities.\nextreme cases - such as placing servers or floor printers in publicly accessible areas - occur in practice but do not require any comment. in principle, the choice of location or workplace for mobile it systems or in a home office falls under a-7.8: see the next control a-7.9.\na-7.9 security of assets outside the premises\nall equipment that is located outside the organization's premises and processes sensitive data or at least stores it must be adequately protected - namely against loss through negligence or theft, unauthorized access to content, obstruction/interruption of use, installation of trojans and other malware, and also against environmental influences.\nthese are typical threats for mobile it systems that are located outside the organization's premises for a large part of the time.", "dd60b699-c076-4f30-86d6-20e60927eb3f": "these devices\nare vulnerable to theft, loss, hacking, and unauthorized access while you leave them\nunattended.\n127\nchapter 6 execution\nnote sometimes organizations allow employees to bring and use their own/\npersonal mobile device. 
in such scenarios, appropriate controls must be\nimplemented so that organization\u2019s information is protected on these devices.\nhence, the iso 27001 standard guides you to be more aware and vigilant when you\nuse mobile devices outside the premises, as you are carrying with you the organization\u2019s\nconfidential information.\nevidence that can be prepared: a mobile device policy could be prepared, which\nmust clearly state the usage of mobile devices inside and outside the organization.\nconduct awareness sessions and maintain records about these sessions.\nnote it is important to make employees/contractors aware of how to use these\ndevices safely and remain vigilant of their surroundings.\nthe following example controls could be implemented to safely use mobile devices\n(also stated", "236aac7e-6a86-4324-875f-8659bbc52fb5": "these labels can be qr codes, bar codes, or\nrfids. these codes can be easily scanned to provide additional information about the\nasset, which makes it easier to monitor and track the assets.\nany asset that you think is crucial to your business needs to be labeled. each asset\nshould have a different identifier, such as a serial number or an asset identification\nnumber (ain). see figure 5-3 as an example.\n90\nchapter 5 risk management approach\nnote\nthere is no specific format for tagging assets. they should be tagged based\non your defined organizational procedure. some companies prefer not to mention\nthe company name when tagging the assets, for security purposes.\nsome best practices for labeling assets include:\nby item id: some assets are tagged based on their ids or location.\nfor example, if your company is in new delhi and you are tagging a\nlaptop from the software team, you can code it as follows. nd is for\nnew delhi. 
for laptops, you can assign a sequential code l001 to\nloon based on the number of", "65e4cc68-69ea-485c-a5e5-50aa1b6b58f8": "process should be organized in such a way that requirements for the information security of the remote control module to be ordered are identified and passed on to the supplier. the relevant control for this is a-5.8: information security in project management.\nin most cases, the requirements for information security were not clearly communicated to the service providers. this resulted in a lack of necessary security measures being implemented or communicated. it is important that the network operators ensure that the service providers are aware of the security requirements and implement them accordingly. this can be achieved, for example, by including the security requirements in the contracts with the service providers and regularly reviewing their compliance.\nby addressing these problems, the network operators were able to improve the implementation of the it security laws and ensure the protection of their critical infrastructures.\nidentification of remote control modules was not done and therefore not", "dad831e1-b108-4f9b-a733-19cd36f61d98": "adequate and the risks to the\norganization will not have been properly recognized or fully addressed, and\nthe strategic business goals are unlikely to have been considered.\n1so27001\nchange management\nthere have been many books written about change management programmes\nand initiatives. many such programmes fail to deliver the benefits that have\nbeen used to justify the expense of commencing and seeing them through.\nsuccessful implementation of an isms does not require a detailed change\nmanagement programme, particularly not one devised and driven by\nconsultants. 
what it does require is complete clarity among senior manag-\ners, those charged with driving the project forward and those whose work\npractices will be affected as to why the change is necessary, about what the\nend result must look like and why this result is essential.\nthe design and implementation of the isms should be driven by a project\nteam that is drawn from those parts of the organization most likely to be\naffected by its implementation as", "42f2fe79-b451-4907-b4f4-e56129c1387e": "therefore also deals\nwith internet acceptable use policies (aups).\nsecurity risks in e-mail\niso27002 identifies a number of security risks in e-mail. these include:\n\u00ab vulnerability of messages to unauthorized access, to unauthorized modi-\nfication and to denial-of-service attacks;\n\u00ab vulnerability of messages to error such as incorrect addressing, misdirec-\ntion or just the unreliability of the internet;\n+ issues around instant messaging and file sharing;\n- legal issues, such as potential need for proof of origin, dispatch and\nreceipt;\n+ uncontrolled remote user and internet access to e-mail accounts.\nmore important than any of these is the risk to the company that e-mail sent\nbetween organizations by individual members of staff may lead to unau-\nthorized exposure of confidential or sensitive information and a breach of\nconfidentiality, leading to bad publicity and possibly legal action. there is\nalready case history to show that organizations can be exposed to libel writs\nas a result of what a staff", "11803c02-4f6c-4de1-9269-2c9bab1ed404": "main-\ntain an inventory of them, of course, generally accepted accounting practice\nand legislation already require companies to maintain registers of all fixed\nassets within the organization. however, this requirement does not in prac-\ntice automatically extend to public-sector organizations. 
furthermore, the\nassets that are covered by the fixed asset register do not normally include all\nthe information assets of the company, particularly not the intangible infor-\nmation assets. moreover, the accounting fixed asset register reduces the\nvalue of assets over time, whereas many information assets either maintain\nvalue, or see their value increase over time.\nthe information assets of the organization should be identified during\nthe risk assessment process (see chapter 6), and the resulting schedule\nshould be checked against the fixed asset register to ensure that no assets\nhave been missed. the inventory should have a nominated owner, and the\nprocedures for maintaining it and, in particular, for accessing it in", "8fd2575b-013a-4dfc-84ae-ecb5ae63fe16": "from identified nonconformities\nfindings in your audit may create an opportunity to improve your information security strategy. if your auditor identified any nonconformities, be sure to implement corrective actions and track their effectiveness.", "75a1169a-cb6a-4f22-a7eb-7925911a9de5": "|#governance_and_\n#integrity security ecosystem #protec-\n#availability #information_protection |tion\ncontrol\naudit tests and other assurance activities involving assessment of operational systems should be\nplanned and agreed between the tester and appropriate management.\npurpose\nto minimize the impact of audit and other assurance activities on operational systems and business\nprocesses.\nguidance\nthe following guidelines should be observed:\na) agreeing audit requests for access to systems and data with appropriate management;\nb) agreeing and controlling the scope of technical audit tests;\nc) limiting audit tests to read-only access to software and data. 
if read-only access is not available to\nobtain the necessary information, executing the test by an experienced administrator who has the\nnecessary access rights on behalf of the auditor;\nd) if access is granted, establishing and verifying the security requirements (e.g. antivirus and\npatching) of the devices used for accessing the systems (e.g.", "9e4e15a9-fd29-49af-bc4d-9a8bba207805": "measures may not have functioned correctly, or another situation with security implications may arise or has already occurred. for example, the discovery of vulnerabilities in an organization's it system could be such a \"suspicious\" state.\nsuch a \"suspicious\" state is referred to as an (information security) event in the standard.\nan event does not necessarily have to result in harm to the organization - but if it threatens or has already occurred, the event becomes an (information security) incident.\nincident or (information security) incident upgraded.\nan incident always requires qualified handling to prevent damage from occurring or at least to limit it after it has occurred. 
this is the core task of incident management.\n20 critical infrastructures (in germany); the specified levels with their associated rules define the so-called traffic light protocol of the bsi for data exchange in the critical infrastructure environment.\n1.4 basic terms and connections\nin addition to event and incident, there", "f229fa0d-43ab-4b4b-ae8e-1b42c1176256": "external audit, where an auditor will assess portions of the\nisms.\n\u200d\n\u200d\n## who benefits from iso 27001 compliance?\n\u200d\niso 27001 compliance offers a win-win-win situation: it benefits you, your\nstaff, and your customers in various ways.\nthe iso 27001 certification benefits for your business include:\n * positioning your business as a stronger competitor so you can win more customers\n * protection for your intellectual property, brand, and professional reputation\n * retaining more of your customers\n * time savings and cost savings due to having more efficient processes\n * better security against a data breach and the associated costs like investigative costs and lawsuits\n * adherence to security and privacy regulations like gdpr and hipaa, allowing you to avoid penalties\n * ability to attract stronger, more security-minded staff\nwhen your business is iso 27001 compliant, it offers certain benefits to your\nstaff too, such as:\n * more efficient operations leading to fewer avoidable frustrations\n *", "dde448f3-5bf3-41ea-b06f-1201449dcc3f": "only the local laws but also any international or country laws where\nyour clients are based. otherwise, they cannot accept the products or services provided\nby the organization. hence, whenever new laws are published, they must be analyzed.\nany security controls implemented around them to safeguard information must be\nidentified as part of the improvement tracker.\nthere could be many more sources from where you can get the improvement\nareas identified. 
this list is a starting point to help you to think about and find sources.\nyour long-term goal should be to maintain and improve the information security\nmanagement system to the benefit of the organization.\nexecution plan\nonce you have identified your actionable improvement areas, it is time to go ahead and\nimplement them.\nthe main responsibility of the information security team is to collate all the gaps/\nimprovement areas on the improvement tracker in order of priority and target dates. it\nwould be difficult to work on all the improvements at the same", "65b89eed-a6ed-4926-9acf-738f995749b9": "the processing time from each ticket is weighted with the risk level of the corresponding vulnerability and then average values are calculated, high risk levels have a stronger influence on the result - the average value would then not be skewed by many vulnerabilities with low risk. such an adjustment of the measurement could also be carried out as part of continuous improvement.\nthe standard specifies some basic requirements for measurements of this kind:\ncomparability: if measurement data is collected multiple times for the same subject (e.g. at certain intervals), the results should be comparable to each other, i.e. not measured in different units or under different conditions (to the extent that it has an influence).\nif people are involved in the measurement, the following should also apply:\nreproducibility: if a measurement is repeated by the same person - under the same conditions - the same result should be obtained.\nin practice, one is usually satisfied if repeated measurements yield", "8a1dd7f9-8a85-4ea5-92a2-e871584d4121": "to follow.\n- contact details and for accessing appropriate support in the event of\nunexpected operational or technical difficulties, and what records should\nbe kept.\n- instructions for handling special outputs, such as special stationery, or\nwhat to do with failed output for special jobs. 
uncontrolled versions of\nthese instructions should be posted near the machines to which they\nrelate.\n- detailed system restart and recovery procedures to follow in the event of\nsystem failure. these procedures should be in the isms, and controlled\ncopies should be visibly posted near the equipment to which they relate,\nto enable them to be easily used when required.\nthere should also be detailed procedures (based on manufacturers\u2019 instruc-\ntions or user manuals) for all the basic housekeeping functions, including\ncomputer start-up and power-down, back-ups, equipment maintenance,\nmail handling, computer room usage, etc. these procedures should, wher-\never possible, be reflected in visible reminders as to requirements,", "0fafeb59-eb0f-4ee5-b329-f573d221dac6": "the three information attributes, there may be an\nimpact that has business consequences, one that has\nlegal/regulatory consequences, and one that has contractual\nconsequences. you must therefore assess, for each of these\npossibilities, what that impact might be. you have, in other\nwords, potentially nine decision points in respect of each\nthreat-vulnerability or event-consequence combination for\neach information asset.\nhere\u2019s an example using a threat-vulnerability assessment:\nimagine the risk assessment carried out in relation to an\norganisation\u2019s unencrypted backup tape, and specifically\nhow it is transported to secure off-site storage. a threat \u2014\ndriver forgetfulness or inattention \u2014 might exploit a\nvulnerability \u2014 the van door doesn\u2019t close properly unless\nit is forced shut and locked \u2014 with the consequence that\nthe backup tape might fall out into the road while in\ntransit. 
there is a realistic likelihood of this happening,\nand the potential impacts can be assessed as follows:\n123\n11: impact,", "411f799e-d81b-4e14-a38d-34ba67ae3b56": "its procedures as a result of controlling its response to them,\nso a bank of material that the organization can use in future training is built\nup.\nreporting software malfunctions\ncontrol 16.1.2 of iso27002 includes a requirement to report software\nmalfunctions. apparent software malfunctions are concerns for two reasons.\nthe first is that they affect the ability of one (and potentially more than one)\nuser to use the organization\u2019s information processing facilities. the second\nis that the apparent software malfunction might be some form of infection\nincluding spyware) that could destroy data, and thereafter the integrity of\ninformation, on the user\u2019s workstation and that could also, if not properly\ncontrolled, spread to other workstations on the organizational network.\nthe event reporting procedure should therefore incorporate the follow-\ning steps:\n1 users should, for a start, have been trained to realize that any unexpected\nor unusual behaviour on the workstation is possibly a software", "9a8de027-403a-49d9-a55b-7e53a1afe3c9": "cryptographic systems) on the same physical network.\na logical segmentation, such as vlan or vpn, can also be considered for the transport of classified data if a separate (logical) segment is available for each data class and the secure separation is proven according to the organization's rules (or other regulatory bodies).\nif the use of services by participants from other segments needs to be controlled, filtering - such as in the separating firewall - and authorization control of the network nodes are relevant.\nin the case of frequently encountered guest networks, strict control is rather obstructive: here, a \"fast\" connection to the internet or to a \"harmless\" part of the organization's network should be allowed. 
however, guest networks must be effectively separated from sensitive production networks. similarly, if customers of the organization are allowed to access certain data and applications as a user group, the corresponding area - also called an extranet - must be securely separated from the", "413b360d-668b-4176-af96-0330158159a0": "vulnerabilities to those assets.\n * assess the likelihood and impact of each threat.\n * develop and implement controls to mitigate the risks.\n#### how do i monitor and review my isms?\nthe isms should be monitored and reviewed on a regular basis to ensure that it\nis effective. this includes:\n * monitoring the effectiveness of the security controls.\n * reviewing the risk assessment.\n * conducting internal audits.\n * seeking feedback from stakeholders.", "e8914b74-309e-40a2-89a5-1c1f0076a817": "ownership\nof the asset to the individual and is defined as the individual\nor entity \u201cresponsible for the proper management of an asset\nover the whole asset lifecycle\u201d. this could, therefore, be a\nsystem administrator or a manager who is responsible for\ndefining how an asset or group of similar assets is used.\nthe owner of the asset is the person \u2014 or part of the business\n\u2014 responsible for appropriate classification and protection of\nthe asset. in real terms, allocating ownership to a part of the\norganisation can be ineffective, unless that part has a clearly\ndefined line of responsibility and individual accountability in\nplace.\nit is important to recognise that there may be a number of\nassets that have users, or custodians, who are not the\nnominated owners of the asset: for instance, the operating\nsystem is likely to be owned by the system administrator, but\nit will be deployed on workstations throughout the\norganisation and will be used by workstation users. 
the\nsystem administrator will be responsible", "a4f9fba4-209d-4481-ba98-2e0afbd147fc": "form the core of an isms manual.\n- evidence of the actions undertaken by the organization and _ its\nmanagement to specify the scope of the isms (business architecture\ndiagrams. organization charts, network maps, etc) the minutes of board\nand steering committee meetings, as well as any specialist reports).\n1so27001\n- a description of the management framework (steering committee, etc).\nthis could usefully be related to the organizational structure chart.\n+ the risk treatment plan and the underpinning, documented procedures\n(which should include responsibilities and required actions) that\nimplement the specified controls. a procedure describes who has to do\nwhat, under what conditions, or by when, and how. a work instruction\nis an even more detailed description of how to perform a specific task.\nprocedures (there might be one for each of the implemented controls) and\nwork instructions might be identified in the isms documentation, but\nwould be subject to a lower level of authorization than the manual.\n\u00ab", "6530df65-3f39-46f6-a3ad-e748006b5576": "packages. from time to time, the\nsoftware should get updates and approved patches.\nsecure system engineering principles should be written according to\nyour organization\u2019s in-house development activities. security should\nbe built at all levels and if any new technology or designs are added,\nthey must be reviewed for security risks.\noutsourced development. whenever development needs to be\noutsourced, there are many controls to be placed. when we share\ncode with other companies, it must be protected. the ownership of\nthe code must be ensured and intellectual property rights must be\nrespected.\nsystem security testing. there needs to be thorough testing of newly\ndeveloped and updated systems. 
for in-house development, the\ndevelopment team should perform the testing first and then an\nindependent testing team should test the product or the application.\nsystem acceptance testing must be done for all new systems or\nupgrades. testing must be done in a real environment to ensure that\nthe system does not have any", "cc5676da-b5be-4d68-ae8e-5b955eaec92c": "our isms. should we initially keep the scope small - for example, securing only core business processes - and gradually expand later? or would it be okay to establish a lower level of security than originally planned at the beginning? it is clear: none of these options are recommended, but what can be done?\nwe refer to external aspects as those brought to our organization from the outside. these include:\n2.1. context of the organization (isms-4) 35\n\u00a9 legal requirements (laws, regulations, decrees) that our organization must comply with. if we operate in more than one country, there may be several requirements to consider. eu requirements in the form of guidelines and regulations (such as the gdpr [1] on data protection or the eidas regulation [2] on electronic trust services) should not be overlooked. an example of a decree is the german vat application decree, which includes requirements regarding \"qualified electronic signature and electronic data exchange\" in section 14.4 - these will have an impact on", "3f8c7c3e-8e66-4694-b315-b6e49fcc2095": "response\nto the adversary\u2019s intelligence actions. examples of these kinds of actions are reverse social engineering\nor the use of honeypots to attract attackers.\nother information\ndata leakage prevention tools are designed to identify data, monitor data usage and movement, and\ntake actions to prevent data from leaking (e.g. 
alerting users to their risky behaviour and blocking the\ntransfer of data to portable storage devices).\ndata leakage prevention inherently involves monitoring personnel\u2019s communications and online\nactivities, and by extension external party messages, which raises legal concerns that should be\nconsidered prior to deploying data leakage prevention tools. there is a variety of legislation relating to\nprivacy, data protection, employment, interception of data and telecommunications that is applicable to\nmonitoring and data processing in the context of data leakage prevention.\ndata leakage prevention can be supported by standard security controls, such as topic-specific policies\non access", "82a21896-f077-4df4-87a4-dde7bdc9c6b4": "of your iso 27001 certification: the full audit. your\ncertification organization will conduct an in-depth investigation of your isms\nto evaluate your iso 27001 compliance. this can be an extensive on-site\nprocess.\nkeep in mind, though, that compliance automation software like vanta can make\nthis process simpler. as it scans your system, vanta compiles and documents\nevidence of your compliance, so your auditor will have all this documentation\nin one convenient place.\n**8\\. receive your certification**\nif your auditor determines that you adhere to all the necessary components of\niso 27001, you will officially receive your certification.\n## maintain your iso 27001 certification\nit\u2019s important to understand that iso 27001 certification is not a one-time\nprocess. your certification will need to be renewed to some degree every year.\nthese certificates use a three-year cycle. 
one year after your first\ncertification, your certification organization will conduct a less extensive\naudit to", "0b092f01-5382-4807-a1ef-a3af43865daf": "considered.\nscreening\ncontrol\nbackground verification checks on all candidates for employment\nshall be carried out in accordance with relevant laws, regulations\nand ethics and shall be proportional to the business requirements,\nthe classification of the information to be accessed and the perceived risks.\na.7.1.2\nterms and conditions of employment\ncontrol\nthe contractual agreements with employees and contractors shall\nstate their and the organization\u2019s responsibilities for information\nsecurity.\na.7.2 during employment\nobjective: to ensure that employees and contractors are aware of and fulfil their information security\nresponsibilities.\nmanagement responsibilities\ncontrol\nmanagement shall require all employees and contractors to apply\ninformation security in accordance with the established policies\nand procedures of the organization.\ninformation security awareness, education and training\ncontrol\nall employees of the organization and, where relevant, contractors shall receive appropriate", "614167fb-a5aa-4919-bbff-a6fa61e31afe": "and\nimplemented security controls for the privacy and protection of personally identifiable\ninformation.\na.18.1.5 regulation of cryptography controls (iso 27001 control)\ncryptographic controls should be used in compliance with all relevant agreements,\nlegislation, and regulations.\nexplanation/what is required: an organization must use cryptographic controls\nin compliance with all relevant agreements, legislation, and regulations, as there could\nbe restrictions on how they must be implemented. failure to comply may result in\nfines or could impact the company image. 
hence, organizations are advised to discuss\nwith their legal team to analyze the specific legal requirements in the countries where they\noperate.\nevidence that can be prepared: cryptography usage policy and evidence of\ncryptography usage\nwho prepares it: department heads/managers along with the information security\nteam will identify and document evidence.\nfor external audit: the external auditor conducting", "711bfc1f-102f-4c07-bfad-c1defd649112": "including whether the incident form was\nused properly to report the incidents and what actions were taken for resolution.\na.6.1.4: contact with special interest groups (iso 27001 control)\nappropriate contacts with special interest groups or other specialist security forums and\nprofessional associations should be maintained.\nexplanation/what is required: although you learn many things from the iso 27001\nstandard, you must also learn from other industry best practices and other relevant\ninformation that is published from time to time, to improve the knowledge of the team\nresponsible for implementing and monitoring controls on a regular basis. it is\nimportant to stay up to date and ready to prevent any information security attack on your\nsystems. 
hence, it is advisable to participate in security forums, seminars, and security\ninterest groups that share relevant and new information with the teams.\nevidence that can be prepared: association with security forums, participation", "ca884959-4d4a-4541-aa18-e676ea15dc73": "completed on time and to budget\n * level of employee satisfaction with the isms\nthe specific items that need to be monitored and measured will vary depending\non the organisation's size, industry, and risk profile; however, all\norganisations should monitor and measure the items listed above to ensure the\neffectiveness of their isms.\nin addition to the above, organisations may also want to monitor and measure\nthe following:\n * **information security risks:** this includes monitoring and measuring the organisation\u2019s information security risks to identify any new or emerging risks.\n * **information security controls:** this includes monitoring and measuring the effectiveness of the organisation\u2019s information security controls to ensure that they are operating as intended.\n * **information security awareness and training:** this includes monitoring and measuring the effectiveness of the organisation\u2019s information security awareness and training programs to ensure that employees", "39fba19a-37ce-4571-97c2-9795d25e5cfe": "numbers, which are calculated by taking the sum of the\nvalues of confidentiality, integrity, and availability. if the sum value is more than 5, it\nbecomes important and you must implement controls. note the justification for asset\nvalue column. it is good to provide reasons in your own words so that nobody questions\nthe given asset\u2019s value.\nnote that for each department, the asset value will be different. 
the importance of\nan asset may vary from department to department because they process and store\ndifferent information.\nthe asset, category, and asset value columns must be filled in for each department\ninvolved in the iso 27001 implementation journey. some of the assets could be similar,\nbut the data processed or stored by them could be different and their purposes could\ndiffer too.\nit helpdesk department\nwhatever you call the it support department, their functions and activities will basically\nbe the same. this department typically covers about 30-40% of the iso 27001 security\ncontrols implementation. the", "f4025d1d-e14a-4af7-9ac8-74146a95c19f": "case of\nmisconduct\nevidence that can be prepared: disciplinary policy or a standard operating\nprocedure, or both, could be prepared. feedback forms.\nwho prepares it: the human resources department.\nfor external audit: the external auditor conducting the iso 27001 certification\naudit will check for the disciplinary policy or a standard operating procedure.\na.7.3 termination or change of employment\nobjective: to protect the organization\u2019s interests as part of the process of changing or\nterminating employment.\nexplanation: whenever any employee or contractor exits the organization, their\nexit formalities must be done systematically. 
also, within the organization, if there is a\nchange in employment responsibilities, there should also be a standard process.\na.7.3.1 termination or change of employment responsibilities (iso 27001\ncontrol)\ninformation security responsibilities and duties that remain valid after termination\nor change of employment should be defined and communicated", "0c762c73-8461-4a22-baf9-61edc0ce834e": "context (isms-4):\na) which of its assets require controls, and\nb) who should be considered authorized or unauthorized,\nc) which access, entry, or usage should be allowed/prevented,\nd) how the controls should be practically implemented.\napproach for a: we copy the asset inventory and, in consultation with the asset owners listed therein, remove all assets for which there is no need for control from a business or security perspective, or where controls are carried out in other ways. we continue working with the remaining assets, which form the list of objects to which access control applies.\nfor point b, we need a list of individuals, groups of individuals, and roles that may be considered authorized or unauthorized. we generally refer to them as subjects for access control. in addition to individuals and roles, we also count as subjects anything else that can have access to our assets in any form - e.g. organizational units, customer groups - including individual it systems and applications that can themselves access data", "159e9064-e93d-4a89-bf92-43d2dade862e": "unit; in our opinion,\nthey are doing a disservice to their clients, as well as to the\nintegrity of the iso 27001 scheme. do not be tempted by\nsuch certification bodies to pursue an approach that is likely\nto be inadequate to your long-term needs.\nthe other issue with regard to scope \u2014 and that directly\nrelates to the risk management aspects of the project, as well\nas the project in general \u2014 is how it maps onto management\nresponsibilities at the top level. 
the scope of the isms\nshould be aligned with the boundaries of a single\nmanagement team\u2019s responsibility. this should be the\nmanagement team that has authority to sign the information\nsecurity policy and has responsibility for directing and\nmanaging the organisation that falls within the scope. this\nmeans that when it comes to deciding on the acceptable level\nof risk it is just one person, or group (e.g. board or\nmanagement team) who decide, and this is demonstrated by\none individual signing off the", "56ec2788-7ad8-43ba-91db-dcd7c003153b": "objectives, rather than on the interests and skills of an individual\nmanager. all the staff and resources that might be necessary to make a\nparticular emergency plan work should be considered. plans should be\ndrafted by process or asset owners, in accordance with the planning process,\nand then submitted to the information security adviser for review.\nthe business continuity planning process should ensure that:\n- there is a clear description (signed off by the board) of the circumstances\nin which the procedure is to be carried out.\n- there is a clear description (signed off by the board) of what constitutes\nthe maximum acceptable level of loss of information or services, and this\ncriterion should drive all activity.\n- all responsibilities and detailed emergency procedures for all identified\ninterruptions are themselves identified and agreed internally, with clarity\nabout who has the authority to invoke the plan.\n- emergency procedures are implemented quickly enough to allow recovery\nand restoration of the", "209fa169-5231-4321-952b-4587bf4da588": "greatest extent possible. 
it is important to examine other options if\nsegregation is not feasible, such as task reporting, audit trails, and\nincreased management oversight.\n### annex a.6.1.3: contact with authorities\ncommunication with the appropriate authorities must be kept open at all times.\nprocesses should be put in place to define when and with which authorities the\norganisation should communicate, and how identified information security\nviolations will be reported to them as soon as possible.\norganisations that have been attacked over the internet may need authorities\nto take counter-measures. maintaining these connections may also be required\nin information security to assist incident management or business continuity\nand contingency planning operations. contacts with regulatory authorities are\nalso beneficial in predicting and planning for any changes in the rules or\nregulations that the organisation must comply with.\n### annex a.6.1.4: contact with interested groups\nspecial interest groups (sigs) are", "da360e85-6f4d-4b05-b799-e992287b43c6": "processes into automated and\ncontinuous system monitoring\nidentify and close any gaps in isms implementation in a timely manner", "0ca60011-766e-4833-b11c-6d71a7d96e05": "on.\n**2\\. on-site audit**\nin the second step, an on-site inspection is carried out. 
some of your\nemployees will be interviewed, and your systems will also be randomly checked.\nin addition to employees such as your ciso/isb, who directly deal with the\nisms, your cfo or ceo should give the auditor confidence that the financial\nresources for operating the isms are firmly set up.\nyou will already know during the inspection whether you\u2019re going to pass the\naudit and receive the certification, as the auditor will directly address\nminor and perhaps even major issues.\nafterwards, the certification body first has to review all non-conformities\nraised by the auditor, which usually gives you the chance to improve your\ndocumentation before an official result of the audit is confirmed.\na major non-conformity will lead to a failed audit. the only thing left is to\nset the date and conditions for a follow-up audit together.\n**3\\. audit report and iso 27001 certificate**\nfinally, you will receive an audit", "630da8b8-3956-496a-b2ee-b5058ff307f1": "for achieving objectives was removed, as it\u2019s covered in clause 6.2.\nclause 9.1 \u201cmonitoring, measurement, analysis and evaluation\u201d\ntransferring the note from the existing standard stating \u201cthe methods selected should produce comparable and reproducible results to be considered valid\u201d to the main body of the text lends crucial clarity about what qualifies as a \u201cvalid\u201d result according to the standard.\nclause 9.3 \u201cmanagement review\u201d\nthe reorganisation of this clause has resulted in three sub-clauses. 
item (c) was added to 9.3.2 management review inputs, now including \u201cchanges in needs and expectations of interested parties that are relevant to the information security management system.\u201d\nclause 10 \u201cimprovement\u201d\nthe arrangement of this clause has been inverted, so 10.1 is now \u201ccontinual improvement\u201d and 10.2 is now \u201cnonconformity and corrective action.\u201d\nwill iso/iec 27001:2022 changes affect my current iso/iec 27001 certificate?\nfirst of all, don\u2019t panic. the recent modifications in iso/iec 27001:2022 won\u2019t", "de37ecbd-ddb0-450a-991e-c14b0d80a4d0": "action);\n- the problems that there might be around future upgrades and maintenance\nif the changes go ahead and the vendor will not support the changes.\nwhere changes do go ahead (after initiating the change management process\ndiscussed above), retain a copy of the original, unchanged software; fully\ntest and document the changes; and ensure that they can be reapplied after\nall future upgrades. better still, adapt to the software!\ndevelopment and support processes\nsecure systems engineering principles\ncontrol 14.2.5 says the organization should \u2014 particularly if it engages in\ncomplex system development \u2014 establish clear, documented principles for\nengineering secure systems and should then ensure these principles are\napplied to all systems engineering efforts.\nsystems engineering is a formal discipline which focuses on how to design\nand manage complex systems across their lifecycles. 
system development,\ndesign, implementation, and ultimate decommission become increasingly\ndifficult with large or complex", "f28a6373-1b98-4662-92bc-e93d9a4281ae": "automated detection).\n- achieve a restoration of normal operation in an acceptable time frame (reaction).\nthe list roughly describes the task of so-called business continuity management (bcm) for business processes.\nthe organization's meals.\nsome of the organization's business processes will be critical insofar as high availability or maximum allowable downtime is required. such conditions are usually specified in the form of service level agreements (slas) or operational level agreements (olas). to comply with these slas/olas, we need preventive, detective, and reactive measures.\nusually, one starts with a so-called business impact analysis (bia) to determine the criticality of each business process and to identify the resources used by these processes.\nbased on this, a continuity solution is developed for each affected business process to meet the slas/olas. the solution usually consists of a package of preventive, detective, and reactive measures.\nreactive measures mainly include restart and recovery", "fa3aadd2-3d23-4a28-965a-fae613f423f8": "calling tree documents to be updated.\n- the critical assets and their whereabouts (together with any information\nnecessary to access them) need to be documented for each of the\ncomponents of each plan. any special operating skill or knowledge that\nmay be required to operate any of these assets also needs to be identified,\ntogether with provision for its availability.\ntesting, maintaining and reassessing business continuity plans\nthe organization should test bcps regularly and carry out regular reviews\nto ensure that they remain up to date and effective, and that they address the\nrequirements for information security. untested bcps are only slightly more\nuseful than having none at all. 
the reality is that when a disaster strikes,\npeople do not have time to search out the last copy of their bcp, check to see\nwhether or not it is up to date, work out what they are supposed to do and\nthen do it.\na useful bcp is one that clicks into action smoothly", "5432093b-2a5e-4e08-ad6c-f95350f5fb20": "conducting a management review to make sure upper management is aware of the entire isms. these reviews go over every single part of the isms\u2014including policies, metrics, operations, and any deficiencies in the internal audit.\nbefore undergoing an audit, steve suggests you have:\nall the basic documentation in place, including running the system for a period of three to six months.\na trained team that promotes a cyber aware culture.\nrisk assessment and risk treatment plans in place.\na connection with your certification body\u2014they can offer specific advice as to what you need to do to get ready and what you should be on the lookout for.\nat least 75% passing tests and controls in your compliance automation system.\n\u201cyou\u2019ll know if you\u2019re ready. do your internal audit, prepare your controls. if you have risk, identify risk and treatment plans.\u201d\nthese were just some of the questions covered in this edition of ask an auditor. check out the webinar to hear steve and troy\u2019s answers to these questions and", "ebf58f5a-5464-4da4-adea-b7ce5bc61f23": "the nonconformities procedure discussed earlier in this\nchapter and should be subject to the same level of monitoring, analysis and\nfollow-up as any others.\ninformation systems audit considerations\ncontrol 12.7.1 sets out how the organization should prepare for information\nsystems audits (which might or might not include technical compliance\nchecking, as well as audits of, for example, licences and software installations). 
essentially, says iso27002, such audits should be scheduled so they\ndon\u2019t interrupt business activity. in principle, of course, any audit interrupts\nbusiness activity and therefore the implementation of this control should be\naimed at minimizing disruption and selecting periods of low or reduced\nactivity and/or demand for carrying out any audit. moreover, testing should\nbe controlled, testers should preferably be limited to read-only access, and\nall testing logs should be controlled.\nthe iso27001 audit\nwhile some organizations might still debate the value of iso27001", "5a0d580d-e959-4844-9596-f742bb9664de": "will have to be addressed and solutions found that can be\nconsistently and coherently applied across the whole organization. part of\nthe solution will lie in what sort of meeting rooms or available secured areas\ncan be used by employees, and part will depend on how information is classified\nand what facilities are made available for its storage.\niso27002 provides very common-sense advice on the selection and\ndesign of a secure area, and this section should be read in conjunction with\nthe next sub-section, \u2018protecting against external and environmental threats\u2019.\nsecure area design should take account of the possibility of damage from\nfire, flood, explosion, civil unrest and other forms of natural or human-created\ndisaster. 
the risks posed by neighbouring premises should be\nconsidered, such as potential leakage of water from outside the secure area.\nsecure storage facilities, such as safes and high-security document stores,\nalso need to be sited in such a way that they", "8e71ee99-0876-4e58-8992-ae68243b062e": "risk treatment plan is an essential tool for any\norganisation that wants to protect its information assets and improve its\ninformation security posture.", "04466265-f59d-4134-b4d1-bf4669961c00": "really be,\npart of the mainstream.\nthe internet engineering task force (ietf) is an open, international\ncommunity of practitioners concerned with the evolution of internet architecture\nand its smooth operation. it has a number of working groups, which\nconsider and propose official standards and protocols for use on the internet.\nits website can be accessed at www.ietf.org (archived at https://perma.cc/wq56-m5um).\nthe fact that a protocol has been adopted by the ietf\nand by a number of supporting organizations does not, however, mean that\nevery single organization in that space has to \u2014 or indeed will \u2014 use it. the\ninternet is still wild. the four key security technologies (ssl, ipsec, s/mime\nand pkix) are briefly described below. there are a number of other technologies,\nwith various derivations, but these four are still the technological\nbasis of most internet security systems.\nsecure sockets layer (ssl)\nssl (long since superseded by tls, although the old name persists) is a handshake protocol that was", "453b8b25-b295-42e8-a00d-3bcf189f756c": "reviewer.\n(c) the resources necessary for planning, operating, and maintaining the isms must be available.\nthis understandable requirement is naturally the sticking point in many organizations: resources are always limited - and who actually determines what is required when and for what purpose? 
initially, those responsible for information security (security officers, coordinators from the affected departments - perhaps a working group?) should prepare a resource plan for a specific period of time (typically 3 years) and submit it for approval. the plan must include the required personnel, all financial resources for setting up and operating the isms, and all resources necessary to establish and use the planned security measures. for these points, during the establishment phase of the isms, only an estimate can be given.\nin the discussion with management about the allocation of resources, it may be helpful to refer to recommendations from recognized auditors - their advice may carry more weight in such", "daa224a7-f0be-4b04-b7a1-5f4113c03616": "adopted ismses, the british standards institute group\n(bsi group) sought to define it standards outlining how organizations should design their isms to secure their\ninformation assets.\nin 1995, the bsi partnered with the united kingdom government's department of trade and industry (dti) to\nwrite vendor-neutral standards that uphold the availability, confidentiality, and integrity of an organization's\ndata and proprietary information. these essential it standards\u2014known as bs 7799\u2014became the foundation for\ntoday\u2019s iso 27001 standard.\nthe first part of bs 7799 focused on general information security management standards. after multiple\nrevisions, the iso adopted the first part of bs 7799 in 2000 and called it iso/iec 17799. after further revision, it\nwas renamed iso/iec 27002 in 2007. iso 27002 provides additional guidance to implement security controls\nrecommended in iso 27001.\nthe second and third parts of bs 7799 ultimately became the iso 27001:2005 standards. these guidelines\nspecify how to implement an", "b3e87dce-424a-4162-adb1-d76bcb86d9ed": "27001 certificate demonstrates your dedication to\nsafeguarding information and underscores your business's credibility in\npartners' eyes. 
this can give you a competitive edge and enhance your brand\nreputation.\n**assists legal compliance:**\niso 27001 certification aids in meeting your various business, legal,\nfinancial, and regulatory commitments. by identifying statutory and regulatory\nrequisites, you can mitigate the likelihood of costly breaches, subsequently\nreducing the risk of expensive legal consequences and fines.\n**secures personal data and intellectual property:**\nthe iso 27001 certification process offers an impartial evaluation of your\ninformation security strategy. it could also assist in managing your\nintellectual property and data sources while creating tangible proof of\nimplementation.\n**mitigates costly cyber-related data breaches:**\ndata breaches come with a hefty price tag. in 2023, the average cost of a data\nbreach was estimated at around $4.45 million (ibm, 2023). the iso", "b8877c67-cf6b-41b5-93fc-1d4a019fc406": "best practices you should implement to do this,\nwhich can also serve well as a checklist:\n * identify the expectations of your stakeholders regarding information security through conversations with them.\n * define the scope of your isms and the information security measures.\n * define a clear security policy.\n * conduct a risk assessment to identify any existing and potential risks to your information security.\n * implement measures and risk management methods that set clear objectives.\n * continuously evaluate the effectiveness of your information security practices and conduct regular risk assessments.\n### checklist: iso 27001 compliance\nbreaking down the path to iso 27001 compliance into individual steps, the\njourney looks as follows:\n 1. **prepare thoroughly** while reading the standard, you gain valuable insights into iso 27001 and its\nrequirements. additionally, there are numerous opportunities to further\neducate yourself on iso 27001. 
you can", "90bf1824-d4b3-4a1a-a5cc-26f02fae706e": "tests are reliable (see 8.31).\nother information\nmultiple test environments can be established, which can be used for different kinds of testing (e.g.\nfunctional and performance testing). these different environments can be virtual, with individual\nconfigurations to simulate a variety of operating environments.\n\u00a9 iso/iec 2022 - all rights reserved 125\nhochschulbibliothekszentrum des landes nordrhein-westfalen (hbz)\n09/06/2023 15:30:34\nprinted copies are uncontrolled\niso/iec 27002:2022(e)\ntesting and monitoring of test environments, tools and technologies also needs to be considered to\nensure effective testing. the same considerations apply to monitoring of the monitoring systems\ndeployed in development, test and production settings. judgement is needed, guided by the sensitivity\nof the systems and data, to determine how many layers of meta-testing are useful.\n8.30 outsourced development\ncontrol type information cybersecurity operational security domains\nsecurity properties concepts", "2030ac2d-0592-4e26-abb0-aa1b962367a2": "report and the certificate from your\nauditor. many certification companies are currently busy, so this may take a\nfew months.\n## what happens if you fail the external audit?\nthe external auditor will usually give you an indication during your external\naudit whether you are likely to pass or fail the audit. major nonconformities\nmay lead to a failed external audit \u2014 although this might seem like a major\nsetback, it needs to be seen as an opportunity to improve.\nwhen it comes to the 2022 version of iso 27001, there are 93 annex a controls\nthat cover various areas of an organisation. these controls are segmented into\n4 different categories (domains). 
depending on which are relevant for your\ncompany, risks, industry and customers \u2014 you will fulfil the requirements in\nspecific annexes.\nyou will receive an audit report; this will be your go-to to identify what you\nneed to change in order to pass your next external audit. it is also\nrecommended to speak with the auditors for further clarification on", "7963d0b2-9fbb-4682-9934-01b9146ab48d": "implementation projects.\n\u00a9 abhishek chopra, mukund chaudhary 2020\na. chopra and m. chaudhary, implementing an information security management system,\nhttps://doi.org/10.1007/978-1-4842-5413-4 3\nchapter 3. project kick-off\npresenting a high-level plan\nwhen you're implementing a high-level plan, it is advisable to invite all the stakeholders\nand to set up high-level policies for information security. this involves:\n- setting up roles and responsibilities\n- defining rules for continual improvement\n- raising awareness of the team by providing them with regular\ntraining and communication\nso, how do you initiate a kick-off? the ciso (chief information security officer)\nor relevant authoritative person must organize the kick-off meeting and invite all the\nkey stakeholders associated with or working with the information security department.\nmany times, stakeholders are not aware of their role in the implementation, as the\nkick-off meeting is never planned. 
hence, a project\u2019s importance fades over time", "76d16257-79ea-4172-9707-26e7336730a9": "reserved\nhochschulbibliothekszentrum des landes nordrhein-westfalen (hbz)\n09/06/2023 15:30:34\nprinted copies are uncontrolled\niso/iec 27002:2022(e)\n5.25 assessment and decision on information security events\ncontrol type information cybersecurity operational security domains\nsecurity properties concepts capabilities\n#detective #confidentiality #detect #respond |#information_securi- |#defence\n#integrity ty_event_management\n#availability\ncontrol\nthe organization should assess information security events and decide if they are to be categorized as\ninformation security incidents.\npurpose\nto ensure effective categorization and prioritization of information security events.\nguidance\na categorization and prioritization scheme of information security incidents should be agreed for the\nidentification of the consequences and priority of an incident. the scheme should include the criteria to\ncategorize events as information security incidents. the point of contact should assess each information\nsecurity", "ee7a2136-72b7-4206-8a95-3d8a108ee187": "vulnerabilities in an information security incident. the impact of the incident scenarios is to be\ndetermined considering impact criteria defined during the context establishment activity. it can affect\none or more assets or part of an asset. thus, assets can have assigned values both for their financial\ncost and because of the business consequences if they are damaged or compromised. 
consequences can\nbe of a temporary nature or permanent as in the case of the destruction of an asset.\norganizations should identify the operational consequences of incident scenarios in terms of (but not\nlimited to):\n\u2014 investigation and repair time;\n\u2014 (work)time lost;\n\u2014 opportunity lost;\n\u2014 health and safety;\n\u2014 financial cost of specific skills to repair the damage; and\n\u2014 image reputation and goodwill.\ndetails on assessment of technical vulnerabilities can be found in b.3.\noutput: a list of incident scenarios with their consequences related to assets and business processes.\n8.3. risk analysis\n8.3.1 risk analysis", "5662f0b6-1229-4035-9e75-8a3167761e1c": "consequent savings benefit the\nbottom line or enable other controls to be deployed\nelsewhere. furthermore, as bs 7799-3 notes, \u201cfactors that\naffect the likelihood of the occurrence of the event and their\nconsequences of events can change, as can factors that affect\nthe suitability of or cost of the various treatment options\u201d\n(clause 12.3), which is echoed by iso 27005.\nthe logical approach (which should be reflected in your\nmethodology and, therefore, in your choice of risk\nassessment tool) is, as we indicated earlier, for the initial risk\nassessment to take place only after identifying the existing\ncontrols. it makes sense, in other words, to identify all\nexisting controls that are applied to each asset or risk at the\npoint of identifying the assets and then carrying out the initial\nrisk assessment, and then potentially do both a \u2018before\u2019 and\nan \u2018after\u2019 assessment.\nyou should easily be able to identify, in the \u2018after\u2019\nassessment, those risks that you have \u2018over-controlled\u2019 by\nthe fact that, in comparison", "5b5bafb9-097b-4eff-a3b2-a32dfbab3ce3": "measurements - otherwise, there may be little to do. 
another - perhaps better - option is to align with the schedule of internal audits according to isms-9.2 and the management review according to isms-9.3 in order to be able to present \"fresh\" evaluations in each case.\npoint 5\nwhat evidence is required regarding the monitoring/measurements?\nthe norm simply states: evidence of the results.\nthis includes measurement and monitoring protocols - with information about the subject, time, and location of the measurements, the person performing them, equipment used, etc. - as well as reports on completed assessments or evaluations.\nfrom the norm's perspective, these are records.\nconclusion on isms-9.1\nin general, this section of the standard is about...\n, to monitor the ongoing operation of the isms, to measure important metrics, and to condense them into meaningful indicators. the effectiveness of individual measures and processes as well as the isms as a whole are the main focus.\nthe organization is" }, "relevant_docs": { "9fa7e16c-987b-4700-9048-cf7c2df46037": [ "0ef1ecc3-b5a7-4ac1-bcfd-d9357f85b63b" ], "02246769-fd6b-413d-9dcc-b53b956b0f6e": [ "0ef1ecc3-b5a7-4ac1-bcfd-d9357f85b63b" ], "42659caa-11e4-453f-9554-00a4fecc3e2e": [ "b9ebd8fb-e98b-4b40-9b18-9022a309c5c8" ], "3cc4f586-7387-4dfe-ac20-3b6fa3440fb4": [ "b9ebd8fb-e98b-4b40-9b18-9022a309c5c8" ], "02861940-53c2-4953-a3ce-8ebe5bac2df7": [ "4188dfca-a862-43c5-87f9-96ffc99a3b6a" ], "46325c46-e487-43ea-bd43-196205a33063": [ "4188dfca-a862-43c5-87f9-96ffc99a3b6a" ], "ef6c30bb-7a23-4865-8431-c8c9bb5206d2": [ "aae0f8c8-c21c-4425-a8d1-d396d58b7d8b" ], "ed950482-0124-4886-89c3-230389fdc583": [ "aae0f8c8-c21c-4425-a8d1-d396d58b7d8b" ], "fd348851-d006-4826-8174-1d38de90db14": [ "08c79691-1a3d-4d17-832e-9e9b26ac1e15" ], "4b52958a-e15c-4d5d-9905-a82e8f1dbc9e": [ "08c79691-1a3d-4d17-832e-9e9b26ac1e15" ], "09028450-6558-4ae4-bfac-a0944eeba3c0": [ "4fbb58fe-de5f-404f-a2e5-d67e631396a6" ], "29324672-e27e-40bd-bedc-9b49fe36f24f": [ "4fbb58fe-de5f-404f-a2e5-d67e631396a6" ], 
"ed843e16-7647-4514-b3ea-ae548ccf353e": [ "50f8ab92-cd48-4f64-b334-494a3293df30" ], "eda4ae87-38e2-415e-89fd-0ace102a39e1": [ "50f8ab92-cd48-4f64-b334-494a3293df30" ], "5094a1cc-0c6c-4473-817b-dee5f6299159": [ "62efc227-c2be-4e2b-ab7e-14a3b9f0d5a9" ], "64d9a3fb-88ec-4d15-a51c-b46a038bc005": [ "62efc227-c2be-4e2b-ab7e-14a3b9f0d5a9" ], "daff023c-2046-4b0c-819c-947688555715": [ "daa7e108-6608-48db-90ae-94a6ffd55a29" ], "48a9e198-fc7c-4842-87cd-c99f3087309b": [ "daa7e108-6608-48db-90ae-94a6ffd55a29" ], "23b902e3-5ffd-46de-b127-9d62bd6ba485": [ "caaa0a69-5ad9-4841-96ca-a0f932811e21" ], "bfe3ecbe-7fec-497f-a0ab-4c214368e9d8": [ "caaa0a69-5ad9-4841-96ca-a0f932811e21" ], "485ed01c-9c75-4993-b664-d489de334053": [ "31967224-3533-4e6a-8fca-f2316f00af72" ], "b090671b-b3c3-47c1-8032-95bae578c981": [ "31967224-3533-4e6a-8fca-f2316f00af72" ], "5dd87feb-c86d-4a24-a017-85d72a71610e": [ "8b5ff7fb-8ae9-4e69-93df-a0069cb7d196" ], "625cd77b-21b1-48d4-8178-0cfd45c8b18c": [ "8b5ff7fb-8ae9-4e69-93df-a0069cb7d196" ], "95432f18-ec02-49a4-900b-01fa5365b89f": [ "ab4e20c7-c3a6-403c-b500-b81b65c94f43" ], "e6bbb863-49dc-4951-8338-61ef6d7d126f": [ "ab4e20c7-c3a6-403c-b500-b81b65c94f43" ], "20b5b3f2-4228-44cc-8000-319832e26928": [ "7f7ffea8-3e7c-4177-8f9c-797e90452fff" ], "97e2e275-a862-4726-88ea-318a83b48b0d": [ "7f7ffea8-3e7c-4177-8f9c-797e90452fff" ], "c9d77f79-3732-4e65-91ef-6e25422d4838": [ "90914c3c-d184-4b4e-91d0-94f33fbdfccd" ], "e7e852dd-6044-4964-a50e-347c438400f0": [ "90914c3c-d184-4b4e-91d0-94f33fbdfccd" ], "a5b2bf8e-1a62-442f-a88f-63a59254ce19": [ "d52be9df-d64a-455d-b897-cb512c5dbb25" ], "21244884-298a-44e9-8182-3c6adcc9c0a0": [ "d52be9df-d64a-455d-b897-cb512c5dbb25" ], "8c5b123c-0120-44d3-aec2-ac047ad85dfa": [ "15db25b9-6f00-424f-8c7b-2d61d2f03b0f" ], "7e2c13d2-9966-47ee-9ff5-ea802a384451": [ "15db25b9-6f00-424f-8c7b-2d61d2f03b0f" ], "1b67ae6f-0c92-4ed9-9b22-6a47d93411a1": [ "7dd6321a-aa4f-4c94-9253-d4780fc5a297" ], "218eb939-6c89-47e1-8409-a84ced9ed79e": [ 
"7dd6321a-aa4f-4c94-9253-d4780fc5a297" ], "94db8ea0-a7b8-457b-8697-7da9e6ba7c1c": [ "4f43b0ce-be97-49cd-a3fb-76c541a6df34" ], "22c3e285-0ab2-4d22-8446-24267aab3d50": [ "4f43b0ce-be97-49cd-a3fb-76c541a6df34" ], "af47fdf9-e36f-432e-9add-c2079172dae6": [ "a418494b-1cdb-469c-a651-dab4307ae7be" ], "bb012ad5-1c39-440e-af30-18684eb6fb69": [ "a418494b-1cdb-469c-a651-dab4307ae7be" ], "c43e6d64-7483-48e2-95ae-d90518d2de5e": [ "f586e1a3-6399-4de9-bc7d-3f427fade670" ], "9315c6d3-0d08-4331-8e7c-6cf31639956a": [ "f586e1a3-6399-4de9-bc7d-3f427fade670" ], "320a19cc-1dd0-4df3-a739-388eee901755": [ "ab0b61e7-e9ff-43b9-af0f-a40e31783f7c" ], "93863b5b-ea15-4292-94f9-42276c29a174": [ "ab0b61e7-e9ff-43b9-af0f-a40e31783f7c" ], "153314ae-0151-481b-976f-77dab30cd4ab": [ "17fee279-9c53-4ae2-8903-8cd90059c78a" ], "a5687beb-5e1a-4bf7-9095-7bb784b110b6": [ "17fee279-9c53-4ae2-8903-8cd90059c78a" ], "802f3db9-6ff3-4d74-925c-76edbcabe254": [ "1733ee83-2fd5-4dd7-b376-a9f57f0c9798" ], "aa75a5c2-8409-459c-9eee-f57e5f1051fa": [ "1733ee83-2fd5-4dd7-b376-a9f57f0c9798" ], "b9e57750-12c8-4bc7-928d-d3e2796b1998": [ "76404f60-8111-4607-8427-62a7efe85424" ], "2ee00e0b-3767-48c9-9b92-fd61a448a69a": [ "76404f60-8111-4607-8427-62a7efe85424" ], "fc01779a-ddd5-4e61-9b57-a48f2c555492": [ "2d7970e5-7fcb-4976-83fc-cf5b41816018" ], "22b8beda-42ba-4272-8d79-5d76dc92336c": [ "2d7970e5-7fcb-4976-83fc-cf5b41816018" ], "e26cb88a-9bcb-4f29-85be-099a395a1a82": [ "32e25db1-e44a-4bb1-9bf7-49856a57a136" ], "125cc775-1ebf-4921-ab0f-3b8ee32bfddd": [ "32e25db1-e44a-4bb1-9bf7-49856a57a136" ], "e2f1e994-9440-46d6-a0cb-4eb86b4b32cf": [ "43946d1c-0f7d-4d6e-af9e-a8b795130f1b" ], "3dba739f-c4e5-40fc-87ad-b3d4826ab2e7": [ "43946d1c-0f7d-4d6e-af9e-a8b795130f1b" ], "8f290e6b-20f8-413b-8f4d-08e34b49ca30": [ "e34b7081-0df8-4197-bd01-4be47ad95fa5" ], "37fcaa93-acf1-4c6f-9385-82360061d6aa": [ "e34b7081-0df8-4197-bd01-4be47ad95fa5" ], "b778d000-0695-426c-a12c-6557ed6809c7": [ "f90b2243-ab2a-49a5-98cd-5a738c991bc5" ], 
"56715b57-14a9-4d32-8bfe-88e53e4018c1": [ "f90b2243-ab2a-49a5-98cd-5a738c991bc5" ], "4a237021-5945-4f20-87f0-751fe45224a5": [ "b10f2b4d-cdbe-487e-9bcb-f4488568eea6" ], "f72ad738-5293-4ca3-8ca3-5288df8144d6": [ "b10f2b4d-cdbe-487e-9bcb-f4488568eea6" ], "057b3cd5-7d3b-4943-bf5d-ad4a4eee5ac8": [ "4d90dd3c-c4cb-4134-b640-4e028b230553" ], "b4dc6530-15f6-402c-919c-50b3bcabb96e": [ "4d90dd3c-c4cb-4134-b640-4e028b230553" ], "7dfdcef8-21d4-4419-bc8e-024d49b7bed5": [ "01efe271-e088-419f-9f45-07ff1da0f28b" ], "c88f6c9b-5b2d-4304-9910-109e9eb23596": [ "01efe271-e088-419f-9f45-07ff1da0f28b" ], "df802a8b-dbf2-4764-b1e3-7f5a2d37a0b9": [ "65dc2c1c-d4a2-4fd0-89d6-cf6f94ed0bc0" ], "e72a2c12-f686-4ed6-80f5-c90486337bf8": [ "65dc2c1c-d4a2-4fd0-89d6-cf6f94ed0bc0" ], "1d1af8ec-c989-4611-bf78-32d73a311725": [ "95555e4f-2a3b-4087-a8d3-535f6d4521a4" ], "9ace2c3b-23a7-4d52-99f2-85946ce3d26e": [ "95555e4f-2a3b-4087-a8d3-535f6d4521a4" ], "e3da807e-0b97-4a34-9c06-1ded18dd3569": [ "32fe9ed4-aa09-4c14-84f4-92e5e2715157" ], "32b8d822-e622-491d-a4aa-00c895dc4f55": [ "32fe9ed4-aa09-4c14-84f4-92e5e2715157" ], "8d24db65-c6a1-4dc1-995d-cb6891e83d39": [ "5731d60e-40a1-4dae-88b6-8a84e704a0ab" ], "4a74a1f3-c18f-45c4-bb87-d74680dae3e8": [ "5731d60e-40a1-4dae-88b6-8a84e704a0ab" ], "5407cd0d-295f-40a3-b64f-96c0fff91de7": [ "42077ab8-2817-463d-93f3-5cfc4f0fed27" ], "1cbc77b5-9356-46e4-9ac6-aa6ff096c602": [ "42077ab8-2817-463d-93f3-5cfc4f0fed27" ], "8571e75f-966a-4db3-923f-90f7aa882625": [ "1841b692-6808-4d24-89c9-cb4872134d81" ], "9ac87e82-65b1-41a2-9b10-1fc9a46bdbe0": [ "1841b692-6808-4d24-89c9-cb4872134d81" ], "7045a54b-df29-4040-b573-e96a62de4659": [ "6e5674ca-b57b-4378-9315-03997a7ced44" ], "2e167026-1cc2-477c-b20f-6fbbf38e7611": [ "6e5674ca-b57b-4378-9315-03997a7ced44" ], "c66000e2-2970-44bc-966a-dfdc5bf35873": [ "f15fe5cf-f57a-4398-8228-ca490ad154a3" ], "95ce842f-f30c-4cf3-90cb-e51c7162dfc4": [ "f15fe5cf-f57a-4398-8228-ca490ad154a3" ], "90917b91-a8f8-433c-96ad-3a7e1c6b66f7": [ 
"de1b9464-6884-4ced-85a9-2bbd974b4ad4" ], "3582e1db-6fd1-4360-9228-972f77d547ba": [ "de1b9464-6884-4ced-85a9-2bbd974b4ad4" ], "9f1aebf3-d0d0-4a8a-980c-479b985668ac": [ "f198aefb-8f50-4248-9131-5a4253bc4b7f" ], "076e58c1-28d2-4f64-a83c-a1eecf3133ee": [ "f198aefb-8f50-4248-9131-5a4253bc4b7f" ], "2e968090-7a62-4043-b51f-21c38a389702": [ "a1d37719-f8c5-4c6d-a1c3-3e01a6ad0f70" ], "4acd92e0-8344-466c-9882-96c8016d5485": [ "a1d37719-f8c5-4c6d-a1c3-3e01a6ad0f70" ], "d84e73d0-38ec-4fcf-9024-1fa16281cc44": [ "0dea6229-d68a-4ae4-9b68-c1ad50175855" ], "d3a1c594-8db1-4d9a-a53a-1e02f0b004a1": [ "0dea6229-d68a-4ae4-9b68-c1ad50175855" ], "2c2f408e-424c-415e-92cd-cf7d3e17660d": [ "f57b0154-34d2-4f0f-9031-80a2511cab91" ], "972b253c-ecb5-49da-b037-dec355014b11": [ "f57b0154-34d2-4f0f-9031-80a2511cab91" ], "60aab0a1-73d6-4f00-bf56-e209c95f2aac": [ "76dad14b-c071-4b1d-8314-d80fb8e2060e" ], "0e24b4a6-1b2b-4fa7-af91-b771cab799a8": [ "76dad14b-c071-4b1d-8314-d80fb8e2060e" ], "f3bbea29-fe94-4fcf-a86d-67ac69d2de16": [ "df1f0df8-f8a7-4baf-8d73-9787cfd67209" ], "63c1cc02-fe75-4cde-b270-3034f862b206": [ "df1f0df8-f8a7-4baf-8d73-9787cfd67209" ], "5c6e9671-7da8-48d8-a4a4-9803af48ee5b": [ "ab19c50e-8eb0-4c29-8c26-d51db6af7794" ], "ff5ac0d1-5112-4d13-978f-a14a5fbf9ef3": [ "ab19c50e-8eb0-4c29-8c26-d51db6af7794" ], "7fc0d3f4-eb3c-46bb-aac8-2c759c21b5a0": [ "23d99f5f-7f96-4189-bf97-08992ca17524" ], "0352e191-5966-4ad0-8598-e239e3ffb04c": [ "23d99f5f-7f96-4189-bf97-08992ca17524" ], "95d33524-fe73-4570-9d35-27fc6c45bdfd": [ "e7d7f970-c2c5-4d50-a849-a5c331ba1dab" ], "fb28253d-c3d2-48bc-b665-a56680b0ee82": [ "e7d7f970-c2c5-4d50-a849-a5c331ba1dab" ], "79ca856d-015b-41f6-b54c-dd3cfcc3cd90": [ "440099e7-55a3-490c-bb30-2c8194c392ce" ], "41f82cb8-ef82-4426-b3ac-10f8e8f6a69b": [ "440099e7-55a3-490c-bb30-2c8194c392ce" ], "140ded07-bc39-4859-a219-00cf84b2d668": [ "b48039a3-f931-4910-b356-63d070b6aedd" ], "56b42fdf-b645-4dd5-bd69-1b2fb9683925": [ "b48039a3-f931-4910-b356-63d070b6aedd" ], 
"1aab1e4d-9d13-4404-b5bf-e208150d8bde": [ "66007d14-e11f-4966-ab89-70b2c1e5a844" ], "df78630e-d9bb-49ec-8885-a19241560a44": [ "66007d14-e11f-4966-ab89-70b2c1e5a844" ], "a1b5189f-e455-4cf4-9d37-e39620928b50": [ "295b5bdc-0b4c-4c93-8e97-947c51078bf1" ], "3260da0f-66ec-40f1-8494-4b0a4f77837b": [ "295b5bdc-0b4c-4c93-8e97-947c51078bf1" ], "b8d039fe-a2a3-4b7a-87df-3750c3ea99a5": [ "6d039382-8f54-4dfb-9ece-a45edc07f90c" ], "619dba17-5372-45aa-8b2f-dbcab585120f": [ "6d039382-8f54-4dfb-9ece-a45edc07f90c" ], "309b46ff-c0b9-4612-9ab2-467ce8545c87": [ "642fee47-6ee6-4c5d-8432-9bf739e2fcf9" ], "564f79fb-e179-4d28-b468-be9850d9e652": [ "642fee47-6ee6-4c5d-8432-9bf739e2fcf9" ], "2899615c-f1a4-4247-8f47-f878b132c2d6": [ "fdf6cac7-1b23-4e70-ad21-de232392b778" ], "da5f708c-9854-41ed-92f1-0c91ead86324": [ "fdf6cac7-1b23-4e70-ad21-de232392b778" ], "3d2f9d66-7929-49e6-b694-63bb9334a5bf": [ "d19c6a1d-f7f1-4aa3-a1ce-a9a57f9de024" ], "ea55767d-7747-43f1-a917-2972b18711a9": [ "d19c6a1d-f7f1-4aa3-a1ce-a9a57f9de024" ], "57190066-05c3-44f8-be02-12c51479e0c4": [ "a2921295-40f4-4d71-9675-87a7e333a46d" ], "6a73450e-0fba-4322-8f7a-baeb23b525c8": [ "a2921295-40f4-4d71-9675-87a7e333a46d" ], "d1f63d86-af0f-47b7-9ee8-c49ebf3ec0eb": [ "d5a683d3-0088-4123-8f68-f8f76ef48fe9" ], "843b8b40-925b-4acb-9039-0de6e732f384": [ "d5a683d3-0088-4123-8f68-f8f76ef48fe9" ], "ff1af595-a7a3-4ff9-9584-b1531d94c9f9": [ "09a600af-a0c4-471a-8a91-5c4f0d08c799" ], "3c854f2a-7994-414a-813c-92060a19f8b9": [ "09a600af-a0c4-471a-8a91-5c4f0d08c799" ], "22a82866-4120-4f0d-8b61-6757cf0f54a2": [ "9ad8970c-cec4-49b0-9b0a-de10b2560686" ], "2ad25a64-4949-4c48-a94f-ad86fcd15cdc": [ "9ad8970c-cec4-49b0-9b0a-de10b2560686" ], "30f98a7e-155b-4957-bd05-3cb397fca03e": [ "edd89224-ef1c-4bd1-8773-4129efb74223" ], "3a6a032e-38b0-47c5-b29c-135e091bb4c9": [ "edd89224-ef1c-4bd1-8773-4129efb74223" ], "996cb98a-8425-4bf4-a1f1-59800dca3ddc": [ "c77df136-cb6f-4db0-92e5-bceaa10f1ace" ], "7e371dfe-53be-49f7-8a61-9f3c33d12458": [ 
"c77df136-cb6f-4db0-92e5-bceaa10f1ace" ], "50821fe6-2d89-40dc-bdd1-f05175410050": [ "539f5e57-b405-45a5-bdbb-fd2e9c37c5c4" ], "e9176fea-a4b5-4441-99a4-9c8c725ea98e": [ "539f5e57-b405-45a5-bdbb-fd2e9c37c5c4" ], "b0a379da-66b0-4718-b1c1-d30c1ecd7a45": [ "c5fe7d67-2752-410b-abc4-80500bfe5f49" ], "1aa3704f-39e8-42ed-aa98-a0db90269ada": [ "c5fe7d67-2752-410b-abc4-80500bfe5f49" ], "3230aca0-b904-49b4-a9a0-82741685a5e9": [ "f322baac-3355-4edd-a17f-b82ab819bbe1" ], "fd7f8b54-b7bd-47a1-8f09-b3edec56a939": [ "f322baac-3355-4edd-a17f-b82ab819bbe1" ], "cd3cabf7-f252-431a-84e8-2a3dfca4e5b6": [ "30876d23-bfc9-4a8d-a78f-702daf142f3f" ], "df4977eb-50c1-4f1c-8588-7a70e1af8bec": [ "30876d23-bfc9-4a8d-a78f-702daf142f3f" ], "f5ed184b-5974-4dcb-b932-b7473e878b57": [ "8c555cbb-aa1c-440b-bc9a-995f0089a9bf" ], "15d77f6f-2fbc-4cbb-822c-bcc2362f561c": [ "8c555cbb-aa1c-440b-bc9a-995f0089a9bf" ], "45232064-b862-4cf5-9b1f-ccdbdf28a1c8": [ "30b789d0-a623-4df0-bdb4-41ff328c59b6" ], "e17d27e0-bde4-44a2-b3ba-e62582d0bd1f": [ "30b789d0-a623-4df0-bdb4-41ff328c59b6" ], "2e239d69-3964-4c5c-a276-028035a69402": [ "9c6f0ca9-7662-4487-a8fb-514338238b90" ], "91ba4ff9-bb16-40e9-8f8e-442a21320ffe": [ "9c6f0ca9-7662-4487-a8fb-514338238b90" ], "27d7f440-0919-4f90-95ef-a714cf3eeec8": [ "c36b2a9a-1470-4c8a-b7a5-5ce4c7c621fe" ], "76c908d0-f6ec-4c9c-af39-8fbd4298da0f": [ "c36b2a9a-1470-4c8a-b7a5-5ce4c7c621fe" ], "996fbca1-7f1a-46a5-925f-c25359047a7a": [ "bb08096a-5d54-4790-9249-3c7328aebdc5" ], "96f7187d-c078-43ad-acfd-284c666c20c1": [ "bb08096a-5d54-4790-9249-3c7328aebdc5" ], "06061d0e-47b5-404a-931d-40d2f817c697": [ "9e633911-1d9b-4400-af40-43ee3b9e3fc3" ], "8877f96e-d3cd-4c38-bef2-f84f92461021": [ "9e633911-1d9b-4400-af40-43ee3b9e3fc3" ], "9433d279-1ac0-4b94-8bb7-c2378b6116b0": [ "69b9ea27-4c4b-406b-aa77-45fd54ee37c8" ], "18e17216-3760-44af-bedd-adc282f74550": [ "69b9ea27-4c4b-406b-aa77-45fd54ee37c8" ], "7bd60d4a-f1b1-464f-b8d1-b133e7052309": [ "4bbc873e-a7eb-44aa-827f-7735ea04d259" ], 
"0f949735-b1b3-40ff-8d51-9f518392dd1a": [ "4bbc873e-a7eb-44aa-827f-7735ea04d259" ], "55d50249-0b6a-449f-9fd9-5193a99fdb64": [ "2244fc27-bfd1-4afd-962e-6f11a40ff47c" ], "2690837c-63b6-49ec-9ee0-af711a8bcf4f": [ "2244fc27-bfd1-4afd-962e-6f11a40ff47c" ], "721441f4-ff96-455d-b16d-12bb35439f1a": [ "7fc7bb88-77af-4ac9-97e7-30f321e45665" ], "a6a6716f-36c5-408b-94e9-0fcb2ad7debc": [ "7fc7bb88-77af-4ac9-97e7-30f321e45665" ], "72f52b6a-3e36-4f07-88d2-cb1c6fffab24": [ "b317864d-228d-44a3-95ac-7fed74cf2452" ], "3792d89a-d453-4d84-a659-b3e25909ac1c": [ "b317864d-228d-44a3-95ac-7fed74cf2452" ], "5f25f3ea-e461-4c91-825b-6c4ff1c6a9ac": [ "2832d92e-e24b-43f4-b3df-67eb20ed483a" ], "04863d8c-a318-4271-86c5-02b6b0a8dbe1": [ "2832d92e-e24b-43f4-b3df-67eb20ed483a" ], "a554387e-2589-4f47-a265-5ddef5a5c53f": [ "ea9815e8-5286-40eb-b825-6cbf5da6db57" ], "397e5b43-a35a-43f4-a41a-c569a68bfda8": [ "ea9815e8-5286-40eb-b825-6cbf5da6db57" ], "2f4a8692-3e20-49da-a625-37f94325d748": [ "a6d81d49-52db-401e-b363-f0997f0056be" ], "154836bc-b82b-49fa-8155-414f49e5b32c": [ "a6d81d49-52db-401e-b363-f0997f0056be" ], "36408ee5-63cb-47a6-9da1-26c5e37f7e26": [ "b05966d4-cfe0-485e-ab0e-bd9b7de543ad" ], "c204917d-ba5e-4bcf-be6f-de25eac9d804": [ "b05966d4-cfe0-485e-ab0e-bd9b7de543ad" ], "5bb43ebe-228c-4d73-8c7e-abd128b4248a": [ "358d9217-2f27-4657-bfb6-21bf2d8c18e1" ], "7b6ade37-f8a3-4bb2-8676-1b059208f392": [ "358d9217-2f27-4657-bfb6-21bf2d8c18e1" ], "6ddb8307-40b7-479e-841c-6a94c01f5b58": [ "919fb2b7-a9ad-4adb-8407-3a6737afe2d4" ], "58bbd329-9f2c-44d3-86f5-9304cf5ec1b2": [ "919fb2b7-a9ad-4adb-8407-3a6737afe2d4" ], "67c141c5-5699-4baf-bd7d-e4c53a30a2bb": [ "cbb66fcc-929c-417d-931e-ba43b59c2409" ], "28422ffd-08de-4182-a23d-92d71de99d4c": [ "cbb66fcc-929c-417d-931e-ba43b59c2409" ], "6c1d1d34-dd08-448f-b73c-37b398c5b1cd": [ "aa113ca1-8219-4e60-b00e-5c5760622256" ], "3a2a6692-376f-4241-aa59-655c35f7750f": [ "aa113ca1-8219-4e60-b00e-5c5760622256" ], "4ade3337-246b-406c-b14d-e70f0302daa4": [ 
"9ed4d4cc-ef2c-4815-845c-5a5f364cbf64" ], "2cb9289d-5d3c-4b70-a2fa-fe1300c1f299": [ "9ed4d4cc-ef2c-4815-845c-5a5f364cbf64" ], "2e67c79a-b0ed-43e3-90db-f0db180dcb06": [ "56cad94e-faba-4d1b-8978-e59c185cdd74" ], "d64f7196-d69f-4199-a4ad-3bf7ecfcace7": [ "56cad94e-faba-4d1b-8978-e59c185cdd74" ], "48694142-c73f-46f9-a608-2265cd80471f": [ "c116a0c3-0b6c-4740-8ed6-8a5bbf664869" ], "eaafd471-a70b-4e43-8c15-ab01cceb1037": [ "c116a0c3-0b6c-4740-8ed6-8a5bbf664869" ], "694daf80-63cb-45ce-8471-84c2a0be7343": [ "8b57d71d-d7a9-465c-bc14-c4271b73bd1b" ], "b3a2cc12-384c-4fb2-85a4-4c9d1e24c07f": [ "8b57d71d-d7a9-465c-bc14-c4271b73bd1b" ], "6ba2243b-8d37-495b-b7f1-efe7f2695c8b": [ "1496d12f-d6de-49df-81b3-943e23d2897a" ], "6efeea5d-0d10-4a4c-80d8-3d943df37992": [ "1496d12f-d6de-49df-81b3-943e23d2897a" ], "137d68fd-5c9c-4c76-a810-f0f74cf0c9ad": [ "85bf0ae7-a240-43a0-a5e6-203cc8c3f6e8" ], "96a8fa53-147f-42ac-82cb-8ea66011ca13": [ "85bf0ae7-a240-43a0-a5e6-203cc8c3f6e8" ], "d9197d92-5800-410d-90ed-d20f6a16da56": [ "e2ed72f1-7cbd-470c-89ad-e83b67fec55c" ], "28a22baa-66ca-494b-8ca9-9a25061394a7": [ "e2ed72f1-7cbd-470c-89ad-e83b67fec55c" ], "3826ad78-e182-49b1-bab1-8ecd00e6b596": [ "c87568f6-4fd2-4a55-a46f-6ce10a404d38" ], "b7eaf7b3-6a9e-4d9a-baa5-435cb1a71f25": [ "c87568f6-4fd2-4a55-a46f-6ce10a404d38" ], "dca11ec2-cb45-4210-9212-46cd74cc92a5": [ "7619be21-4848-40ac-921f-e26e1cb0d7fd" ], "fb9db65b-5c66-47e3-861c-9181c9982003": [ "7619be21-4848-40ac-921f-e26e1cb0d7fd" ], "778e3f99-cf22-493b-85de-201baa8f7e77": [ "20510c5d-5723-4307-9bad-1df1bb810931" ], "629f3108-7624-4f1c-9a50-49cafd735003": [ "20510c5d-5723-4307-9bad-1df1bb810931" ], "24074717-f166-4036-a9e9-be781a400082": [ "11354320-7bfe-4b28-8359-5c5b8649d0ac" ], "8d8024ce-3b6e-4396-bc69-5dbf3396ed71": [ "11354320-7bfe-4b28-8359-5c5b8649d0ac" ], "4eb9fa0e-df50-4679-810c-92956e0afd26": [ "d0efbf5a-6a2f-4de3-8df0-224f7c8612cb" ], "a30f8767-1d56-451a-8234-4c9eb79648ef": [ "d0efbf5a-6a2f-4de3-8df0-224f7c8612cb" ], 
"6aab11de-bfe7-44db-a7f3-1d406085c82b": [ "d7eb5f40-2a22-41fb-8ace-6c714eadeab8" ], "090fd315-b454-4b9f-9ad2-66d7d133d5d8": [ "d7eb5f40-2a22-41fb-8ace-6c714eadeab8" ], "2ba7c2c8-0d97-47a1-8c75-544c8b714100": [ "c5dd66fd-05d4-4030-b381-1480242a472f" ], "254d657a-fc0c-4fb4-877f-268e73d19fb6": [ "c5dd66fd-05d4-4030-b381-1480242a472f" ], "273b3948-0d9e-48df-bcbf-d7da1beacba6": [ "2d355a45-ba28-455f-861b-acd6e74d394e" ], "2572178d-8654-4fc9-b89d-627361936dc4": [ "2d355a45-ba28-455f-861b-acd6e74d394e" ], "5fb73abe-21e6-43f0-a1af-3ac50bcd8f71": [ "a969e4a0-e81b-4796-9574-a44a0b3c61c4" ], "7a0bd37c-899e-4e0a-95b7-fdc3b284bad5": [ "a969e4a0-e81b-4796-9574-a44a0b3c61c4" ], "a6ac9569-905c-4043-8df0-1e50a3bc57fe": [ "32715012-b7be-4a05-aaa8-4d2540a254d9" ], "40bbfdf0-d137-414c-8664-8f7c8f4da652": [ "32715012-b7be-4a05-aaa8-4d2540a254d9" ], "deb743d1-6ef2-450c-84a1-d0c604b832ce": [ "5e058988-00f5-490b-a71f-a4d0913692bd" ], "b03b3cbd-4306-4587-ab5b-51b562bb2f9d": [ "5e058988-00f5-490b-a71f-a4d0913692bd" ], "72238429-cc54-4ef8-b52b-c43bb879c855": [ "23375829-0fe7-4962-b7bb-4471c2081aa4" ], "48e50732-ee96-41c1-a9de-1f93ae6c0e55": [ "23375829-0fe7-4962-b7bb-4471c2081aa4" ], "5cee584a-56e9-407a-8881-c1727d18ea0b": [ "3ca3a510-c0b7-4b7c-acc3-c2c590e211a4" ], "1558a893-1928-488d-9130-813b8e558a7c": [ "3ca3a510-c0b7-4b7c-acc3-c2c590e211a4" ], "0ec98d9b-2b47-441d-933c-2b4f6fb9a99e": [ "2131bf86-9838-4b48-808b-e453182c259d" ], "541fa7be-2b30-4ca6-957b-1c92451c9470": [ "2131bf86-9838-4b48-808b-e453182c259d" ], "7b9f30d2-b009-424d-ac5a-6e44da961ae5": [ "bfb9cd07-beaf-411e-9736-753d86157d5e" ], "e28e6c11-0c07-4e27-a087-8302f1f2c557": [ "bfb9cd07-beaf-411e-9736-753d86157d5e" ], "007b9f19-1982-45ad-9403-5d215ac8b189": [ "bde01834-69b8-45db-b0be-a8d34617b7b0" ], "4329b549-a757-4054-a5dc-c0fc2084372b": [ "bde01834-69b8-45db-b0be-a8d34617b7b0" ], "e2ac27c9-2e6a-42fc-ba58-8702e69bc243": [ "418fe790-3605-4bbd-b2d8-9972878b434f" ], "3b5eba00-6d16-45bc-ae47-ff7e902e91c0": [ 
"418fe790-3605-4bbd-b2d8-9972878b434f" ], "16fd2c45-cc01-4074-80cb-c7528492dcfd": [ "5f5c1707-feaa-438c-846b-e86d15519e72" ], "5575d013-e572-4af8-943a-267ff41be495": [ "5f5c1707-feaa-438c-846b-e86d15519e72" ], "ecc5bd99-3ccf-4e1e-a8bd-974834aff725": [ "d7c82ca8-7152-41df-a37e-78e9fd6819c1" ], "cef7f51b-d796-4679-9202-8962f5a0c835": [ "d7c82ca8-7152-41df-a37e-78e9fd6819c1" ], "d14b7b20-41cc-4006-9405-9c86bbd54c6d": [ "09c234aa-e695-4b7d-a533-cff7f6bb87ec" ], "59d9aead-eb23-4f57-85ab-bb7c09e600a3": [ "09c234aa-e695-4b7d-a533-cff7f6bb87ec" ], "c81b1f5d-46a7-4636-b03b-bd28dff8f381": [ "b6e95dfb-4b35-4973-9fb8-a26b702f82be" ], "b742d070-f3b5-422d-8ed2-10bb048989fb": [ "b6e95dfb-4b35-4973-9fb8-a26b702f82be" ], "730767fe-9e61-4edf-8853-afea18a3f384": [ "4e799f48-35c7-4237-893d-427fd947edbd" ], "86825eb5-2e61-4b58-b512-d7cf5973538e": [ "4e799f48-35c7-4237-893d-427fd947edbd" ], "afb93c5b-59ad-4ca1-a260-b9154e02822c": [ "7ef4fcfa-db61-4549-b07f-51deefd8213e" ], "049a23bd-8830-4004-a8fd-107f74239dc9": [ "7ef4fcfa-db61-4549-b07f-51deefd8213e" ], "3f22065d-0e22-4bc9-bfc7-eacbb3f39b29": [ "3de07aba-fcb3-4b49-ab6f-5b775a6cb5f9" ], "4a4be5a1-2762-4231-a291-3d12458b5fa1": [ "3de07aba-fcb3-4b49-ab6f-5b775a6cb5f9" ], "6e5a2edd-6944-40f2-abd1-915003d095cb": [ "53692878-6c1d-42a3-b6a7-bf0460593dc2" ], "4e960f54-47b1-4ba8-9d49-8d716959b5f9": [ "53692878-6c1d-42a3-b6a7-bf0460593dc2" ], "2dad6825-f6fb-4db7-adf0-72499adef872": [ "8604bd70-7d32-438d-901c-a52d6b545ca0" ], "71f044cb-afd9-4bf4-80ac-633386aa5d0d": [ "8604bd70-7d32-438d-901c-a52d6b545ca0" ], "cb9f7a66-be49-4b28-9ebd-ec000abc2d8d": [ "d99eeb8b-aa73-47d6-87d8-7ef3a29eb16a" ], "133e4fee-47ca-4461-b293-66ea509bbbff": [ "d99eeb8b-aa73-47d6-87d8-7ef3a29eb16a" ], "fa7087a6-5955-46e1-8320-4034353707fe": [ "23a10d16-df1d-47ef-a0c7-95127303d7d7" ], "d15e6797-8463-4fd2-b6a4-772bd7daf621": [ "23a10d16-df1d-47ef-a0c7-95127303d7d7" ], "9b77a345-4b57-4008-8017-d9a4dfed6225": [ "090aac54-2d37-4118-b5a6-7a62047b6cfb" ], 
"8046b101-bb2e-4437-bb6b-cd476c6a137f": [ "090aac54-2d37-4118-b5a6-7a62047b6cfb" ], "e72fddfa-c69d-4733-a6e8-1e1ae188b144": [ "0e39e2d8-b6ef-41bd-b9e4-82ee54e1d957" ], "8db69073-fff5-4d6d-babf-62273bdce4f7": [ "0e39e2d8-b6ef-41bd-b9e4-82ee54e1d957" ], "87b0ef46-64e5-4be4-9215-aaab93ebdb39": [ "edd08b88-93d2-4d49-b248-1e25f025c0ba" ], "fb520165-84ca-4930-bd9a-d34c840aedfe": [ "edd08b88-93d2-4d49-b248-1e25f025c0ba" ], "ecd9c6c4-3af0-4d7e-acba-e9567e57f9fb": [ "9bc43e9d-13fc-4892-8a43-8b6dfd4a5e72" ], "651d28c3-b977-4358-9391-c13a7a09fa6c": [ "9bc43e9d-13fc-4892-8a43-8b6dfd4a5e72" ], "04e36a5f-d4ac-459d-bed1-15b011f9146f": [ "4c1364d1-7126-432d-b4a2-7db17236152b" ], "2072dd73-789f-46c0-8473-199c7872fb9f": [ "4c1364d1-7126-432d-b4a2-7db17236152b" ], "c0a4fee6-740b-49b4-9674-13496170d159": [ "4e55f703-c7c5-4847-8a7f-659803ead308" ], "7afe663a-9d5a-4e76-a97d-9c0bde2d2edb": [ "4e55f703-c7c5-4847-8a7f-659803ead308" ], "94ce41a0-7b04-43d5-8681-0190818e23ba": [ "58b3efc9-7134-4118-b5b8-0b0c260f75e2" ], "2c6628d2-a150-4974-9171-c3a257cd52d2": [ "58b3efc9-7134-4118-b5b8-0b0c260f75e2" ], "403d3b57-716d-44ec-8c7f-14e822d46f68": [ "af0d444d-9c90-4a31-a266-f70ee816a781" ], "7ae8c285-4f38-454a-a0d7-257b7d7969c2": [ "af0d444d-9c90-4a31-a266-f70ee816a781" ], "e434045d-0fda-44b3-a903-f14ebe55a78b": [ "ac31532e-0260-42a4-8422-0aab261eeb69" ], "65c9d47a-2889-4795-8d05-25c9f54c0064": [ "ac31532e-0260-42a4-8422-0aab261eeb69" ], "282c1f94-ae4b-48e9-8a11-7141b2b3edce": [ "41d3796d-32f7-4381-b70e-a47417d51b8b" ], "37f1d0b7-a1c6-474c-a64d-fbd7f60de265": [ "41d3796d-32f7-4381-b70e-a47417d51b8b" ], "17123179-5754-4036-83cf-120144b2732e": [ "01422dc5-deb3-4895-9b8a-84de3713b87a" ], "7d42d795-a738-44da-8346-632555510a72": [ "01422dc5-deb3-4895-9b8a-84de3713b87a" ], "92791128-0870-44f7-95f3-1ddbb0f4cbd0": [ "e281698f-50fe-4593-b52d-52f1b67c1b29" ], "40af9c54-7a53-4464-8b02-daacba675909": [ "e281698f-50fe-4593-b52d-52f1b67c1b29" ], "e140d214-9afb-43e3-a01b-8a13d05b6b1f": [ 
"ca230139-7dc6-4920-b7e4-d115d5b73a89" ], "3638e6e5-fe69-4116-8c70-d23d1f45c85b": [ "ca230139-7dc6-4920-b7e4-d115d5b73a89" ], "6ca6c589-f6b5-4b74-8a8c-afdd0d929c55": [ "2ec5078c-735c-4d6d-80f9-300574c61cb0" ], "b0c9cb23-8f23-4f28-b791-fb47f73eff94": [ "2ec5078c-735c-4d6d-80f9-300574c61cb0" ], "4349e83a-ee47-43f1-9096-5b924621ca67": [ "56a63b71-7718-48e0-bc09-a319c36f2913" ], "5fea01f8-83bb-4e04-a4b7-58f09e132a6f": [ "56a63b71-7718-48e0-bc09-a319c36f2913" ], "f345e3c4-fbbc-470a-99c5-beb75a72736c": [ "5567afe1-c386-45a9-8b2d-fbfb0190cc90" ], "ab41a501-101e-4906-903d-02a8922336be": [ "5567afe1-c386-45a9-8b2d-fbfb0190cc90" ], "9e56fcd0-5bfb-42d7-9e6b-5998739f27b3": [ "613fa3d5-f3c3-44ea-9546-dd3ec367298a" ], "0b1cd56b-12ec-44f7-9bce-11ef0c55c858": [ "613fa3d5-f3c3-44ea-9546-dd3ec367298a" ], "c5acee5b-1ed0-49e9-92fb-e8fbceb345ee": [ "83dfce1f-b358-4c9d-aa2f-1176d1239aad" ], "4140ccb3-5137-434b-b191-39285632b5c1": [ "83dfce1f-b358-4c9d-aa2f-1176d1239aad" ], "e79521c7-ba9d-4f16-a70e-603d55191b16": [ "18f78841-8f34-4c6c-85b9-b9694d6594f3" ], "5fff0e94-51d9-408c-9679-15f738ba5ea8": [ "18f78841-8f34-4c6c-85b9-b9694d6594f3" ], "30db9f70-03be-40c8-bca5-b339f03312fc": [ "81a1445e-9260-4dd7-b814-fef406a4380d" ], "8b2433d6-364a-4aed-93df-217e23a8c928": [ "81a1445e-9260-4dd7-b814-fef406a4380d" ], "2a68f8b0-9623-4676-b22b-b150eed53b1a": [ "d279ee2f-4670-4558-98b6-b39b78cdaf4a" ], "377a8d3b-8f50-40a8-8bd6-81afbb85b845": [ "d279ee2f-4670-4558-98b6-b39b78cdaf4a" ], "eae0fdbb-90b8-4b9d-b7d2-03e1f36d2e89": [ "508ce84d-54f2-4a3e-a6fd-5af943b9b7de" ], "3ee87e0b-34e8-420e-b35d-c2082f73361b": [ "508ce84d-54f2-4a3e-a6fd-5af943b9b7de" ], "dbaeb2fc-88a2-4394-91c1-2c5a25b289ba": [ "dd60b699-c076-4f30-86d6-20e60927eb3f" ], "7ecaa10e-e696-4cfd-8b30-46064c244236": [ "dd60b699-c076-4f30-86d6-20e60927eb3f" ], "46994878-aa95-4cf8-8ca7-c6ebe047f10f": [ "236aac7e-6a86-4324-875f-8659bbc52fb5" ], "e70a2513-ab2d-4000-a7bb-ec41af7e022d": [ "236aac7e-6a86-4324-875f-8659bbc52fb5" ], 
"1a2d25f5-29cd-472e-96a7-95943cd030bd": [ "65e4cc68-69ea-485c-a5e5-50aa1b6b58f8" ], "96f5d13a-9c67-4537-b72a-160a5f913232": [ "65e4cc68-69ea-485c-a5e5-50aa1b6b58f8" ], "bdc605a0-9a31-40bd-91aa-75fbb3ad40d3": [ "dad831e1-b108-4f9b-a733-19cd36f61d98" ], "6813f7e3-0f9e-4b3d-a8b3-8adf987cc9ca": [ "dad831e1-b108-4f9b-a733-19cd36f61d98" ], "a0d1d471-7342-43ad-8987-178030b176b7": [ "42f2fe79-b451-4907-b4f4-e56129c1387e" ], "2f47f978-2e05-4f6b-a4eb-74893ed8fd83": [ "42f2fe79-b451-4907-b4f4-e56129c1387e" ], "fded8500-431e-48bf-bc68-dc5d8ad8c542": [ "11803c02-4f6c-4de1-9269-2c9bab1ed404" ], "8ce04e2b-1672-405f-b395-52621bbe2142": [ "11803c02-4f6c-4de1-9269-2c9bab1ed404" ], "885962a5-db78-424b-a9c7-0791741466d6": [ "8fd2575b-013a-4dfc-84ae-ecb5ae63fe16" ], "ad173987-d36d-413c-8fd6-f657435bdb1b": [ "8fd2575b-013a-4dfc-84ae-ecb5ae63fe16" ], "5162794c-7d93-4064-a7c9-891831d408e4": [ "75a1169a-cb6a-4f22-a7eb-7925911a9de5" ], "8a34b333-0bea-44a0-8b7f-dbe2c028175f": [ "75a1169a-cb6a-4f22-a7eb-7925911a9de5" ], "e6defc34-75cf-4580-bbf3-3cd9787cf9b1": [ "9e4e15a9-fd29-49af-bc4d-9a8bba207805" ], "d0883bad-3ec9-4206-a163-6098044923c7": [ "9e4e15a9-fd29-49af-bc4d-9a8bba207805" ], "12d3d77b-33ef-4bf6-b424-09d0911a1cad": [ "f229fa0d-43ab-4b4b-ae8e-1b42c1176256" ], "62f82c2e-6dd5-456b-9c65-fdd26ff4bd68": [ "f229fa0d-43ab-4b4b-ae8e-1b42c1176256" ], "7bd6384d-d690-4e30-9d3d-f0f134704853": [ "dde448f3-5bf3-41ea-b06f-1201449dcc3f" ], "9858e63f-c39f-4663-800a-dc60d30fd0bf": [ "dde448f3-5bf3-41ea-b06f-1201449dcc3f" ], "af7ae685-f65c-4126-8312-dbe7d60dea38": [ "65b89eed-a6ed-4926-9acf-738f995749b9" ], "0a9c6fa6-3627-4004-8ef8-4e21084a3e80": [ "65b89eed-a6ed-4926-9acf-738f995749b9" ], "e4ac4e4d-b253-42b5-9e50-53c003e9ac6a": [ "8a1dd7f9-8a85-4ea5-92a2-e871584d4121" ], "f46e9923-0681-40a0-a391-127e3f8805df": [ "8a1dd7f9-8a85-4ea5-92a2-e871584d4121" ], "c6f3d5e1-1c4e-416a-bc50-ee7446b91b00": [ "0fafeb59-eb0f-4ee5-b329-f573d221dac6" ], "05b22675-6bb1-4ee3-bab5-f698609294b0": [ 
"0fafeb59-eb0f-4ee5-b329-f573d221dac6" ], "277896d2-70d4-4e2d-a315-2e1f271c36de": [ "411f799e-d81b-4e14-a38d-34ba67ae3b56" ], "e6f76404-6d96-49b7-9009-61a46dfca355": [ "411f799e-d81b-4e14-a38d-34ba67ae3b56" ], "aef6b17c-402f-4b77-bb0e-d267db4f09b2": [ "9a8de027-403a-49d9-a55b-7e53a1afe3c9" ], "b5ab9522-84d5-474e-87cf-c25cd7c88356": [ "9a8de027-403a-49d9-a55b-7e53a1afe3c9" ], "9e73f201-1c97-4043-80f1-829822586fdc": [ "413b360d-668b-4176-af96-0330158159a0" ], "6af527c3-064e-45e5-a190-84ed4ac0d54a": [ "413b360d-668b-4176-af96-0330158159a0" ], "aa862048-0ef7-497a-a4b5-ae78b946f7ce": [ "e8914b74-309e-40a2-89a5-1c1f0076a817" ], "272190d1-0704-4366-9d54-00bdede4ff2a": [ "e8914b74-309e-40a2-89a5-1c1f0076a817" ], "92eeb031-dd06-4028-8965-63bc9ba7bc2b": [ "a4f9fba4-209d-4481-ba98-2e0afbd147fc" ], "c8f55445-cd28-42bc-ab37-6b1db3a793ef": [ "a4f9fba4-209d-4481-ba98-2e0afbd147fc" ], "c8e9040a-18c9-4ff5-a004-36997529a46e": [ "6530df65-3f39-46f6-a3ad-e748006b5576" ], "dab5bc5f-8ff1-480c-9492-767c36c00af1": [ "6530df65-3f39-46f6-a3ad-e748006b5576" ], "2a7e30fe-c410-44f0-9e39-b702d3e4daac": [ "cc5676da-b5be-4d68-ae8e-5b955eaec92c" ], "e7545927-0735-4bc1-a3e2-78e11276238b": [ "cc5676da-b5be-4d68-ae8e-5b955eaec92c" ], "44cd5b99-95c5-4319-8146-5f6497ee38ab": [ "3f8c7c3e-8e66-4694-b315-b6e49fcc2095" ], "5a1976d8-167b-48e1-b7de-f0fc0059c832": [ "3f8c7c3e-8e66-4694-b315-b6e49fcc2095" ], "4ea96dbf-53ab-432d-9d35-46858396786b": [ "82a21896-f077-4df4-87a4-dde7bdc9c6b4" ], "5ce1157c-c3a5-4117-b066-46851a5abb46": [ "82a21896-f077-4df4-87a4-dde7bdc9c6b4" ], "0036366f-0e1c-4219-a23e-33f08b45bdfe": [ "0b092f01-5382-4807-a1ef-a3af43865daf" ], "0ab2c5be-4145-45f5-9d05-94104927f9ae": [ "0b092f01-5382-4807-a1ef-a3af43865daf" ], "fc25e79c-2109-4cdd-9831-c5a3a5ab754e": [ "614167fb-a5aa-4919-bbff-a6fa61e31afe" ], "d7da17e2-1f5f-4784-b048-a0dce464ecdb": [ "614167fb-a5aa-4919-bbff-a6fa61e31afe" ], "c6bfa6fa-1934-4780-9325-1c604fe18233": [ "711bfc1f-102f-4c07-bfad-c1defd649112" ], 
"5dbfedf4-cf74-416a-8077-2c3232309fb8": [ "711bfc1f-102f-4c07-bfad-c1defd649112" ], "4db5ded7-d8d1-4a5d-aad0-4361e236f431": [ "ca884959-4d4a-4541-aa18-e676ea15dc73" ], "b4b814ca-2cda-46a7-a300-29bbf8847ae4": [ "ca884959-4d4a-4541-aa18-e676ea15dc73" ], "4f0cdfb5-6fb8-4e5e-a8b1-9759469edb39": [ "39fba19a-37ce-4571-97c2-9795d25e5cfe" ], "74b379e7-de8b-4c41-b5d6-20b135e4741b": [ "39fba19a-37ce-4571-97c2-9795d25e5cfe" ], "5efb0f99-8397-47f2-9285-4d5e7d018ee5": [ "f4025d1d-e14a-4af7-9ac8-74146a95c19f" ], "53247abc-58a5-4a55-9a07-6aeaec452201": [ "f4025d1d-e14a-4af7-9ac8-74146a95c19f" ], "8070e233-5317-4038-89d8-e1be86ece0bf": [ "0c762c73-8461-4a22-baf9-61edc0ce834e" ], "4edb0ece-9e1c-4ceb-ab12-160d65891acc": [ "0c762c73-8461-4a22-baf9-61edc0ce834e" ], "cec9b3c8-e485-48ae-b6bb-8f3d321caf43": [ "159e9064-e93d-4a89-bf92-43d2dade862e" ], "b9efd0a6-8093-4cfc-b951-8bcf67ee468b": [ "159e9064-e93d-4a89-bf92-43d2dade862e" ], "8a9a27b4-62f9-4962-94f1-6d022027ff8b": [ "56ec2788-7ad8-43ba-91db-dcd7c003153b" ], "281d95f1-685b-4756-8ba0-842236e2dd23": [ "56ec2788-7ad8-43ba-91db-dcd7c003153b" ], "74134d68-2a41-4ad6-abc3-920ae87d8561": [ "209fa169-5231-4321-952b-4587bf4da588" ], "b9044f9d-ba53-4b3e-8a9f-61d23248471f": [ "209fa169-5231-4321-952b-4587bf4da588" ], "a90793c7-7615-44fa-8501-98fca6722058": [ "da360e85-6f4d-4b05-b799-e992287b43c6" ], "894f5a88-1f3f-4249-90ec-8a61658ba521": [ "da360e85-6f4d-4b05-b799-e992287b43c6" ], "038ac056-a19f-4076-b225-ba98df141cb8": [ "0ca60011-766e-4833-b11c-6d71a7d96e05" ], "dfbda894-d560-4908-8fe0-be9287d3c77d": [ "0ca60011-766e-4833-b11c-6d71a7d96e05" ], "9d9e2353-9251-4dec-9868-7a9f1b654b3f": [ "630da8b8-3956-496a-b2ee-b5058ff307f1" ], "55eac1a7-26e0-42d1-b3a8-7fd03e46affa": [ "630da8b8-3956-496a-b2ee-b5058ff307f1" ], "a168c0c0-d8ab-444e-81d5-875d52353819": [ "de37ecbd-ddb0-450a-991e-c14b0d80a4d0" ], "c92c194f-b1a1-4240-8e7b-f90f147e908c": [ "de37ecbd-ddb0-450a-991e-c14b0d80a4d0" ], "1ef89106-eb3b-4ddf-8de4-5c9fc984cc20": [ 
"f28a6373-1b98-4662-92bc-e93d9a4281ae" ], "af30b1a7-60c3-4d59-98cc-3638718dc2b4": [ "f28a6373-1b98-4662-92bc-e93d9a4281ae" ], "39f4c9ee-19e5-42c2-919b-1d2edd1be0a5": [ "fa3aadd2-3d23-4a28-965a-fae613f423f8" ], "cf6bc048-95cd-44b1-80e3-58d69050d919": [ "fa3aadd2-3d23-4a28-965a-fae613f423f8" ], "4536ce6a-0c14-4ac8-93ab-4e7a2ad47b88": [ "5432093b-2a5e-4e08-ad6c-f95350f5fb20" ], "f12ea9af-6cc9-453f-a781-b56431b87e9b": [ "5432093b-2a5e-4e08-ad6c-f95350f5fb20" ], "05001da0-899d-4bc1-8c9a-4d278b98a712": [ "ebf58f5a-5464-4da4-adea-b7ce5bc61f23" ], "05363d00-0ee0-4206-99c7-c8e06e6d6099": [ "ebf58f5a-5464-4da4-adea-b7ce5bc61f23" ], "4477c024-7ac0-46f4-81c8-330e4b741e20": [ "5a0d580d-e959-4844-9596-f742bb9664de" ], "600067ca-80fa-4df9-95af-e175c3a088de": [ "5a0d580d-e959-4844-9596-f742bb9664de" ], "35ce49dc-9da8-45ae-b91d-c7ae8ffca3f1": [ "8e71ee99-0876-4e58-8992-ae68243b062e" ], "2e5c6142-bd36-473e-8649-200d3494dc71": [ "8e71ee99-0876-4e58-8992-ae68243b062e" ], "470cc0af-4e19-47f6-ba49-a2ee59e650d5": [ "04466265-f59d-4134-b4d1-bf4669961c00" ], "15cd59b6-c043-4f9f-a0eb-9fe6c3c9ac73": [ "04466265-f59d-4134-b4d1-bf4669961c00" ], "67c9a220-f7af-440b-af09-7d91e3e7c9a8": [ "453b8b25-b295-42e8-a00d-3bcf189f756c" ], "98738398-effb-4d7d-a6cf-43331bda490d": [ "453b8b25-b295-42e8-a00d-3bcf189f756c" ], "5fed9125-d50f-47a2-b5c3-21f69614f512": [ "daa224a7-f0be-4b04-b7a1-5f4113c03616" ], "cd3b399c-e367-4639-8fbb-d144c762b1a0": [ "daa224a7-f0be-4b04-b7a1-5f4113c03616" ], "69709243-e35b-4ded-84f7-abb6ddb16acf": [ "b3e87dce-424a-4162-adb1-d76bcb86d9ed" ], "ba23397b-7ce4-4c82-9023-4f1dea038d3c": [ "b3e87dce-424a-4162-adb1-d76bcb86d9ed" ], "55c95291-f7d5-4a5b-8524-8b47493388a7": [ "b8877c67-cf6b-41b5-93fc-1d4a019fc406" ], "3a89e636-88cd-425b-84d2-01464cd3025f": [ "b8877c67-cf6b-41b5-93fc-1d4a019fc406" ], "d855cade-4910-4aec-9490-78cf5ddb8a1a": [ "90bf1824-d4b3-4a1a-a5cc-26f02fae706e" ], "8c2b3490-781d-4ac6-ba11-8aba8bb71242": [ "90bf1824-d4b3-4a1a-a5cc-26f02fae706e" ], 
"96fbb343-b847-439f-9370-f24c9912aa31": [ "2030ac2d-0592-4e26-abb0-aa1b962367a2" ], "1dd5526f-ff8f-43e1-8589-a93a35b260a1": [ "2030ac2d-0592-4e26-abb0-aa1b962367a2" ], "890d41aa-4fd2-4ac7-91d8-da1a87afe5c1": [ "7963d0b2-9fbb-4682-9934-01b9146ab48d" ], "3ce9edf8-2b23-4875-9c7c-8b66051c47e5": [ "7963d0b2-9fbb-4682-9934-01b9146ab48d" ], "83be69d9-3e7b-4ecf-ad52-795c6d9d929e": [ "76d16257-79ea-4172-9707-26e7336730a9" ], "2aaeedd1-343e-4388-81f5-35cc67ea046f": [ "76d16257-79ea-4172-9707-26e7336730a9" ], "9886a022-a65f-4f8a-8cbe-6074dff89fbd": [ "ee7a2136-72b7-4206-8a95-3d8a108ee187" ], "448ec50b-696a-4d5c-a5c8-aa582a3ce857": [ "ee7a2136-72b7-4206-8a95-3d8a108ee187" ], "407367a5-969c-4b3c-9abb-b3164b93a068": [ "5662f0b6-1229-4035-9e75-8a3167761e1c" ], "b0b61bb7-708f-4735-96df-dee1cec11e3c": [ "5662f0b6-1229-4035-9e75-8a3167761e1c" ], "c9a96ae2-29d3-47f9-b488-19d55a3255f0": [ "5b5bafb9-097b-4eff-a3b2-a32dfbab3ce3" ], "73049cbb-d118-47ec-97ae-15e7957f90d4": [ "5b5bafb9-097b-4eff-a3b2-a32dfbab3ce3" ] }, "mode": "text" }