diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-03 at 12.31.44.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-03 at 12.31.44.png new file mode 100644 index 0000000..5a46e13 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-03 at 12.31.44.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.2-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.2-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md index 0ccc3e1..8155eb2 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.2-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.2-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md 
@@ -18,4 +18,67 @@ This session covers the legal and regulatory landscape relevant to information s ISO standards, more specifically in the annex A, have a clause 5.31, which says legal, statutory, regulatory, and contractual requirements. So an organization needs to understand what are the requirements that are relevant for the business that you're in, the type of organization that you're in. So the purpose of that control is really to ensure that compliance. -I still see a lot of organizations when auditing that don't really know the applicable laws and regulations. So whatever organizations should do is to start either with their legal counsel or they need to hire a lawyer to help them with that To understand what are all the laws and regulations that have an impact on the organization. That can be quite a lot depending on the organization that you're in there, but you need to uh check If you are compliant, you need to check what are the different countries that I'm working for. Are the countries, do I have all the laws and regulations? What specific clause in the law do I need to adhere to? And how have I tackled that? What are the specific processes? What are the policies that I use to be able to show that conformity So that ISO 27000 and one can really help you with that to really get a step up in that good overview of laws and regulations. Now there are a lot of key areas um especially nowadays it was different fifty years ago, but uh today There are a lot of key areas that should be considered. On the slide you see a couple of things that you really need to think about if they are applicable for your organization And let's walk through them one by one. First of all, data protection. Today there are a lot of countries. That have established data protection laws and regulations, think about the GDPR, that really aim at protecting, safeguarding data and data subjects. 
Organizations need to understand what is the law and regulation, and we need to have procedures and processes in place to ensure that we can protect that personal identifiable information. we can adhere to any requests that data subjects have and we can uh look at that. Related to data protection is of course privacy. Privacy, also in order to comply with certain laws, many organizations are also obliged to establish a policy for ensuring information privacy Throughout which they increase awareness of those statutory, regulatory, and business requirements regarding the treatment and protection of that personal information. So data protection and privacy usually go hand in hand. Cybercrime is another thing to consider. They encompass any illegal activity that is performed through a computer and network. And that is intended to really harm the organization system and gain unauthorized access to the data. Targeted organizations might experience financial and reputational damage In order to prevent and to respond to those activities, organizations should also establish procedures like an incident management procedure, um like uh ways uh for ethical hackers uh to provide them with information. Um so um protective measures as stated are are not considered as crime but also there you need to see what is applicable in your country. Sometimes ethical hacking um needs to uh adhere to certain um yeah specific guidelines and I'm talking from Belgium of course and Belgium it's it's only for one or two years that it's really legal uh to perform ethical hacking. Um and To communicate to an organization that you find some vulnerabilities. So you really need to check what is legal in your country that you reside and how can you take care of that in your organization. Dignital signatures is something else that is really something of the last years. We used to sign everything in paper. That time is far behind us. 
So an electronic signature today is um it it helps organizations of course to verify the um authenticity of a message or a document and by verifying the author. To check if the content has been modified. As a result, an electronic document that is digitally signed has the same legal validity as a hard copy. So, like a document document that is signed in handwriting, as long as there are regulations that give that full legal value to it. And some countries Electronic records must ensure the um preservation of uh traces as evidence of that integrity. So there you need to see okay what is the tool that we are going to use To provide those dignity, what are the certificates, for example, that are used, and what is the law again that we need to look at Intellectual property is something that you need to think about, both your own intellectual property and what how do you work with customers and how is intellectual property taken care of there, but also the intellectual property of your employees. Ensure that you have everything written down in contracts so that There is no reason to come to a conclusion later. Also, there I see a lot of companies that take care of the intellectual property with their customers, but forget that their employees also have intellectual property. Electronic payments. If your organization has a web store or something like that, electronic payments laws have been created as well. So you need to check if there is something that you need to adhere to there in ensuring that you protect the rights of the clients of which you receive those electronic payments. And then lastly we have the records management. Some national laws also require from organizations that they establish procedures for identifying, classifying, storing, modifying, and even destroying records ISO 15489. 1 delivers those specific contents or concepts and guidance that can help you in that records. 
So you see there are a lot of um key areas that you need to consider uh because there are a lot of uh relevant laws that might be there. So after um the so now we've spoken about the key areas Let's dive a little bit deeper into all the information security and data protection laws by region. For sure, not all of the laws have been added because that would lead us a little bit too far, of course. But um you do well um especially also when you're auditing um to uh have a general understanding about general laws that are applicable for on a country level at least And then you can still have a look. Companies need to know what is specifically for their industry applicable. So let's start with America, starting with North America. You have, of course, the HIPAA, which is the health insurance Portability and Accountability Act. It regulates the privacy and security of medical information in the United States So that's very specific for the United States. A lot of companies that are working in the United States and that have have their headquarters in the United States put those requirements also on European organizations. So it's not because it's applicable in the US that everybody who's residing in the EU is no longer falling under it. So HIPAA might be something that you need to take in. into account. So if you're auditing a finance company, that might be something that you want to check upon. Surveyus Oxley Act, a well-known act, short SOX regulates financial reporting and auditing requirements for public organizations in the United States. So public organization The California Consumer Privacy Act, the CCPA, that comes back if you're working with um US organizations, which is Is a little bit similar like the GDPR. It regulates how organizations handle California residents' personal information So it's only applicable to California. 
The New York State Department of Financial Services Cybersecurity Regulation, in short, 23 NYCRR 500 Requires financial institutions to establish and maintain a cybersecurity program. Personal Information Protection and Electronic Documents Act, which is called PIPEDA Regulates how Canadian private sector organizations collect, use, and disclose personal information And then lastly, the Personal Information Protection Act, in short, PIPA, is a privacy law that governs the collection, use and disclosure of personal information by private sector organizations in British Columbia and Canada. So you see and the difficulty in North America is of course you have different states and different states have different laws, so you really need to have a look on, okay, what are the laws that they're uh looking at. Then uh jumping over um to South America, um there are also a couple of things that are in place. Um so in Brazil You have the General Personal Data Protection Act, and it's a data protection law that regulates the processing of personal data in Brazil. So it applies to both Brazilian but also foreign organizations that process personal data of individuals that are located in Brazil. In Argentina, you also have a personal data protection law, uh, which is number uh 25326 And that addresses the collection, processing, storage, and transfer of personal data. And under this law, individuals have the right to access, modify, and delete their personal data held by the data controllers as well as the right to object for the processing. So you see a lot of things coming back that were also part of the GDPR And then you have in Peru also the data protection law, a Peruvian law that regulates the processing of personal data by individuals and organizations. And the law aims to protect basically the privacy of individuals by establishing principles and requirements for collection, use, storage, and transfer of personnel. 
Looking at Europe, um, first of all, the GDPR, well known, regulates the privacy and security of personal information for individuals within the European Union. The NIST2 Directive is an initial EU-wide legislation on cybersecurity designed to attain a uniform and elevated level of cybersecurity throughout the member states. And then we also have the EU Cybersecurity Act, which creates basically a unified system for certifying ICT products, services, and processes related to cybersecurity in Europe. Then going to the other side of the globe, Asia. In China, there is a cybersecurity law which regulates the security of networks and personal information. In China. In Singapore, we have the Personal Data Protection Act, which regulates again the collection, use, and disclosure of personal data in Singapore. In India, we have the Information Technology Act, regulates electronic transactions and digital signatures in India. In Japan, we have the Act on the Protection of Personal Information, which regulates the handling of personal information in Japan. And also in Japan, we have the basic act on cybersecurity. Which establishes basic policies for Japan's cybersecurity efforts and it formulates also a cybersecurity strategy and it effectively advances cybersecurity initiatives. In Africa, South Africa, we have the protection of personal information, is also a data protection law in South Africa, and it applies to any individual or legal entity that handles personal data. In Mauritius, we have the Cybersecurity and Cybercrime Act of 2021. That's a law that deals with cybercrime and cybersecurity. So the act provides also for different penalties based on the severity of course of the offense committed and it can include a fine not exceeding two million uh rupees and imprisonment even um for a term um not exceeding 25 years so that That's already pretty hefty. In Tunisia, we have the Organic Act number 2463 on the protection of personal data. 
It's a primary legal framework for data protection in Tunisia. In Ghana, we have the Cybersecurity Act 2020. It promotes a safe and a secure digital environment and it also protects critical information infrastructures and combats cybercrime in Ghana. In Kenya, we have the Data Protection Act 2019, which regulates the processing of personal data and seeks to safeguard the privacy and data protection of individuals in Kenya. And then we have in Nigeria the data protection regulation, in short, NDPR, established in 2019. It's really the first comprehensive Data protection regulation in Nigeria, and it sets out the legal framework for again the protection of personal data in Nigeria. And then we still have Oceania left. There we have the Privacy Act 1988, which governs the handling of personal information by Australian government agencies and private organizations. So it requires organizations really to have a privacy policy, but also to obtain consent for collecting personal information and to provide access to those individuals to their own personal information. To assure that their personal information remains accurate, of course. In New Zealand, we have the Privacy Act 2020, which regulates the collection and disclosure of personal information in New Zealand. It applies to all organizations, also including Including government uh agencies. And then in Fiji we had the Cybercrime Act of uh 2001, um the which was enacted by the Fiji government um and that criminalizes range of cyber offenses, including the unauthorized access to computer systems, cyber stalking and cyberbullying. So uh a lot of uh laws that um and acts that have been uh put in place uh across the globe. 
So When working internationally, it's a smart thing to check where are we working, where are we data transferring to and what potential legislation might be in place So you can reach out to legal counsel, to sector industry bodies that can help you understand what are the different legislations that are applicable. \ No newline at end of file +I still see a lot of organizations when auditing, that don't really know the applicable laws and regulations. What organizations should do is ask their legal counsel or lawyer to help them with that to understand which laws and regulations have an impact on the organization. You need to check relevant regulations in the different countries your acting in. What specific clause in the law do I need to adhere to? And how have I tackled that? What are the specific processes? What are the policies that I use to be able to show that conformity? ISO 27001 can help you with that to really get a step up in that good overview of laws and regulations. These days there are a lot of key areas that should be considered: + +- **Data protection**. Today there are a lot of countries, that have established data protection laws and regulations, think about the GDPR, that really aim at protecting, safeguarding data and data subjects. Organizations need to understand what is the law and regulation, and we need to have procedures and processes in place to ensure that we can protect that personal identifiable information. we can adhere to any requests that data subjects have and we can uh look at that. +- Related to data protection is of course **privacy**. Privacy, also in order to comply with certain laws, many organizations are also obliged to establish a policy for ensuring information privacy, throughout which they increase awareness of those statutory, regulatory, and business requirements regarding the treatment and protection of that personal information. So data protection and privacy usually go hand in hand. 
+- **Cybercrime** is another thing to consider. They encompass any illegal activity that is performed through a computer and network, that is intended to really harm the organization system and gain unauthorized access to the data. Targeted organizations might experience financial and reputational damage In order to prevent and to respond to those activities, organizations should also establish procedures like an incident management procedure, like ways for ethical hackers to provide them with information. Protective measures as stated are are not considered a crime, but also here you need to see what is applicable in your country. Sometimes ethical hacking needs to adhere to certain specific guidelines. In Belgium, for example, ethical hacking was illegal until 2 years ago. Some countries have laws on how to communicate found vulnerabilities. +- **Digital signatures** is something else that is really something of the last years. We used to sign everything in paper. That time is far behind us. So an electronic signature today helps organizations to verify the authenticity of a message or a document, and by verifying the author, to check if the content has been modified. As a result, an electronic document that is digitally signed has the same legal validity as a hard copy. So, like a document document that is signed in handwriting, as long as there are regulations that give that full legal value to it. And some countries require electronic records to ensure the preservation of traces as evidence of that integrity. So there you need to see what is the tool that we are going to use. 
To provide those digital signatures, what are the certificates, for example, that are used, and what is the law again that we need to look at +- **Intellectual property** is something that you need to think about, both your own intellectual property and what how do you work with customers, and how is intellectual property taken care of there, but also the intellectual property of your employees. Ensure that you have everything written down in contracts so that there is no reason to come to a conclusion later. Also, there I see a lot of companies that take care of the intellectual property with their customers, but forget that their employees also have intellectual property. +- **Electronic payments**. If your organization has a web store or something like that, electronic payments laws have been created as well. So you need to check if there is something that you need to adhere to there, in ensuring that you protect the rights of the clients of which you receive those electronic payments. +- And then lastly we have the **records management**. Some national laws also require from organizations that they establish procedures for identifying, classifying, storing, modifying, and even destroying records. ISO 15489.1 delivers those specific concepts and guidance that can help you in that records. + +So you see there are a lot of um key areas that you need to consider uh because there are a lot of uh relevant laws that might be there. So now we've spoken about the key areas, let's dive a little bit deeper into all the information security and data protection laws by region. + +![](CleanShot%202026-06-03%20at%2012.31.44.png) + +For sure, not all of the laws have been added because that would lead us a little bit too far, of course. But you do well, especially when you're auditing, to have a general understanding about general laws that are applicable for on a country level at least. Companies need to know what is specifically for their industry applicable. 
+ +**So let's start with North America.** + +- You have, of course, the **HIPAA**, which is the Health Insurance Portability and Accountability Act. It regulates the privacy and security of medical information in the United States. A lot of companies that are working in the United States and that have have their headquarters in the United States put those requirements also on European organizations. So these requirements may become applicable to companies residing in the EU. +- The Gramm-Leach-Biley Act (**GLBA**), requires financial institutions to protect consumer financial information. So if you're auditing a finance company, that might be something that you want to check upon. +- The Sarbanes-Oxley Act (**SOX**) regulates financial reporting and auditing requirements for public organizations in the United States. +- The California Consumer Privacy Act, the **CCPA**, comparable to the GDPR. It regulates how organizations handle California residents' personal information, so it's only applicable to California. +- The New York State Department of Financial Services Cybersecurity Regulation, in short, **23 NYCRR 500** Requires financial institutions to establish and maintain a cybersecurity program. +- The Personal Information Protection and Electronic Documents Act (**PIPEDA**) regulates how Canadian private sector organizations collect, use, and disclose personal information. +- The Personal Information Protection Act (**PIPA**) is a privacy law that governs the collection, use and disclosure of personal information by private sector organizations in British Columbia and Canada. + +So you see and the difficulty in North America is of course you have different states and different states with different laws. + +**Then jumping over to South America.** + +- In **Brazil** you have the **General Personal Data Protection Act**, it's a data protection law that regulates the processing of personal data in Brazil. 
So it applies to both Brazilian and foreign organizations that process personal data of individuals that are located in Brazil. +- In **Argentina** there's **law 25326** that addresses the collection, processing, storage, and transfer of personal data. And under this law, individuals have the right to access, modify, and delete their personal data held by the data controllers as well as the right to object against processing, like the GDPR. +- In Peru you have the data protection law, that regulates the processing of personal data by individuals and organizations. The law aims to protect the privacy of individuals by establishing principles and requirements for collection, use, storage, and transfer of personnel. + +**Looking at Europe** + +- first of all there's the **GDPR**, which regulates the privacy and security of personal information for individuals within the European Union. +- The **NIS 2** Directive is an initial EU-wide legislation on cybersecurity designed to attain a uniform and elevated level of cybersecurity throughout the member states. +- And then we also have the **EU Cybersecurity Act**, which creates basically a unified system for certifying ICT products, services, and processes, related to cybersecurity in Europe. + + +**Then going to the other side of the globe, Asia** + +- In **China**, there is a **cybersecurity law** which regulates the security of networks and personal information. In China. +- In **Singapore**, we have the **Personal Data Protection Act**, which regulates again the collection, use, and disclosure of personal data in Singapore. +- In **India**, we have the **Information Technology Act**, which regulates electronic transactions and digital signatures in India. +- In **Japan**, we have the **Act on the Protection of Personal Information**, which regulates the handling of personal information in Japan. Japan also has the **basic act on cybersecurity**, which establishes basic policies for Japan's cybersecurity efforts. 
It also formulates a cybersecurity strategy and it effectively advances cybersecurity initiatives. + +**In Africa** + +- In **South Africa**, we have the **protection of personal information law**, and it applies to any individual or legal entity that handles personal data. +- In **Mauritius**, we have the **Cybersecurity and Cybercrime Act** of 2021. That's a law that deals with cybercrime and cybersecurity. So the act provides for different penalties based on the severity of course of the offense committed and it can include a fine not exceeding two million rupees and imprisonment even for a term not exceeding 25 years. +- In **Tunisia**, we have the **Organic Act number 2463 on the protection of personal data**, a primary legal framework for data protection. +- In **Ghana**, we have the **Cybersecurity Act 2020**. It promotes a safe and a secure digital environment and it also protects critical information infrastructures and combats cybercrime in Ghana. +- In **Kenya**, we have the **Data Protection Act 2019**, which regulates the processing of personal data and seeks to safeguard the privacy and data protection of individuals in Kenya. +- And then we have in **Nigeria** the data protection regulation, in short, **NDPR**, established in 2019. It's really the first comprehensive data protection regulation in Nigeria, and it sets out the legal framework for again the protection of personal data in Nigeria. + +**And then we still have Oceania left**. + +- There we have the **Privacy Act 1988**, which governs the handling of personal information by Australian government agencies and private organizations. It requires organizations to have a privacy policy, but also to obtain consent for collecting personal information and to provide access to individuals to their own personal information, to assure that their personal information remains accurate. 
+- In **New Zealand**, we have the **Privacy Act 2020**, which regulates the collection and disclosure of personal information in New Zealand. It applies to all organizations, including Including government agencies. +- And then in **Fiji** we had the **Cybercrime Act of 2001**, that criminalizes a range of cyber offenses, including the unauthorized access to computer systems, cyber stalking and cyberbullying. + +So a lot of laws and acts that have been put in place across the globe. When working internationally, it's smart to check where are we working, where are we transferring data to, and what potential legislation might be in place. So you can reach out to legal counsel, to sector industry bodies that can help you understand what are the different legislations that are applicable. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.3-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.3-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md index 4ea1bc8..f5d95c3 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.3-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.3-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md 
@@ -16,4 +16,6 @@ This session explains what a management system is, defining it as a set of inter ## Transcription -So let's have a look at what a management system is. Now if we look at ISO 27000, a clause 341 gives a definition on a management. So a management system is a set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives. So basically it's a very complicated, or it seems a very complicated sentence, but it isn't really All organizations have some form of a management system because it's just the way you operate your business. It's nothing more complicated than that. It's a way on how you operate your business. So a coherent and a well-functioning management system combines processes, resources, tools and workforce And a management system can be very complicated or can less can be very documented or less documented depending on the maturity of the organization. So again, a documentation is not a purpose in itself. An appropriate level of documentation is Preferable because it will help you to ensure that consistency, continual improvement, and retention of organizational knowledge Of course, an organization changes in the course of its lifetime. You have an internal and external context It changes so um the management system really needs to be um agile as well, and it needs to be able to respond to those changes as well. So whenever setting up a management system Very important to keep in the back of your mind is whatever is implemented must be controlled and measured and what is controlled and measured must be managed. And so the performance evaluation clause in every ISO standard is a very essential component of any management system. 
Because everything that you write down should be able to be evidenced So you always need to think really hard on okay, what is it what we're going to do, and am I able to measure and to see if the control or whatever management system that we've implemented, if it's working effectively When looking at an information security management system, the ISO 27000 also gives some explanation about that. So an ISMS consists of the policies procedures, guidelines, and associated resources and activity collectively managed by the organization in the pursuit of protecting its information assets So it's again a very long sentence. So an ISMS is basically a systematic approach for both establishing, implementing, operating Monitoring, reviewing, maintaining, and improving the organization's information security to achieve its business objectives. And it's always based on a risk assessment approach and the risk appetite or the risk acceptance criteria from the organization to effectively treat and manage those risks. So a couple of things that are very important here, so it's a systematic approach, and very important is that an information security management system does not live in isolation. So it needs to be linked to the business activities. And it's always based on a risk management approach and the risk appetite of an organization to really treat and handle those risks. Now, when an organization, and uh today I see it more and more happening, uh, an organization can handle Multiple compliance frameworks. I see organizations that have an ISO 9001, they start with the 27,000 one, and they also want to Include the fourteen thousand one. If you want to do that, you want to um look for uh implementing an integrated management system In short, it's IMS. And it's really a management system that integrates all the components of a business into one coherent system to enable basically the achievement of its purpose and mission. 
If you look at um the table on the slide, you see and that's also the reason why um ISO has uh made a lot of changes to their ISO standards to ensure that The clauses 4 to 10 in each standard are pretty similar to each other. That's also the reason why they're called a harmonized structure. So if you look at leadership and commitment, for example, you see that in the ISO 9001, 14001, 2020, 20,000 23001 and 27001, and it all comes back to clause 5. 1. And more likely, the text that is in that clause is the same Policy comes back in all the ISO standards in 5. 2. The same for objectives, you can find them in 6. 2 documented information is always 7. 5 internal audit always 9. 2 management review 9. 3 Only with continual improvement you sometimes have three subclauses like is the case with 9000 and 14001 where uh you have it in 10. 3 and with the other standards in 10. 2 But the information that is in the continual improvement clause is exactly the same for all standards. So that will help you to harmonize and optimize practice. because it doesn't make sense to write in three different management systems the same explanation for leadership, for example. Of course, for a policy, you can say, oh, I want to create three different policies, but the way you set up a policy, the way it needs to be treated in the organization, it's the same So it will help you, of course, reduce duplication and therefore costs, of course. It will also reduce the risks. It will increase Profitability, it will help you to maintain consistency and it will for sure help you with uh improving the communication as well. So you if you work with different management systems consolidating into one is the best practice because it will also help you in communicating to the organization because otherwise it becomes pretty complex for your employees to understand what you're actually are talking about. 
Now apart from ISA publications range beside the ISO 27001 organizations can get certified against a lot of uh primary standards So ISO publications range from traditional activities such as agriculture and construction to the most recent developments of course in information technologies like as digital coding of audio visual signals for multimedia applications. So there are um a couple of standards that the organizations can still get certified against Mo the most well known and um I always say the oldest, but that's because I get older, is the ISO nine thousand one, uh which is quality management system. Uh twenty years ago that one was uh really uh was well known, uh was um Required for a lot of organizations. Today I see less questions about ISO 9000 and an increase on 2700001, but also on ISO 14001, which is an environmental management system. With the rise with everything related to climate change um and environmental uh issues the ISO uh 14001 is gaining in importance again, but it's already a pretty old standard as well. You can certify against ISO 45001, which talks about occupational health and safety The ISO 37301 is a compliance management system. We have uh a food safety management system which is 22000. Um we have business continuity management. Um 22301 also on the rise. I see a lot of customers asking for uh the business continuity management system Of course, also spiked through NIST2 regulations, increasing regulation on incident response and operational resilience There is an anti-bribery management system, ISO 37000 and one, and there is also a service management system which is ISO 2000- So you see there are a lot of primary standards that can be used, of course. 
If I look at this, I would say 9,000 and 14,001 would be the the two that are uh pretty well known uh throughout the world um with um the business continuity management system as third runner up um So yeah, if you want to have more information on each of the standards, you can also visit the PECB website again to get a little bit more information on each of them. standards. So it was a pretty long section that we've spoken about. So let me summarize a little bit. So the International Organization for Standardization In short, ISO publishes standards in response to market demand. ISO standards are based on global expert opinion and consensus and are developed through a multi-stakeholder process ISO 27001 specifies then the requirements for establishing, implementing, maintaining and improving an ISMS and assessing and treating information security. Risks. Advantages of implementing an ISMS can include the improvement of organizational security posture, achievement of good governance, increase of international recognition improvement of customer satisfaction and an increase of competitive advantage. A management system then refers to a set of interrelated and interacting elements of an organization to establish policies and objectives and processes to achieve those objectives, and organizations can two or more management systems by integrating them. \ No newline at end of file +So let's have a look at what a management system is. + +Now if we look at ISO 27000, a clause 341 gives a definition on a management. So a management system is a set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives. So basically it's a very complicated, or it seems a very complicated sentence, but it isn't really All organizations have some form of a management system because it's just the way you operate your business. It's nothing more complicated than that. It's a way on how you operate your business. 
So a coherent and a well-functioning management system combines processes, resources, tools and workforce And a management system can be very complicated or can less can be very documented or less documented depending on the maturity of the organization. So again, a documentation is not a purpose in itself. An appropriate level of documentation is Preferable because it will help you to ensure that consistency, continual improvement, and retention of organizational knowledge Of course, an organization changes in the course of its lifetime. You have an internal and external context It changes so um the management system really needs to be um agile as well, and it needs to be able to respond to those changes as well. So whenever setting up a management system Very important to keep in the back of your mind is whatever is implemented must be controlled and measured and what is controlled and measured must be managed. And so the performance evaluation clause in every ISO standard is a very essential component of any management system. Because everything that you write down should be able to be evidenced So you always need to think really hard on okay, what is it what we're going to do, and am I able to measure and to see if the control or whatever management system that we've implemented, if it's working effectively When looking at an information security management system, the ISO 27000 also gives some explanation about that. So an ISMS consists of the policies procedures, guidelines, and associated resources and activity collectively managed by the organization in the pursuit of protecting its information assets So it's again a very long sentence. So an ISMS is basically a systematic approach for both establishing, implementing, operating Monitoring, reviewing, maintaining, and improving the organization's information security to achieve its business objectives. 
And it's always based on a risk assessment approach and the risk appetite or the risk acceptance criteria from the organization to effectively treat and manage those risks. So a couple of things that are very important here, so it's a systematic approach, and very important is that an information security management system does not live in isolation. So it needs to be linked to the business activities. And it's always based on a risk management approach and the risk appetite of an organization to really treat and handle those risks. Now, when an organization, and uh today I see it more and more happening, uh, an organization can handle Multiple compliance frameworks. I see organizations that have an ISO 9001, they start with the 27,000 one, and they also want to Include the fourteen thousand one. If you want to do that, you want to um look for uh implementing an integrated management system In short, it's IMS. And it's really a management system that integrates all the components of a business into one coherent system to enable basically the achievement of its purpose and mission. If you look at um the table on the slide, you see and that's also the reason why um ISO has uh made a lot of changes to their ISO standards to ensure that The clauses 4 to 10 in each standard are pretty similar to each other. That's also the reason why they're called a harmonized structure. So if you look at leadership and commitment, for example, you see that in the ISO 9001, 14001, 2020, 20,000 23001 and 27001, and it all comes back to clause 5. 1. And more likely, the text that is in that clause is the same Policy comes back in all the ISO standards in 5. 2. The same for objectives, you can find them in 6. 2 documented information is always 7. 5 internal audit always 9. 2 management review 9. 3 Only with continual improvement you sometimes have three subclauses like is the case with 9000 and 14001 where uh you have it in 10. 3 and with the other standards in 10. 
2 But the information that is in the continual improvement clause is exactly the same for all standards. So that will help you to harmonize and optimize practice. because it doesn't make sense to write in three different management systems the same explanation for leadership, for example. Of course, for a policy, you can say, oh, I want to create three different policies, but the way you set up a policy, the way it needs to be treated in the organization, it's the same So it will help you, of course, reduce duplication and therefore costs, of course. It will also reduce the risks. It will increase Profitability, it will help you to maintain consistency and it will for sure help you with uh improving the communication as well. So you if you work with different management systems consolidating into one is the best practice because it will also help you in communicating to the organization because otherwise it becomes pretty complex for your employees to understand what you're actually are talking about. Now apart from ISA publications range beside the ISO 27001 organizations can get certified against a lot of uh primary standards So ISO publications range from traditional activities such as agriculture and construction to the most recent developments of course in information technologies like as digital coding of audio visual signals for multimedia applications. So there are um a couple of standards that the organizations can still get certified against Mo the most well known and um I always say the oldest, but that's because I get older, is the ISO nine thousand one, uh which is quality management system. Uh twenty years ago that one was uh really uh was well known, uh was um Required for a lot of organizations. Today I see less questions about ISO 9000 and an increase on 2700001, but also on ISO 14001, which is an environmental management system. 
With the rise with everything related to climate change um and environmental uh issues the ISO uh 14001 is gaining in importance again, but it's already a pretty old standard as well. You can certify against ISO 45001, which talks about occupational health and safety The ISO 37301 is a compliance management system. We have uh a food safety management system which is 22000. Um we have business continuity management. Um 22301 also on the rise. I see a lot of customers asking for uh the business continuity management system Of course, also spiked through NIST2 regulations, increasing regulation on incident response and operational resilience There is an anti-bribery management system, ISO 37000 and one, and there is also a service management system which is ISO 2000- So you see there are a lot of primary standards that can be used, of course. If I look at this, I would say 9,000 and 14,001 would be the the two that are uh pretty well known uh throughout the world um with um the business continuity management system as third runner up um So yeah, if you want to have more information on each of the standards, you can also visit the PECB website again to get a little bit more information on each of them. standards. So it was a pretty long section that we've spoken about. So let me summarize a little bit. So the International Organization for Standardization In short, ISO publishes standards in response to market demand. ISO standards are based on global expert opinion and consensus and are developed through a multi-stakeholder process ISO 27001 specifies then the requirements for establishing, implementing, maintaining and improving an ISMS and assessing and treating information security. Risks. Advantages of implementing an ISMS can include the improvement of organizational security posture, achievement of good governance, increase of international recognition improvement of customer satisfaction and an increase of competitive advantage. 
A management system then refers to a set of interrelated and interacting elements of an organization to establish policies and objectives and processes to achieve those objectives, and organizations can two or more management systems by integrating them. \ No newline at end of file diff --git a/marketing/publications/posts-dashboard.md b/marketing/publications/posts-dashboard.md new file mode 100644 index 0000000..c5a75c5 --- /dev/null +++ b/marketing/publications/posts-dashboard.md 
@@ -0,0 +1,441 @@ +--- +title: "Posts Dashboard" +notetype: other +tags: [] +--- + +# Posts Dashboard + +```dataviewjs +// ─── CONFIG ────────────────────────────────────────────────────────────────── +const POSTS_FOLDER = "iso27diy-corp/Marketing/publications/posts"; + +const CHANNEL_COLORS = { + linkedin: "#0A66C2", + newsletter: "#E8A838", + blog: "#16A34A", +}; + +const STATUS_ICON = { + published: "✓", + scheduled: "◷", + draft: "○", + ready: "●", +}; + +// ─── STATE ─────────────────────────────────────────────────────────────────── +// weekOffset: 0 = current week, -1 = last week, etc. (min -4) +let weekOffset = 0; +let expandedKey = null; // "filename::channel" of currently open card + +// ─── HELPERS ───────────────────────────────────────────────────────────────── +function getMondayOf(date) { + const d = new Date(date); + const day = d.getDay(); // 0=Sun + const diff = day === 0 ? -6 : 1 - day; + d.setDate(d.getDate() + diff); + d.setHours(0, 0, 0, 0); + return d; +} + +function addDays(date, n) { + const d = new Date(date); + d.setDate(d.getDate() + n); + return d; +} + +function fmtDay(date) { + return date.toLocaleDateString("en-GB", { weekday: "short", day: "numeric", month: "short" }); +} + +function fmtMeta(val) { + if (val === null || val === undefined) return "—"; + if (Array.isArray(val)) return val.join(", "); + if (typeof val === "object" && val.ts) return new Date(val.ts).toISOString().replace("T", " ").slice(0, 16) + " UTC"; + return String(val); +} + +// ─── DATA COLLECTION ───────────────────────────────────────────────────────── +function collectCards(pages) { + const cards = []; // scheduled/published cards with a date + const loose = []; // drafts/ready with no publish-dates + + for (const p of pages) { + const fm = p.file.frontmatter ?? {}; + const title = fm.title ?? p.file.name; + const status = fm.status ?? "draft"; + const channels = Array.isArray(fm.channels) ? fm.channels : (fm.channels ? 
[fm.channels] : []); + const publishDates = fm["publish-dates"] ?? {}; + const publishedUrls = fm["published-urls"] ?? {}; + + // Build one card per channel that has a publish-date + let hasAnyDate = false; + for (const ch of channels) { + const rawDate = publishDates[ch]; + if (rawDate) { + hasAnyDate = true; + const d = new Date(rawDate); + cards.push({ + key: p.file.name + "::" + ch, + title, + status, + channel: ch, + date: d, + url: publishedUrls[ch] ?? null, + path: p.file.path, + fm, + }); + } + } + + // If no channel has a date, it's unscheduled + if (!hasAnyDate) { + loose.push({ + key: p.file.name + "::unscheduled", + title, + status, + channels, + path: p.file.path, + fm, + }); + } + } + + return { cards, loose }; +} + +// ─── RENDER ────────────────────────────────────────────────────────────────── +function render() { + dv.container.empty(); + + const pages = dv.pages(`"${POSTS_FOLDER}"`).where(p => p.notetype === "publication"); + const { cards, loose } = collectCards(pages); + + const today = new Date(); + today.setHours(0, 0, 0, 0); + const monday = addDays(getMondayOf(today), weekOffset * 7); + const sunday = addDays(monday, 6); + + // ── Header + nav ── + const header = dv.container.createEl("div", { cls: "pd-header" }); + + const prevBtn = header.createEl("button", { text: "← Prev", cls: "pd-nav-btn" }); + prevBtn.disabled = weekOffset <= -4; + prevBtn.onclick = () => { weekOffset--; render(); }; + + const weekLabel = header.createEl("span", { cls: "pd-week-label" }); + weekLabel.textContent = fmtDay(monday) + " – " + fmtDay(sunday); + + const nextBtn = header.createEl("button", { text: "Next →", cls: "pd-nav-btn" }); + nextBtn.disabled = weekOffset >= 0; + nextBtn.onclick = () => { weekOffset++; render(); }; + + // ── Legend ── + const legend = dv.container.createEl("div", { cls: "pd-legend" }); + for (const [ch, color] of Object.entries(CHANNEL_COLORS)) { + const item = legend.createEl("span", { cls: "pd-legend-item" }); + const dot = 
item.createEl("span", { cls: "pd-dot" }); + dot.style.background = color; + item.appendText(" " + ch); + } + // Status legend + for (const [st, icon] of Object.entries(STATUS_ICON)) { + const item = legend.createEl("span", { cls: "pd-legend-item pd-legend-status" }); + item.textContent = icon + " " + st; + } + + // ── Grid ── + const grid = dv.container.createEl("div", { cls: "pd-grid" }); + + for (let i = 0; i < 7; i++) { + const day = addDays(monday, i); + const isToday = day.toDateString() === today.toDateString(); + + const col = grid.createEl("div", { cls: "pd-col" + (isToday ? " pd-today" : "") }); + col.createEl("div", { cls: "pd-col-header", text: fmtDay(day) }); + + const dayCards = cards.filter(c => c.date.toDateString() === day.toDateString()); + dayCards.sort((a, b) => a.date - b.date); + + for (const card of dayCards) { + renderCard(col, card); + } + } + + // ── Unscheduled bucket ── + if (loose.length > 0) { + const bucket = dv.container.createEl("div", { cls: "pd-bucket" }); + bucket.createEl("div", { cls: "pd-bucket-header", text: "Unscheduled (" + loose.length + ")" }); + for (const card of loose) { + renderLooseCard(bucket, card); + } + } + + // ── Detail panel (if a card is expanded) ── + const allCards = [...cards, ...loose]; + const expanded = allCards.find(c => c.key === expandedKey); + if (expanded) { + renderDetail(dv.container, expanded); + } + + injectStyles(); +} + +function renderCard(parent, card) { + const isExpanded = expandedKey === card.key; + const wrap = parent.createEl("div", { cls: "pd-card" + (isExpanded ? " pd-card-active" : "") }); + + const top = wrap.createEl("div", { cls: "pd-card-top" }); + + const statusIcon = top.createEl("span", { cls: "pd-status-icon" }); + statusIcon.textContent = STATUS_ICON[card.status] ?? 
"○"; + + const titleEl = top.createEl("span", { cls: "pd-card-title" }); + titleEl.textContent = card.title; + + const dot = wrap.createEl("span", { cls: "pd-dot pd-channel-dot" }); + dot.style.background = CHANNEL_COLORS[card.channel] ?? "#888"; + dot.title = card.channel; + + wrap.onclick = () => { + expandedKey = isExpanded ? null : card.key; + render(); + }; +} + +function renderLooseCard(parent, card) { + const isExpanded = expandedKey === card.key; + const wrap = parent.createEl("div", { cls: "pd-loose-card" + (isExpanded ? " pd-card-active" : "") }); + + const statusIcon = wrap.createEl("span", { cls: "pd-status-icon" }); + statusIcon.textContent = STATUS_ICON[card.status] ?? "○"; + + const titleEl = wrap.createEl("span", { cls: "pd-card-title" }); + titleEl.textContent = card.title; + + const dots = wrap.createEl("span", { cls: "pd-dots" }); + for (const ch of (card.channels ?? [])) { + const dot = dots.createEl("span", { cls: "pd-dot" }); + dot.style.background = CHANNEL_COLORS[ch] ?? "#888"; + dot.title = ch; + } + + wrap.onclick = () => { + expandedKey = isExpanded ? null : card.key; + render(); + }; +} + +function renderDetail(parent, card) { + const panel = parent.createEl("div", { cls: "pd-detail" }); + panel.createEl("div", { cls: "pd-detail-title", text: card.title }); + + const fm = card.fm; + const rows = [ + ["Status", fm.status], + ["Language", fm.language], + ["Proposition", fm.proposition], + ["Audience", fm.audience], + ["Channels", fm.channels], + ["Content type", fm["content-type"]], + ["Series", fm["series-title"] ? `${fm["series-title"]} (${fm["series-id"]}, part ${fm["series-part"]})` : null], + ["Publish dates",fm["publish-dates"] ? Object.entries(fm["publish-dates"]).map(([k,v]) => `${k}: ${v}`).join("\n") : null], + ["Published URLs",fm["published-urls"] ? Object.entries(fm["published-urls"]).map(([k,v]) => `${k}: ${v}`).join("\n") : null], + ["Source notes", fm["source-notes"]], + ["Tags", fm.tags?.length ? 
fm.tags : null], + ["ISO tags", fm.isotags?.length ? fm.isotags : null], + ["File", card.path], + ]; + + const table = panel.createEl("table", { cls: "pd-detail-table" }); + for (const [label, val] of rows) { + if (val === null || val === undefined || val === "" || (Array.isArray(val) && val.length === 0)) continue; + const tr = table.createEl("tr"); + tr.createEl("td", { cls: "pd-detail-label", text: label }); + const td = tr.createEl("td", { cls: "pd-detail-value" }); + td.textContent = fmtMeta(val); + } +} + +// ─── STYLES ────────────────────────────────────────────────────────────────── +function injectStyles() { + const id = "pd-styles"; + if (document.getElementById(id)) return; + const style = document.createElement("style"); + style.id = id; + style.textContent = ` + .pd-header { + display: flex; + align-items: center; + gap: 12px; + margin-bottom: 10px; + } + .pd-week-label { + font-weight: 600; + font-size: 0.95em; + } + .pd-nav-btn { + padding: 3px 10px; + border-radius: 4px; + border: 1px solid var(--interactive-normal); + background: var(--interactive-normal); + color: var(--text-normal); + cursor: pointer; + font-size: 0.85em; + } + .pd-nav-btn:disabled { + opacity: 0.35; + cursor: default; + } + .pd-legend { + display: flex; + flex-wrap: wrap; + gap: 12px; + margin-bottom: 14px; + font-size: 0.8em; + color: var(--text-muted); + } + .pd-legend-item { + display: flex; + align-items: center; + gap: 4px; + } + .pd-legend-status { + margin-left: 8px; + } + .pd-grid { + display: grid; + grid-template-columns: repeat(7, 1fr); + gap: 6px; + margin-bottom: 18px; + } + .pd-col { + background: var(--background-secondary); + border-radius: 6px; + padding: 6px; + min-height: 80px; + } + .pd-today { + outline: 2px solid var(--interactive-accent); + } + .pd-col-header { + font-size: 0.75em; + font-weight: 600; + color: var(--text-muted); + margin-bottom: 6px; + text-align: center; + } + .pd-card { + background: var(--background-primary); + border-radius: 4px; + 
padding: 5px 7px; + margin-bottom: 5px; + cursor: pointer; + font-size: 0.78em; + border-left: 3px solid var(--interactive-accent); + line-height: 1.35; + } + .pd-card:hover, .pd-loose-card:hover { + background: var(--background-modifier-hover); + } + .pd-card-active { + outline: 2px solid var(--interactive-accent); + } + .pd-card-top { + display: flex; + align-items: flex-start; + gap: 4px; + } + .pd-status-icon { + flex-shrink: 0; + font-size: 0.9em; + margin-top: 1px; + color: var(--text-muted); + } + .pd-card-title { + flex: 1; + overflow: hidden; + display: -webkit-box; + -webkit-line-clamp: 3; + -webkit-box-orient: vertical; + } + .pd-channel-dot { + flex-shrink: 0; + margin-top: 3px; + } + .pd-dot { + display: inline-block; + width: 8px; + height: 8px; + border-radius: 50%; + flex-shrink: 0; + } + .pd-dots { + display: flex; + gap: 3px; + margin-left: 4px; + } + .pd-bucket { + background: var(--background-secondary); + border-radius: 6px; + padding: 10px 12px; + margin-bottom: 16px; + } + .pd-bucket-header { + font-size: 0.8em; + font-weight: 600; + color: var(--text-muted); + margin-bottom: 8px; + text-transform: uppercase; + letter-spacing: 0.04em; + } + .pd-loose-card { + display: flex; + align-items: center; + gap: 6px; + background: var(--background-primary); + border-radius: 4px; + padding: 5px 8px; + margin-bottom: 4px; + cursor: pointer; + font-size: 0.82em; + } + .pd-detail { + background: var(--background-secondary); + border-radius: 6px; + padding: 14px 16px; + margin-top: 6px; + } + .pd-detail-title { + font-weight: 600; + margin-bottom: 10px; + font-size: 0.95em; + } + .pd-detail-table { + border-collapse: collapse; + font-size: 0.82em; + width: 100%; + } + .pd-detail-table tr { + border-bottom: 1px solid var(--background-modifier-border); + } + .pd-detail-label { + color: var(--text-muted); + padding: 4px 12px 4px 0; + white-space: nowrap; + vertical-align: top; + font-weight: 500; + width: 120px; + } + .pd-detail-value { + padding: 4px 0; + 
white-space: pre-wrap; + word-break: break-word; + } + `; + document.head.appendChild(style); +} + +// ─── BOOT ──────────────────────────────────────────────────────────────────── +render(); +``` diff --git a/marketing/publications/posts/s01p04en - Good intentions dont scale.md b/marketing/publications/posts/Good intentions dont scale.md similarity index 84% rename from marketing/publications/posts/s01p04en - Good intentions dont scale.md rename to marketing/publications/posts/Good intentions dont scale.md index 17b4a9e..a1bf1cb 100644 --- a/marketing/publications/posts/s01p04en - Good intentions dont scale.md +++ b/marketing/publications/posts/Good intentions dont scale.md @@ -29,7 +29,7 @@ tags: [] Good intentions don't scale. -Information security often hinges on that one IT administrator who always asks a control question before committing a change. The power user that (MORE EXAMPLES WILL BE ADDED LATER) . And that's great — until they leave, change roles, or get overloaded. +Information security often hinges on key employees: that one IT administrator who always asks a control question before committing a change. The power user that (MORE EXAMPLES WILL BE ADDED LATER) . And that's great — until they leave, change roles, or get overloaded. You don't need more 'awareness' in your organization. You need a process that keeps working, even when people change, tools change, and regulations change. A process that makes risks visible, assigns ownership, and allows for correction before things go wrong. diff --git a/marketing/publications/posts/s02p03nl - Waar begin je?.md b/marketing/publications/posts/s02p03nl - Waar begin je.md similarity index 100% rename from marketing/publications/posts/s02p03nl - Waar begin je?.md rename to marketing/publications/posts/s02p03nl - Waar begin je.md
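Review bot: In the S02.2 transcription hunk (`@@ -18,4 +18,67 @@`), the added lines carry the raw speech-to-text output unchanged, so mis-transcribed identifiers that will mislead anyone reading the corpus go in as-is: "NIST2 regulations" where the EU NIS2 directive is meant, "a clause 341" (read as "clause 3.41", matching the "5. 1" / "5. 2" clause style used later in the same paragraph), "2700001", "ISO 37000 and one" for ISO 37001, "ISO 2000-" cut off mid-number, plus the "uh"/"um" fillers throughout. The closing summary sentence "organizations can two or more management systems by integrating them" is also missing its verb. Since the purpose of this commit is to restructure the paragraph into separate lines, it would be worth normalizing the standard numbers ("ISO 9001", "ISO 14001", "ISO 27001", "ISO 37001") in the same pass, and adding the trailing newline: both the removed and the added version end with "\ No newline at end of file".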
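Review bot: In the posts-dashboard.md hunk, `collectCards` silently loses any post whose `publish-dates` entry does not parse: `new Date(rawDate)` yields an Invalid Date, `hasAnyDate` has already been set to true so the post is not placed in the unscheduled bucket, and `c.date.toDateString() === day.toDateString()` never matches, so the card appears nowhere in the dashboard. Check `isNaN(d.getTime())` right after constructing `d` and `continue` before setting `hasAnyDate = true`, so a malformed date falls through to the "Unscheduled" bucket where it is visible. Two smaller points in the same block: `nextBtn.disabled = weekOffset >= 0` makes every `scheduled` card dated in a future week unreachable from the grid, which defeats the scheduling view, and `key: p.file.name + "::" + ch` collides for two notes with the same basename in different subfolders, whereas `p.file.path` (already collected as `path`) is unique.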
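Review bot: In the "Good intentions dont scale" hunk (`@@ -29,7 +29,7 @@`), the placeholder "The power user that (MORE EXAMPLES WILL BE ADDED LATER) ." survives the edit, with a stray space before the period, so the draft marker would ship with the post if it is published from this file; either add the examples now or remove that sentence until they exist. The rename is also inconsistent with the sibling rename in the same commit: this file drops its "s01p04en - " series prefix entirely, while "s02p03nl - Waar begin je?.md" keeps its prefix and only loses the "?", so the posts folder ends up with two naming schemes.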