diff --git a/Content Factory/PROJECT 5 - Librarian.md b/Content Factory/PROJECT 5 - Librarian.md index b79b77d..f5e9738 100644 --- a/Content Factory/PROJECT 5 - Librarian.md +++ b/Content Factory/PROJECT 5 - Librarian.md @@ -1,6 +1,12 @@ +--- +title: "Librarian System Prompt" +notetype: other +last-updated: 2026-06-02 +tags: [] +--- + # Agent 1 — Librarian — project instructions -``` You are the Librarian for ISO27DIY, a B2B SaaS product that helps SMEs implement ISO27001 without hiring consultants. @@ -20,7 +26,7 @@ You have four tasks. You will be told which task to perform each session. TASK 1 — FRONT MATTER FOR NEW NOTES When asked to process a new note or set of notes, produce front matter -for each, following the guidelines in Content Factory/Corpus Metadata.md. +for each, following the guidelines in `iso27diy-corp/metadata/corpus-metadata.md`. --- @@ -52,6 +58,18 @@ articles, newsletter topics, LinkedIn posts, forum answers, etc.] **Fetch priority:** [High / Medium / Low — how often the content agents are likely to need the full note] +Each overview note must include the following front matter: + +```yaml +--- +title: "" # e.g. "Corpus Overview: ISO 27002 Controls (EN)" +notetype: overview +covers: "" # vault path of the folder this note describes +last-updated: "" # ISO 8601 date, e.g. 2026-06-02 +tags: [] +--- +``` + Rules: - Be specific. Vague summaries are useless. - Do not invent content not present in the notes @@ -59,8 +77,10 @@ Rules: after the title - Group closely related notes under one entry but list each path individually - Process all notes in the folder before responding +- Set `last-updated` to the date the overview note is created Name the output file: corpus-overview-[foldername].md +Save to: `iso27diy-corp/metadata/overviews/` --- @@ -74,6 +94,7 @@ When asked to update an overview note due to changes in the vault: - Update entries for changed notes - Mark retired notes with [RETIRED] and a one-line explanation - Update any related-notes references affected by the changes +4. Update `last-updated` in the front matter to today's date Do not rewrite entries that have not changed. @@ -88,7 +109,8 @@ After updating, produce a change summary: TASK 4 — MAINTAIN THE CORPUS INDEX NOTE The corpus index note is a single note that lists all corpus overview notes with -a one-line description of what each covers. +a one-line description of what each covers. It lives at +`iso27diy-corp/metadata/corpus-index.md`. When asked to update the corpus index note: 1. Read the current corpus index note @@ -114,4 +136,3 @@ GENERAL RULES - After completing any task, list any issues you encountered that the human should be aware of: gaps, inconsistencies, notes that need attention, structural problems in the vault -``` \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S01 - Course objectives and structure.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S01 - Course objectives and structure.md index bd9dd80..1d776b4 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S01 - Course objectives and structure.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S01 - Course objectives and structure.md @@ -7,5 +7,6 @@ tags: # Section 1: Training course objectives and structure -An auditor’s competence consists of Knowledge, Skill and Behaviour +- An auditor’s competence consists of Knowledge, Skill and Behavior. +- diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-02 at 20.02.03.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-02 at 20.02.03.png new file mode 100644 index 0000000..f3543da Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-02 at 20.02.03.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S01-Course-objectives-and-structure.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S01-Course-objectives-and-structure.md index 18ce008..1bce928 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S01-Course-objectives-and-structure.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S01-Course-objectives-and-structure.md @@ -16,4 +16,76 @@ This session introduces the PECB ISO 27001 Lead Auditor training course, deliver ## Transcription -Hi, my name is Nathalie Klaas. I'm from Belgium and I have my own company in Belgium. Where I help organizations with the implementation of ISO 27001 and ISO 9001. Besides the implementation um projects that I do. I'm also an external lead auditor for ISO 27001 and ISO 9001. Besides my work for customers, I also teach at university and of course for people This training course is intended to help participants strengthen their knowledge and skills which help them when auditing an ISMS. So from an educational perspective, competence consists of the following three elements, knowledge, skill, and behavior. So we will be working on all three of them. By the end of the course, you will be able to explain the fundamental concepts and principles of competence. An information security management system based on ISO 27001. You will be able to interpret the ISO 27001 requirements for an ISMS from the perspective of an auditor You will be able to evaluate the ISMS conformity to ISO 2701 requirements in accordance with the fundamental audit concepts and Principles, you will be able to plan, conduct and close an ISO 2701 compliance audit, and you will be able to manage an ISO 27001 audit program. In section one, we will be talking a little bit how the training is structured, what are the objectives of the structure, and of course we will talk a little bit about the examination and certification. alongside with some explanation about PECB. Now this course is really intended to help you to be able to conduct an ISO 27001 audit. So by the end of the training course you will be able to explain and understand the fundamental concepts and principles of an information security management. System based on the ISO 27001. You will also be able to interpret the ISO 2701 requirements from an ISMS from the perspective of an auditor You will be able to evaluate those requirements in accordance with the fundamental audit concepts and principles. You will be able to plan, conduct, and close an ISO 27001 compliance audit in accordance with the ISO 17021-1 requirements, ISO 1911 guidelines, and other best practices of auditing. And finally, you will be able to manage an ISO 27001 audit program. From an educational perspective, competence consists out of knowledge, skills, and behavior. So we will be working on those three elements throughout the course. The training course for an ISO 27001 lead auditor is intended for both internal and external auditors. The necessary competences for internal and external auditors are common throughout all types of audits. The characteristics of the different types of audits will be explained during this training course. Internal audits will be discussed in a dedicated section in the last day. The objectives of this training course is to really help you to acquire that knowledge on audit techniques and not acquire expertise in information. security management. However, basic knowledge of information security management concepts is necessary to be able to conduct a successful audit. Now when going through the course, we will do a couple of notes, you will get a lot of examples, you will be able to do a lot of um readings as well so when you want to have some little bit more information because this is an online course of course you will not be able to have discussions with the participants But you can find additional information on the PECB website, where you can find additional worksheets, additional articles and toolkits where you can find a lot of information that will help you Grow your knowledge even further. This training course has been created when looking at the best practices in a couple of areas So the course is really based on ISO 1911, which provides guidelines on auditing management systems, including the principles of auditing. ISO 1911 also talks about how you should manage an audit program and how you should conduct management system audits, as well as guidance on the evaluation of the competence of individuals that are involved in that audit. process. So it applies to all organizations that wish to conduct both internal and external audits. We also had a look at the International Federation of Accountants This is a global organization which is focused, as the name states, for accountant. It operates in more than 130 countries with over more than 175 members and associates to protect public interest by encouraging the use of best practices in accounting. So standards developed by the IFAC provide guidance in the following fields, so it's audit, insurance, control and services related to quality, training, ethics and accounting. We also use the Institute of Internal Auditors. This is a global organization that advocates, educates, and connects internal auditors worldwide. It also develops international guidance almost exclusively for those internal audits. This guidance is based on careful analysis consultation and the fundamental principles concerning the performance of internal audit services by members of the Institute of Internal Auditors. And lastly, we also had a look at the generally accepted auditing standards, which are auditing standards developed by the American Institute of Certified Public Accountants including general standards, standards by activity sector and reporting standards with interpretation. So you see we have based the content of the course of a lot of worldwide best-known best practices To include it in the training course. Now, when talking about the exam, after you've completed the full e-learning course, you will be able to take an exam. The exam will be focused on the seven competency domains that We will be talking about throughout the course. So let me walk you through the seven competency domains. First of all, there will be questions about the fundamental principles and concepts of an information security management system. Of course, there will also be questions about security management system requirements. There will be questions about fundamental audit concepts and principles. Fourthly, there will be questions about preparing an ISO 27001 audit, as well as conducting an ISO 27001 audit and closing an ISO-2111. 27,000 audits. And lastly, you will get some questions about managing an ISO 27,000 audit program. So the purpose of the certification exam is really to evaluate whether candidates have to grasp the audit concept and techniques so that they are able to plan, manage, conduct an audit program and as well lead a team of auditors. The PECB Examination Committee ensures that the exams questions are adequate and based on professional practices. So all of the competency domains as I stated will be covered during the exam. If you wish to get more information on how the exam is set up, how the examination works, you can also find a little bit more information On the PECB website. Passing the exam is not enough to earn your certification. It is, of course, the first step, but you need to meet all the prerequisites for certification. So, to get a PECB ISO 27000 lead auditor certified, you need to have a couple of things that you need to do. These prerequisites will be discussed later in the course as well, but I'll walk you briefly through Through them. So, first of all, you need to pass the exam. Secondly, you also need to adhere to the PECB Code of Ethics. You need to have at least five years of professional experience of which two of them are related to information security management. You need to be able to present at least three three hundred hours of related activity, so related to information information security management and auditing. You need to provide two professional references that will be checked by PECB. And if you have done all of those of If you checked all the boxes of those prerequisites, you will become a PECB ISO certified ISO 27001 lead auditor. And obviously, after you received your certificate, you will need to maintain your certificate. certification. More information about that will also be given later on in the course. The PECB certificate will look like the one that you have in front of you on the slide So we'll you will receive that um through via your PECB dashboard. So you will be able to find it there. You will be able to download in a PDF format, and you will also be able through the PEC PCB dashboard to gain your credly digital badge because PCB partnered with Credly, so it will allow you to also download that digital badge which you can use on your resume or on your digital media media like LinkedIn to also show to your network that you have achieved a new certification. Lastly I want to talk a little bit about PECB PECB is Professional Evaluation and Certification Board, is a certification body that provides education, certification, and certification. certificate programs for individuals on a wide range of discipline. Besides the training programs, PCB also offers PCB skills, which is a new format where you can find snackable content in a wide range of expertise. And you have also the piece store where you can find a lot of um useful um uh standards as well where you can buy the standards but also white papers articles toolkits and so on The mission of PECB is really to provide their clients with comprehensive examination and certification services that inspire trust and benefit the society as a whole. Their vision is to become the global benchmark for the provision of professional certification services, and their values are integrity, professionalism, and fairness. PCB helps professionals show commitment and competence by providing them with valuable education, evaluation, and certification against internationally recognized standards. Their principal objectives and activities are establishing the minimum requirements necessary to certify professionals. Reviewing and verifying the qualification of applicants for eligibility to be considered for the certification evaluation. Developing and maintaining reliable, valid and current certification evaluations, granting certificates to qualified candidates, maintaining records and publishing a directory of the holders of valid certificates. Establishing requirements for the periodic renewal of certification and determining compliance with those requirements. Ascertaining that our clients meet ethical standards in their professional practice and lastly representing its members where appropriate in matters of common interest. \ No newline at end of file +Hi, my name is Nathalie Klaas. I'm from Belgium and I have my own company in Belgium. Where I help organizations with the implementation of ISO 27001 and ISO 9001. Besides the implementation um projects that I do. I'm also an external lead auditor for ISO 27001 and ISO 9001. Besides my work for customers, I also teach at university and of course for people. + +This training course is intended to help participants strengthen their knowledge and skills which help them when auditing an ISMS. So from an educational perspective, competence consists of the following three elements, knowledge, skill, and behavior. So we will be working on all three of them. + +By the end of the course: + +- you will be able to explain the fundamental concepts and principles of competence an information security management system based on ISO 27001, +- You will be able to interpret the ISO 27001 requirements for an ISMS from the perspective of an auditor, +- You will be able to evaluate the ISMS conformity to ISO 27001 requirements in accordance with the fundamental audit concepts and principles, +- You will be able to plan, conduct and close an ISO 27001 compliance audit, +- and you will be able to manage an ISO 27001 audit program. + +In section one, we will be talking a little bit how the training is structured, what are the objectives of the structure, and of course we will talk a little bit about the examination and certification, alongside with some explanation about PECB. + +Now this course is really intended to help you to be able to conduct an ISO 27001 audit. So by the end of the training course you will be able to explain and understand the fundamental concepts and principles of an information security management system based on the ISO 27001. +You will also be able to interpret the ISO 27001 requirements from an ISMS from the perspective of an auditor. +You will be able to evaluate those requirements in accordance with the fundamental audit concepts and principles. +You will be able to plan, conduct, and close an ISO 27001 compliance audit in accordance with the ISO 17021-1 requirements, ISO 1911 guidelines, and other best practices of auditing. +And finally, you will be able to manage an ISO 27001 audit program. + +From an educational perspective, competence consists out of knowledge, skills, and behavior. So we will be working on those three elements throughout the course. The training course for an ISO 27001 lead auditor is intended for both internal and external auditors. The necessary competences for internal and external auditors are common throughout all types of audits. The characteristics of the different types of audits will be explained during this training course. Internal audits will be discussed in a dedicated section in the last day. + +The objectives of this training course is to really help you to acquire that knowledge on audit techniques and not acquire expertise in information security management. However, basic knowledge of information security management concepts is necessary to be able to conduct a successful audit. + +Now when going through the course, we will do a couple of notes, you will get a lot of examples, you will be able to do a lot of readings as well so when you want to have some little bit more information because this is an online course of course you will not be able to have discussions with the participants. But you can find additional information on the PECB website, where you can find additional worksheets, additional articles and toolkits where you can find a lot of information that will help you grow your knowledge even further. + +This training course has been created when looking at the best practices in a couple of areas. So the course is really based on ISO 19011, which provides guidelines on auditing management systems, including the principles of auditing. ISO 19011 also talks about how you should manage an audit program and how you should conduct management system audits, as well as guidance on the evaluation of the competence of individuals that are involved in that audit process. So it applies to all organizations that wish to conduct both internal and external audits. + +We also had a look at the International Federation of Accountants (IFAC). This is a global organization which is focused, as the name states, for accountant. It operates in more than 130 countries with over more than 175 members and associates to protect public interest by encouraging the use of best practices in accounting. So standards developed by the IFAC provide guidance in the following fields, so it's audit, insurance, control and services related to quality, training, ethics and accounting. + +We also use the Institute of Internal Auditors (IIA). This is a global organization that advocates, educates, and connects internal auditors worldwide. It also develops international guidance almost exclusively for those internal audits. This guidance is based on careful analysis, consultation, and the fundamental principles concerning the performance of internal audit services by members of the Institute of Internal Auditors. + +And lastly, we also had a look at the generally accepted auditing standards, which are auditing standards developed by the American Institute of Certified Public Accountants (AICPA) including general standards, standards by activity sector and reporting standards with interpretation. + +So you see we have based the content of the course of a lot of worldwide best-known best practices to include it in the training course. + +Now, when talking about the exam, after you've completed the full e-learning course, you will be able to take an exam. The exam will be focused on the seven competency domains that we will be talking about throughout the course. So let me walk you through the seven competency domains. + +1. First of all, there will be questions about the **fundamental principles and concepts** of an information security management system. +2. Of course, there will also be questions about **security management system requirements**. +3. There will be questions about **fundamental audit concepts and principles**. +4. Fourthly, there will be questions about **preparing an ISO 27001 audit**, +5. as well as **conducting an ISO 27001 audit** +6. and **closing an ISO 27001 audit**. +7. And lastly, you will get some questions about **managing an ISO 27001 audit program**. + +So the purpose of the certification exam is really to evaluate whether candidates have the grasp the audit concept and techniques so that they are able to plan, manage, conduct an audit program and as well lead a team of auditors. + +The PECB Examination Committee ensures that the exams questions are adequate and based on professional practices. So all of the competency domains as I stated will be covered during the exam. + +If you wish to get more information on how the exam is set up, how the examination works, you can also find a little bit more information On the PECB website. + +Passing the exam is not enough to earn your certification. It is, of course, the first step, but you need to meet all the prerequisites for certification. So, to get a PECB ISO 27000 lead auditor certified, you need to have a couple of things that you need to do. These prerequisites will be discussed later in the course as well, but I'll walk you briefly through through them. + +So, first of all, you need to pass the exam. Secondly, you also need to adhere to the PECB Code of Ethics. You need to have at least five years of professional experience of which two of them are related to information security management. + +You need to be able to present at least 300 hours of related activity, so related to information security management and auditing. + +You need to provide two professional references that will be checked by PECB. + +And if you have done all of those of If you checked all the boxes of those prerequisites, you will become a PECB ISO certified ISO 27001 lead auditor. + +And obviously, after you received your certificate, you will need to maintain your certification. + +More information about that will also be given later on in the course. The PECB certificate will look like the one that you have in front of you on the slide. So we'll you will receive that um through via your PECB dashboard. So you will be able to find it there. You will be able to download in a PDF format, and you will also be able through the PECB dashboard to gain your credly digital badge because PECB partnered with Creditly, so it will allow you to also download that digital badge which you can use on your resume or on your digital media media like LinkedIn to also show to your network that you have achieved a new certification. + +Lastly I want to talk a little bit about PECB. PECB stands for Professional Evaluation and Certification Board, it is a certification body that provides education, certification, and certification programs for individuals on a wide range of discipline. + +Besides the training programs, PECB also offers PECB skills, which is a new format where you can find snackable content in a wide range of expertise. And you have also the PECB store where you can find a lot of useful standards as well where you can buy the standards but also white papers articles toolkits and so on. + +The mission of PECB is really to provide their clients with comprehensive examination and certification services that inspire trust and benefit the society as a whole. Their vision is to become the global benchmark for the provision of professional certification services, and their values are integrity, professionalism, and fairness. PECB helps professionals show commitment and competence by providing them with valuable education, evaluation, and certification against internationally recognized standards. + +Their principal objectives and activities are: establishing the minimum requirements necessary to certify professionals. Reviewing and verifying the qualification of applicants for eligibility to be considered for the certification evaluation. Developing and maintaining reliable, valid and current certification evaluations, granting certificates to qualified candidates, maintaining records and publishing a directory of the holders of valid certificates. Establishing requirements for the periodic renewal of certification and determining compliance with those requirements. Ascertaining that our clients meet ethical standards in their professional practice and lastly representing its members where appropriate in matters of common interest. diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.1-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.1-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md index cd1d6dc..36842ae 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.1-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.1-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md @@ -16,4 +16,75 @@ This session introduces ISO as a global standards body and explains the ISO 2700 ## Transcription -Section 2 introduces you to the International Organization of Standardization, short for ISO, and provides an explanation of management systems and a definition of an ISMS. It also provides you with a summary of the development of ISO 27000 family of standards and elaborates on each of them. In addition, the advantages that organizations can obtain by implementing an ISMS based on ISO 27001 are also discussed. And lastly, we will also give a short explanation. On legal and regulatory conformity throughout the world in this section. So let's start with what is ISO. So ISO stands for the International Organization for Standardization. And it really consists about well, it's an international organization of national standards bodies, and it consists out of uh whole 160 countries So 160 countries contribute to the ISO organization. The final results of ISO works are published as international standards. And since the beginning, which was 1947, ISO has published over 24,000 standards. So I usually say if you can think about something, there will probably be a standard available for that. Now ISO applies a couple of principles when uh developing international standards. So firstly there needs to be a need in the market So ISO response to that need in the market. So that either comes from something that they see themselves or from formal requests. from industry sectors or stakeholders that can also be consumer groups. Typically the request for a standard is communicated to national members within a country that then contact the international standardization. organization. ISO standards are always based on global expert opinion. So ISO standards are developed By various technical committees. And those technical committees consist out of experts from all over the world. And these experts really negotiate all the aspects of the standard. including what is the scope, what are the key definitions, what is the content that needs to be added. ISO standards are developed through a multi-stakeholder process. So the technical committees, they consist out of global experts, but they consist out of experts from relevant industries but they also include consumer associations, academia, NGOs and governments. So it's really a multi-stakeholder process. And lastly, which also explains why it sometimes can take up to a couple of years before an ISO standard is published or renewed, ISO standards are based on consensus So the development of an ISO standard is based on a consensus approach. So it takes into account comments from all uh stakeholders and um all ISO country members uh regardless of um the size of the strength of the economy have the same footage within um the organization so that means that it uh sometimes takes a little bit of time um before a standard gets approved or gets developed. Everybody knows of course the ISO 27001 standard because that is the standard everybody knows and that everybody wants to get certified against However, the ISO 27001 is part of a bigger family of standards, which is called the ISO 27000 family of standards. On the slide you see an overview of the different types of standards that you have. So not all of the standards that are part of the ISO 27000 family of standards are standards against which you can get certified. So let's have a look at what are the standards that are on the slide. And we will go a little bit deeper in each of the standards in the following slide. So firstly, everything starts with the ISO 27000, which is really a vocabulary or dictionary that gives an explanation of all of the Yeah, all of the words, all of the terminology that is used in the rest of the standards. ISO 27001 specifies then the requirements for establishing, implementing, maintaining, and continually improving an ISMS. ISO 27701 specifies the requirements and provides guidance for establishing, implementing, maintaining, and continuing Improving a privacy information management system, also called PIMS, in the form of an extension to the ISO 27001. So it's basically an add-on to the ISO 27001 ISO 27006 specifies the requirements and provides guidance for bodies that want to provide audits and certify certification of an ISMS. So your certification body. That you contact to do an audit will need to have ISO 27006 in place. Then you have a couple of general guides that really help you with implementing your ISMS So the ISO 27002 is the one that is mostly known with everybody, as commonly known. It's a set, uh it's a reference set of generic information security controls, including with implementation guidance. So it gives an explanation of the annex A controls of the ISO 27001 and it helps you in understanding how you could potentially implement Them. ISO 2703 provides explanation and guidance on ISO 2701. So it basically is the manual on how you should implement an ISO 27. ISO 27004 gives guidelines to help organizations come up with good information security performance indicators So it has a whole standard which gives you indication on what can you use to measure the effectiveness of your ISMS. ISO 27005 provide guidance on information security risk management. ISO 27000 And uh and seven provides then guidance on managing an ISMS audit program, how you should conduct audits, what are the competences that an ISMS auditor uh should have um and you will see uh parts of that coming back throughout this course obviously um and then you we have a couple of other ones so um and lastly we have the ISO 27008 uh which provides guidance On reviewing and assessing the implementation and operation of the information security control. So that's really linked to the ISO 2702. And then you have a couple of uh industry specific uh standards and you also have the ISO 2700799 which provides guidelines for organizations in the health information industry implementing the controls provided by ISO twenty seven thousand and two. And you have a couple of them you have uh one for the health uh sector you have one um which Is 27011, which gives information on the telecoms industry, and you have a lot of other standards that provide insight either per sector or either per specification within the realm of information. Security. Now looking at the development of the ISO 27000 family of standards is actually uh begins already um in the early 90s or in the middle of uh the the 90s where um the British Standard 7799 was published, which was actually a code of conduct that was published by the British Standards Institution. Many of these controls that were in that original standard are still visible in the ISO 2702. So the the British standard was basically developed by the UK government and by the Department of Trade and Industry. So that document provided really practices for information security management, and it was intended to help organizations establish and implement an ISMS and ensure the availability, integrity and confidentiality of their information. So Uh moving on, in um basically in 2002, so seven years later, the BS uh seventy-seven nine nine um was published, which was an uh specification of that uh first uh code of practice. Um that was um at the previously published uh 7799 became then the dot one um so it gave a little bit more explanation In the meantime, in 2000, there was also a code of practice on information security management published by ISO itself. So it already took some elements from the British standard. And that standard was then called the ISO 17799. So the specifications became a little bit more clear. Eventually all of these documents uh became adopted by the ISO standards. So where the um British Standard 779 DOS 2 became the ISO 27000 and one and the one version became um the ISO 27000 and two. So um this logically uh puts the requirements first and the code of practice and the guidance is basically uh second. Um they were uh later um so 2013 ish um they were um and uh as well in between 2008 and 2012 they were um yeah supplemented by uh several other ISO standards like the 2700345 um and other uh specific um interpretive guidance uh standards were created. where the latest version of the ISO 27001 and 27002 standard were published in 2020. So you see you see the the history of the uh 27,000 family uh goes already a long way back where um we recently had in 20 The latest revision. So let's dive a little bit deeper in each of the standards. First of all, of course, the most important one I would almost say is the ISO 27000M1 So this standard really gives the requirements for establishing, implementing, maintaining, and improving an ISMS The clauses are expressed with the verb shell. So that means that it is a requirement, it's mandatory, so you cannot choose to do it. It is mandatory, so you need to implement it. The standard is applicable for all organizations, though it doesn't matter which industry you're in, what size you're in, what type of organization you are, you can use it in whatever format that you like Organizations can obtain certification against this standard. So it really helps you with getting that ESMS. implemented um and as we already also explained in the lead implementer course of course and there needs to be a link when implementing the ISO 2701, there needs to be a link with your business strategy. It's not set up in isolation. Um, and you set it up to really um Yeah, preserve the confidentiality, integrity, and availability of information by really applying that risk management process And to give confidence to your interested parties and your customers, your employees, your shareholders, that risks are adequately. managed. Looking at the ISO 27002, this standard gives guidance. So that means that the clauses are expressed with the verb should So um it really looks at the annex A controls that are present in the 27001. So it gives a little bit guidance on What is um what is the control about? So it gives uh the context of each control and what is the reason why a control was chosen by um the International Standardization Organization. It will give some guidance on how you could implement a certain control within an organization. It will give some best practices and it will also help you in developing organizations specific organization uh security guidelines. So this is really guidelines and there's nowhere written that organizations um are mandated to implement the controls as they've been written down in the 27-2 standard, but it helps you to give some insight. side that also means that um you cannot gain um certification against the ISO twenty seven thousand and two standard I use this standard a lot because it helps you when you have a discussion with your technical teams, when you're stuck in how it something should be implemented in an organization, then you can have a look at the best practice and you you can start your discussion from that point in time. The 2703 is also a guidance uh standard um so it gives guidance and explanation on the requirements of an ISO 27001 So it basically contains also 10 clauses with clauses 4 to 10 exactly mirroring the ISO 27001. So This document um does not contain any new requirements, but it really consists out of giving you an indication on how you should be implementing the ISO 27001. So you get some insight on what is meant with context of the organization, what is the standard expecting you to deliver there. Since it's a guidance standard, you can also not obtain certification against this. ISO 27701. That standard or this standard is an extension to the ISO 27001 and the ISO 27002 specifically for privacy manner. So it provides, as does the 2701, but it provides requirements and guidelines for establishing, implementing, maintaining, and continually improving a privacy information management system. Which is also called PIMPS in short. It provides guidance both for controllers and processors, information on or guidance on that personal identifiable information processing. Organizations can also obtain certification against this standard. It's usually done together with an ISO 27001 certification. Like an ISO 27001, this standard is also applicable to all types and size of the organization. So both public and private companies, government organizations. um which are uh PII controllers or PII processors. Um so it it follows the same structure as the ISO 27000 ISO 27009 provides requirements for creating sector-specific standards as an extension to the ISO 27001. So it really gives an explanation on how you can include specific requirements additional to those in 2701 um how you should interpret the 27001 requirements and how to include or modify controls in addition to those in ISO 27001 and ISO 2700 So if you would want to create a new ISO standard for your specific industry and there's no ISO standard available yet, this is the standard that you want to have a look at to understand how you can create additions to the already existing. Existing one. ISO 27010 and everything that comes after 27010 are sector-specific standards. So you have specific standards for telecommunication, for health. For finance and insurance, but you have also ISO standards for specific sectors related to information security. So you will find ISO standards on application security on cybersecurity, on security incident management, on privacy protection, 27,017 and 18. are both for public and private clouds. So for each of them you will find specific ISO standards that relate for that. So if you look on the website of the of ISO, you can find all of them and of course you can also purchase those either on the ISO website or on the PECB website. Website, you can uh purchase them as well. But you can find um really on everything that you can think about in information security, like storage, like privacy, like um incident investigation, incident response uh you can find um uh a lot of um isost standards uh related uh to that Now when looking at the implementation of an ISMS, besides having the certificates, there are a couple of advantages on implementing an ISO 27001. Firstly, it will of course help you to protect your data. That's the basis, that's the reason why you do it. So you will have robust data protection, so you will have enhanced security measures. That protects sensitive data from unauthorized access, from breaches, from leaks. And you will also be able to assure that you have the confidentiality integrity and availability of your data ensured. It will help you to assure compliance First of all, as security practices are aligned with laws and regulations, because that's a standard element in the ISO standard, and you will also adhere to data protection laws. You will be able to make a step up in risk management. You will be able to identify and evaluate information security risks And that will able enable the organization to really prioritize and also proactively address potential threats. You will be able to implement security controls and incident response plans, and that will also minimize, of course, the impact. of potential security incidents. You will be able to improve your security posture. You will be able to better manage Your information security threats, and you will be implementing, of course, a standard that is internationally recognized with internationally recognized information security controls And you will be able to prevent certain security incidents from happening. Prevent the prevention of security incidents. uh is uh of course cheaper than uh recovering from a cyber attack. So uh the financial losses that would be associated with a security incident will be less And you will have efficient resources, of course, to mitigate those risks. So you will be able to do a better resource allocation in line with the risk management that you've done. So there is a multitude of advantages that are related to an ISO twenty-seven thousand and one implementation, besides having the certificate So when starting with an ISO implementation, the goal should not be having the certificate. It's a nice reward, but all the other advantages should be the reason why you implement I saw twenty seven thousand and one. \ No newline at end of file +Section 2 introduces you to the International Organization of Standardization, short for ISO, and provides an explanation of management systems and a definition of an ISMS. + +It also provides you with a summary of the development of ISO 27000 family of standards and elaborates on each of them. In addition, the advantages that organizations can obtain by implementing an ISMS based on ISO 27001 are also discussed. + +And lastly, we will also give a short explanation on legal and regulatory conformity throughout the world in this section. + +So let's start with what is ISO. So ISO stands for the International Organization for Standardization. And it really consists about well, it's an international organization of national standards bodies, and it consists out of 160 countries. So 160 countries contribute to the ISO organization. + +The final results of ISO works are published as international standards. And since the beginning, which was 1947, ISO has published over 24,000 standards. So I usually say if you can think about something, there will probably be a standard available for that. + +Now ISO applies a couple of principles when uh developing international standards. So firstly there needs to be a need in the market So ISO response to that need in the market. So that either comes from something that they see themselves or from formal requests, from industry sectors or stakeholders that can also be consumer groups. Typically the request for a standard is communicated to national members within a country that then contact the international standardization organization. + +ISO standards are always based on global expert opinion. So ISO standards are developed by various technical committees. And those technical committees consist out of experts from all over the world. And these experts really negotiate all the aspects of the standard, including what is the scope, what are the key definitions, what is the content that needs to be added. ISO standards are developed through a multi-stakeholder process. So the technical committees, they consist out of global experts, but they consist out of experts from relevant industries, but they also include consumer associations, academia, NGOs and governments. So it's really a multi-stakeholder process. + +And lastly, which also explains why it sometimes can take up to a couple of years before an ISO standard is published or renewed, ISO standards are based on consensus. So the development of an ISO standard is based on a consensus approach. So it takes into account comments from all stakeholders and all ISO country members regardless of the size of the strength of the economy, have the same footage within the organization so that means that it sometimes takes a little bit of time before a standard gets approved or gets developed. + +Everybody knows of course the ISO 27001 standard because that is the standard everybody knows and that everybody wants to get certified against. However, the ISO 27001 is part of a bigger family of standards, which is called the ISO 27000 family of standards. On the slide you see an overview of the different types of standards that you have. + +![](CleanShot%202026-06-02%20at%2020.02.03.png) + + +Not all of the standards that are part of the ISO 27000 family of standards are standards against which you can get certified. So let's have a look at what are the standards that are on the slide. And we will go a little bit deeper in each of the standards in the following slide. + +- So firstly, everything starts with the ISO 27000, which is really a vocabulary or dictionary that gives an explanation of all of the words, all of the terminology that is used in the rest of the standards. +- ISO 27001 specifies then the requirements for establishing, implementing, maintaining, and continually improving an ISMS. +- ISO 27701 specifies the requirements and provides guidance for establishing, implementing, maintaining, and continuously improving a privacy information management system, also called PIMS, in the form of an extension to the ISO 27001. So it's basically an add-on to the ISO 27001. +- ISO 27006 specifies the requirements and provides guidance for bodies that want to provide audits and certification of an ISMS. So your certification body, that you contact to do an audit will need to have ISO 27006 in place. + +Then you have a couple of general guides that really help you with implementing your ISMS: + +- So the ISO 27002 is the one that is mostly known with everybody, as commonly known. It's a reference set of generic information security controls, including with implementation guidance. So it gives an explanation of the annex A controls of the ISO 27001 and it helps you in understanding how you could potentially implement them. +- ISO 27003 provides explanation and guidance on how you should implement the ISO 27001 ISMS. +- ISO 27004 gives guidelines to help organizations come up with good information security performance indicators So it has a whole standard which gives you indication on what can you use to measure the effectiveness of your ISMS. +- ISO 27005 provides guidance on information security risk management. +- ISO 27007 provides guidance on managing an ISMS audit program, how you should conduct audits, what are the competences that an ISMS auditor should have, and you will see parts of that coming back throughout this course, obviously. +- Lastly we have the ISO 27008, which provides guidance on reviewing and assessing the implementation and operation of the information security controls. So that's really linked to the ISO 27002. +- And then you have a couple of industry specific standards, like the ISO 27799 which provides guidelines for organizations in the health information industry, implementing the controls provided by ISO 27002 for the health sector. +- The 27011 gives information on the telecoms industry, and you have a lot of other standards that provide insight either per sector or per specification within the realm of information security. + +Now looking at the development of the ISO 27000 family of standards, it actually begins already in the middle of the 90s, where the British Standard 7799 was published, which was actually a code of conduct that was published by the British Standards Institution. Many of these controls that were in that original standard are still visible in the ISO 27002. So the the British standard was basically developed by the UK government and by the Department of Trade and Industry. So that document provided really practices for information security management, and it was intended to help organizations establish and implement an ISMS and ensure the availability, integrity and confidentiality of their information. + +So moving on, basically in 2002, so seven years later, the BS 7799-2 was published, which was a specification of that first code of practice. The previously published 7799 became then the 7799-1. It gave a little bit more explanation. In the meantime, in 2000, there was also a code of practice on information security management published by ISO itself. It already took some elements from the British standard, and that standard was then called the ISO 17799. So the specifications became a little bit more clear. + +Eventually all of these documents became adopted by the ISO standards. So where the British Standard 7799-2 became the ISO 27001, and the 7799-1 version became the ISO 27002. So um this logically puts the requirements and the code of practice first, and the guidance is basically second. Between 2008 and 2012 they were supplemented by several other ISO standards like the 27003, -4, -5 and other specific interpretive guidance standards. The latest version of the ISO 27001 and 27002 standard were published in 2022. So you see you see the the history of the 27000 family already goes a long way back we recently 2022 had the latest revision. + +So let's dive a little bit deeper in each of the standards. First of all, of course, the most important one I would almost say is the ISO 27001. So this standard really gives the requirements for establishing, implementing, maintaining, and improving an ISMS. The clauses are expressed with the verb ***shall***. So that means that it is a requirement, it's mandatory, so you cannot choose to do it. It is mandatory, so you need to implement it. The standard is applicable for all organizations, though it doesn't matter which industry you're in, what size you're in, what type of organization you are, you can use it in whatever format that you like. Organizations can obtain certification against this standard. So it really helps you with getting that ISMS implemented. + +When implementing the ISO 27001, there needs to be a link with your business strategy. It's not set up in isolation. You set it up to preserve the confidentiality, integrity, and availability of information by applying the risk management process, and to give confidence to your interested parties and your customers, your employees, your shareholders, that risks are adequately managed. + +Looking at the ISO 27002, this standard gives guidance. So that means that the clauses are expressed with the verb ***should***. It looks at the annex A controls that are present in the 27001, and gives bit guidance on what the control is about. So it gives the context of each control and what is the reason why a control was chosen by the International Standardization Organization. It will give some guidance on how you could implement a certain control within an organization. It will give some best practices and it will also help you in developing organization specific security guidelines. + +So this is really guidelines and there's nowhere written that organizations um are mandated to implement the controls as they've been written down in the 27002 standard, but it helps you to give some insight. That also means that you cannot gain certification against the ISO 27002. I use this standard a lot because it helps you when you have a discussion with your technical teams, when you're stuck in how it something should be implemented in an organization, then you can have a look at the best practice and you you can start your discussion from that point in time. + +The 27003 is also a guidance standard giving guidance and explanation on the requirements of an ISO 27001 ISMS. So it basically contains also 10 clauses, with clauses 4 to 10 exactly mirroring the ISO 27001. So this document does not contain any new requirements, but it gives you an indication on how you should be implementing the ISO 27001. So you get some insight on what is meant with context of the organization, what is the standard expecting you to deliver there. Since it's a guidance standard, you can also not obtain certification against this. + +ISO 27701. That standard or this standard is an extension to the ISO 27001 and the ISO 27002, specifically for privacy management. So it provides, as does the 27001, but it provides requirements and guidelines for establishing, implementing, maintaining, and continually improving a privacy information management system (which is also called PIMS in short). It provides guidance both for controllers and processors, information on or guidance on personal identifiable information processing. Organizations can also obtain certification against this standard. It's usually done together with an ISO 27001 certification. Like an ISO 27001, this standard is also applicable to all types and size of the organization. So both public and private companies, government organizations, which are PII controllers or PII processors. It follows the same structure as the ISO 27001. + +ISO 27009 provides requirements for creating sector-specific standards as an extension to the ISO 27001. So it really gives an explanation on how you can include specific requirements additional to those in 27001, how you should interpret the 27001 requirements, and how to include or modify controls in addition to those in ISO 27001 and ISO 27002. So if you would want to create a new ISO standard for your specific industry and there's no ISO standard available yet, this is the standard that you want to have a look at to understand how you can create additions to the already existing ones. + +ISO 27010. and everything that comes after 27010, are sector-specific standards. So you have specific standards for telecommunication, for health, for finance and insurance, but you have also ISO standards for specific sectors related to information security. So you will find ISO standards on application security on cybersecurity, on security incident management, on privacy protection, 27017 and 27018 are both for public and private clouds. So for each of them you will find specific ISO standards that relate for that. + +So if you look on the website of the of ISO, you can find all of them and of course you can also purchase those either on the ISO website or on the PECB website you can purchase them as well. But you can find really on everything that you can think about in information security, like storage, like privacy, like incident investigation, incident response, you can find a lot of ISO standards related to that. + +Now, when looking at the implementation of an ISMS, besides having the certificates, there are a couple of advantages on implementing an ISO 27001: + +- Firstly, it will of course help you to protect your data. That's the basis, that's the reason why you do it. So you will have **robust data protection**, so you will have enhanced security measures. That protects sensitive data from unauthorized access, from breaches, from leaks. And you will also be able to assure that you have the confidentiality integrity and availability of your data ensured. +- It will help you to **assure compliance**. First of all, as security practices are aligned with laws and regulations, because that's a standard element in the ISO standard, and you will also adhere to data protection laws. +- You will be able to make a **step up in risk management**. You will be able to identify and evaluate information security risks, and that will enable the organization to really prioritize and also proactively address potential threats. You will be able to implement security controls and incident response plans, and that will also minimize, of course, the impact. of potential security incidents. +- You will be able to **improve your security posture**. You will be able to better manage your information security threats, and you will be implementing, of course, a standard that is internationally recognized, with internationally recognized information security controls. +- And you will be able to **prevent certain security incidents from happening**, which is of course cheaper than recovering from a cyber attack. So the financial losses that would be associated with a security incident will be less, and you will have efficient resources to mitigate those risks. So you will be able to do a better resource allocation in line with the risk management that you've done. + +So there is a multitude of advantages that are related to an ISO 27001 implementation, besides having the certificate. So when starting with an ISO implementation, the goal should not be having the certificate. It's a nice reward, but all the other advantages should be the reason why you implement ISO 27001. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.2-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.2-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md index 867beb8..0ccc3e1 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.2-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.2-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md @@ -16,4 +16,6 @@ This session covers the legal and regulatory landscape relevant to information s ## Transcription -ISO uh standards uh more specifically in the annex A, and we have a clause um 531 Which says legal, statutory, regulatory, and contractual requirements. So an organization needs to understand what are those requirements That are relevant for uh the business that you're in, the type of organization that you're in. So the purpose of that control is really to ensure that compliance. I still see a lot of organizations when auditing that don't really know what are the applicable laws and regulations that needs to be there. So whatever organizations should do is to start either with their legal counsel or they need to hire a lawyer to help them with that To understand what are all the laws and regulations that have an impact on the organization. That can be quite a lot depending on the organization that you're in there, but you need to uh check If you are compliant, you need to check what are the different countries that I'm working for. Are the countries, do I have all the laws and regulations? What specific clause in the law do I need to adhere to? And how have I tackled that? What are the specific processes? What are the policies that I use to be able to show that conformity So that ISO 27000 and one can really help you with that to really get a step up in that good overview of laws and regulations. Now there are a lot of key areas um especially nowadays it was different fifty years ago, but uh today There are a lot of key areas that should be considered. On the slide you see a couple of things that you really need to think about if they are applicable for your organization And let's walk through them one by one. First of all, data protection. Today there are a lot of countries. That have established data protection laws and regulations, think about the GDPR, that really aim at protecting, safeguarding data and data subjects. Organizations need to understand what is the law and regulation, and we need to have procedures and processes in place to ensure that we can protect that personal identifiable information. we can adhere to any requests that data subjects have and we can uh look at that. Related to data protection is of course privacy. Privacy, also in order to comply with certain laws, many organizations are also obliged to establish a policy for ensuring information privacy Throughout which they increase awareness of those statutory, regulatory, and business requirements regarding the treatment and protection of that personal information. So data protection and privacy usually go hand in hand. Cybercrime is another thing to consider. They encompass any illegal activity that is performed through a computer and network. And that is intended to really harm the organization system and gain unauthorized access to the data. Targeted organizations might experience financial and reputational damage In order to prevent and to respond to those activities, organizations should also establish procedures like an incident management procedure, um like uh ways uh for ethical hackers uh to provide them with information. Um so um protective measures as stated are are not considered as crime but also there you need to see what is applicable in your country. Sometimes ethical hacking um needs to uh adhere to certain um yeah specific guidelines and I'm talking from Belgium of course and Belgium it's it's only for one or two years that it's really legal uh to perform ethical hacking. Um and To communicate to an organization that you find some vulnerabilities. So you really need to check what is legal in your country that you reside and how can you take care of that in your organization. Dignital signatures is something else that is really something of the last years. We used to sign everything in paper. That time is far behind us. So an electronic signature today is um it it helps organizations of course to verify the um authenticity of a message or a document and by verifying the author. To check if the content has been modified. As a result, an electronic document that is digitally signed has the same legal validity as a hard copy. So, like a document document that is signed in handwriting, as long as there are regulations that give that full legal value to it. And some countries Electronic records must ensure the um preservation of uh traces as evidence of that integrity. So there you need to see okay what is the tool that we are going to use To provide those dignity, what are the certificates, for example, that are used, and what is the law again that we need to look at Intellectual property is something that you need to think about, both your own intellectual property and what how do you work with customers and how is intellectual property taken care of there, but also the intellectual property of your employees. Ensure that you have everything written down in contracts so that There is no reason to come to a conclusion later. Also, there I see a lot of companies that take care of the intellectual property with their customers, but forget that their employees also have intellectual property. Electronic payments. If your organization has a web store or something like that, electronic payments laws have been created as well. So you need to check if there is something that you need to adhere to there in ensuring that you protect the rights of the clients of which you receive those electronic payments. And then lastly we have the records management. Some national laws also require from organizations that they establish procedures for identifying, classifying, storing, modifying, and even destroying records ISO 15489. 1 delivers those specific contents or concepts and guidance that can help you in that records. So you see there are a lot of um key areas that you need to consider uh because there are a lot of uh relevant laws that might be there. So after um the so now we've spoken about the key areas Let's dive a little bit deeper into all the information security and data protection laws by region. For sure, not all of the laws have been added because that would lead us a little bit too far, of course. But um you do well um especially also when you're auditing um to uh have a general understanding about general laws that are applicable for on a country level at least And then you can still have a look. Companies need to know what is specifically for their industry applicable. So let's start with America, starting with North America. You have, of course, the HIPAA, which is the health insurance Portability and Accountability Act. It regulates the privacy and security of medical information in the United States So that's very specific for the United States. A lot of companies that are working in the United States and that have have their headquarters in the United States put those requirements also on European organizations. So it's not because it's applicable in the US that everybody who's residing in the EU is no longer falling under it. So HIPAA might be something that you need to take in. into account. So if you're auditing a finance company, that might be something that you want to check upon. Surveyus Oxley Act, a well-known act, short SOX regulates financial reporting and auditing requirements for public organizations in the United States. So public organization The California Consumer Privacy Act, the CCPA, that comes back if you're working with um US organizations, which is Is a little bit similar like the GDPR. It regulates how organizations handle California residents' personal information So it's only applicable to California. The New York State Department of Financial Services Cybersecurity Regulation, in short, 23 NYCRR 500 Requires financial institutions to establish and maintain a cybersecurity program. Personal Information Protection and Electronic Documents Act, which is called PIPEDA Regulates how Canadian private sector organizations collect, use, and disclose personal information And then lastly, the Personal Information Protection Act, in short, PIPA, is a privacy law that governs the collection, use and disclosure of personal information by private sector organizations in British Columbia and Canada. So you see and the difficulty in North America is of course you have different states and different states have different laws, so you really need to have a look on, okay, what are the laws that they're uh looking at. Then uh jumping over um to South America, um there are also a couple of things that are in place. Um so in Brazil You have the General Personal Data Protection Act, and it's a data protection law that regulates the processing of personal data in Brazil. So it applies to both Brazilian but also foreign organizations that process personal data of individuals that are located in Brazil. In Argentina, you also have a personal data protection law, uh, which is number uh 25326 And that addresses the collection, processing, storage, and transfer of personal data. And under this law, individuals have the right to access, modify, and delete their personal data held by the data controllers as well as the right to object for the processing. So you see a lot of things coming back that were also part of the GDPR And then you have in Peru also the data protection law, a Peruvian law that regulates the processing of personal data by individuals and organizations. And the law aims to protect basically the privacy of individuals by establishing principles and requirements for collection, use, storage, and transfer of personnel. Looking at Europe, um, first of all, the GDPR, well known, regulates the privacy and security of personal information for individuals within the European Union. The NIST2 Directive is an initial EU-wide legislation on cybersecurity designed to attain a uniform and elevated level of cybersecurity throughout the member states. And then we also have the EU Cybersecurity Act, which creates basically a unified system for certifying ICT products, services, and processes related to cybersecurity in Europe. Then going to the other side of the globe, Asia. In China, there is a cybersecurity law which regulates the security of networks and personal information. In China. In Singapore, we have the Personal Data Protection Act, which regulates again the collection, use, and disclosure of personal data in Singapore. In India, we have the Information Technology Act, regulates electronic transactions and digital signatures in India. In Japan, we have the Act on the Protection of Personal Information, which regulates the handling of personal information in Japan. And also in Japan, we have the basic act on cybersecurity. Which establishes basic policies for Japan's cybersecurity efforts and it formulates also a cybersecurity strategy and it effectively advances cybersecurity initiatives. In Africa, South Africa, we have the protection of personal information, is also a data protection law in South Africa, and it applies to any individual or legal entity that handles personal data. In Mauritius, we have the Cybersecurity and Cybercrime Act of 2021. That's a law that deals with cybercrime and cybersecurity. So the act provides also for different penalties based on the severity of course of the offense committed and it can include a fine not exceeding two million uh rupees and imprisonment even um for a term um not exceeding 25 years so that That's already pretty hefty. In Tunisia, we have the Organic Act number 2463 on the protection of personal data. It's a primary legal framework for data protection in Tunisia. In Ghana, we have the Cybersecurity Act 2020. It promotes a safe and a secure digital environment and it also protects critical information infrastructures and combats cybercrime in Ghana. In Kenya, we have the Data Protection Act 2019, which regulates the processing of personal data and seeks to safeguard the privacy and data protection of individuals in Kenya. And then we have in Nigeria the data protection regulation, in short, NDPR, established in 2019. It's really the first comprehensive Data protection regulation in Nigeria, and it sets out the legal framework for again the protection of personal data in Nigeria. And then we still have Oceania left. There we have the Privacy Act 1988, which governs the handling of personal information by Australian government agencies and private organizations. So it requires organizations really to have a privacy policy, but also to obtain consent for collecting personal information and to provide access to those individuals to their own personal information. To assure that their personal information remains accurate, of course. In New Zealand, we have the Privacy Act 2020, which regulates the collection and disclosure of personal information in New Zealand. It applies to all organizations, also including Including government uh agencies. And then in Fiji we had the Cybercrime Act of uh 2001, um the which was enacted by the Fiji government um and that criminalizes range of cyber offenses, including the unauthorized access to computer systems, cyber stalking and cyberbullying. So uh a lot of uh laws that um and acts that have been uh put in place uh across the globe. So When working internationally, it's a smart thing to check where are we working, where are we data transferring to and what potential legislation might be in place So you can reach out to legal counsel, to sector industry bodies that can help you understand what are the different legislations that are applicable. \ No newline at end of file +ISO standards, more specifically in the annex A, have a clause 5.31, which says legal, statutory, regulatory, and contractual requirements. So an organization needs to understand what are the requirements that are relevant for the business that you're in, the type of organization that you're in. So the purpose of that control is really to ensure that compliance. + +I still see a lot of organizations when auditing that don't really know the applicable laws and regulations. So whatever organizations should do is to start either with their legal counsel or they need to hire a lawyer to help them with that To understand what are all the laws and regulations that have an impact on the organization. That can be quite a lot depending on the organization that you're in there, but you need to uh check If you are compliant, you need to check what are the different countries that I'm working for. Are the countries, do I have all the laws and regulations? What specific clause in the law do I need to adhere to? And how have I tackled that? What are the specific processes? What are the policies that I use to be able to show that conformity So that ISO 27000 and one can really help you with that to really get a step up in that good overview of laws and regulations. Now there are a lot of key areas um especially nowadays it was different fifty years ago, but uh today There are a lot of key areas that should be considered. On the slide you see a couple of things that you really need to think about if they are applicable for your organization And let's walk through them one by one. First of all, data protection. Today there are a lot of countries. That have established data protection laws and regulations, think about the GDPR, that really aim at protecting, safeguarding data and data subjects. Organizations need to understand what is the law and regulation, and we need to have procedures and processes in place to ensure that we can protect that personal identifiable information. we can adhere to any requests that data subjects have and we can uh look at that. Related to data protection is of course privacy. Privacy, also in order to comply with certain laws, many organizations are also obliged to establish a policy for ensuring information privacy Throughout which they increase awareness of those statutory, regulatory, and business requirements regarding the treatment and protection of that personal information. So data protection and privacy usually go hand in hand. Cybercrime is another thing to consider. They encompass any illegal activity that is performed through a computer and network. And that is intended to really harm the organization system and gain unauthorized access to the data. Targeted organizations might experience financial and reputational damage In order to prevent and to respond to those activities, organizations should also establish procedures like an incident management procedure, um like uh ways uh for ethical hackers uh to provide them with information. Um so um protective measures as stated are are not considered as crime but also there you need to see what is applicable in your country. Sometimes ethical hacking um needs to uh adhere to certain um yeah specific guidelines and I'm talking from Belgium of course and Belgium it's it's only for one or two years that it's really legal uh to perform ethical hacking. Um and To communicate to an organization that you find some vulnerabilities. So you really need to check what is legal in your country that you reside and how can you take care of that in your organization. Dignital signatures is something else that is really something of the last years. We used to sign everything in paper. That time is far behind us. So an electronic signature today is um it it helps organizations of course to verify the um authenticity of a message or a document and by verifying the author. To check if the content has been modified. As a result, an electronic document that is digitally signed has the same legal validity as a hard copy. So, like a document document that is signed in handwriting, as long as there are regulations that give that full legal value to it. And some countries Electronic records must ensure the um preservation of uh traces as evidence of that integrity. So there you need to see okay what is the tool that we are going to use To provide those dignity, what are the certificates, for example, that are used, and what is the law again that we need to look at Intellectual property is something that you need to think about, both your own intellectual property and what how do you work with customers and how is intellectual property taken care of there, but also the intellectual property of your employees. Ensure that you have everything written down in contracts so that There is no reason to come to a conclusion later. Also, there I see a lot of companies that take care of the intellectual property with their customers, but forget that their employees also have intellectual property. Electronic payments. If your organization has a web store or something like that, electronic payments laws have been created as well. So you need to check if there is something that you need to adhere to there in ensuring that you protect the rights of the clients of which you receive those electronic payments. And then lastly we have the records management. Some national laws also require from organizations that they establish procedures for identifying, classifying, storing, modifying, and even destroying records ISO 15489. 1 delivers those specific contents or concepts and guidance that can help you in that records. So you see there are a lot of um key areas that you need to consider uh because there are a lot of uh relevant laws that might be there. So after um the so now we've spoken about the key areas Let's dive a little bit deeper into all the information security and data protection laws by region. For sure, not all of the laws have been added because that would lead us a little bit too far, of course. But um you do well um especially also when you're auditing um to uh have a general understanding about general laws that are applicable for on a country level at least And then you can still have a look. Companies need to know what is specifically for their industry applicable. So let's start with America, starting with North America. You have, of course, the HIPAA, which is the health insurance Portability and Accountability Act. It regulates the privacy and security of medical information in the United States So that's very specific for the United States. A lot of companies that are working in the United States and that have have their headquarters in the United States put those requirements also on European organizations. So it's not because it's applicable in the US that everybody who's residing in the EU is no longer falling under it. So HIPAA might be something that you need to take in. into account. So if you're auditing a finance company, that might be something that you want to check upon. Surveyus Oxley Act, a well-known act, short SOX regulates financial reporting and auditing requirements for public organizations in the United States. So public organization The California Consumer Privacy Act, the CCPA, that comes back if you're working with um US organizations, which is Is a little bit similar like the GDPR. It regulates how organizations handle California residents' personal information So it's only applicable to California. The New York State Department of Financial Services Cybersecurity Regulation, in short, 23 NYCRR 500 Requires financial institutions to establish and maintain a cybersecurity program. Personal Information Protection and Electronic Documents Act, which is called PIPEDA Regulates how Canadian private sector organizations collect, use, and disclose personal information And then lastly, the Personal Information Protection Act, in short, PIPA, is a privacy law that governs the collection, use and disclosure of personal information by private sector organizations in British Columbia and Canada. So you see and the difficulty in North America is of course you have different states and different states have different laws, so you really need to have a look on, okay, what are the laws that they're uh looking at. Then uh jumping over um to South America, um there are also a couple of things that are in place. Um so in Brazil You have the General Personal Data Protection Act, and it's a data protection law that regulates the processing of personal data in Brazil. So it applies to both Brazilian but also foreign organizations that process personal data of individuals that are located in Brazil. In Argentina, you also have a personal data protection law, uh, which is number uh 25326 And that addresses the collection, processing, storage, and transfer of personal data. And under this law, individuals have the right to access, modify, and delete their personal data held by the data controllers as well as the right to object for the processing. So you see a lot of things coming back that were also part of the GDPR And then you have in Peru also the data protection law, a Peruvian law that regulates the processing of personal data by individuals and organizations. And the law aims to protect basically the privacy of individuals by establishing principles and requirements for collection, use, storage, and transfer of personnel. Looking at Europe, um, first of all, the GDPR, well known, regulates the privacy and security of personal information for individuals within the European Union. The NIST2 Directive is an initial EU-wide legislation on cybersecurity designed to attain a uniform and elevated level of cybersecurity throughout the member states. And then we also have the EU Cybersecurity Act, which creates basically a unified system for certifying ICT products, services, and processes related to cybersecurity in Europe. Then going to the other side of the globe, Asia. In China, there is a cybersecurity law which regulates the security of networks and personal information. In China. In Singapore, we have the Personal Data Protection Act, which regulates again the collection, use, and disclosure of personal data in Singapore. In India, we have the Information Technology Act, regulates electronic transactions and digital signatures in India. In Japan, we have the Act on the Protection of Personal Information, which regulates the handling of personal information in Japan. And also in Japan, we have the basic act on cybersecurity. Which establishes basic policies for Japan's cybersecurity efforts and it formulates also a cybersecurity strategy and it effectively advances cybersecurity initiatives. In Africa, South Africa, we have the protection of personal information, is also a data protection law in South Africa, and it applies to any individual or legal entity that handles personal data. In Mauritius, we have the Cybersecurity and Cybercrime Act of 2021. That's a law that deals with cybercrime and cybersecurity. So the act provides also for different penalties based on the severity of course of the offense committed and it can include a fine not exceeding two million uh rupees and imprisonment even um for a term um not exceeding 25 years so that That's already pretty hefty. In Tunisia, we have the Organic Act number 2463 on the protection of personal data. It's a primary legal framework for data protection in Tunisia. In Ghana, we have the Cybersecurity Act 2020. It promotes a safe and a secure digital environment and it also protects critical information infrastructures and combats cybercrime in Ghana. In Kenya, we have the Data Protection Act 2019, which regulates the processing of personal data and seeks to safeguard the privacy and data protection of individuals in Kenya. And then we have in Nigeria the data protection regulation, in short, NDPR, established in 2019. It's really the first comprehensive Data protection regulation in Nigeria, and it sets out the legal framework for again the protection of personal data in Nigeria. And then we still have Oceania left. There we have the Privacy Act 1988, which governs the handling of personal information by Australian government agencies and private organizations. So it requires organizations really to have a privacy policy, but also to obtain consent for collecting personal information and to provide access to those individuals to their own personal information. To assure that their personal information remains accurate, of course. In New Zealand, we have the Privacy Act 2020, which regulates the collection and disclosure of personal information in New Zealand. It applies to all organizations, also including Including government uh agencies. And then in Fiji we had the Cybercrime Act of uh 2001, um the which was enacted by the Fiji government um and that criminalizes range of cyber offenses, including the unauthorized access to computer systems, cyber stalking and cyberbullying. So uh a lot of uh laws that um and acts that have been uh put in place uh across the globe. So When working internationally, it's a smart thing to check where are we working, where are we data transferring to and what potential legislation might be in place So you can reach out to legal counsel, to sector industry bodies that can help you understand what are the different legislations that are applicable. \ No newline at end of file diff --git a/marketing/The goal should not be the certificate..md b/marketing/The goal should not be the certificate..md new file mode 100644 index 0000000..392e87b --- /dev/null +++ b/marketing/The goal should not be the certificate..md @@ -0,0 +1,10 @@ +So when starting with an ISO implementation, the goal should not be having the certificate. It should be realizing the follwoing advantages: + +Now, when looking at the implementation of an ISMS, besides having the certificates, there are a couple of advantages on implementing an ISO 27001: + +- Firstly, it will of course help you to protect your data. That's the basis, that's the reason why you do it. So you will have **robust data protection**, so you will have enhanced security measures. That protects sensitive data from unauthorized access, from breaches, from leaks. And you will also be able to assure that you have the confidentiality integrity and availability of your data ensured. +- It will help you to **assure compliance**. First of all, as security practices are aligned with laws and regulations, because that's a standard element in the ISO standard, and you will also adhere to data protection laws. +- You will be able to make a **step up in risk management**. You will be able to identify and evaluate information security risks, and that will enable the organization to really prioritize and also proactively address potential threats. You will be able to implement security controls and incident response plans, and that will also minimize, of course, the impact. of potential security incidents. +- You will be able to **improve your security posture**. You will be able to better manage your information security threats, and you will be implementing, of course, a standard that is internationally recognized, with internationally recognized information security controls. +- And you will be able to **prevent certain security incidents from happening**, which is of course cheaper than recovering from a cyber attack. So the financial losses that would be associated with a security incident will be less, and you will have efficient resources to mitigate those risks. So you will be able to do a better resource allocation in line with the risk management that you've done. + \ No newline at end of file diff --git a/metadata/corpus-metadata.md b/metadata/corpus-metadata.md index 0aad696..188ff3c 100644 --- a/metadata/corpus-metadata.md +++ b/metadata/corpus-metadata.md @@ -16,6 +16,7 @@ The `notetype` field will have one of the following values: - `application`: steps to solve a specific, real-world problem. Implementing the standard in real world environments, implementation aids, implementation examples, templates, etc. - `reference`: secondary sources of information, like original standard texts, dictionaries, terms and definitions. - `publication`: for content created by TSW for publication, e.g. articles, eBooks, social media posts. +- `overview`: meta-notes created and maintained by the Librarian; describe and index the contents of a vault folder for use by content agents. - `other`: for all notes that, by their content, cannot be placed in one of the previous categories. - `iso27diyGIS`: notes that belong to the ISO27DIY Guided Implementation System (GIS). @@ -56,6 +57,38 @@ For the possible values of these properties, see [themes-and-attributes-in-iso-2 - Notes in the `iso27DIY-gis/guide` subfolder ... - Notes in the `iso27DIY-gis/reference` subfolder ... +## Properties for Corpus Overview Notes + +Overview notes are created and maintained exclusively by the Librarian. They are not content notes and must not be used as source material for publications. + +### Folder structure + +All overview notes live in `iso27diy-corp/metadata/overviews/`. They are never placed inside the folder they describe. + +### Filename convention + +`corpus-overview-[foldername].md`, where `foldername` is the name of the vault folder being described, e.g. `corpus-overview-EN.md` for the ISO 27002 EN controls folder. + +### Template + +```yaml +--- +title: "" # human-readable title, e.g. "Corpus Overview: ISO 27002 Controls (EN)" +notetype: overview +covers: "" # vault path of the folder this note describes, + # e.g. "iso27diy-corp/Corpus/Standards/ISO27x/OST/27002/EN" +last-updated: "" # ISO 8601 date, e.g. 2026-06-02; update whenever the note is revised +tags: [] +--- +``` + +### Rules + +- `covers` must be the exact vault path of the folder being described — no trailing slash. +- `last-updated` must be set every time the overview note is modified. +- Overview notes do not carry `isotags`, `language`, or `status` — these fields are not applicable. +- The Librarian updates `last-updated` and the corpus index note (`corpus-index.md`) whenever an overview note is created or revised. + ## Properties for Publications Publications are found in `iso27diy-corp/Marketing/publications` and are of `notetype` `publication`. diff --git a/metadata/librarian-system-prompt.md b/metadata/librarian-system-prompt.md new file mode 100644 index 0000000..3c82483 --- /dev/null +++ b/metadata/librarian-system-prompt.md @@ -0,0 +1,138 @@ +--- +title: "Librarian System Prompt" +notetype: other +last-updated: 2026-06-02 +tags: [] +--- + +# Librarian System Prompt + +You are the Librarian for ISO27DIY, a B2B SaaS product that helps SMEs implement +ISO27001 without hiring consultants. + +Your job is to keep the Obsidian knowledge vault structured, consistent, and +navigable. You do not create content for publication. You create and maintain +the metadata and overview structures that allow the content agents to work +effectively. + +You have access to: +- The Obsidian vault via MCP +- The corpus index note and all corpus overview notes in the project knowledge base + +You have four tasks. You will be told which task to perform each session. + +--- + +TASK 1 — FRONT MATTER FOR NEW NOTES + +When asked to process a new note or set of notes, produce front matter +for each, following the guidelines in `iso27diy-corp/metadata/corpus-metadata.md`. + +--- + +Rules: +- Do not invent content not present in the note +- If the note is thin or incomplete, set status to Needs review and explain why +- If you cannot identify related notes confidently, leave related-notes blank + rather than guessing + +--- + +TASK 2 — CREATE A NEW OVERVIEW NOTE + +When asked to create an overview note for a vault folder: +1. Read all notes in the specified folder via MCP +2. Produce an overview note using the following format for each note or cluster: + +**Title:** [note title or cluster name] +**Path:** [filename or folder path — list each note path individually for clusters] +**Summary:** [2-3 sentences on what this note actually contains — substance, not just topic] +**Key concepts and terms:** [main concepts, frameworks, or terminology covered] +**ISO27001 relevance:** [how this connects to ISO27001 implementation, compliance, +or cybersecurity practice] +**ISO27DIY relevance:** [how this could support product messaging, content marketing, +or user education] +**Related notes:** [other notes in the vault this connects to, if known] +**Content potential:** [1-2 sentences on what kind of content this could fuel — +articles, newsletter topics, LinkedIn posts, forum answers, etc.] +**Fetch priority:** [High / Medium / Low — how often the content agents are likely +to need the full note] + +Each overview note must include the following front matter: + +```yaml +--- +title: "" # e.g. "Corpus Overview: ISO 27002 Controls (EN)" +notetype: overview +covers: "" # vault path of the folder this note describes +last-updated: "" # ISO 8601 date, e.g. 2026-06-02 +tags: [] +--- +``` + +Rules: +- Be specific. Vague summaries are useless. +- Do not invent content not present in the notes +- Flag any note that seems outdated, incomplete, or too thin with [REVIEW] + after the title +- Group closely related notes under one entry but list each path individually +- Process all notes in the folder before responding +- Set `last-updated` to the date the overview note is created + +Name the output file: corpus-overview-[foldername].md +Save to: `iso27diy-corp/metadata/overviews/` + +--- + +TASK 3 — UPDATE AN EXISTING OVERVIEW NOTE + +When asked to update an overview note due to changes in the vault: +1. Read the current overview note +2. Read the affected notes in the vault via MCP — new, updated, or retired notes +3. Make the minimum changes necessary to bring the overview note current: + - Add entries for new notes + - Update entries for changed notes + - Mark retired notes with [RETIRED] and a one-line explanation + - Update any related-notes references affected by the changes +4. Update `last-updated` in the front matter to today's date + +Do not rewrite entries that have not changed. + +After updating, produce a change summary: +- What was added +- What was updated +- What was retired +- Any [REVIEW] flags raised + +--- + +TASK 4 — MAINTAIN THE CORPUS INDEX NOTE + +The corpus index note is a single note that lists all corpus overview notes with +a one-line description of what each covers. It lives at +`iso27diy-corp/metadata/corpus-index.md`. + +When asked to update the corpus index note: +1. Read the current corpus index note +2. Check it against the actual overview notes in the vault via MCP +3. Add entries for new overview notes +4. Update entries where the scope of an overview note has changed +5. Remove entries for retired overview notes + +Index entry format: +**[overview note name]** — [one-line description of what vault section it covers] +Path: [path to overview note] +Last updated: [date] + +--- + +GENERAL RULES + +- Never invent facts, summaries, or relationships not present in the actual notes +- When in doubt about a relationship between notes, leave it blank and flag it + for the human to resolve +- If a task is ambiguous — for example, it is unclear whether two notes should + be grouped or kept separate — ask before proceeding +- After completing any task, list any issues you encountered that the human + should be aware of: gaps, inconsistencies, notes that need attention, + structural problems in the vault diff --git a/metadata/overviews/corpus-overview-AuditGlue.md b/metadata/overviews/corpus-overview-AuditGlue.md new file mode 100644 index 0000000..7ffcdfd --- /dev/null +++ b/metadata/overviews/corpus-overview-AuditGlue.md @@ -0,0 +1,403 @@ +--- +title: "Corpus Overview: AuditGlue" +notetype: overview +covers: "iso27diy-corp/AuditGlue" +last-updated: 2026-06-02 +tags: [] +--- + +# Corpus Overview: AuditGlue + +This note covers all markdown files in `iso27diy-corp/AuditGlue` and its `System alternative` subfolder. The folder contains product design, requirements, technical architecture, and research notes for the iso27DIY product — primarily the AuditGlue GRC component and its underlying platform. + +--- + +## Top-level notes + +--- + +**Title:** PRD Product Requirements Document for iso27DYI +**Path:** `iso27diy-corp/AuditGlue/PRD Product Requirements Document for iso27DYI.md` +**Summary:** The foundational product requirements document for iso27DIY, defining the three-component system: Guided Implementation System (GIS), AuditGlue GRC tool, and Knowledge Base. Covers client and user definitions (SME, no dedicated compliance officer), design principles (incremental rather than linear, smartwatch-style coaching), and technical requirements including multi-tenancy, LLM integration, and output formats. Includes a functional diagram reference. +**Key concepts and terms:** GIS (Guided Implementation System), AuditGlue, Knowledge Base, Modules and Sessions, slot-filling, PDCA cycle, ISMS, proof of implementation, Statement of Applicability, multi-tenancy +**ISO27001 relevance:** Directly describes a system designed to guide SMEs through ISO 27001 implementation. References ISMS structure, clause/control tagging, and certification audit preparation throughout. +**ISO27DIY relevance:** This is the core product definition document. Content agents should use it to understand the product's purpose, scope, and value proposition. +**Related notes:** `iso27diy-corp/AuditGlue/AuditGlue Workflows.md`, `iso27diy-corp/AuditGlue/GIS-content-map.md`, `iso27diy-corp/AuditGlue/System alternative/Design Document for ISO 27001 Certification Support Online Service.md` +**Content potential:** Foundational for product messaging, investor pitches, and onboarding content. Also useful for explaining the product architecture to technical audiences. +**Fetch priority:** High + +--- + +**Title:** AuditGlue Workflows +**Path:** `iso27diy-corp/AuditGlue/AuditGlue Workflows.md` +**Summary:** Describes the user interaction flows within AuditGlue: following a Session, re-visiting a Session, triggering an Automation, and working with Tasks. Defines the four task statuses (Backlog, ToDo, Done, Finalized) and explains how automations depend on prior tasks being completed. Written in Dutch. +**Key concepts and terms:** Sessions, Modules, Tasks, Automations, task statuses (Backlog/ToDo/Done/Finalized), slot-filling, n8n workflow trigger, LLM content generation, maturity levels +**ISO27001 relevance:** The workflow models how a user builds ISMS evidence through guided tasks — directly implementing the PDCA cycle required by ISO 27001. +**ISO27DIY relevance:** Core reference for understanding the GIS user experience and automation pipeline. Relevant for writing user onboarding content and help documentation. +**Related notes:** `iso27diy-corp/AuditGlue/PRD Product Requirements Document for iso27DYI.md`, `iso27diy-corp/AuditGlue/AuditGlue metadata.md`, `iso27diy-corp/AuditGlue/Conceptual ERD.md` +**Content potential:** Basis for product explainer content, user documentation, and feature descriptions on the website. +**Fetch priority:** High + +--- + +**Title:** AuditGlue metadata +**Path:** `iso27diy-corp/AuditGlue/AuditGlue metadata.md` +**Summary:** Defines the reserved metadata fields for AuditGlue Session files, including `id`, `module`, `session`, `title`, `related_assets`, `related_references`, `related_form`, `related_automation`, and `automation_depends_on`. Explains the purpose and usage of each field and provides a source example for copy-paste. +**Key concepts and terms:** Session metadata, YAML front matter, `automation_depends_on`, `related_form`, `related_assets`, module hierarchy, session id +**ISO27001 relevance:** Indirect — this metadata scheme is what enables the GIS to link sessions to ISO 27001 clause and control identifiers. +**ISO27DIY relevance:** Technical reference for the content team building GIS session files. Agents creating or editing session content must follow this schema. +**Related notes:** `iso27diy-corp/AuditGlue/Metadata in YAML.md`, `iso27diy-corp/AuditGlue/AuditGlue Workflows.md` +**Content potential:** Low — internal technical reference, not a source for publication content. +**Fetch priority:** Medium + +--- + +**Title:** Metadata in YAML +**Path:** `iso27diy-corp/AuditGlue/Metadata in YAML.md` +**Summary:** A reference table of required and optional YAML metadata keys for GIS Session files, with field names, value types, examples, and explanations. More detailed and structured than `AuditGlue metadata.md`, and includes a copy-paste source example. +**Key concepts and terms:** YAML metadata, `implements`, `feeds_into`, `depends_on`, `related_form`, `related_assets`, session id convention +**ISO27001 relevance:** The `implements` field directly links sessions to ISO 27001 clauses and controls (e.g., `ISO27001:2022:C.6.2`). +**ISO27DIY relevance:** Technical reference for GIS content authors. Supersedes or complements `AuditGlue metadata.md`. +**Related notes:** `iso27diy-corp/AuditGlue/AuditGlue metadata.md` +**Content potential:** None — internal technical reference only. +**Fetch priority:** Medium + +--- + +**Title:** Conceptual ERD +**Path:** `iso27diy-corp/AuditGlue/Conceptual ERD.md` +**Summary:** A Mermaid entity-relationship diagram showing the core data model for AuditGlue. Defines relationships between Session, Task, FormValues, Document, DocVersion, and NormArticle. Key rules: a Session has zero or one Task; a Document is proof for one or more NormArticles; a Document can have multiple versions. +**Key concepts and terms:** ERD, Session, Task, FormValues, Document, DocVersion, NormArticle, proof of implementation, version management +**ISO27001 relevance:** The `NormArticle` entity directly represents ISO 27001 clauses and controls. The model captures how user tasks produce documents that serve as audit proof for specific norm articles. +**ISO27DIY relevance:** Foundational data model for AuditGlue. Required reading for anyone building or extending the platform. +**Related notes:** `iso27diy-corp/AuditGlue/AuditGlue Workflows.md`, `iso27diy-corp/AuditGlue/System alternative/TypeDB structure for ISO27DIY.md` +**Content potential:** Low — technical architecture note. Could inform a technical blog post about how AuditGlue models the audit evidence chain. +**Fetch priority:** Medium + +--- + +**Title:** GIS Content Map +**Path:** `iso27diy-corp/AuditGlue/GIS-content-map.md` +**Summary:** A complete hierarchical map of the GIS module and session structure, from m100 (Implementing with ISO27DIY) through m900 (ISO 27001 Audits). Each session entry links to the actual GIS session file and to the relevant ISO 27001 clauses and ISO 27002 controls. Covers strategy, context, risks, measures, supporting the ISMS, and evaluation. +**Key concepts and terms:** GIS modules (m100–m900), Sessions, ISO 27001 clause mapping, ISO 27002 control mapping, ISMS implementation sequence +**ISO27001 relevance:** This is the master navigation map for the entire ISO 27001 implementation journey as structured by iso27DIY. Every clause and control in scope is referenced here. +**ISO27DIY relevance:** Critical reference for content agents navigating the GIS. Also useful for communicating the product's coverage and completeness to prospects. +**Related notes:** `iso27diy-corp/AuditGlue/PRD Product Requirements Document for iso27DYI.md`, `iso27diy-corp/AuditGlue/Modules, Screens and Content.md` +**Content potential:** Basis for content about the iso27DIY implementation roadmap; could support marketing claims about full ISO 27001 coverage. +**Fetch priority:** High + +--- + +**Title:** Modules, Screens and Content [REVIEW] +**Path:** `iso27diy-corp/AuditGlue/Modules, Screens and Content.md` +**Summary:** Brief note pointing to other sources for the three user modes: guided implementation (references video series), operational (references Nedap ISMS tool structure), and audit mode (references NHC dashboard). Thin on original content — primarily a set of cross-references. +**Key concepts and terms:** Guided implementation mode, operational mode, audit mode, Nedap, NHC +**ISO27001 relevance:** Indirect — describes the three operational contexts for using AuditGlue. +**ISO27DIY relevance:** Low standalone value; useful only as a navigation aid to other notes. +**Related notes:** `iso27diy-corp/AuditGlue/Three user modes for AuditGlue.md`, `iso27diy-corp/AuditGlue/GIS-content-map.md` +**Content potential:** Low — too thin for content generation without the referenced sources. +**Fetch priority:** Low + +--- + +**Title:** Three user modes for AuditGlue +**Path:** `iso27diy-corp/AuditGlue/Three user modes for AuditGlue.md` +**Summary:** Defines the three modes of AuditGlue: Guided Implementation (step-by-step for novices, with rich explanatory content), Operational (GRC forms and dashboards for experienced users), and Audit (matrix interface mapping ISO 27001 clauses and controls to risks, policies, and evidence). Note body is duplicated. +**Key concepts and terms:** Guided implementation, operational mode, audit mode, GRC, audit matrix, proofs, risk/control matrix +**ISO27001 relevance:** The audit mode directly maps to the ISO 27001 audit process structure. +**ISO27DIY relevance:** Useful for product positioning and feature description content. The three-mode model is a differentiator worth communicating. +**Related notes:** `iso27diy-corp/AuditGlue/Modules, Screens and Content.md`, `iso27diy-corp/AuditGlue/PRD Product Requirements Document for iso27DYI.md` +**Content potential:** Good basis for product explainer content and website feature descriptions. +**Fetch priority:** Medium + +--- + +**Title:** AuditGlue Personae [REVIEW] +**Path:** `iso27diy-corp/AuditGlue/AuditGlue Personae.md` +**Summary:** A bare five-item bullet list of personas: Client/business owner, Auditor, Expert (support role), Content Editor, and Administrator. No descriptions or elaboration. +**Key concepts and terms:** Personas, roles +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Too thin to use without `Personae and Roles.md` for context. +**Related notes:** `iso27diy-corp/AuditGlue/Personae and Roles.md` +**Content potential:** None in current state. +**Fetch priority:** Low + +--- + +**Title:** Personae and Roles +**Path:** `iso27diy-corp/AuditGlue/Personae and Roles.md` +**Summary:** Lists business personae (implementer, auditor internal/external, business manager, compliance officer, CISO), system roles (admin, user, power user), and ISMS roles from ISO 27001 (risk owner, incomplete). Also includes two user persona sketches: a startup co-owner and a lone professional in a low-security-affinity organization. +**Key concepts and terms:** Personas, ISMS roles, risk owner, system roles, compliance officer, CISO +**ISO27001 relevance:** References ISO 27001 roles including risk owner; relevant to clause 5.3 (organizational roles, responsibilities, and authorities). +**ISO27DIY relevance:** Useful for audience targeting in content and for defining user segments in product marketing. +**Related notes:** `iso27diy-corp/AuditGlue/AuditGlue Personae.md`, `iso27diy-corp/AuditGlue/PRD Product Requirements Document for iso27DYI.md` +**Content potential:** Basis for persona-driven content and customer empathy messaging. +**Fetch priority:** Medium + +--- + +**Title:** Most Challenging Clauses in ISO 27001 +**Path:** `iso27diy-corp/AuditGlue/Most Challenging Clauses in ISO 27001.md` +**Summary:** Lists the ISO 27001 clauses that practitioners find most difficult: Clause 4 (context and boundaries), Clause 6 (risk assessment), Clause 9 (performance evaluation), Clause 10 (corrective action), and Annex A (control mapping and Statement of Applicability). Includes specific sub-challenges for each. +**Key concepts and terms:** Clause 4 context, Clause 6 risk assessment, Clause 9 performance evaluation, Clause 10 corrective action, Statement of Applicability, risk methodology, nonconformity +**ISO27001 relevance:** Directly maps to real-world implementation pain points for each clause referenced. +**ISO27DIY relevance:** Highly relevant for content marketing — these pain points are exactly the problems iso27DIY solves. Strong basis for LinkedIn posts, newsletter topics, and landing page copy. +**Related notes:** `iso27diy-corp/AuditGlue/GIS-content-map.md` +**Content potential:** Excellent source for "why ISO 27001 is hard" content, problem-aware messaging, and feature justification. +**Fetch priority:** High + +--- + +**Title:** ISO27DIY Plain English Template [REVIEW] +**Path:** `iso27diy-corp/AuditGlue/iso27DIY Plain English Template.md` +**Summary:** A bare outline for a "Plain English" control description template: Control ID/Title, Properties, one-sentence summary, Implementation Guidance (required/recommended/relations), real-life examples, and remarks. No worked example or populated content. +**Key concepts and terms:** Plain English, control template, implementation guidance +**ISO27001 relevance:** Describes a format for making ISO 27002 controls accessible to non-experts. +**ISO27DIY relevance:** Relevant to the corpus content format, but too thin to use without a worked example. +**Related notes:** `iso27diy-corp/AuditGlue/Policy Card Example for Access to Software Applications.md` +**Content potential:** Low in current state — needs a populated example to be useful. +**Fetch priority:** Low + +--- + +**Title:** Policy Card Example for Access to Software Applications +**Path:** `iso27diy-corp/AuditGlue/Policy Card Example for Access to Software Applications.md` +**Summary:** A detailed worked example of a "Policy Card" for an access control policy, covering purpose, scope, risk mitigation, method, metrics, measurement, evaluation, version control, and documentation. Shown in both structured bullet format and as a JSON object. References ISO 27001 controls 5.15 and 5.18. +**Key concepts and terms:** Policy Card, access control policy, version control, metrics, measurement, evaluation, JSON policy schema, ISO27001:2022:A.5.15, ISO27001:2022:A.5.18 +**ISO27001 relevance:** Directly implements controls A.5.15 (Access control) and A.5.18 (Access rights). Demonstrates the policy structure required by ISO 27001. +**ISO27DIY relevance:** Concrete example of a core iso27DIY output artifact. Useful for product demos, documentation, and content showing what "good" looks like. +**Related notes:** `iso27diy-corp/AuditGlue/iso27DIY Plain English Template.md` +**Content potential:** Strong basis for content showing what a compliant policy looks like in practice. Good for educational posts and product demos. +**Fetch priority:** High + +--- + +**Title:** ISO27DIY benefits [REVIEW] +**Path:** `iso27diy-corp/AuditGlue/ISO27DIY benefits.md` +**Summary:** A three-bullet stub listing product benefits (saves consulting fees, scale confidently, implement scalable security practices), plus two competitor URLs (Sprinto, instant27001.com). No elaboration. +**Key concepts and terms:** Value proposition, consulting fees, scalability +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Relevant to marketing but too thin in current state. The competitor links suggest this was being used for competitive research. +**Related notes:** None +**Content potential:** None in current state — needs significant development. +**Fetch priority:** Low + +--- + +**Title:** Idea Validation +**Path:** `iso27diy-corp/AuditGlue/Idea Validation.md` +**Summary:** A saved Reddit post from r/microsaas describing a three-step idea validation methodology: problem thesis and user interviews, building an MVP in 30 days, and marketing to collect feedback. Not original content — saved for inspiration. +**Key concepts and terms:** Idea validation, problem thesis, MVP, user interviews, Reddit marketing, feedback loops +**ISO27001 relevance:** None. +**ISO27DIY relevance:** Background research on SaaS product validation methodology. Not a source for publication content. +**Related notes:** None +**Content potential:** None — third-party content saved for reference. +**Fetch priority:** Low + +--- + +**Title:** Scale up markt NL [REVIEW] +**Path:** `iso27diy-corp/AuditGlue/Scale up markt NL.md` +**Summary:** Brief note referencing NLgroeit's Top 250 Dutch growth companies list (with Erasmus University) and their mentorship programme for companies over €1M revenue. Two links, no analysis. +**Key concepts and terms:** NLgroeit, Dutch growth companies, mentorship, scale-up market +**ISO27001 relevance:** None. +**ISO27DIY relevance:** Market research reference — potential prospect pool or partnership lead for the Dutch advisory practice. +**Related notes:** None +**Content potential:** Low — background research only. +**Fetch priority:** Low + +--- + +**Title:** List of possible partners +**Path:** `iso27diy-corp/AuditGlue/List of possible partners.md` +**Summary:** Three-item list of potential partners: The Art of Service (InfoSec Kanban boards), Certificeringsadvies (independent external audits), and a Gumroad seller (SCM content, cross-posting offer). +**Key concepts and terms:** Partners, InfoSec Kanban, external audits, cross-posting +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Business development reference. Certificeringsadvies is potentially relevant as an audit partner. +**Related notes:** None +**Content potential:** None — internal business development note. +**Fetch priority:** Low + +--- + +**Title:** Possible Colabs [REVIEW] +**Path:** `iso27diy-corp/AuditGlue/Possible Colabs.md` +**Summary:** Single entry: Phil Odence of Black Duck/Synopsys, a connection via Richard ten Cate (The Red Button), potentially relevant to software due diligence. No further detail. +**Key concepts and terms:** Black Duck, Synopsys, software due diligence +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Business development note — possibly relevant for supply chain security content partnerships. +**Related notes:** None +**Content potential:** None in current state. +**Fetch priority:** Low + +--- + +**Title:** iso27DIY-MoC (Map of Content) +**Path:** `iso27diy-corp/AuditGlue/iso27DIY-MoC.md` +**Summary:** A Map of Content linking to all major note clusters for the iso27DIY product: marketing source material, product design, method, agents, content, and platform. Functions as the top-level navigation hub for the entire AuditGlue folder and connected areas of the vault. +**Key concepts and terms:** Map of Content, navigation, product design, marketing, platform, agents +**ISO27001 relevance:** None directly — this is a navigation note. +**ISO27DIY relevance:** High value as a navigation aid for agents needing to find connected notes quickly. Should be fetched early in any session working across AuditGlue material. +**Related notes:** Most notes in `iso27diy-corp/AuditGlue/` and connected folders. +**Content potential:** None — internal navigation note. +**Fetch priority:** High + +--- + +## System alternative subfolder + +This subfolder contains technical architecture, stack evaluation, and platform design notes. Most are research outputs or AI-generated design documents rather than original product decisions. + +--- + +**Title:** Design Document for ISO 27001 Certification Support Online Service +**Path:** `iso27diy-corp/AuditGlue/System alternative/Design Document for ISO 27001 Certification Support Online Service.md` +**Summary:** An AI-generated (Perplexity) design document for an online ISO 27001 certification support service, produced in response to a structured prompt. Covers objectives, features (documentation hub, expert guidance, automation, self-assessment, training, community, tool integrations), user roles, user journey, technical architecture, and a 12-month roadmap. Saved as reference material, not original work. +**Key concepts and terms:** Documentation hub, risk assessment engine, compliance tracker, self-assessment, e-learning, consultant marketplace, freemium model, GDPR +**ISO27001 relevance:** Describes a service that maps closely to iso27DIY's own value proposition. Useful for competitive benchmarking and feature gap analysis. +**ISO27DIY relevance:** Reference for product design thinking. Not a source for publication content. +**Related notes:** `iso27diy-corp/AuditGlue/PRD Product Requirements Document for iso27DYI.md` +**Content potential:** Low — AI-generated reference, not original content. +**Fetch priority:** Low + +--- + +**Title:** Application architecture +**Path:** `iso27diy-corp/AuditGlue/System alternative/Application architecture.md` +**Summary:** A decision framework for distributing functionality across WeWeb (frontend), SQL functions/RPC, Edge Functions, and Database Triggers. Provides a decision matrix by performance, security, external integration, complexity, and real-time requirements, with practical worked examples. +**Key concepts and terms:** WeWeb, Supabase, Edge Functions, SQL functions, Database Triggers, RPC, decision matrix, business logic placement +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Technical architecture reference for developers building on the preferred stack. +**Related notes:** `iso27diy-corp/AuditGlue/System alternative/iso27DIY Preferred Stack.md`, `iso27diy-corp/AuditGlue/System alternative/Building functionality in Supabase.md` +**Content potential:** None — technical reference only. +**Fetch priority:** Low + +--- + +**Title:** iso27DIY Preferred Stack +**Path:** `iso27diy-corp/AuditGlue/System alternative/iso27DIY Preferred Stack.md` +**Summary:** Evaluates and recommends the WeWeb (frontend) + Supabase (backend) low-code stack for iso27DIY's MVP. Covers rationale for each component, lock-in risk, entry costs, and best practices for avoiding vendor lock-in. Also covers business logic placement options across WeWeb workflows, Supabase database functions, and Edge Functions. +**Key concepts and terms:** WeWeb, Supabase, low-code, vendor lock-in, Edge Functions, Postgres functions, Vue.js, REST API, TypeScript +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Technical stack decision reference for developer onboarding and architectural discussions. +**Related notes:** `iso27diy-corp/AuditGlue/System alternative/Application architecture.md`, `iso27diy-corp/AuditGlue/System alternative/iso27DIY stack deployment.md` +**Content potential:** None — technical reference only. +**Fetch priority:** Low + +--- + +**Title:** iso27DYI architecture with LLM +**Path:** `iso27diy-corp/AuditGlue/System alternative/iso27DYI architecture with LLM.md` +**Summary:** Covers options for integrating LLM functionality into the WeWeb + Supabase stack: direct API calls (OpenAI/Anthropic), Node.js/Express middleware, Supabase Edge Functions, and serverless functions. Also covers self-hosting options (Ollama, vLLM, TGI). Recommends Supabase Edge Functions as the most elegant approach. +**Key concepts and terms:** LLM integration, Ollama, vLLM, TGI, Supabase Edge Functions, OpenAI API, Anthropic API, self-hosted LLM, slot-filling +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Technical reference for the LLM integration layer relevant to content generation and slot-filling automation in the GIS. +**Related notes:** `iso27diy-corp/AuditGlue/System alternative/iso27DIY Preferred Stack.md` +**Content potential:** None — technical reference only. +**Fetch priority:** Low + +--- + +**Title:** Building functionality in Supabase +**Path:** `iso27diy-corp/AuditGlue/System alternative/Building functionality in Supabase.md` +**Summary:** Reference overview of Supabase's functionality-building methods: SQL functions, Edge Functions, RPC, Database Triggers, RLS policies, auto-generated REST APIs, real-time subscriptions, GraphQL, webhooks, and PostgREST extensions. +**Key concepts and terms:** Supabase, SQL functions, Edge Functions, RPC, Database Triggers, RLS, GraphQL, webhooks +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Technical reference for Supabase development decisions. +**Related notes:** `iso27diy-corp/AuditGlue/System alternative/Application architecture.md` +**Content potential:** None — technical reference only. +**Fetch priority:** Low + +--- + +**Title:** iso27DIY stack deployment +**Path:** `iso27diy-corp/AuditGlue/System alternative/iso27DIY stack deployment.md` +**Summary:** Step-by-step deployment guidance for the WeWeb + Supabase stack: publishing via WeWeb, custom domain setup, Supabase production configuration (RLS, backups, connection pooling), environment variable management, and a security checklist. +**Key concepts and terms:** WeWeb deployment, Supabase deployment, RLS, CORS, environment variables, custom domain, CDN +**ISO27001 relevance:** None directly, though the security checklist aligns loosely with secure deployment practices. +**ISO27DIY relevance:** Operational reference for the development team. +**Related notes:** `iso27diy-corp/AuditGlue/System alternative/iso27DIY Preferred Stack.md` +**Content potential:** None — operational reference only. +**Fetch priority:** Low + +--- + +**Title:** No local installs +**Path:** `iso27diy-corp/AuditGlue/System alternative/No local installs.md` +**Summary:** Confirms that end users need no local software beyond a modern browser — the entire stack runs in the cloud. Includes cited references. +**Key concepts and terms:** Web-based access, no local install, browser-based, Deno, edge deployment +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Relevant for product positioning — "nothing to install" is a selling point for the SME target audience. +**Related notes:** `iso27diy-corp/AuditGlue/System alternative/iso27DIY Preferred Stack.md` +**Content potential:** Low but usable for product messaging. +**Fetch priority:** Low + +--- + +**Title:** Agent Design Intent Card +**Path:** `iso27diy-corp/AuditGlue/System alternative/Agent Design Intent Card.md` +**Summary:** Notes from a Cognigy conversation design course on designing conversational agents. Covers intent modeling (Who/What/Intention/Reason), the stateless nature of conversations, personality and persona design for bots, and Contact Profiles for persistence. +**Key concepts and terms:** Conversational agent design, intent, utterance, stateless conversation, bot persona, Contact Profile, Cognigy +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Design reference for the slot-filling conversational agent in the GIS. +**Related notes:** `iso27diy-corp/AuditGlue/AuditGlue Workflows.md` +**Content potential:** None — design reference only. +**Fetch priority:** Low + +--- + +**Title:** TypeDB structure for ISO27DIY +**Path:** `iso27diy-corp/AuditGlue/System alternative/TypeDB structure for ISO27DIY.md` +**Summary:** An AI-generated (Gemini) TypeDB schema for representing ISO 27001 and 27002 entities and relationships, including standards, clauses, controls, actors, assets, artifacts, risks, events, and processes. Covers full TypeQL schema definition and a Mermaid diagram. Saved as an alternative/research note — not the current production data model. +**Key concepts and terms:** TypeDB, TypeQL, knowledge graph, entity-relationship, controls, actors, artifacts, evidence, proof of implementation, graph database +**ISO27001 relevance:** Models the full ISO 27001/27002 entity landscape including relationships between controls, clauses, actors, artifacts, and evidence. +**ISO27DIY relevance:** Research/alternative design note. The conceptual model informs the current ERD even if TypeDB is not the chosen technology. +**Related notes:** `iso27diy-corp/AuditGlue/Conceptual ERD.md` +**Content potential:** Low — could inform a technical blog post about knowledge graphs and ISO 27001. +**Fetch priority:** Low + +--- + +**Title:** iso27DIY UI ideas +**Path:** `iso27diy-corp/AuditGlue/System alternative/iso27DIY UI ideas.md` +**Summary:** Brief note with UI inspiration references: Advisera Conformio, Cognigy academy (conversation design), PECB eLearning, and a Base44 writing assistant. Primarily screenshots with minimal commentary. +**Key concepts and terms:** UI inspiration, guided implementation, eLearning, conversation design +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Design research reference. +**Related notes:** `iso27diy-corp/AuditGlue/System alternative/Agent Design Intent Card.md` +**Content potential:** None — visual reference only. +**Fetch priority:** Low + +--- + +## Files not processed + +The following files in this folder are not markdown notes and were excluded from this overview: + +- Image files: `Canvas Cyclus.png`, `CleanShot 2025-07-17 at 10.45.16.png`, and multiple PNGs in `System alternative/` +- `PolicyCard_Example_5.15.yaml` — YAML example; related to the Policy Card note +- `iso27DIY content modules.canvas`, `System alternative/iso27DIY Functional Diagram.canvas`, `System alternative/iso27DIY UI Canvas.canvas` — Obsidian Canvas files +- `System alternative/iso27DYI High level data structure.pdf` — not read +- `System alternative/slot_config_erd.mermaid`, `slot_config_schema.sql`, `slot_manager_implementation.py` — code/schema files + +The following markdown files in `System alternative/` were not read due to batch size constraints and should be processed in a follow-up pass: +- `JSON validation for Postgres.md` +- `SQL vs NoSQL.md` +- `SupaBase Edge Functions.md` +- `SupaBase edge functions portability.md` +- `Using AI to create policies.md` +- `When to use JSON types in Supabase.md` +- `Source text.md` (appears to be empty) + +--- + +## Issues to flag + +1. **`AuditGlue Personae.md` vs `Personae and Roles.md`** — Two notes covering overlapping ground with no clear relationship. Consider merging or deprecating the shorter one. +2. **`Modules, Screens and Content.md`** — Thin note largely redundant with `Three user modes for AuditGlue.md` and `GIS-content-map.md`. Candidate for removal. +3. **`ISO27DIY benefits.md`** — Stub. Develop or delete. +4. **`iso27DIY Plain English Template.md`** — Outline without a worked example. Needs population before it's useful. +5. **Six `System alternative` notes unread** — Batch size constraint. Require a follow-up pass to complete this overview. +6. **`Source text.md`** — Empty file. Remove. +7. **`iso27DYI High level data structure.pdf`** — Unread. May contain architecture information not captured elsewhere. +8. **Duplicate body in `Three user modes for AuditGlue.md`** — Entire note body appears twice. Clean up.