Renamed some folders

2026-04-29 14:20:35 +02:00 · 2026-04-29 14:20:35 +02:00 · 3c800ae860
commit 3c800ae860
parent 3542083f69
278 changed files with 113 additions and 113 deletions
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,15 @@
+## Benefits of ISO 27001
+
+- Easier sales
+	- Accelerates your customer’s Purchase Decision Process ("Sell with Confidence. Worldwide.")
+	- Certification for this standard is increasingly becoming a knock-out criterium for [Examples of vendor selection questionnaires](../../../../🎇%20Sparks/Examples%20of%20vendor%20selection%20questionnaires.md).
+- Raises your infosec maturity level   
+	- Raise your [Maturity Models](../../../../📚️%20Literature%20notes/Maturity%20Models.md) from incident driven to improvement focussed
+	- Continual improvement of security
+- Increased resilience
+	- be prepared for events that threaten your business continuity
+- Accountability / responsibility
+	- [Corporate social responsibility](../../../../📚️%20Literature%20notes/Corporate%20social%20responsibility.md)
+	- Voorkómen maatschappelijke ontwrichting (voorbeeld: een massale cyberaanval legt de Rotterdamse havens stil)
+	- Encourage transparency. "We believe that transparency, such as having a permissive vulnerability disclosure policy (VDP) that encourages security research, is a key characteristic of a good, mature security program".
+	- https://www.maastrichtuniversity.nl/data-protection-corporate-social-responsibility
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,203 @@
+Use: ISO 27001 in 10 steps - Slide Deck
+
+<!--- Intro -->
+
+Hello and welcome! 
+
+In this 7 minute video you will learn 
+what ISO 27001 *is*,
+how it can benefit your organization, 
+how you should implement it, 
+and how you can get certified.
+
+I'm Richard Kranendonk.
+
+
+---
+<!--- # Benefits -->
+<!--- [[ISO 27001 in 220 - slide 1 - Benefits]] -->
+ 
+ISO 27001 is an internationally recognized standard for information security management.
+
+Having a certificate will make sales easier in B2B markets, 
+
+and if well implemented ISO27k1 will increase your resilience against cybersecurity threats ... 
+
+and raise your maturity level from incident driven to continual improvement.
+
+
+
+---
+<!--- # Structure -->
+<!--- [[ISO 27001 in 220 - slide 2 - Structure]] -->
+
+
+27k1 consists of 2 parts.
+
+A process to manage information security, called the ISMS, 
+
+and a list of controls to mitigate information security risks, called Annex A. 
+
+---
+<!--- Process -->
+<!--- [[ISO 27001 in 220 - slide 3 - Risk management process]] -->
+
+The ISMS, which stands for Information Security Management System,
+is an iterative process for managing your security risks and implementing continual improvement.
+
+You start with identifying and analysing your risks
+
+Then you select controls to mitigate those risks, and implement them
+
+You Monitor the execution of the Controls to see if they work
+
+and evaluate how effective they are in lowering your risks.
+
+You then enter the next cycle by re-analysing the risk, and adjusting your controls where necessary. 
+
+---
+<!--- # Context -->
+<!--- [[ISO 27001 in 220 - slide 4 - Context of the ISMS]] -->
+
+To implement this process, you have to establish the context in which the ISMS will operate.
+
+You have to identify the factors that influence your information security risks, including:
+- macro-environmental factors (like political and legal developments, demographic trends, economic and technological developments)
+- your organization's strategy and culture
+- strengths and weaknesses of your organization
+- different internal and external stakeholders, and their interests
+- laws, regulations, and standards that apply to your business
+- and your business processes themselves.
+
+You also need to set the Scope of your ISMS, which means defining which business activities you're seeking certification for.
+
+---
+<!--- # Responsibilities -->
+<!--- [[ISO 27001 in 220 - slide 5 - Responsibilities]] -->
+
+ISO27k1 makes top management responsible for the success of the ISMS, by:
+- demanding it shows leadership and commitment
+- setting information security objectives 
+- making shure information security policies are implemented and adhered to
+- defining relevant roles and assigning responsibilities
+- and providing the necessary resources and support.
+
+
+---
+<!--- # The CIA Triad -->
+<!--- [[ISO 27001 in 220 - slide 6 - The CIA Triad]] -->
+ 
+Managing information security means paying respect to the CIA Triad of Confidentiality, Integrity and Availability. The importance of each principle may vary for different kinds of information.
+
+---
+<!--- # Assets -->
+<!--- [[ISO 27001 in 220 - slide 7 - Assets]] -->
+
+To identify *what* needs to be protected, you need to create an Asset Inventory, 
+and identify the *impact* of loss of confidentiality, integrity and availability on your different information assets. 
+You need to organize your assets into categories, classify them, and label them, so that it's clear how they must be handled.
+
+
+---
+<!--- # Risks -->
+<!--- [[ISO 27001 in 220 - slide 8 - Risks]] -->
+
+When you *know* your assets, you can identify your *risks*. 
+Risk is a function of the probability that a negative event will occur, and the impact the event will have, *once* it occurs. 
+
+This *risk score* helps you set priorities for treatment.
+
+Risk Treatment means either *mitigating* the risk, by implementing a control,
+*transfering* the risk to another party, 
+*avoiding* the risk, by not performing the activities associated with it, 
+or *accepting* the risk.
+ 
+
+---
+<!--- # Controls -->
+<!--- [[ISO 27001 in 220 - slide 9 - Controls]] -->
+
+
+For every risk that you decide to mitigate, 
+you must select one or more appropriate Controls from Annex A.
+
+Annex A lists 114 controls, 
+including physical controls, like access to facilities,
+logical controls, like backups and encryption,
+and organizational controls, such as instruction and vendor management.
+
+Every control needs to be applied in your organization, unless you can convincingly argue that they should not apply to you. 
+This is done in your Statement of Applicability.
+
+
+
+---
+<!--- # Documentation -->
+<!--- [[ISO 27001 in 220 - slide 10 - Documentation]] -->
+
+27k1 mandates that you document your activities with regards to the ISMS, as proof of the actual implementation. This documentation is the main focus of certification audits.
+
+Required documentation includes:
+- Information security Policies
+- Analyses of risks, incidents and non-conformities
+- Log files, measurements, and evaluation reports
+- and Planning, for implementation, evaluations, and audits 
+
+
+---
+<!--- # Management Review -->
+<!--- [[ISO 27001 in 220 - slide 11 - Management Review]] -->
+
+A Management Review must periodically be conducted by 'top management' and must include:
+
+- the status of actions from previous management reviews;
+- changes in internal and external issues;
+- feedback from interested parties;
+- results of risk assessments and treatment plans
+- an assessment of the effectiveness of the ISMS as a whole
+- and decisions about necessary changes and possible improvements.
+
+
+---
+<!--- # Certification -->
+<!--- [[ISO 27001 in 220 - slide 12 - Certification]] -->
+
+The Certification Audit consists of a review of the documentation mentioned in this video, and additional observations and interviews. 
+It takes anywhere from 3 days to 4 weeks, depending on the size of the organization.
+The result is a report with observations and minor, and possibly major, non-conformities. 
+You get 90 days to resolve the issues, after which you will be issued your certificate.
+
+The certificate is valid for 3 years, during which there will be 2 Surveillance audits. You need to re-certify every 3 years.
+
+---
+<!--- # Recapitulate -->
+<!--- [[ISO 27001 in 220 - slide 12A - Recapitulate]] -->
+
+To summarize, these are the 15 steps to implement ISO 27001 and get your certificate:
+
+1. Involve Top Management 
+2. Define the context of the ISMS
+3. Set the Scope and Objectives
+4. Establish a Team and assign Responsibilities
+5. Initiate the ISMS process through regular Team Meetings
+6. Create an Information Asset Inventory
+7. Identify business impact of compromise to Assets
+8. Classify Information Assets
+9. Identify and analyse Risks
+10. Determine Risk Treatment
+11. Select and Implement Controls
+12. Draft information security policies 
+13. Collect or create other required documentation
+14. Conduct Management Reviews
+15. Request a Certification Audit
+
+---
+<!--- # Closing -->
+<!--- [[ISO 27001 in 220 - slide 13 - Closing]] -->
+
+So, there you have it, the short introduction to getting your ISO 27001 certification!
+
+Please share this video with those who might benefit. 
+
+You can download the slide deck used in this video at ISO27DIY.com, where you will also find additional resources for implementing ISO 27001 in *your* organization.
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,289 @@
+	Use [[ISO 27001 in 10 steps - Slide Deck]]
+
+# Introduction 220
+Hello and welcome to ISO 27001 in 2 minutes and 20 seconds.
+
+I'm Richard Kranendonk.
+
+In this video I will explain what ISO 27001 is, how it can benefit you, how you can implement it in your organization, and how you can get certified.
+
+So let's go.
+
+**-> Slide**
+
+# ISO 27001 and it's benefits
+
+ISO 27001 is an internationally recognized standard for information security management, developed and maintained by the International Organization for Standardization, located in Geneva, Switzerland.
+
+Having an ISO 27k1 certificate is a knock-out criterium for most vendor selection shortlists, and as such is rapidly becoming a 'license to operate' in B2B environments.
+
+Being certified will speed up purchasing processes, and help win your client's trust.
+
+There are also additional benefits:
+- if well implemented, ISO27K1 will raise your maturity level from incident driven to continual improvement.
+- your company will be more resilient against cybersecurity threats.
+- and of course there's the aspect social responsibility
+
+So, let's take a closer look at the standard itself.
+
+**-> Slide**
+
+Related note: [ISO 27001 benefits](ISO%2027001%20benefits.md)
+
+
+# Structure of ISO 27001 
+
+The ISO 27k1 consists of 2 parts:
+- a process to identify, manage and document information security risks, called the ISMS or Information Security Management System.
+- a list of controls to mitigate (or control) the risks you've identified, called "Annex A"
+
+The process part is described in chapters 4 through 10, and the controls are listed in an addendum called ''Annex A"
+
+Let's start with the process.
+
+**-> Slide**
+
+
+# Risk management process
+
+ISO 27001 describes a cyclic, iterative process for managing your security risks. This is usually linked to the so called Deming cycle with its 4 steps of Plan, Do, Check, Act, but I find these a bit to abstract and confusing, so I prefer the following:
+
+1. Identify and Analyse Risks
+2. Define and Implement Controls (putting measures in place to mitigate those risks)
+3. Monitor (the execution of the Controls)
+4. Evaluate (the effectivity of the controls in lowering your risks)
+
+... and then you enter the next cycle by re-analysing the risk, and adjusting your controls where necessary. This process of continous improvement is a core requirement of ISO 27001. 
+
+You may also gather from this slide that the ISO 27001 standard is at its core a Risk Management framework.
+
+Now, the essence of acquiring and keeping an ISO 27001 certificate, is that you are able to proof that you are actually executing this cycle. You do this by creating and maintaining documentation:
+
+ADD ARTEFACTS TO MANAGEMENT CIRCLE
+Identify and Analyse Risks			| Risk Analysis
+Define and Implement Controls	| Policies and Implementation Plans for Controls
+Monitor 										| Reports and Logs		
+Evaluate										| (formal) Evaluations or for instance Meeting Notes
+
+This documented set of processes is commonly referred to as the Information Security Management System, or ISMS.
+
+**-> Slide**
+
+The ISMS does not exist in splendid isolation: there are lots of internal and external factors that have an influence on the development of risks and controls. These must be identified.
+
+# Context of the ISMS
+
+Slide: [[ISO 27001 in 220 - slide 4 - Context of the ISMS]]
+
+Factors that can have an influence on your information security risks, and how you manage them, include:
+
+- macro-environmental factors (like political and legal developments, demographic trends, economics and technological developments)
+- your organization's strategy and culture
+- strengths and weaknesses of your organization
+- different internal and external stakeholders, and their interests
+- and your business processes
+
+Most of these will be periodically or continuously changing, and that's why the cyclical nature of the ISMS is so important.
+
+The ISO 27001 standard demands that you are aware of these internal and external issues, and that you document how these influence your Information Security Management System.
+
+Management science provides numerous well known tools that are of use here, I will elaborate this subject in the full ISO27DIY video that deals with this subject.
+
+Next, it's important that you define the boundaries and applicability of the ISMS, or "Scope".
+
+# Scope of the ISMS
+Slide: [[ISO 27001 in 220 - slide 5 - Scope of the ISMS]]
+
+As you now know, ISO 27001 is all about managing risks. Because you can't take responsibility for all risks that will become known to you, it's important to set the boundaries of the landscape you are seeking certification for.
+
+This is done through the scope statement. The scope statement clarifies which business processes the ISMS is applied to.
+
+For example:
+- Delivering hosted desktops and complementary cloud services 
+- Consulting, implementing and executing data services for direct mail activities
+- Developing, maintaining and managing a software solution
+- Producing and visualizing 3D content
+
+The scope of the ISMS is also the scope of your ISO 27001 certification, and as such will be visible to your stakeholders.
+
+Relevant literature notes:
+- [ISO 27001 examples of scope statements](../../ISO%2027001%20examples%20of%20scope%20statements.md)
+
+# Leadership, roles and responsibilities
+ISO 27001 demands that top management must show leadership and commitment with regards to the ISMS, by:
+
+- setting objectives for information security, making sure they are met, and promoting continual improvement
+- establishing an information security policy
+- integrating the ISMS procedures into the organization’s processes
+- providing the necessary resources and support
+- communicating the importance of information security and actually directing managment and personell to contribute to this process.
+
+You see there's a quite heavy demand on top management for committing to the success of the Information Security Management System.
+
+While the responsibilities of top management are relatively detailed in ISO 27001, it is charistically unspecified for all other roles. ISO 27001 just states that relevant roles and responsibilities must be assigned and communicated by top management.
+
+The only responsibilities mentioned explicitly are:
+- ensuring conformity of the ISMS to the Standard
+- reporting on the performance of the ISMS to top management.
+- planning and executing an audit programme
+
+ISO 27001 also mentions the roles of Asset Owner and Risk Owner, but other than that you are free to define roles and responsibilities yourself.
+
+So, now that we have identified the context of the ISMS and set the boundaries, identified roles and responsibilities, it's time to put the risk management process in motion.
+
+# The CIA Triad
+
+As you recall from Slide: [[ISO 27001 in 220 - slide 3 - Risk management process]], this starts with identifying risks. 
+
+More specifically, risks associated with the loss of confidentiality, integrity and availability of information, also known as the 'CIA triad'.
+
+When you bring up the topic of information security, most people will think of the confidentiality aspect, first: personal or sensitive data falling into the wrong hands. And we can read about breaches like that in the media daily. But integrity and availability can be equally important for information. Think about the availability of your website on the day you launch your new sales campaign, or the integrity of product data in your webshop. In both examples confidentiallity isn't a factor, but the impact of not having the data available or not being able to trust the data can be dramatic nonetheless.
+
+So two things to remember here: the CIA triad of confidentiality, integrity and availability, and the fact that the importance of these aspects may differ for different kinds of information assets. Let's look at assets.
+
+# Creating the Asset Inventory
+
+Earlier, in Slide: [[ISO 27001 in 220 - slide 4 - Context of the ISMS]], we looked at the context of the ISMS, and may have identified risks affecting the organization as a whole, like laws and regulations, stakeholder interests and known weaknesses of the organization.
+
+Now it's time to increase the granularity of our risk identification process, and we're going to do that by looking at the objects we are actually seeking security for, namely our information assets.
+
+ISO 27001 mandates an Inventory of Information Assets, meaning collections of information and the facilities used to process that information.
+
+So what is an information asset? A Word document? A database table? A server or laptop? ISO 27001 won't tell you. A practical standpoint is that anything that's worth securing or protecting, is an Asset. Don't lose yourself in endless discussions about where one asset ends and the next one begins. 
+
+Remember: the ISMS best works with an iterative approach. Just start somewhere and refine it in the next cycles.
+
+A practical way to start identifying information assets is to create a workshop situation with a small team, and ask the question what sort of information assets people use in their day to day jobs. 
+
+Now that we have a first draft of our Asset Inventory, we need to look at the possible impact of compromises to these assets, and identify 'critical assets'. 
+
+We can do that by scoring each asset on the security principles of the CIA triad: Confidentiality, Integrity and Availability. To keep it easy, I would suggest using a comparative approach and attach a score of High, Medium or Low.
+
+Your asset inventory may grow fairly large over time, and it's practical to classify your assets into groups, taking into account aspects like value, sensitivity, criticality and legal requirements. That way you don't have to define protection measures on an asset-by-asset basis, and by labeling the information assets, you will make it easier for people to know how to handle each asset.
+
+Now that we know what information assets are most important to protect, and what aspect of information security needs the most attention, we can move on to identifying Risks.
+
+# Identifying, Analyzing and Treating Risks
+
+Risks occur when there's a chance of assets being compromised. Intentionally, or accidentally. A laptop may be stolen, a threat actor may gain access to a database, or your power supply may be interrupted by a flood.
+
+You must identify the risks of loss of confidentiality, integrity and availability of your information assets.
+
+ISO 27001 defines risk as a function of the probability that this loss will occur, and the impact it will have once that event occurs. R = P x I.
+
+Again, don't loose yourself in academic discussions on the exact likelihoods of occurance and levels of impact. Keep in mind that the goal here is to be able to prioritize actions and the dedication of resources. I haven't been through an audit yet, where qualifying both probability and impact as either High, Medium or Low wasn't good enough.
+
+Also, don't try to create the 'Complete list of risks': start with the top-of-mind risks and expand and refine in the next iterations.
+
+See also [Assets, Vulnerabilities, Threats, Risks](../../../../🎇%20Sparks/Assets,%20Vulnerabilities,%20Threats,%20Risks.md).
+
+Next, you need to decide on Risk Treatment.
+
+# Risk Treatment
+You can take several actions on a Risk:
+- Mitigate it, 
+- Transfer it – to another party.
+- Avoid it, by not performing the activities or using the technology associated with the risk
+- or Accept it
+
+ISO 27001 dictates that you should at least define your risk acceptance criteria, by setting maximum levels for chance and impact. Everything above that should lead to action.
+
+For all risks you decide to mitigate, you must now find an appropriate Control, which brings us to the infamous Annex A.
+
+# Annex A Controls
+Slide: [[ISO 27001 in 220 - slide 6 - Annex A Controls]]
+
+Annex A lists 114 controls, or measures to mitigate your various information security risks. They include physical controls, dealing with access to areas and processing facilities, technical controls like password protection and encryption, and organizational controls, like training and instruction and vendor management.
+
+The idea is that you apply each and every one of them, unless you can convincingly argue that they should not apply to you. For instance, if you only use virtual servers hosted by a provider, controlling physical access to a server room would not apply to your organization.
+
+You need to write down which controls from Annex A are, or will be applied by your organisation, in the so called Statement of Applicability. 
+
+Relevant notes: 
+- [ISO 27001 Approaching Annex A](../../ISO%2027001%20Approaching%20Annex%20A.md)
+- [ISO 27001 Statement of Applicability](../../ISO%2027001%20Statement%20of%20Applicability.md)
+
+# Documenting the ISMS
+This picture of the ISMS was in one of the first slides:
+
+ADD ARTEFACTS TO MANAGEMENT CIRCLE
+Identify and Analyse Risks			| Risk Analysis
+Define and Implement Controls	| Policies, Implementation Plans
+Monitor 										| Reports and Logs		
+Evaluate										| (formal) Evaluations or for instance Meeting Notes
+
+We've done our Risk Analysis and selected the appropriate Controls. For Controls that haven't been implemented yet, you should have some sort of demonstrable planning.
+
+Controls must have an associated Policy, which describes what risk the control is supposed to mitigate, how the control should be applied, who is responsible for applying the control, and how, and by whom, the effectiveness of the control will be established.
+
+Risks and Controls must be periodically evaluated. These evaluations must also be planned and documented.
+
+# Performance evaluation
+
+Next to the periodical evaluation of Controls, ISO 27001 defines some other important mechanisms to guard the effectiveness of the ISMS, ensure continual improvement, and maintain compliance with the ISO 27001 standard. These are:
+- management review
+- Internal audits
+- External audits
+
+## Management Review
+
+The Management Review must be conducted periodically (usually yearly) by 'top management' and must cover:
+
+a) the status of actions from previous management reviews;
+b) changes in relevant external and internal issues;
+c) feedback on the information security performance
+d) feedback from interested parties;
+e) results of risk assessment and status of risk treatment plan; and
+f) opportunities for continual improvement.
+
+The outputs of the management review must include decisions related to continual improvement and necessary changes to the ISMS.
+
+## Internal audits     
+Internal audits must be conducted at planned intervals to provide information on whether the ISMS:
+
+a) conforms to the requirements of the organization and of the standard
+b) is effectively implemented and maintained.
+
+It's advisable to structure internal audits in the same way external audits are conducted, namely by asking the auditees for documented proof for the correct implementation of each of ISO 27k1's clauses and applicable controls.
+
+Internal audits are often planned multiple times per year, with each audit covering a subset of the complete standard.
+
+Moving on to External audits, the first external audit you'll have, is the ISO 27001 Certification audit.
+
+# Certification
+The ISO 27001 Certification audit consists of 2 stages.
+
+Stage 1 is a document review, in which the auditor looks for a set of described procedures, plans and assessments, most of which have been mentioned in this video.
+
+Once all these documents have been produced, you'll move on to Stage 2, also called The Main Audit, which ssually follows a few weeks after Stage 1.
+
+Stage 2 focusses on proof of actual implementation of your ISMS processes and risk controls. This is checked mainly by asking for records of activities, but also through observation and employee interviews.
+
+The certifcation audit takes anywhere from 3 days to 4 weeks, depending on the size of the organization.
+
+See: [ISO 27001 Cost of Certification](../../../../../../iso27DIY-gis/reference/ISO%2027001%20Cost%20of%20Certification.md)
+
+## Report
+The auditor will report the findings using 3 categories:
+
+- Observations, which may be handled by the organization as it sees fit
+- Minor non-conformities: which are deviations from the standard that do not affect the ability to achieve the ISMS's goals. They require drafting a Corrective Action Plan to resolve the issue
+- Major non-conformities, which do affect the ISMS's ability to achieve the intended results. These prevent the certificate from being issued.
+
+The auditor will set a deadline for resolving the non-conformities, usually 90 days. After you've reported the issue as being solved, and supplied evidence, the auditor will issue the certificate.
+
+The certificate is valid for a period of 3 years, during which there will be 2 'controle' audits. After the third year, you will again have a full-blown re-certification audit.
+
+External audits should be performed by accredited certification bodies, listed on the International Accreditation Forum's website.
+
+See [ISO 27001 Certification audit](../../ISO%2027001%20Certification%20audit.md)
+
+
+# Closing
+So, there you have it, the ISO 27001 in XX minutes.
+
+If you liked this video/ helped you, please …
+
+If you want to learn more about implementing iso 27 on your organization without paying excessive consulting fees, head on over to ISO27DIY.com. 
+
+Download the slide deck
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,6 @@
+The following picture is actually about a more general 'IT Service Managment system' but can be adapted to clarify the structure of [ISO 27001 A.13.2 Information transfer](../ISO%2027001%202013/ISO%2027001%20A.13.2%20Information%20transfer.md).
+
+![](../../../../💡Drafts%20and%20Ideas/Service%20management%20system%20block%20diagram.png)
+
+Source: https://theartofservice.com/wp-content/uploads/2021/07/Picture-1.png
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,23 @@
+*For the technical platform that supports this content, see [🧰 Resource portal](🧰%20Resource%20portal.md)*
+
+Additional resources that may be offered on [ISO27DIY.com](ISO27DIY.com.md):
+
+- Hi-res video's 
+- ISO27DIY method as an eBook
+- Slide decks (PDF)
+- Editable PowerPoint slide decks – to adapt to your own intended use
+- other workshop materials
+- Templates and example documents
+- [ISO27DIY Community forum](ISO27DIY%20Community%20forum.md)
+- Support Desk
+- Video consulting
+- AuditGlue free for 6 months
+- Discount on external audit by one of our partners (see [[Partner for external audits]])
+
+There's a [Things project](things:///show?id=WrsCKrKd86aYAUxCoo7KhC) for creating additional resources.
+
+### Related notes
+- [ISO27DIY membership tiers](ISO27DIY%20membership%20tiers.md)
+- For identifying and creating further additional resources, see the [Working back from the Annex A dashboard](Working%20back%20from%20the%20Annex%20A%20dashboard.md) note.
+- [Blurbs](../../../../🎇%20Sparks/Blurbs.md)
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,3 @@
+- [Perverse prikkels in de normindustrie](../../../../💡Drafts%20and%20Ideas/Perverse%20prikkels%20in%20de%20normindustrie.md)
+- [GRC software is geschreven voor domeindeskundigen](../../../../💡Drafts%20and%20Ideas/GRC%20software%20is%20geschreven%20voor%20domeindeskundigen.md)
+- [Problems solved](../../../../💡Drafts%20and%20Ideas/Problems%20solved.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,15 @@
+Child notes:
+- [Blurbs](../../../../🎇%20Sparks/Blurbs.md)
+- [Toegevoegde waarde van ISO27DIY](../../../../💡Drafts%20and%20Ideas/Toegevoegde%20waarde%20van%20ISO27DIY.md)
+- [Friendly targets](../../../../../../💡Permanent%20ideas/Friendly%20targets.md)
+- [Possible Colabs](../../../../🎇%20Sparks/Possible%20Colabs.md)
+- [List of possible partners](../../../../💡Drafts%20and%20Ideas/List%20of%20possible%20partners.md)
+- [ISO27DIY Business drivers](ISO27DIY%20Business%20drivers.md)
+- [AuditGlue Business model](../AuditGlue%20Business%20model.md)
+- [[### Related notes
+- [ISO27DIY membership tiers](ISO27DIY%20membership%20tiers.md)
+- For identifying and creating further additional resources, see the [Working back from the Annex A dashboard](Working%20back%20from%20the%20Annex%20A%20dashboard.md) note.
+- [Blurbs](../../../../🎇%20Sparks/Blurbs.md)
+
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,29 @@
+
+# Build it
+- What  “jobs” that will motivate your users to come to the online community?
+- what are they looking for? What will they get out of it? Maybe it’s to gain insider knowledge, an answer to a question, learn, develop a sense of belonging, and gain exposure.
+
+
+# Test questions
+examples:
+
+- As someone interested in _______, would you join an online community where you could connect and interact with other individuals interested in _________?
+- What specific _________ -related topics interest you the most?
+- In which activities would you be most likely to participate?
+
+# Monitor
+Set engagement metrics and business metrics (probably available in the platform)
+
+
+[Source](https://www.higherlogic.com/blog/9-steps-to-consider-before-launching-your-online-community/) 
+
+
+# Traffic
+> There is no magic number here, but you should wait for 5,000 or more daily unique visitors before launching a forum. Just consider that we had around 10,000 RSS readers on DailyWritingTips when we launched the DWT Forum, and out of those only 400 or so registered for the Forum. [Source](https://www.webhostingsecretrevealed.net/blog/blogging-tips/starting-and-running-a-forum-for-your-website/)
+
+[Community rules example](https://forum.vbulletin.com/forum/general/chit-chat/69839-a-good-set-of-rules-for-your-board-as-wellas-moderator-tips)
+
+# Structure
+Determining topics using SEO tools:
+> Using SEO tools we can study real world search data and understand market dynamics. For instance, SEM Rush “Topic Research Tool” allows use to generate content ideas based on monthly search volume in a country. 
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,18 @@
+
+Phase | Action | Completed status
+---|--- | ---
+Risk identification | Identify Risks | Risk identified
+Controls selection | Select Controls | Controls selected
+Implementation planning | Plan implementation | Implementation planned
+Controls implementation | Implement Controls | Controls implemented
+Control execution | Execute Control | Control executed
+Evaluation | Evaluate effectivenes | Effectiveness Evaluated
+Adaption | Plan adaption | Adaption planned
+
+
+
+
+![](ISO27DIY%20ISMS%20cycle.001.jpeg)
+
+
+Suggestion for Artifact: [ISO27DIY implementation dashboard](🏺%20ISO27DIY%20Artefacts/ISO27DIY%20implementation%20dashboard.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,81 @@
+Related: [ISO27DIY Manifesto](ISO27DIY%20Manifesto.md)
+
+The essence of the ISO 27001 standard is mitigating known information security risks by implementing applicable controls for risk mitigation from a pre-defined set (the Annex A).
+
+To get certified, an organization must be able to prove adequate implementation of a) a set of risk management processes, and b) a set of risk mitigating controls. You can prove this implementation to an auditor by producing relevant documentation in respons to the auditors questions. 
+
+Documentation can have the form of plans, policies, communication, analyses, evaluations, meeting minutes, logs and reports, etc. In ISO27DIY, we use the term  'Artifacts'.
+
+The ISO27DIY method focuses on producing all necessary artifacts to successfully pass an ISO 27001 certification audit. [^id]
+
+[^id]: At this point any ISO 27001 consultant will rightfully argue that information security is not about producing documents, but about thinking and doing security. The truth is it would take a considerable effort to consistently produce all the required proof *without* actually doing it. And that *if* you're actually doing security, it's not that hard to produce a consitent set of required documentation. there's not much point in faking it.
+
+Each Session treats one or more ISMS 'topics'.
+
+In every ISMS topic, Actions that have to be executed/performed are identified.
+
+The Actions have to be defined within the organizational context, in organization-specific Policies.
+
+The Actions to be executed/performed need to be Planned and Documented.
+
+So there's **Actions, and Artifacts**:
+- Plans
+- Policies
+- Documents – reviews, analyses, reports, logs, checklists, etc.
+
+### Artifacts
+Artifacts have:
+- a version number and date, to establish ...
+- an owner and producer: someone who's responsible for ... and someone who's responsible for ...
+- a period/frequency/cycle length – because of the iterative nature of the ISO 27001 ISMS
+- a 'next execution' date for actions
+- a 'next review' date for policies
+- A a 'reviewer' – can be a person or a committee / meeting
+
+Artifacts are tagged with:
+- the standard's Controls or Clauses that are addressed with the Artifact in question
+- the ['phase'](ISO27DIY%20ISMS%20Cycle.md) the Artifact is proof of: Plan, Implement, Execute, Evaluate, Adapt <- at least define 'Implement' to include Execution
+
+The purpose of this tagging is to make auditing easier and to produce an [Implementation Dashboard](🏺%20ISO27DIY%20Artefacts/ISO27DIY%20implementation%20dashboard.md) to get an overview of progress and gaps.
+
+Artifacts have a written ISO27DIY Recipe on how to create them. The Recipe is a plain English translation of the original ISO 27002 Implementation Guidance, augmented with examples and learnings from practice.
+
+### Policies
+Policies are a subset of Artifacts and will typically have the following content:
+*To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S*. 
+
+See [ISO27DIY Policy Card template](📒%20Templates/ISO27DIY%20Policy%20Card%20template.md)
+
+### Risks
+Risks need to have:
+- associated information asset
+- Analysis
+- Treatment
+- mitigating control(s)
+
+### Controls
+Controls (need to) have:
+- associated risk
+- Implementation plan
+- Evaluation
+- etc.
+
+
+### Standard requirements 
+Take into consideration that there are specific requirements for 'documented information', see:
+- [ISO_27001_OT C 7.5.2 Creating and updating](../ISO%2027001%202013/ISO_27001_OT%20C%207.5.2%20Creating%20and%20updating.md)
+- [ISO 27001 C 7.5.3 Control of documented information](../ISO%2027001%202013/ISO%2027001%20C%207.5.3%20Control%20of%20documented%20information.md)
+- [ISO 27001 A 5.1.1 Policies for information security](../ISO%2027001%202013/ISO%2027001%20A%205.1.1%20Policies%20for%20information%20security.md)
+
+- - [Advised Documents for ISO 27001](../../../../../../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md)
+
+
+## Tooling provisions
+- [About ISO27DIY Policy Cards](../About%20ISO27DIY%20Policy%20Cards.md)
+- [ISO27DIY Kanban board](ISO27DIY%20Kanban%20board.md)
+
+## Related
+- Each session should follow a set [ISO27DIY Workshop Overview template](📒%20Templates/ISO27DIY%20Workshop%20Overview%20template.md).
+- Sessions should target the [ISO27DIY Target audience](ISO27DIY%20Target%20audience.md).
+- [ISO27DIY Additional resources](ISO27DIY%20Additional%20resources.md)
+- [[List of ISO 27001 articles per Session]]
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,9 @@
+The Kanban board includes:
+- actions to be taken and artifacts to be created; which are the results from the Workshops – see [ISO27DIY Workshop Overview template](📒%20Templates/ISO27DIY%20Workshop%20Overview%20template.md) 
+- References to the ISO 27001 clauses and controls
+
+Examples / templates may be offered as a (freebee) resource - see [🧰 Resource portal](🧰%20Resource%20portal.md)
+
+Related:
+- [Working back from the Annex A dashboard](Working%20back%20from%20the%20Annex%20A%20dashboard.md)
+- See [Topical InfoSec Kanban’s](../../../../📚️%20Literature%20notes/Topical%20InfoSec%20Kanban’s.md) for inspiration.
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,4 @@
+1. Implementation is a team effort
+2. Iterate and improve: start simple and stupid, then expand and improve – don't overthink stuff
+3. Integrate into existing workflows, security is not an add on or a checklist
+4. 
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,9 @@
+# Recipe for Policies
+> The Recipe is a plain English translation of the original ISO 27002 Implementation Guidance, augmented with examples and learnings from practice.
+
+- Template: [ISO27DIY Policy Card template](📒%20Templates/ISO27DIY%20Policy%20Card%20template.md)
+- Guidance: [A 5.1 Policies for information security](../../../../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.1_PE%20Policies%20for%20information%20security.md)
+- Examples:
+	- Information Security Policy
+	- Topic-specific policies
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,4 @@
+Related to [ISO27DIY Policy Card template](📒%20Templates/ISO27DIY%20Policy%20Card%20template.md)
+
+Identify risk owner
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,26 @@
+
+>A step-by-step for creating the Deliverables (i.e. Artifacts)
+
+Template?: [ISO27DIY Workshop Script template](📒%20Templates/ISO27DIY%20Workshop%20Script%20template.md)
+
+# Introduction to the ISO27DIY workshop series
+
+- Welcome to this Session
+- Synopsis
+- Section 1: Creating Deliverable A
+- Section 2: Creating Deliverable B
+- Section 3: How to perform Action P
+- Resume
+- Action list
+- Next session
+
+
+Hi, my name is Richard Kranendonk, and I have helped dozens of organizations to acquire and maintain their ISO 27001 certification. In the process I've become convinced that, with some guidance, most organizations are perfectly capable of implementing ISO 27001 themselves, without the need for spending thousands of euros on consulting fees.
+
+These videos were created to help you do just that.
+
+You will be guide step by step through a series of workshops, starting with explaining the core principles of ISO 27001, and ending with the certification process. 
+
+I will explain how you can implement the required security management processes in your own organization, and create the documented proof that auditors look for. 
+
+These video series is accompanied by the ISO27DIY.com website, where you will find additional resources.
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,12 @@
+
+The target audience for the [📼 ISO27DIY Video Series](📼%20ISO27DIY%20Video%20Series.md) are people who want to, or consider, implementing an ISO 27001 compliant ISMS in their organization.
+
+The videos are made with the person, who has taken on the role of project manager for the ISO 27001 implementation, in mind. As such, it offers explanations of core concepts, werkvormen, practical advice and real world examples. 
+
+The videos are also perfectly geschikt to be used in a workshop setting with your ISO 27001 project team, or to serve as eLearning material or as explanatory material for teams  who will be involved in the implementation of ISO 27001 related processes within their department/organizational unit.
+
+Additional resources, like templates, assessment tools, and example documents, are available through the ISO27DIY.com website, which also offers high-res versions of the videos made freely available on YouTube.
+
+# References
+- [ISO27DIY.com](ISO27DIY.com.md)
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,24 @@
+>The description is publishable content.
+>[[ISO27DIY Script for Video n.n VideoTitle|Script for this Workshop]]
+
+# Stakeholders
+In this video you'll learn how to create a stakeholder analysis, identifying the stakeholders and their needs and expectations, and how they influence your information security.
+ 
+[Clause 4.2](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties) states ...
+
+> C 4.2: interested parties relevant to the ISMS, and their requirements relevant to information security, including legal, regulatory and contractual obligations.
+
+ [ISO 31000 5.4.1](../../ISO31000-5.4.1-Understanding-the-organization-and-its-context.md):
+ 
+> Examine "external stakeholders’ relationships, perceptions, values, needs and expectations"  
+
+- [ ] See also [Stakeholder Analysis](../../../../🎇%20Sparks/Stakeholder%20Analysis.md)
+- [ ] And [this](https://www.pmi.org/learning/library/stakeholder-analysis-pivotal-practice-projects-8905) from the Project Management Institute
+
+
+You've now covered Clause 4.2: [Understanding the needs and expectations of interested parties](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties).
+
+In the next video, ...
+[ISO27DIY Video B.1 Processes and Assets - Business processes](ISO27DIY%20Video%20B.1%20Processes%20and%20Assets%20-%20Business%20processes.md)
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,20 @@
+>The description is publishable content.
+>[[ISO27DIY Script for Video n.n VideoTitle|Script for this Workshop]]
+
+# Legal, regulatory and contractual obligations
+In this video you'll learn ...
+ 
+[Clause 4.2](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties) states ...
+
+> C 4.2: interested parties relevant to the ISMS, and their requirements relevant to information security, including legal, regulatory and contractual obligations.
+> 
+> See also [ISO 31000 5.4.1](../../ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
+
+
+
+You've now covered Clause 4.2: [Understanding the needs and expectations of interested parties](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%202%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties).
+
+In the next video, ...
+[ISO27DIY Video B.1 Processes and Assets - Business processes](ISO27DIY%20Video%20B.1%20Processes%20and%20Assets%20-%20Business%20processes.md)
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,42 @@
+>The description is publishable content.
+>[[ISO27DIY Script for Video n.n VideoTitle|Script for this Workshop]]
+
+# Internal issues
+In this video you'll learn how to document the *internal* issues in your organization that have influence on the ISMS.
+
+[Clause 4.1](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%201%20Understanding%20the%20organization%20and%20its%20context) states that you must determine which external and internal issues are relevant to the goals of the organization, and the performance of the ISMS.
+
+> C 4.1: external and internal issues relevant to organizational goals and the performance of the ISMS
+> 
+>See also [ISO 31000 5.4.1](../../ISO31000-5.4.1-Understanding-the-organization-and-its-context.md):
+>
+>Examining the organization’s internal context may include, but is not limited to:
+> - vision, mission and values;
+> - governance, organizational structure, roles and accountabilities;
+> - strategy, objectives and policies;
+> - the organization’s culture;
+> - standards, guidelines and models adopted by the organization;
+>- capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
+> - data, information systems and information flows;
+> - relationships with internal stakeholders, taking into account their perceptions and values;
+> - contractual relationships and commitments;  
+> - interdependencies and interconnections.
+
+Bij de implementatie van het ISMS ook rekening houden met andere relevante projecten in de organisatie (die ook als bron van informatie kunnen dienen), zoals:
+- Een intranet-project waarvoor een content-inventarisatie heeft plaatsgevonden
+- De integratie van een HR-systeem met de AAD, zodat bij onboarding van nieuwe medewerkers automatisch rechten kunnen worden toegekend
+- Een GDPR project, waarbinnen een verwerkingsregister is opgezet en procedures zijn opgesteld voor datalekken
+- Een BI project waarvoor de informatiestromen in kaart zijn gebracht.
+ 
+....
+....
+....
+
+
+Together with the [[ISO27DIY Video A.1 Context and Scope - External issues|previous video]], you've now covered Clause 4.1: [Understanding the organization and its context](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%201%20Understanding%20the%20organization%20and%20its%20context).
+
+[Next](ISO27DIY%20Video%20A.2%20Context%20and%20Scope%20-%20Stakeholders.md), we will analyse the needs and expectations of external and internal stakeholders.
+
+
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,14 @@
+# Scope statement
+
+[Clause 4.3](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%203%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system) states ...
+
+> C 4.3: Determine the scope of the ISMS (boundaries and applicability), with consideration for 4.1, 4.2, and interfaces and dependencies with other organizations.
+> 
+> The scope shall be available as documented information.
+> 
+> See also [ISO 31000 5.4.1](../../ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
+
+
+You've now covered Clause 4.3: [Determining the scope of the ISMS](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%203%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system).
+
+In the next video, ...
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,4 @@
+## For the end of chapter N: 
+You may have noticed that I've taken a somewhat cavalier approach about some parts of the contextual analysis. Don't get me wrong, it deserves serious attention, I'm just trying to save you from getting hung up on specifics in this early phase of the project. Remember you should take an iterative approach to the ISMS. You *will* revisit these artifacts in a next cycle and be able to improve them with new insights. 
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,15 @@
+# Business processes
+
+[Clause 4.3](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%203%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system) states ...
+
+> C 4.3: Determine the scope of the ISMS (boundaries and applicability), with consideration for 4.1, 4.2, and interfaces and dependencies with other organizations.
+> 
+> The scope shall be available as documented information.
+> 
+> See also [ISO 31000 5.4.1](../../ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
+
+
+You've now PARTIALLY covered Clause 4.3: [Determining the scope of the ISMS](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%203%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system).
+
+In the next video, ...
+[ISO27DIY Video B.2 Processes and Assets - Interfaces and dependencies](ISO27DIY%20Video%20B.2%20Processes%20and%20Assets%20-%20Interfaces%20and%20dependencies.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,16 @@
+# Interfaces and dependencies
+
+[Clause 4.3](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%203%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system) states ...
+
+> C 4.3: Determine the scope of the ISMS (boundaries and applicability), with consideration for 4.1, 4.2, and interfaces and dependencies with other organizations.
+> 
+> The scope shall be available as documented information.
+> 
+> See also [ISO 31000 5.4.1](../../ISO31000-5.4.1-Understanding-the-organization-and-its-context.md)
+
+
+
+You've now PARTIALLY covered Clause 4.3: [Determining the scope of the ISMS](../ISO%2027001%202013/ISO%2027001_OT%20C%204%20Context%20of%20the%20organization.md#4%203%20Determining%20the%20scope%20of%20the%20information%20security%20management%20system).
+
+In the next video, ...
+[ISO27DIY Video A.5 Context and Scope - Scope statement](ISO27DIY%20Video%20A.5%20Context%20and%20Scope%20-%20Scope%20statement.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,7 @@
+# Asset Inventory
+
+Create an Asset Inventory
+	- Identify Information Assets
+	- Identify the impact of compromise of each asset;
+	- Classify information assets by required Confidentiality, Integrity and Availability;
+	- Label assets accordingly.
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,5 @@
+Analyse Risks and Select Treatment
+	- Identify Risks for loss of Confidentiality, Integrity and Availability
+	- Calculate Risk Scores as Probability x Impact to set priorities;
+	- Choose to Control, Transfer, Avoid or Accept the risk.
+	- Appoint risk owners;
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,64 @@
+[Introduction to the workshop series](ISO27DIY%20Workshop%200%20-%20Introduction%20to%20the%20ISO27DIY%20workshop%20series.md)
+
+Understanding ISO 27001
+
+[Preparing the implementation project](ISO27DIY%20Workshop%201%20-%20Preparing%20the%20project.md)
+
+[Project kickoff meeting](ISO27DIY%20Workshop%202%20-%20Project%20kickoff%20meeting.md)
+
+A. Context and Scope
+	1. [[ISO27DIY Video A.1 Context and Scope - External issues]]
+	2. [ISO27DIY Video A.2 Context and Scope - Stakeholders](ISO27DIY%20Video%20A.2%20Context%20and%20Scope%20-%20Stakeholders.md)
+	3. [ISO27DIY Video A.3 Context and Scope - Regulations and Contracts](ISO27DIY%20Video%20A.3%20Context%20and%20Scope%20-%20Regulations%20and%20Contracts.md)
+	4. [ISO27DIY Video A.4 Context and Scope - Internal issues](ISO27DIY%20Video%20A.4%20Context%20and%20Scope%20-%20Internal%20issues.md)
+	5. [ISO27DIY Video A.5 Context and Scope - Scope statement](ISO27DIY%20Video%20A.5%20Context%20and%20Scope%20-%20Scope%20statement.md)
+	6. [ISO27DIY Video A.6 Context and Scope - Roundup](ISO27DIY%20Video%20A.6%20Context%20and%20Scope%20-%20Roundup.md)
+
+B. Business Processes and Information Assets
+	1. [ISO27DIY Video B.1 Processes and Assets - Business processes](ISO27DIY%20Video%20B.1%20Processes%20and%20Assets%20-%20Business%20processes.md)
+	2. [ISO27DIY Video B.2 Processes and Assets - Interfaces and dependencies](ISO27DIY%20Video%20B.2%20Processes%20and%20Assets%20-%20Interfaces%20and%20dependencies.md)
+	3. [ISO27DIY Video B.3 Processes and Assets - Asset Inventory](ISO27DIY%20Video%20B.3%20Processes%20and%20Assets%20-%20Asset%20Inventory.md)
+
+C. Risks and Treatment
+	1. [ISO27DIY Video C.1 Risks and Treament - Risk Identification](ISO27DIY%20Video%20C.1%20Risks%20and%20Treament%20-%20Risk%20Identification.md)
+
+
+[[ISO27DIY Workshop 6 Controls selection | Select and Implement Controls]]
+Select and Implement Controls
+	- Identify all controls from Annex A necessary for the chosen risk treatment;
+	- Draft a 'Statement of Applicability' for the Annex A controls;
+	- Plan the implementation ('risk treatment plan').
+	- Introducing the [ISO27DIY implementation dashboard](🏺%20ISO27DIY%20Artefacts/ISO27DIY%20implementation%20dashboard.md)
+
+[[ISO27DIY Workshop 7 ISMS documentation | Document the ISMS activities]]
+Document the ISMS activities
+	- Write information security policies
+	- Record risk analyses and treatment decisions
+	- Register incidents and non-conformities
+	- Collect log files, measurements, and evaluation reports
+	- Plan implementation, evaluations, and audits.
+
+Identify or Plan Remaining Controls
+
+[[ISO27DIY Workshop 8 Management Reviews|Conduct Management Reviews]]
+Conduct Management Reviews
+	Review:
+	• Status of actions
+	• External and Internal Changes
+	• Feedback from Stakeholders
+	• Risk assessment results and Treatment plans
+	• Effectiveness of the ISMS
+	• Decisions on changes and improvements.
+
+
+[[ISO27DIY Workshop 9 Certification|Prepare for Certification]]
+Prepare for Certification
+- Internal audit - [Conducting an internal audit](../../../../../../💡Permanent%20ideas/Conducting%20an%20internal%20audit.md)
+- [ISO27DIY Workshop X - Certification](ISO27DIY%20Workshop%20X%20-%20Certification.md)
+
+
+# Previous art
+
+There's this workshop structure document for NHC clients: ![](ISO%2027001%20workshop%20onderwerpen.docx)
+
+I've made several sets of slide decks for workshops. Those for Kaliber, Nedap and Networking4AL are the most recent.
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,56 @@
+>The Workshop Overview is publishable content.
+>[Script for this Workshop](ISO27DIY%20Script%20for%20Workshop%200%20-%20Introduction%20to%20the%20ISO27DIY%20workshop%20series.md)
+
+# Introduction to the ISO27DIY workshop series
+
+## Synopsis
+
+In this workshop we will create:
+- Deliverable A, to achieve Purpose 1
+- Deliverable B, to achieve Purpose 2
+- Introduction
+- Overview of the sessions - see [ISO27DIY Videos list](ISO27DIY%20Videos%20list.md)
+- Explanation of the [ISO27DIY Implementation method](ISO27DIY%20Implementation%20method.md)
+- What can be found on the [🧰 Resource portal](🧰%20Resource%20portal.md)
+
+Workshop attendees:
+- A
+- B
+- C
+
+Facilities and materials needed for this workshop:
+- X
+- Y
+- Z
+
+## Video
+![](../../../../📎%20Attachments/YouTube-icon-small.png)
+
+Length of workshop video: .. minutes
+Estimated workshop duration: .. minutes
+
+
+## Tasks
+In the workshop, the following tasks are identified for the ISO 27001 backlog:
+
+Id | Task | Deadline | Template
+--- | --- | --- | ---
+001 | Create Deliverable A | Before next workshop | Link to template/example
+002 | Create Deliverable B | mm-dd-yy | Link to template/example
+001 | Perform Action P | mm-dd-yy | Link to template/example
+
+	
+## Deliverables
+- list of deliverables, same as last column of Task list
+
+## 2022 Controls
+*The following Annex A Controls have been addressed in this session:*
+- x
+- y
+- z
+
+# Relevant literature
+**... for finishing this session note:**
+- [ISO27DIY Target audience](ISO27DIY%20Target%20audience.md)
+- [ISO 27001 in 10 steps - Script](ISO%2027001%20in%2010%20steps%20-%20Script.md)
+- [ISO 27001 in 27000 words](ISO%2027001%20in%2027000%20words.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,63 @@
+>The Workshop Overview is publishable content.
+>[[ISO27DIY Script for Workshop X - Workshop Title|Script for this Workshop]]
+
+# Preparing the implementation project
+
+## Synopsis
+In this workshop we will create:
+- an Implementation Plan, for the project to implement the ISO 27001 system and acquire your certification;
+- a Target Operational Model, describing how the ISO 27001 Information Security Management System will be maintained in your organization;
+- a Stakeholder Presentation to sell the project to your primary stakeholders.
+
+With these documents you will be able to:
+- convince management and other stakeholders to give the go ahead and allocate time and money for implementing ISO 27001;
+- prepare the Kickoff meeting for the ISO 27001 implementation project.
+
+Workshop attendees:
+- A
+- B
+- C
+
+Facilities and materials needed for this workshop:
+- X
+- Y
+- Z
+
+
+## Workshop video
+![](../../../../📎%20Attachments/YouTube-icon-small.png)
+
+Length of workshop video: .. minutes
+Estimated workshop duration: .. minutes
+
+Media used in this video:
+- e.g. Link to Slide deck
+
+
+## Tasks
+Id | Task | Responsible | Deadline | Template
+--- | --- | --- | --- | ---
+001 | Describe the Target Operational Model | Project Lead | mm-dd-yy | [[ISO27DIY Target Operational Model for the ISMS|ISO27DIY Target Operational Model]]
+002 | Draft the ISO 27001 implementation plan | Project Lead | mm-dd-yy | [ISO 27001 Implementation Plan](🏺%20ISO27DIY%20Artefacts/ISO%2027001%20Implementation%20Plan.md)
+003 | Create ISO 27001 stakeholder presentation | Project Lead | mm-dd-yy | [ISO 27001 Stakeholder Presentation](🏺%20ISO27DIY%20Artefacts/ISO%2027001%20Stakeholder%20Presentation.md)
+004 | Get approval and funding for the implementation | Project Lead | mm-dd-yy | n/a
+005 | Organize the project kickoff meeting | Project Lead | mm-dd-yy | n/a
+
+	
+## Deliverables
+- [ISO27DIY Target Operational Model for the ISMS](🏺%20ISO27DIY%20Artefacts/ISO27DIY%20Target%20Operational%20Model%20for%20the%20ISMS.md)
+- [ISO 27001 Implementation Plan](🏺%20ISO27DIY%20Artefacts/ISO%2027001%20Implementation%20Plan.md)
+- [ISO 27001 Stakeholder Presentation](🏺%20ISO27DIY%20Artefacts/ISO%2027001%20Stakeholder%20Presentation.md)
+
+
+
+## 2022 Controls
+The following Annex A Controls have been addressed in this session:
+- x
+- y
+- z
+
+
+# Relevant literature
+**... for finishing this session note:**
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,7 @@
+Note:
+The kickoff meeting initiates the ISMS process
+
+
+
+- [ISO27DIY Kickoff Meeting agenda](🏺%20ISO27DIY%20Artefacts/ISO27DIY%20Kickoff%20Meeting%20agenda.md)
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,13 @@
+
+Before the certification audit, have an external audit. For missing spots.
+
+
+
+
+At the end of of this session, ask people to share their results because it helps improve the method. 
+
+
+
+
+Related
+[External audits](../../../../🎇%20Sparks/External%20audits.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,13 @@
+This note will describe the different membership tiers on [ISO27DIY.com](ISO27DIY.com.md).
+
+Free Tier | Paid Membership
+------------ | ------------
+Forum | Text based support
+Slide decks (PDF) | Templates and example documents
+... | Editable slide decks
+
+
+See also: 
+- [🧰 Resource portal](🧰%20Resource%20portal.md)
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,2 @@
+Will contain:
+- [ISO27DIY Additional resources](ISO27DIY%20Additional%20resources.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,8 @@
+# About Control 5.1: Policies for information security
+
+[Original Text](../../OST/27002/EN/a-5.1-Policies-for-information-security.md)
+[Plain English](../../../../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.1_PE%20Policies%20for%20information%20security.md)
+ISO 27002:2013: 05.1.1, 05.1.2
+
+
+[Brontekst](../../OST/27002/NL/a-5.1-Beleidsregels-voor-informatiebeveiliging.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,5 @@
+Start with the [](../../../../📎%20Attachments/ISO%2027001%20Implementatie%20dashboard%20Annex%20A.xlsx) as a framework.
+Every cell gets one or more corresponding [ISO27DIY Kanban board](ISO27DIY%20Kanban%20board.md) items. So they are all linked to at least one of the ISO 27001 controls or ISO 27001 clauses.
+
+Note that in this approach all [About ISO27DIY Policy Cards](../About%20ISO27DIY%20Policy%20Cards.md), [Advised Documents for ISO 27001](../../../../../../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md), and identified risks and controls will appear on the Kanban board, directly or indirectly.
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,15 @@
+- [📼 ISO27DIY Video Series](📼%20ISO27DIY%20Video%20Series.md)
+- [🧰 Resource portal](🧰%20Resource%20portal.md)
+- [💾 AuditGlue software](💾%20AuditGlue%20software.md)      
+
+- [ISO 27001 in 10 steps - Script](ISO%2027001%20in%2010%20steps%20-%20Script.md)
+
+
+- [ISO27DIY Business model](ISO27DIY%20Business%20model.md)
+- [ISO 27001 in 27000 words](ISO%2027001%20in%2027000%20words.md)
+- ISO 27001 in Plain English e-Book
+- Searchable Standards Database
+- [[List of ISO 27001 articles per Session]]
+
+related:
+- [ISO27DIY Additional resources](ISO27DIY%20Additional%20resources.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,40 @@
+	- [[Assembling a Project Team]]
+
+Skeleton project plan contents:
+		- [ISO 27001 benefits](../ISO%2027001%20benefits.md)
+		- [ISO27DIY benefits](../../../../../🎇%20Sparks/ISO27DIY%20benefits.md)
+
+
+## Benefits
+Benefits of ISO 27001 certification are:  
+	
+	1) Easier sales of your product/service in B2B markets 💶
+	
+	2) Raises #infosec maturity from incident driven to continual improvement 📈
+	
+	3) Increases #CyberResilience 🦾
+	
+	4) Improves accountability and responsibility 🕊️
+
+	- Collect quotes from internal and external stakeholders
+
+	- Collect examples from your customer’s vendor selection questionnaires
+
+## Costs
+
+	- Hours
+
+		- Identify implementation team
+
+	- Out of pocket costs
+
+		- Certification
+
+	- Investments
+
+		- GRC Tooling
+
+	- Operational costs
+
+		Costs for maintaining compliance, not for the implementing and operating the security controls themselves, because that would bring the whole security budget into your project.
+See [ISO27DIY Target Operational Model for the ISMS](ISO27DIY%20Target%20Operational%20Model%20for%20the%20ISMS.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,10 @@
+- explain ISO 27001
+- outline [TOM](ISO27DIY%20Target%20Operational%20Model%20for%20the%20ISMS.md)
+- outline [project](ISO%2027001%20Implementation%20Plan.md)
+
+
+
+## Related:
+- [ISO 27001 benefits](../ISO%2027001%20benefits.md)
+- [ISO27DIY benefits](../../../../../🎇%20Sparks/ISO27DIY%20benefits.md)
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,16 @@
+
+# Kickoff meeting agenda
+- Outline the project
+- Cost and benefits
+
+- Discuss worries, hopes, risks, expected benefits, etc.
+	- Risks and Possibilities (see the Standard) and how to deal with them
+
+- Identify project team Roles and Responsibilities
+
+	Establish the Information Security Team
+	Have regular team meetings
+	Iterate through the risk mgt process to achieve continuous improvement.
+
+
+- Document the meeting
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,14 @@
+TOM: "What does running an ISO compliant ISMS look like, organization wise?"
+
+See: [Target Operational Model](../../../../../📚️%20Literature%20notes/Target%20Operational%20Model.md) 
+
+- What's expected of senior management on board: 
+		- Show leadership and commitment
+		- Set information security objectives
+		- Implement information security policies
+		- Define roles and responsibilities
+		- Provide resources and support
+		- Consider requesting certification
+	- [Organizing Cybersecurity](../../../../../🎇%20Sparks/Organizing%20Cybersecurity.md)
+
+- [Target Operational Model](../../../../../📚️%20Literature%20notes/Target%20Operational%20Model.md)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,6 @@
+The purpose of the Implementation Dashboard is to get an overview of progress and gaps and make auditing easier.
+
+See this:
+- [example Excel sheet (NL version)](../../../../../📎%20Attachments/ISO%2027001%20Implementatie%20dashboard%20Annex%20A.xlsx)
+- [example Excel sheet (EN version)](ISO%2027001-2013%20Implementation%20Dashboard.xlsx)
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,14 @@
+Pivoting away from 'guided implementation management' to:
+> AuditGlue: a place to create and collect all the necessary documentation to get your ISO 27001 certification. 
+
+
+
+Related:
+- [Three user modes for AuditGlue](../../../../💡Drafts%20and%20Ideas/Three%20user%20modes%20for%20AuditGlue.md)
+- [Distributed usage of AuditGlue](../../../../../../💡Permanent%20ideas/Distributed%20usage%20of%20AuditGlue.md)
+- [Modules, Screens and Content](../../../../💡Drafts%20and%20Ideas/Modules,%20Screens%20and%20Content.md)
+- [AuditGlue ERD](../AuditGlue%20ERD.md)
+- [AuditGlue Business model](../AuditGlue%20Business%20model.md)
+
+
+To ensure the security of the AuditGlue product, we may use the [Minimum Viable Secure Product checklist](https://mvsp.dev/mvsp.en/index.html)
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,31 @@
+## Maatregel nr + Titel
+NORM:JAAR [[link naar brontekst]]
+
+#### Wat
+Beschrijving van de beheersmaatrege;l
+
+#### Waarom
+Doel van de maatregel
+
+#### Hoe
+- Lijst van uit te voeren activiteiten
+
+##### Sub van Hoe
+Eisen aan de structuur en inhoud van artefacten, en andere aanwijzingen.
+
+#### Overige informatie
+- lijst
+
+#### Bewijs
+Auditors kijken naar bewijzen van de implementatie van het proces. Dit kan bijvoorbeeld de volgende vorm aannemen:
+
+| Omschrijving van bewijs | ISO27DIY artefact |
+| ----------------------- | ----------------- |
+| Omschrijving 1          | Artefact 1        |
+
+#### Gerelateerd
+Naar deze maatregel wordt verwezen in:
+- [ ] Andere beheersmaatregelen binnen dezelfde norm die verwijzen naar deze maatregel
+
+Andere gerelateerde ISO 27x beheersmaatregelen:
+- [ ] Gerelateerde ISO 27x beheersmaatregelen die *niet* letterlijk in de brontekst genoemd worden.
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,38 @@
+[Source text](../../../../../🎇%20Sparks/Source%20text.md)
+
+## Control ID + Title
+
+#### What
+Control description
+
+#### Why
+Control purpose
+
+#### How
+- List of activities to be performed
+
+
+##### Sub of How
+Requirements for the structure and content of artefects, and other guidance.
+
+#### Other information
+- list
+
+#### Proof
+Auditors will look for proof of process implementation. This may take the form of:
+
+Description of proof | ISO27DIY artefact
+-------------------- | -----------------
+Description 1        | Artefact 1
+
+
+#### Related
+This control is referred to in:
+- [ ] Other controls within the same standard that literally mention this control
+
+Related ISO 27x controls:
+- [ ] Related ISO 27x controls that are not mentioned literally in the source text.
+
+Related 2013 version controls:
+- [ ] Related 2013 version controls according to the ISO 27002 2022 Index [[ISO 27002 2022 to 2013 Conversion table]]
+- [ ] Implicitly related 2013 version controls
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,73 @@
+Related to:
+- [ISO27DIY Risk Analysis Card template](../ISO27DIY%20Risk%20Analysis%20Card%20template.md)
+- [Policy Card Example for Access to Software Applications](../../../../../../AuditGlue/Policy%20Card%20Example%20for%20Access%20to%20Software%20Applications.md)
+
+*Note: onder NIS2 moeten managers ook de "gevolgen van cyberveiligheidsmaatregelen voor hun organisatie" kunnen beoordelen.*
+
+>Format for Policy Card note-tile: ISO27DIY Policy for xxx
+
+## Version Control
+
+| Type            | Value |
+| --------------- | ----- |
+| Version number: | x.xx  |
+| Version date:   | x.xx  |
+| Document owner: | name  |
+| Approved by:    | name  |
+| Approved on:    | date  |
+| Next review:    | date  |
+
+The Document Owner is responsible for development and implementation of the policy.
+
+- [ ] Check Standard on documentation and ownership
+- [ ] Check 'responsible' vs. 'accountable' / [Responsibility assignment matrices](../../../../../📚️%20Literature%20notes/Responsibility%20assignment%20matrices.md)
+
+## Policy subject
+
+> 
+
+## Relevant ISO 27001 topics
+## Goal
+>described in terms of risk mitigation
+
+## Description
+>To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S. 
+
+Note: also the Annex A category of controls: technical, human, organizational, physical ...
+## Scope
+>E.g. organization as a whole vs. topic-specific: certain business activities, organizational units, or the implementation of specific controls.
+>Also define Exemptions and Exceptions.
+
+## Associated Risks
+
+## Tags
+>- Addressed ISO 27001 controls & clauses.
+>- Phase 
+
+## Responsibilities
+For writing the policy 
+For implementing the policy (Control Owner)
+
+## Measuring and monitoring
+How / Who / When
+Documented in -> location/document
+
+## Evaluation
+- How
+- By whom
+- When ("at planned intervals or if significant changes occur": review frequency)
+
+Documented in -> location/document
+
+## Change procedure
+incl getting approval
+
+## Related policies
+- x
+- y
+
+## Approved
+Name: | name
+--- | ---
+Signature: | signature
+Date: | date
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,76 @@
+Filename format: `ISO27DIY Video n.n ChapterTitle - VideoTitle`
+
+>The description is publishable content.
+>[[ISO27DIY Script for Video n.n VideoTitle|Script for this Workshop]]
+
+# Title
+
+> In this video you'll learn ...
+
+
+## Synopsis
+
+In this workshop we will create:
+> - Deliverable A, which is ...;
+> - Deliverable B, which is ...;
+> - etc.
+
+With these documents you will be able to:
+> - achieve Purpose 1;
+> - achieve Purpose 2.
+
+Workshop attendees:
+> - A
+> - B
+> - C
+
+Needed for this workshop:
+> Facilities
+> Materials
+> Resources
+> Existing documentation
+
+## Workshop video
+![](../../../../../📎%20Attachments/YouTube-icon-small.png)
+
+Length of workshop video: .. minutes
+Estimated workshop duration: .. minutes
+
+Media used in this video:
+> e.g. Link to Slide deck
+
+## Tasks
+In the workshop, the following tasks are identified for the ISO 27001 backlog:
+
+Id | Task | Deadline | Template
+--- | --- | --- | ---
+001 | Create Deliverable A | Before next workshop | Link to template/example
+002 | Create Deliverable B | mm-dd-yy | Link to template/example
+001 | Perform Action P | mm-dd-yy | Link to template/example
+
+	
+## Deliverables
+> list of deliverables, same as last column of Task list
+
+## ISO 27001 requirements addressed
+In this workshop, the following ISO 27001 requirements have been addressed:
+
+Clauses (chapters 4-10):
+>- C.x
+> - C.y
+> - C.z
+
+Controls (Annex A, 2022 version):
+> A.x
+> A.y
+> A.z
+
+
+# Relevant literature
+> **... for finishing this session note:**
+> - link to note
+> - link to note
+
+
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,72 @@
+Filename format: `ISO27DIY Workshop X - Workshop Title`
+
+>The Workshop Overview is publishable content.
+>[[ISO27DIY Script for Workshop X - Workshop Title|Script for this Workshop]]
+
+# Title
+## Synopsis
+
+In this workshop we will create:
+> - Deliverable A, which is ...;
+> - Deliverable B, which is ...;
+> - etc.
+
+With these documents you will be able to:
+> - achieve Purpose 1;
+> - achieve Purpose 2.
+
+Workshop attendees:
+> - A
+> - B
+> - C
+
+Needed for this workshop:
+> Facilities
+> Materials
+> Resources
+> Existing documentation
+
+## Workshop video
+![](../../../../../📎%20Attachments/YouTube-icon-small.png)
+
+Length of workshop video: .. minutes
+Estimated workshop duration: .. minutes
+
+Media used in this video:
+> e.g. Link to Slide deck
+
+## Tasks
+In the workshop, the following tasks are identified for the ISO 27001 backlog:
+
+Id | Task | Deadline | Template
+--- | --- | --- | ---
+001 | Create Deliverable A | Before next workshop | Link to template/example
+002 | Create Deliverable B | mm-dd-yy | Link to template/example
+001 | Perform Action P | mm-dd-yy | Link to template/example
+
+	
+## Deliverables
+> list of deliverables, same as last column of Task list
+
+## ISO 27001 requirements addressed
+In this workshop, the following ISO 27001 requirements have been addressed:
+
+Clauses (chapters 4-10):
+>- C.x
+> - C.y
+> - C.z
+
+Controls (Annex A, 2022 version):
+> A.x
+> A.y
+> A.z
+
+
+# Relevant literature
+> **... for finishing this session note:**
+> - link to note
+> - link to note
+
+
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,14 @@
+Filename format: `ISO27DIY Script for Workshop X - Workshop Title`
+
+>A step-by-step for creating the Deliverables (i.e. Artifacts)
+
+# Title
+
+- Welcome to this Session
+- Synopsis
+- Section 1: Creating Deliverable A
+- Section 2: Creating Deliverable B
+- Section 3: How to perform Action P
+- Resume
+- Action list
+- Next session
--- a/Templates/ISO_27002_NL_Template_Attribuuttabel.md
+++ b/Templates/ISO_27002_NL_Template_Attribuuttabel.md
@ -0,0 +1,9 @@
+
+| Attribuut                            | Waarde |
+| :----------------------------------- | :----- |
+| Type beheersmaatregel:               |        |
+| Informatiebeveiligingseigenschappen: |        |
+| Cybersecurityconcepten:              |        |
+| Operationele capaciteiten:           |        |
+| Beveiligingsdomeinen:                |        |
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,7 @@
+
+| **Activiteit**            | Wk01 | Wk02 | Wk03 | Wk04 | Wk05 | Wk06 | Wk07 | Wk08 | Wk09 | Wk10 | Wk11 | Wk12 | Wk13 | Wk14 | Wk15 | Wk16 | Wk17 | Wk18 | Wk19 | Wk20 |
+| ------------------------- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- |
+| **Beschrijving**          |      |      |      |      |      |      |      |      |      |      |      |      |      |      |      |      |      |      |      |      |
+
+
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,4 @@
+- [ISO27DIY Implementation method](ISO27DIY%20Implementation%20method.md)
+- [ISO27DIY Videos list](ISO27DIY%20Videos%20list.md)
+- [ISO27DIY Workshop Overview template](📒%20Templates/ISO27DIY%20Workshop%20Overview%20template.md)
+
--- a/Corpus/Standards/ISO27x/legacy/iso27DIY
+++ b/Corpus/Standards/ISO27x/legacy/iso27DIY
@ -0,0 +1,17 @@
+*This is for the technical side of things. For the content, see [ISO27DIY Additional resources](ISO27DIY%20Additional%20resources.md)*
+
+Current stack:
+- Website [ISO27DIY.com](ISO27DIY.com.md), hosted on carrd.co, domain hosted by Hover.com
+- Mail hello@iso27diy.com, hosted by Hover.com -> change to richard@
+- Twitter ISO27DIY, DOB October 11, 1999, registered with hello @iso27diy.com
+- Revue for newsletters -> personalize 
+- Gumroad for Paid membership site
+- Airtable for ISO 27x in Plain English database
+
+Additions to be considered:
+- Support desk en Community Forum: JoinSecret.com geeft credits voor 6 maanden gratis Zendesk: https://www.joinsecret.com/offers/zendesk-coupon-2379
+- Calendly-like solution for making appointments
+
+How to's and other resources for using these platforms:
+- https://www.makerpad.co/tutorial/how-to-create-a-membership-community-using-gumroad
+- Scott Hemeter published a CRM database to the Airtable Universe, which seems to be free to copy. https://www.airtable.com/universe/expgN0YhrOxu9Nupm/crm-template-smb. He has published about this on his blog: https://scotthemmeter.com/tag/crm-template/. Scott is open to communications about this.