Initial commit

AuditGlue/AuditGlue Workflows.md

@@ -0,0 +1,43 @@
+# AuditGlue Workflows
+
+## Volgen van een Session
+
+- gebruiker klikt uit het Sessions-menu een les aan
+- gebruiker kan een Reference-link aanklikken voor achtergrondinformatie/ voorbeelden, een modal opent
+- een Sessie kan 0 of 1 taak hebben.
+- de taak kan bestaan uit het invoeren van waarden (tekst) of het uploaden van een document.
+- Zie voor nader uitleg over het Werken met Taken hieronder.
+
+## Re-visiting a Session
+
+- gebruiker klikt uit het Sessions-menu een les aan
+- als er al eerder waarden (tekst) is ingevoerd, of al eerder een document geüpload is, wordt dit uit de database opgehaald en kan de gebruiker wijzigingen aanbrengen (cq. een nieuwe versie van het document uploaden)
+
+## Triggering an Automation
+
+- Een Automation is een ondersteunende tool bij een Task – bijv. het genereren van een ‘Acceptable Use Policy’.
+- De Automation wordt in de AuditGlue UI getoond als een Start-button met een omschrijving/verklaring van wat de Automation doet.
+- De Start-button triggert een workflow in n8n.
+- In AuditGlue is een indicatie ‘Working …’ te zien.
+- De workflow doet typisch het volgende:
+- - er wordt input opgehaald vanuit de database (*).
+    - deze input wordt samen met een prompt naar een LLM gestuurd.
+    - het resultaat wordt als document opgeslagen in de database (formaat ntb, de gebruiker moet de content kunnen wijzigen)
+- In AuditGlue is een knop ‘Edit Result’ te zien.
+- De gebruiker kan de tekst indien gewenst aanpassen (en opslaan)
+- De gebruiker kan de taak (waarvan de Automation een onderdeel is) markeren als Completed
+
+(*) Er zitten hier dus afhankelijkheden en configuratie-uitdagingen:
+
+- de input voor een Automation bestaat uit de resultaten van eerder uitgevoerde taken
+- die taken moeten als ‘Completed’ gemarkeerd zijn
+- er moet ergens gedefinieerd zijn welke input nodig is voor een Automation
+- er moet ergens een prompt gedefinieerd zijn
+
+## Werken met Taken
+
+Een taak heeft één van de volgende 4 statussen:
+1. Status Backlog: de taak moet nog uitgevoerd worden, maar niet nu.
+2. Status ToDo: de gebruiker heeft de taak toegevoegd aan haar persoonlijke werklijst – de taak is zichtbaar in de sidebar als een 'To Do'.
+3. Status Done: de gebruiker vindt de taak voldoende afgerond om verder mee te gaan – deze status is de vereiste voor `automation_depends_on`.
+4. Status Finalized: de taak is 'ready for audit' – deze status wordt gebruikt in een (nog te ontwerpen) voortgangsoverzicht waarop de gebruiker kan zien in hoeverre zij klaar is voor de audit.

AuditGlue/Conceptual ERD.md

@@ -0,0 +1,19 @@
+# Conceptual ERD
+
+
+```mermaid
+erDiagram
+    Session ||--o| Task : "has 0..1"
+    Session }o--o{ NormArticle : "has 0..n"
+    Task ||--o| FormValues : "has 0..1"
+    Task ||--o| Document : "has 0..1"
+    Document }o--o{ NormArticle : "references n..n"
+    Document ||--|{ DocVersion : "has 1..n"
+```
+- A Session can cover zero or more NormArticles
+- A Session can have one or zero tasks to complete
+- The Task can be to fill in one or more values in a Form. The values are stored for later retrieval.
+- The Task can be to upload a Document. The Document is stored for later retrieval.
+- If a new version of a Document is uploaded, a new DocVersion is created.
+- A Document is **proof for** one or more NormArticles (ISO 27001 Controls or Chapters)
+- A NormArticle is **proven by** one or more documents

AuditGlue/GIS-content-map.md

@@ -0,0 +1,74 @@
+# GIS Content Map
+
+- **m100: Implementing with ISO27DIY**
+	- [[m100s010-Modules-and-Sessions|m100s010]]: Modules and Sessions
+	- [[m100s020-about-AuditGlue|m100s020]]: About AuditGlue
+- **m200: About ISO 27001**
+	- [[m200s010-about-ISO27001|m200s010]]: About ISO 27001
+- **m300: Strategy, Risks and Leadership**
+	- [[m300s010-introduction|m300s010]]: Introduction to Strategy, Risks and Leadership
+	- [[m310s010-organizational-goals|m310s010]]: Organizational Goals
+	- [[m310s020-threat-landscape|m310s020]]: The Threat Landscape
+	- [[m310s030-Identifying-Strategic-Risks|m310s030]]: Identifying Strategic Risks
+	- [[m310s040-qualifying-risks|m310s040]]: Qualifying Risks
+	- [[m310s050-qualifying-impact|m310s050]]: Qualifying Impact
+	- [[m310s060-creating-the-risk-matrix|m310s060]]: Creating the Risk Matrix
+	- [[m310s070-Governance-model|m310s070]]: Governance model
+	- m310s080: Information Security Policy ([[ISO_27001_2022_5.2_MoC Policy|C5.2]])
+- **m400: Context of the Organization** 
+	- [[m400s010-introduction|m400s010]]: Introduction: Why Context Matters
+	- m400s020: Standards, Laws and Regulations  ([[ISO_27001_2022_4.2_MoC Understanding the needs and expectations of interested parties|C4.2]], [[ISO_27002_2022_5.31_MoC Legal, statutory, regulatory and contractual requirements|A5.31]], [[ISO_27002_2022_5.34_MoC Privacy and protection of PII|A5.34]])
+	- m400s030: [[iso27diy-git-SYNC!/m300/m300s520-DESTEP-analysis|m300s520]]: **DESTEP analysis**  ([[ISO_27001_2022_4.2_MoC Understanding the needs and expectations of interested parties|C4.2]])
+	- m400s040: [[iso27diy-m300s510|m300s510]]:  **SWOT analysis** ([[ISO_27001_2022_4.1_MoC Understanding the organization and its context|C4.1]])
+	- m400s050: Stakeholder Analysis ([[ISO_27001_2022_4.2_MoC Understanding the needs and expectations of interested parties|C4.2]])
+	- **m410:Organizational Structures**
+		- [[Introduction for Organizational Structures]]
+		- Organizational processes ([[ISO_27001_2022_4.1_MoC Understanding the organization and its context|C4.1]])
+		- Organization Chart ([[ISO_27001_2022_4.1_MoC Understanding the organization and its context|C4.1]])
+		- Job architecture ([[ISO_27001_2022_4.1_MoC Understanding the organization and its context|C4.1]])
+		- Physical context (sites, buildings, areas) ([[ISO_27002_2022_7.1_MoC Physical security perimeters|A7.1]])
+		- Asset identification ([[ISO_27002_2022_5.9_MoC Inventory of information and other associated assets|A5.9]], [[ISO_27002_2022_5.32_MoC Intellectual property rights|A5.32]])
+	- **420: Planning the Implementation**
+		- [[m300s120-Setting-ISMS-Objectives|m300s120]]: Setting ISMS Objectives
+		- [[iso27diy-git-SYNC!/m300/m300s200-scope|m300s200]]: Setting the Scope
+		- Planning the ISMS implementation ([[ISO_27001_2022_6.1.1_MoC General|C6.1.1]])
+- **m500: Risks and Measures**
+	- Risk identification ([[ISO_27001_2022_6.1.2_MoC Information security risk assessment|C6.1.2]])
+	- Risk analysis ([[ISO_27001_2022_6.1.2_MoC Information security risk assessment|C6.1.2]])
+	- Data classification ([[ISO_27002_2022_5.12_MoC Classification of information|A5.12]])
+	- Technical vulnerabilities Test ([[ISO_27002_2022_8.8_MoC Management of technical vulnerabilities|A8.8]])
+	- Threat analysis (technical) ([[ISO_27001_2022_6.1.2_MoC Information security risk assessment|C6.1.2]], [[ISO_27002_2022_5.7_MoC Threat intelligence|A5.7]], [[ISO_27002_2022_5.6_MoC Contact with special interest groups|A5.6]])
+	- Controls identification ([[ISO_27001_2022_6.1.3_MoC Information security risk treatment|C6.1.3]])
+	- Roles and responsibilities ([[ISO_27001_2022_5.2_MoC Policy|C5.2]], [[ISO_27001_2022_5.3_MoC Organizational roles, responsibilities and authorities|C5.3]], [[ISO_27002_2022_5.4_MoC Management responsibilities|A5.4]], [[ISO_27002_2022_5.3_MoC Segregation of duties|A5.3]], [[ISO_27002_2022_5.5_MoC Contact with authorities|A5.5]]) – see [[m400-more-governance]]
+	- Planning Controls implementation ([[ISO_27001_2022_8.1_MoC Operational planning and control|C8.1]])
+	- Risk Management ([[ISO_27001_2022_8.1_MoC Operational planning and control|C8.1]], [[ISO_27001_2022_8.2_MoC Information security risk assessment|C8.2]], [[ISO_27001_2022_8.3_MoC Information security risk treatment|C8.3]], [[ISO_27001_2022_10.1_MoC Continual improvement|C10.1]])
+	- Controls implementation ([[ISO_27001_2022_8.3_MoC Information security risk treatment|C8.3]])
+- **m600: Supporting the ISMS**
+	- Resources ([[ISO_27001_2022_7.1_MoC Resources|C7.1]]) 
+	- Competencies ([[ISO_27001_2022_7.2_MoC Competence|C7.2]])
+	- Documentation ([[ISO_27002_2022_5.33_MoC Protection of records|A5.33]], [[ISO_27001_2022_7.5.2_MoC Creating and updating|C7.5.2]])
+	- Policies ([[ISO_27002_2022_5.1_MoC Policies for information security|A5.1]])
+	- Review calendar ([[ISO_27002_2022_5.35_MoC Independent review of information security|A5.35]], [[ISO_27001_2022_7.5.2_MoC Creating and updating|C7.5.2]])
+	- Communication and Awareness ([[ISO_27001_2022_7.3_MoC Awareness|C7.3]], [[ISO_27001_2022_7.4_MoC Communication|C7.4]])
+- **m700: Securing the Business**
+	- m710: Business Continuity
+		- Incident management ([[ISO_27002_2022_5.24_MoC Information security incident management planning and preparation|A5.24]], [[ISO_27002_2022_5.25_MoC Assessment and decision on information security events|A5.25]], [[ISO_27002_2022_5.26_MoC Response to information security incidents|A5.26]], [[ISO_27002_2022_5.27_MoC Learning from information security incidents|A5.27]], [[ISO_27002_2022_5.28_MoC Collection of evidence|A5.28]], [[ISO_27002_2022_5.29_MoC Information security during disruption|A5.29]], [[ISO_27002_2022_5.5_MoC Contact with authorities|A5.5]], [[ISO_27002_2022_5.6_MoC Contact with special interest groups|A5.6]])
+		- Business Impact Analyses ([[ISO_27002_2022_5.29_MoC Information security during disruption|A5.29]], [[ISO_27002_2022_5.30_MoC ICT readiness for business continuity|A5.30]])
+		- Business Continuity Planning ([[ISO_27002_2022_5.29_MoC Information security during disruption|A5.29]], [[ISO_27002_2022_5.30_MoC ICT readiness for business continuity|A5.30]], [[ISO_27002_2022_7.11_MoC Supporting utilities|A7.11]], [[ISO_27002_2022_5.5_MoC Contact with authorities|A5.5]])
+	- m720: People Processes
+		- HR Policies ([[ISO_27002_2022_6.1_MoC Screening|A6.1]], [[ISO_27002_2022_6.2_MoC Terms and conditions of employment|A6.2]], [[ISO_27002_2022_6.3_MoC Information security awareness, education and training|A6.3]], [[ISO_27002_2022_6.4_MoC Disciplinary process|A6.4]], [[ISO_27002_2022_6.5_MoC Responsibilities after termination or change of employment|A6.5]], [[ISO_27002_2022_6.6_MoC Confidentiality or non-disclosure agreements|A6.6]])
+		- User policies ([[ISO_27002_2022_5.10_MoC Acceptable use of information and other associated assets|A5.10]], [[ISO_27002_2022_5.11_MoC Return of assets|A5.11]], [[ISO_27002_2022_5.12_MoC Classification of information|A5.12]], [[ISO_27002_2022_5.13_MoC Labelling of information|A5.13]], [[ISO_27002_2022_5.14_MoC Information transfer|A5.14]], [[ISO_27002_2022_5.37_MoC Documented operating procedures|A5.37]], [[ISO_27002_2022_6.7_MoC Remote working|A6.7]], [[ISO_27002_2022_6.8_MoC Information security event reporting|A6.8]], [[ISO_27002_2022_7.7_MoC Clear desk and clear screen|A7.7]], [[ISO_27002_2022_8.24_MoC Use of cryptography|A8.24]])
+		- Training ([[ISO_27002_2022_6.3_MoC Information security awareness, education and training|A6.3]])
+	- 730: Technology processes
+		- Access Control ([[ISO_27002_2022_5.15_MoC Access control|A5.15]], [[ISO_27002_2022_5.16_MoC Identity management|A5.16]], [[ISO_27002_2022_5.17_MoC Authentication information|A5.17]], [[ISO_27002_2022_5.18_MoC Access rights|A5.18]], [[ISO_27002_2022_8.2_MoC Privileged access rights|A8.2]], [[ISO_27002_2022_8.3_MoC Information access restriction|A8.3]], [[ISO_27002_2022_8.4_MoC Access to source code|A8.4]], [[ISO_27002_2022_8.5_MoC Secure authentication|A8.5]])
+		- Technologies lifecycle ([[ISO_27002_2022_5.8_MoC Information security in project management|A5.8]], [[ISO_27002_2022_5.23_MoC Information security for use of cloud services|A5.23]], [[ISO_27002_2022_8.26_MoC Application security requirements|A8.26]], [[ISO_27002_2022_8.27_MoC Secure system architecture and engineering principles|A8.27]], [[ISO_27002_2022_8.28_MoC Secure coding|A8.28]], [[ISO_27002_2022_8.29_MoC Security testing in development and acceptance|A8.29]], [[ISO_27002_2022_8.30_MoC Outsourced development|A8.30]], [[ISO_27002_2022_8.31_MoC Separation of development, test and production environments|A8.31]], [[ISO_27002_2022_8.32_MoC Change management|A8.32]], [[ISO_27002_2022_8.33_MoC Test information|A8.33]], [[ISO_27002_2022_7.13_MoC Equipment maintenance|A7.13]], [[ISO_27002_2022_7.14_MoC Secure disposal or re-use of equipment|A7.14]], [[ISO_27002_2022_8.6_MoC Capacity management|A8.6]])
+		- Vendor management ([[ISO_27002_2022_5.19_MoC Information security in supplier relationships|A5.19]], [[ISO_27002_2022_5.20_MoC Addressing information security within supplier agreements|A5.20]], [[ISO_27002_2022_5.21_MoC Managing information security in the ICT supply chain|A5.21]], [[ISO_27002_2022_5.22_MoC Monitoring, review and change management of supplier services|A5.22]], [[ISO_27002_2022_5.23_MoC Information security for use of cloud services|A5.23]], [[ISO_27002_2022_8.29_MoC Security testing in development and acceptance|A8.29]])
+		- Device management ([[ISO_27002_2022_7.9_MoC Security of assets off-premises|A7.9]], [[ISO_27002_2022_7.10_MoC Storage media|A7.10]], [[ISO_27002_2022_8.1_MoC User endpoint devices|A8.1]], [[ISO_27002_2022_8.7_MoC Protection against malware|A8.7]])
+		- IT administration ([[ISO_27002_2022_8.7_MoC Protection against malware|A8.7]], [[ISO_27002_2022_8.8_MoC Management of technical vulnerabilities|A8.8]], [[ISO_27002_2022_8.9_MoC Configuration management|A8.9]], [[ISO_27002_2022_8.10_MoC Information deletion|A8.10]], [[ISO_27002_2022_8.11_MoC Data masking|A8.11]], [[ISO_27002_2022_8.12_MoC Data leakage prevention|A8.12]], [[ISO_27002_2022_8.13_MoC Information backup|A8.13]], [[ISO_27002_2022_8.14_MoC Redundancy of information processing facilities|A8.14]], [[ISO_27002_2022_8.15_MoC Logging|A8.15]], [[ISO_27002_2022_8.16_MoC Monitoring activities|A8.16]], [[ISO_27002_2022_8.17_MoC Clock synchronization|A8.17]], [[ISO_27002_2022_8.18_MoC Use of privileged utility programs|A8.18]], [[ISO_27002_2022_8.19_MoC Installation of software on operational systems|A8.19]], [[ISO_27002_2022_8.20_MoC Networks security|A8.20]], [[ISO_27002_2022_8.21_MoC Security of network services|A8.21]], [[ISO_27002_2022_8.22_MoC Segregation of networks|A8.22]], [[ISO_27002_2022_8.23_MoC Web filtering|A8.23]], [[ISO_27002_2022_8.24_MoC Use of cryptography|A8.24]], [[ISO_27002_2022_8.25_MoC Secure development life cycle|A8.25]], [[ISO_27002_2022_8.26_MoC Application security requirements|A8.26]], [[ISO_27002_2022_8.27_MoC Secure system architecture and engineering principles|A8.27]], [[ISO_27002_2022_8.28_MoC Secure coding|A8.28]], [[ISO_27002_2022_8.29_MoC Security testing in development and acceptance|A8.29]], [[ISO_27002_2022_8.30_MoC Outsourced development|A8.30]], [[ISO_27002_2022_8.31_MoC Separation of development, test and production environments|A8.31]], [[ISO_27002_2022_8.32_MoC Change management|A8.32]], [[ISO_27002_2022_8.33_MoC Test information|A8.33]], [[ISO_27002_2022_8.34_MoC Protection of information systems during audit testing|A8.34]], [[ISO_27002_2022_5.6_MoC Contact with special interest groups|A5.6]]) 
+		- Physical security ([[ISO_27002_2022_7.1_MoC Physical security perimeters|A7.1]], [[ISO_27002_2022_7.2_MoC Physical entry|A7.2]], [[ISO_27002_2022_7.3_MoC Securing offices, rooms and facilities|A7.3]], [[ISO_27002_2022_7.4_MoC Physical security monitoring|A7.4]], [[ISO_27002_2022_7.5_MoC Protecting against physical and environmental threats|A7.5]], [[ISO_27002_2022_7.6_MoC Working in secure areas|A7.6]], [[ISO_27002_2022_7.7_MoC Clear desk and clear screen|A7.7]], [[ISO_27002_2022_7.8_MoC Equipment siting and protection|A7.8]], [[ISO_27002_2022_7.12_MoC Cabling security|A7.12]])
+- **800: Evaluate and Improve** ([[ISO_27001_2022_9_MoC Performance evaluation|C9]], [[ISO_27001_2022_10_MoC Improvement|C10]])
+	- Audits and Reviews ([[ISO_27001_2022_9.2_MoC Internal audit|C9.2]], [[ISO_27002_2022_5.35_MoC Independent review of information security|A5.35]], [[ISO_27002_2022_5.36_MoC Compliance with policies, rules and standards for information security|A5.36]])
+	- Management Reviews ([[ISO_27001_2022_9.3_MoC Management review|C9.3]])
+	- Planning of Changes ([[ISO_27001_2022_6.3_MoC Planning of changes|C6.3]])
+- **900: ISO 27001 Audits**
+	- Afwijkingen en Correcties ([[ISO_27001_2022_10.1_MoC Continual improvement|C10.1]])

AuditGlue/PRD Product Requirements Document for iso27DYI.md

@@ -0,0 +1,96 @@
+---
+tags:
+  - iso27DIY
+  - design
+---
+
+# iso27DYI Product Requirements Document (PRD)
+
+## Product
+iso27DYI is a web application that offers guided application of the ISO 27001 framework.
+The purpose of the system is to guide the ‘Client’ in the implementation of an ISO 27001 compliant Information Security Management System (ISMS), and store all the proofs of implementation, so that the Client can pass the ISO 27001 certification audit successfully. 
+
+### Design Guidelines
+The goal is to build a fully functioning system as described below. We will start with a MVP release and expand and refine on that. The functionality of the MVP release has not been defined yet, neither has the release planning of road map.
+
+Pointers:
+- iso27DIY assumes the user has no a priori knowledge of cybersecurity management or ISMS's
+- iso27DIY guides the client in what to identify, assess and produce, how to do it, and in what order
+- iso27DYI's guidance will feel like a smartwatch fitness coach, rather than having the user walking down checklists
+- iso27DIY provides best practice examples and generates compliant content based on the user's input
+- iso27DYI will help the client with building the necessary capabilities to maintain the ISMS within his own organization
+- the content will be organized in Modules, with each module consisting of one or more Sessions
+- the route through the modules is incremental rather that linear (though there are information-dependencies between the modules) – artefacts will be expanded as needed, to facilitate the integration of the ISO 27001 framework in the client's business and management processes (example: incremental RASCI matrix).
+ 
+### Client and User
+The Client is typically an SME, with no dedicated compliance officer and little knowledge of information security management and the ISO 27001 standard. 
+The ‘User’ is the person made responsible for implementing the ISO 27001 standard within the SME. He or she is typically employed as the ‘IT Manager’ or COO. 
+
+### Some words about the ISO 27001 standard
+The ISO 27001 consists of a prescribed process for managing security risks (the ‘Management System‘), and a number of risk mitigating measures (‘Controls’) that must be implemented to mitigate those risks. 
+According to the ISO 27001, the structure of the management process and its constituent steps, must be described as ‘Policies’. 
+The implementation of the Controls must also be described in Policies. 
+Furthermore, the ISO 27001 requires Proof of implementation. This can take the form of policies, guidelines, manuals, logs, minutes, plans, reports, classifications, etc. 
+There must be evidence of a PDCA cycle being continuously applied to the management system and it’s controls.
+
+## The iso27DYI system 
+The system contains of three main parts: the Guided Implementation System (GIS) that helps the user to identify, collect and create the Proofs of implementation of the ISMS and its controls, the GRC tool (called ‘AuditGlue’) to store and manage these Proofs, and the Knowledge Base, which supports the identification and generation of Proofs. 
+
+### Guided Implementation System
+The GIS (Guided Implementation System) takes a User step by step through the implementation of the ISO 27001 management process and its accompanying controls. The implementation is divided into several ‘Modules’, each consisting of several ‘Sessions’. 
+In each Module and Session the User is introduced to the topic at hand through a mixture of videos and texts. The User may be asked to provide information that is relevant to the topic. This happens through a stateful dialogue with a proactive conversational agent. The task of the agent is to fill predefined data slots. 
+The User must have the option to request further explanation, examples either general or specific to the type of Client organization or business process, and support by a Consultant. 
+Support (for implementing the ISMS, not for the usage of the system) is given by an LLM Chat Agent, but can be ‘escalated’ easily into a request to get support by a human consultant. 
+
+Modules and Sessions do not necessarily have to be completed sequentially, but in some cases a Module or Session may be dependent on the information gathered or outcome produced in earlier Modules or Sessions. 
+The progress of the Client and User is visualized in a simple and attractive way, both for progress through Modules and Sessions and for progress towards ‘certification readiness’. 
+
+The Modules, Sessions, and content elements of the GIS will be tagged with identifiers referring to the controls and clauses of the ISO 27001 standard (not by the user but through the management interface, see below). 
+
+The GIS produces artifacts by combining the user’s input with its internal knowledge base. These artifacts may be example Proofs of implementation (as mentioned before), or tailored plans and action lists to construct these Proofs or collect them if they may already be present in the organization. 
+
+All inputs and artifacts are stored in the AuditGlue database. 
+
+The content (text, videos, questionnaires, etc.) that is made available to the user through the GIS are the intellectual property of Thinking Security Works, the company behind iso27DYI. The architecture of the system must prevent this content from being copied or altered by Clients, Users or other parties. 
+
+### AuditGlue
+AuditGlue is used to store and manage all inputs and artifacts collected or generated through the iso27DIY Guided Implementation System, plus additional artifacts the User deems relevant to the ISO 27001 certification audit. 
+Inputs and artifacts collected or generated through the iso27DIY GIS will be tagged with (roughly) the same identifiers as the Module or Session through which they where collected or generated. 
+Additional artifacts added by the User must be tagged by the user with at least one of the ISO 27001 related identifiers. 
+The user is provided with a mechanism for creating and managing their own tagging system, additional to the ISO 27001 related identifiers provided by the system. 
+The contents of the AuditGlue database may be altered by the user. Version management is implemented for CRUD actions on the content. User may compare different versions of the same documents to show the differences. 
+AuditGlue provides Auditing Views on the contents of the AuditGlue database to support the auditing proces, following the structure of the ISO 27001 standard. 
+
+### The Knowledge Base
+The user input is used to build a knowledge base about organizational structures, processes, policies, risks and measures related to information security and compliance. This knowledge base is then used to improve the quality of the interaction with users (e.g. asking questions more specific to the context of the user and his type of organization). The knowledge base is not accessible to the User. 
+
+### Management interfaces 
+Management interfaces must be added to the system to allow employees of Thinking Security Works to:
+- Manage the contents of the GIS
+- Construct questionnaires and add them as contents to the GIS
+- Manage system tags and attach them to the contents
+- Manage Users and allow access to functionality based on their Plan. 
+
+## Functional Diagram
+
+![[CleanShot 2025-07-17 at 10.45.16.png]]
+
+## iso72DYI Technical Requirements
+
+- The system must support multiple Clients, with each client having one or more Users. It is essential that no Client, or any of its Users, ever gets access to another Client’s data. This must be implemented at database level. 
+- The system uses a combination of structured questionnaires, forms, document ingestion and chat agents to acquire user input. 
+- The system uses templates and LLM to generate artifacts. These artifacts consist of text and simple graphics (bitmap images). Output formats are Markdown, DOCX and PDF. 
+- Onboarding must be handled on the iso27diy.com website and should be as frictionless as possible. 
+
+### Leading Principles
+
+- languages, frameworks, technologies and platforms must be selected to maximize security, portability, maintainability and scaleability (roughly in that order)
+- current preferences are JavaScript/TypeScript, SQL, JSON/JSONB/JSON Schema, SurveyJS, Postgres
+- the source code will be available under a, yet to be decided, OSS license
+- third party code and frameworks that used in the system must be available under OSS licenses that allow commercial use without licensing fees
+- dependencies on third party code must be kept to a minimum
+- the number of deployment platforms (data layer, application logic, front end) must be kept to a minimum
+- user authorization and payment services will be handled through vested service providers
+- the LLM(s) must be deployed ‘locally’
+- deployment costs must be acceptable (funds are limited)
+- architecture, source code and deployment methods must be well documented throughout the project

AuditGlue/System alternative/Agent Design Intent Card.md

@@ -0,0 +1,28 @@
+---
+tags:
+  - project/iso27DIY
+  - dev
+  - llm
+  - agent
+---
+[Cognigy course](https://academy.cognigy.com/courses/take/conversation-design-course/lessons/24748613-request-and-reply) Proceed with 4.3
+
+**Agent Design Intent Card**
+![[Agent Design Intent Card.png]]
+
+Notice:
+- Who = the user
+- What = the utterance
+- Intention = get todays menu
+- Reason = to order food
+
+A conversation is inherently stateless: it probably won't follow your designed workflow. The user may ignore the bot and continue on his own path.
+
+**Personality, Persona**
+A Bot needs a Name and a Character. 
+
+It is a good idea to also have a capability for smalltalk. Users will ask 'how's the weather' or 'how should I prepare for a Zombie attack' or will say 'I love you'
+[Search Google for repository](https://www.google.com/search?client=safari&rls=en&q=repository+of+intents+and+utterances+for+smalltalk+chatbots&ie=UTF-8&oe=UTF-8)
+[A collection of sample utterances in various languages](https://github.com/codeforequity-at/botium-utterances).
+
+Contact Profile: creates persistence, by remembering, for instance, the user's preferences and home address, so the bot doesn't have to ask the same questions again each time.

AuditGlue/System alternative/Using AI to create policies.md

@@ -0,0 +1,36 @@
+AI-enabled tooling to guide and advise employees in different roles in the organization.
+
+Examples:
+
+**Risk analysis**
+- C-level: high level policies state that we analyse risks and identify mitigating measures when starting a new project
+	- Policy_Agent drafts a context specific policy based on best practices
+- Project manager:
+	- Risk_Agent provides an overview of the steps to be taken, who to involve in what way (based on stakeholder analyses, creating a RASCI matrix) and guides the project manager through gathering the data. Maybe even plan meetings and send out invites.
+- Integrate with project management and GRC software
+
+**Vendor selection**
+- C-level: high level policies state the security requirements for vendors and applications
+	- Policy_Agent drafts a context specific policy based on best practices
+- VendorQ_agent creates questionnaires to send out to a selection of vendors
+- Q_Comparison_agent compares the returned questionnaires with the requirements and creates a table comparing the vendors
+
+**Data classification**
+1. questionnaire on how employees would classify different kinds of documents
+2. a classification matrix is suggested based on the results
+3. once the policy is established, this serves as a metric on how the perception of different groups of employees differs from the norm
+4. develop interventions based on these differences
+
+**Threat analysis**
+- do a threat analysis, see [[Create a threat analysis chatbot]]
+
+
+**Policy drafting**
+
+**Auditing**
+- a virtual auditor, that interviews you, and identifies areas for improvement
+
+**Feed the bot**
+- Blokdyk content
+- NHC cases
+ 

AuditGlue/System alternative/iso27DIY Functional Diagram.canvas

@@ -0,0 +1,32 @@
+{
+	"nodes":[
+		{"id":"75c30201fb81b0ec","type":"group","x":-320,"y":140,"width":550,"height":1020,"label":"GIS Guided Implementation System"},
+		{"id":"350b211777e89313","type":"group","x":820,"y":140,"width":560,"height":568,"label":"AuditGlue GRC Tool"},
+		{"id":"a5694aadef906b53","x":820,"y":840,"width":560,"height":320,"type":"group","label":"Knowledge Base"},
+		{"id":"43e5cc1fa3f296af","type":"text","text":"UI/UX","x":190,"y":-510,"width":430,"height":230},
+		{"id":"25aa3aae60de546d","type":"file","file":"📎 Attachments/noun-human-7596266.png","x":-120,"y":-860,"width":235,"height":235},
+		{"id":"f675351f27b4c1ba","type":"file","file":"📎 Attachments/noun-window-104597.png","x":277,"y":-440,"width":117,"height":117,"color":"5"},
+		{"id":"3e88c02ada1829d9","type":"file","file":"📎 Attachments/noun-bot-7868864.png","x":427,"y":-440,"width":117,"height":117,"color":"4"},
+		{"id":"541f3f74ded720a8","type":"text","text":"Example productions and templates","x":-297,"y":655,"width":505,"height":105},
+		{"id":"2d283f7e2af85112","type":"text","text":"Implementation Journey (method)","x":-299,"y":192,"width":505,"height":100},
+		{"id":"336beb2011a0552f","type":"text","text":"Training content","x":-297,"y":350,"width":505,"height":100},
+		{"id":"092a8b1f2b7b6107","type":"text","text":"Library of business processes and structures","x":-301,"y":500,"width":507,"height":105},
+		{"id":"4e7485a3417d5d7a","type":"text","text":"Client organization data","x":-297,"y":813,"width":505,"height":105},
+		{"id":"1663363e7f4bc888","type":"text","text":"ISO 27001 Clauses and Controls\nISO 27002 etc. Guidance","x":-297,"y":980,"width":508,"height":102},
+		{"id":"cb0bca515071c048","type":"text","text":"Document Management","x":840,"y":206,"width":505,"height":105},
+		{"id":"7bf3f2be62b62520","type":"text","text":"Planning","x":840,"y":361,"width":505,"height":105},
+		{"id":"4689e7cb295c69a7","type":"text","text":"Task Management","x":840,"y":518,"width":505,"height":105},
+		{"id":"0c16a220cda9191b","type":"file","file":"📎 Attachments/iso27DYI High level data structure.pdf","x":-301,"y":1620,"width":680,"height":402}
+	],
+	"edges":[
+		{"id":"7255ca95371b2d3c","fromNode":"43e5cc1fa3f296af","fromSide":"top","toNode":"25aa3aae60de546d","toSide":"right","label":"show & teach"},
+		{"id":"52c2a8120e9954a3","fromNode":"25aa3aae60de546d","fromSide":"bottom","toNode":"43e5cc1fa3f296af","toSide":"left","label":"provide information"},
+		{"id":"0172cf6f3059639b","fromNode":"43e5cc1fa3f296af","fromSide":"top","toNode":"25aa3aae60de546d","toSide":"bottom","label":"ask questions"},
+		{"id":"af9db9e573ed4ac8","fromNode":"75c30201fb81b0ec","fromSide":"top","toNode":"43e5cc1fa3f296af","toSide":"bottom","label":"provide guidance\nand examples"},
+		{"id":"b8c13d2facda3ed2","fromNode":"1663363e7f4bc888","fromSide":"left","toNode":"4e7485a3417d5d7a","toSide":"left","label":"determine\ndata slots"},
+		{"id":"4857e13f77b0fa91","fromNode":"75c30201fb81b0ec","fromSide":"right","toNode":"350b211777e89313","toSide":"left","label":"create productions"},
+		{"id":"3d50ce33887c86a9","fromNode":"43e5cc1fa3f296af","fromSide":"bottom","toNode":"350b211777e89313","toSide":"top","label":"provide proofs"},
+		{"id":"942358d1d84bbd49","fromNode":"4e7485a3417d5d7a","fromSide":"right","toNode":"a5694aadef906b53","toSide":"left"},
+		{"id":"dd7ff9142619fc0e","fromNode":"350b211777e89313","fromSide":"bottom","toNode":"a5694aadef906b53","toSide":"top"}
+	]
+}

AuditGlue/System alternative/iso27DIY Preferred Stack.md

@@ -0,0 +1,248 @@
+---
+tags:
+  - project/iso27DIY
+  - "#stack"
+  - WeWeb
+  - "#SupaBase"
+---
+
+# Preferred Low-Code Stack for iso27DIY 
+
+[Perplexity](https://www.perplexity.ai/search/so-far-in-this-conversation-we-KS4D76gkQQi0e7OVClx9qQ)
+
+**Key Requirements**
+* Low-code web app development
+* Avoid vendor/code lock-in
+* Minimal entry costs for MVP
+
+### Frontend: WeWeb
+* **Why:**
+  * Exports clean, customizable Vue.js code, allowing you to fully own and modify your frontend outside the platform~[5](https://www.nocodefinder.com/blog-posts/no-code-tools-export-code)~.
+  * You can self-host, integrate with CI/CD, and deploy anywhere (AWS, Netlify, etc.)~[5](https://www.nocodefinder.com/blog-posts/no-code-tools-export-code)~.
+  * Flexible integration with external backends via APIs.
+* **Entry Cost:**
+  * Free tier available; paid plans for advanced features, but MVPs can start with minimal cost~[5](https://www.nocodefinder.com/blog-posts/no-code-tools-export-code)~.
+
+### Backend: Supabase
+* **Why:**
+  * Supabase is open source, offers a free tier, and provides a scalable PostgreSQL backend with authentication, storage, and real-time features. Supabase offers Edge Functions for business logic.
+  * Airtable is easy for non-developers, but for long-term flexibility, Supabase is preferable.
+* **Entry Cost:**
+  * Generous free tier for Supabase; Airtable also has a free plan.
+
+### Integration Layer
+* Use REST or GraphQL APIs to connect WeWeb (frontend) with Supabase/Airtable (backend).
+* This loose coupling ensures you can swap out either layer later, minimizing lock-in~[4](https://www.outsystems.com/blog/posts/vendor-lock-in/)~.
+
+⠀
+### Why This Stack?
+* **No Vendor Lock-In:**
+  * Exported frontend code (WeWeb) is fully customizable and can be hosted anywhere~[5](https://www.nocodefinder.com/blog-posts/no-code-tools-export-code)~.
+  * Backend is open source (Supabase) or easily exportable (Airtable data).
+  * Keeping backend and frontend separate via APIs further reduces lock-in risk~[4](https://www.outsystems.com/blog/posts/vendor-lock-in/)~.
+* **Low Entry Cost:**
+  * Both WeWeb and Supabase offer free tiers suitable for MVPs.
+  * No upfront infrastructure or licensing costs.
+* **Learning Curve:**
+  * WeWeb’s drag-and-drop interface is beginner-friendly, and Vue.js is widely documented.
+  * Supabase’s dashboard and documentation are accessible for those new to backend development.
+
+⠀
+### Alternative Open-Source Low-Code Platform: Appsmith
+* **Why:**
+  * Open source, can be self-hosted, and is built for internal tools and dashboards~[3](https://www.appsmith.com/blog/low-code-platforms)~.
+  * No vendor lock-in, full access to source code, and usage-based pricing (even free for community edition)~[3](https://www.appsmith.com/blog/low-code-platforms)~.
+  * Integrates with 18+ databases and APIs.
+* **Best For:**
+  * Internal tools, admin panels, and data-driven apps.
+
+⠀
+### Summary Table
+| **Stack Component** | **Recommended Tool** | **Lock-In Risk** | **Entry Cost** | **Export/Ownership** |
+|:-:|:-:|:-:|:-:|:-:|
+| Frontend | WeWeb | Very Low | Free tier | Full code export |
+| Backend | Supabase | None | Free tier | Open source |
+| Alternative | Appsmith | None | Free tier | Self-hosted |
+
+
+### Best Practices to Avoid Lock-In
+* **Keep your database and business logic outside the low-code platform when possible**~[4](https://www.outsystems.com/blog/posts/vendor-lock-in/)~.
+* **Use open standards (REST, GraphQL) for integration**.
+* **Choose platforms that allow code/data export and self-hosting**~[5](https://www.nocodefinder.com/blog-posts/no-code-tools-export-code)~.
+
+⠀
+**In summary:**
A stack using WeWeb (frontend, code export), Supabase (backend, open source), and API integration offers the best balance of low entry cost, minimal lock-in, and flexibility for a web app MVP. For internal tools, Appsmith is a strong open-source alternative~[3](https://www.appsmith.com/blog/low-code-platforms)[5](https://www.nocodefinder.com/blog-posts/no-code-tools-export-code)~.
+1 ~[https://acropolium.com/blog/low-code-mvp/](https://acropolium.com/blog/low-code-mvp/)~
+2 ~[https://www.mintbit.com/blog/top-7-low-slash-no-code-platforms-for-building-an-mvp/](https://www.mintbit.com/blog/top-7-low-slash-no-code-platforms-for-building-an-mvp/)~
+3 ~[https://www.appsmith.com/blog/low-code-platforms](https://www.appsmith.com/blog/low-code-platforms)~
+4 ~[https://www.outsystems.com/blog/posts/vendor-lock-in/](https://www.outsystems.com/blog/posts/vendor-lock-in/)~
+5 ~[https://www.nocodefinder.com/blog-posts/no-code-tools-export-code](https://www.nocodefinder.com/blog-posts/no-code-tools-export-code)~
+6 ~[https://impalaintech.com/blog/low-code-platforms-list/](https://impalaintech.com/blog/low-code-platforms-list/)~
+7 ~[https://www.akveo.com/blog/top-low-code-development-platforms](https://www.akveo.com/blog/top-low-code-development-platforms)~
+8 ~[https://deployd.co/blog/low-code-vs-traditional-development-cost-comparison-guide](https://deployd.co/blog/low-code-vs-traditional-development-cost-comparison-guide)~
+9 ~[https://www.linkedin.com/pulse/best-low-code-platforms-mvp-development-amit-prakash-swucf](https://www.linkedin.com/pulse/best-low-code-platforms-mvp-development-amit-prakash-swucf)~
+10 ~[https://www.appbuilder.dev/blog/vendor-lock-in](https://www.appbuilder.dev/blog/vendor-lock-in)~
+11 ~[https://www.outsystems.com/application-development/vendor-lock-in-challenges-and-concerns/](https://www.outsystems.com/application-development/vendor-lock-in-challenges-and-concerns/)~
+12 ~[https://refine.dev/blog/low-code-tools/](https://refine.dev/blog/low-code-tools/)~
+13 ~[https://rocketdevs.com/blog/low-code-development-platforms](https://rocketdevs.com/blog/low-code-development-platforms)~
+14 ~[https://impalaintech.com/blog/mvp/low-code-mvp/](https://impalaintech.com/blog/mvp/low-code-mvp/)~
+15 ~[https://www.netguru.com/blog/bubble-no-code-development](https://www.netguru.com/blog/bubble-no-code-development)~
+16 ~[https://www.reddit.com/r/SaaS/comments/1fqi03v/what_are_the_best_nocode_tools_to_build_an_mvp/](https://www.reddit.com/r/SaaS/comments/1fqi03v/what_are_the_best_nocode_tools_to_build_an_mvp/)~
+17 ~[https://www.reddit.com/r/nocode/comments/1fp6857/suggestions_for_a_no_code_platform_that_doesnt/](https://www.reddit.com/r/nocode/comments/1fp6857/suggestions_for_a_no_code_platform_that_doesnt/)~
+18 ~[https://thectoclub.com/tools/best-low-code-platform/](https://thectoclub.com/tools/best-low-code-platform/)~
+19 ~[https://www.dhiwise.com/post/how-vibe-coding-compares-to-low-code-platforms](https://www.dhiwise.com/post/how-vibe-coding-compares-to-low-code-platforms)~
+20 ~[https://techstartups.com/2025/03/01/no-code-and-ai-coding-tools-risks-dangers-limitations-and-hidden-costs-you-need-to-know/](https://techstartups.com/2025/03/01/no-code-and-ai-coding-tools-risks-dangers-limitations-and-hidden-costs-you-need-to-know/)~
+21 ~[https://vinova.sg/2025/06/03/the-cost-of-developing-an-mvp-budgeting-for-success/](https://vinova.sg/2025/06/03/the-cost-of-developing-an-mvp-budgeting-for-success/)~
+22 ~[https://www.appbuilder.dev/blog/building-an-mvp-with-low-code](https://www.appbuilder.dev/blog/building-an-mvp-with-low-code)~
+23 ~[https://budibase.com/blog/open-source-low-code-platforms/](https://budibase.com/blog/open-source-low-code-platforms/)~
+24 ~[https://www.reddit.com/r/nocode/comments/1j8oemu/the_ultimate_list_to_coding_nocode_and_lowcode/](https://www.reddit.com/r/nocode/comments/1j8oemu/the_ultimate_list_to_coding_nocode_and_lowcode/)~
+25 ~[https://dev.to/kamal_deeppareek_f5bb5d8/no-codelow-code-tools-for-mvp-development-in-2025-1k3d](https://dev.to/kamal_deeppareek_f5bb5d8/no-codelow-code-tools-for-mvp-development-in-2025-1k3d)~
+26 ~[https://snappify.com/blog/best-low-code-tools](https://snappify.com/blog/best-low-code-tools)~
+27 ~[https://deployd.co/low-code-migration-hub/top-5-low-code-migration-strategies-for-enterprise-apps](https://deployd.co/low-code-migration-hub/top-5-low-code-migration-strategies-for-enterprise-apps)~
+28 ~[https://www.jmix.io/tech-library/low-code-vs-less-code/](https://www.jmix.io/tech-library/low-code-vs-less-code/)~
+
+WeWeb for the Frontend
+Supabase for the Database
+Supabase Edge Functions for business logic
+Postgres functions for data-centric rules.
+## Programming the business logic 
+
+With a WeWeb and Supabase stack, you have several options for where to implement business logic, each with different trade-offs for maintainability, scalability, and lock-in:
+
+### 1. WeWeb Workflows (Frontend)
+* **What:** Use WeWeb’s built-in visual workflows, conditional logic, and custom JavaScript code blocks to handle simple business rules, UI logic, and API orchestration.
+* **Best for:** UI-centric logic, simple validations, or workflows tightly coupled to the user interface.
+* **Limitations:** Puts logic on the client side, which can expose sensitive rules and make maintenance harder as complexity grows~[1](https://community.weweb.io/t/recommendation-for-business-logic-using-supabase/8320)[4](https://www.nocodeassistant.agency/blog/weweb-and-supabase)[5](https://www.weweb.io/integrations/supabase)~.
+
+⠀
+### 2. Supabase Database Layer
+* **What:** Implement business logic in PostgreSQL using database functions, triggers, and stored procedures.
+* **Best for:** Data validation, calculations, and workflows that must be enforced at the data level (e.g., keeping business rules close to the data, ensuring integrity).
+* **Pros:**
+  * Logic is centralized, secure, and portable (standard SQL/Postgres).
+  * Reduces vendor lock-in, since you can migrate your database and functions to another Postgres-compatible host if needed~[3](https://www.reddit.com/r/Supabase/comments/1kcm181/how_do_you_get_around_the_lack_of_a_business/)~.
+* **Cons:**
+  * Writing and maintaining complex logic in SQL/PLpgSQL can be challenging and less flexible than using a general-purpose language~[1](https://community.weweb.io/t/recommendation-for-business-logic-using-supabase/8320)[3](https://www.reddit.com/r/Supabase/comments/1kcm181/how_do_you_get_around_the_lack_of_a_business/)~.
+
+⠀
+### 3. Supabase Edge Functions
+* **What:** Write serverless functions (in TypeScript/JavaScript) that run on Supabase’s infrastructure and are callable via HTTP endpoints.
+* **Best for:**
+  * More complex business logic, integrating with external APIs, or workflows that shouldn’t run on the client.
+  * Use cases such as checkout flows, custom validations, sending emails, or handling webhooks~[2](https://supabase.com/blog/simplify-backend-with-data-api)~.
+* **Pros:**
+  * Keeps logic off the client, improves security, and is more maintainable for complex scenarios.
+  * Flexible: you can write logic in a modern language and integrate with any service.
+* **Cons:**
+  * Adds some operational overhead (deployment, monitoring).
+  * Still somewhat tied to Supabase’s serverless environment, but easier to migrate than pure no-code logic~[1](https://community.weweb.io/t/recommendation-for-business-logic-using-supabase/8320)[2](https://supabase.com/blog/simplify-backend-with-data-api)[3](https://www.reddit.com/r/Supabase/comments/1kcm181/how_do_you_get_around_the_lack_of_a_business/)~.
+
+⠀
+### 4. Dedicated Backend (Optional Extra Layer)
+* **What:** Build a separate backend (e.g., with Node.js, Python, or another stack) to act as a business logic/API layer between WeWeb and Supabase.
+* **Best for:**
+  * Large projects, highly complex business rules, or when you want maximum portability and control.
+* **Pros:**
+  * Full flexibility, easy to migrate, and not tied to any one platform.
+* **Cons:**
+  * Increases development and maintenance effort; may not be necessary for MVPs~[3](https://www.reddit.com/r/Supabase/comments/1kcm181/how_do_you_get_around_the_lack_of_a_business/)~.
+
+⠀
+### Best Practice for MVPs
+* Start with **Supabase Edge Functions** for business logic that shouldn’t be exposed to the client, and use **Postgres functions** for data-centric rules.
+* Use WeWeb workflows for UI-level logic only.
+* If your app grows in complexity, you can introduce a dedicated backend later without major refactoring.
+
+⠀
+### Summary Table
+| **Option** | **Language** | **Lock-in Risk** | **Best for** | **Notes** |
+|:-:|:-:|:-:|:-:|:-:|
+| WeWeb Workflows | Visual/JS | High | UI logic, simple workflows | Not secure for sensitive logic |
+| Supabase DB Functions | SQL/PLpgSQL | Low | Data validation, calculations | Portable, but SQL-centric |
+| Supabase Edge Functions | TypeScript/JS | Moderate | Complex, secure business logic | Good balance for most MVPs |
+| Dedicated Backend (API) | Any | Very Low | Large/complex projects | Most flexible, most work |
+
+
+**In conclusion:**
You do not need an extra backend layer for most MVPs. Use Supabase Edge Functions and database functions for business logic, and reserve WeWeb workflows for UI-level tasks. This approach keeps your logic secure, maintainable, and minimizes lock-in while allowing for future migration or scaling~[1](https://community.weweb.io/t/recommendation-for-business-logic-using-supabase/8320)[2](https://supabase.com/blog/simplify-backend-with-data-api)[3](https://www.reddit.com/r/Supabase/comments/1kcm181/how_do_you_get_around_the_lack_of_a_business/)[4](https://www.nocodeassistant.agency/blog/weweb-and-supabase)[5](https://www.weweb.io/integrations/supabase)~.
+1 ~[https://community.weweb.io/t/recommendation-for-business-logic-using-supabase/8320](https://community.weweb.io/t/recommendation-for-business-logic-using-supabase/8320)~
+2 ~[https://supabase.com/blog/simplify-backend-with-data-api](https://supabase.com/blog/simplify-backend-with-data-api)~
+3 ~[https://www.reddit.com/r/Supabase/comments/1kcm181/how_do_you_get_around_the_lack_of_a_business/](https://www.reddit.com/r/Supabase/comments/1kcm181/how_do_you_get_around_the_lack_of_a_business/)~
+4 ~[https://www.nocodeassistant.agency/blog/weweb-and-supabase](https://www.nocodeassistant.agency/blog/weweb-and-supabase)~
+5 ~[https://www.weweb.io/integrations/supabase](https://www.weweb.io/integrations/supabase)~
+6 ~[https://community.weweb.io/t/recommendation-for-business-logic-using-supabase/8320?page=2](https://community.weweb.io/t/recommendation-for-business-logic-using-supabase/8320?page=2)~
+7 ~[https://community.weweb.io/t/can-supabase-do-the-entire-backend-with-advanced-logic/4181](https://community.weweb.io/t/can-supabase-do-the-entire-backend-with-advanced-logic/4181)~
+8 ~[https://www.reddit.com/r/Supabase/comments/17c1izo/all_business_logic_within_supabase/](https://www.reddit.com/r/Supabase/comments/17c1izo/all_business_logic_within_supabase/)~
+9 ~[https://www.youtube.com/watch?v=fZbkLElKuFQ](https://www.youtube.com/watch?v=fZbkLElKuFQ)~
+10 ~[https://community.weweb.io/t/any-date-for-full-supabase-integration/6050](https://community.weweb.io/t/any-date-for-full-supabase-integration/6050)~
+
+
+
+## What to familiarize myself with
+
+**Summary**
+- WeWeb’s visual tools and 
+- Some JavaScript for the frontend
+- PostgreSQL for the database
+- TypeScript/JavaScript for Supabase Edge Functions
+- Learn how to connect and consume RESTful endpoints
+
+If you choose WeWeb for the frontend, Supabase for the database, Supabase Edge Functions for business logic, and Postgres functions for data-centric rules, here are the languages and frameworks you should familiarize yourself with:
+
+### WeWeb (Frontend)
+* **Visual Development:**
+  * Most UI and workflow logic can be built visually with WeWeb’s drag-and-drop interface~[2](https://www.weweb.io/blog/front-end-design-guide)[8](https://www.weweb.io/blog/no-code-web-app-guide)~.
+* **JavaScript:**
+  * For custom UI interactions, logic, or integrating with APIs, some knowledge of JavaScript is helpful~[2](https://www.weweb.io/blog/front-end-design-guide)[5](https://unicoconnect.com/careers/weweb)~.
+* **HTML & CSS (Basics):**
+  * While not strictly required, understanding HTML and CSS will help you troubleshoot, customize, and polish your app’s appearance~[2](https://www.weweb.io/blog/front-end-design-guide)[5](https://unicoconnect.com/careers/weweb)[6](https://www.merixstudio.com/blog/10-skills-need-be-frontend-developer)~.
+* **RESTful APIs:**
+  * Learn how to connect and consume RESTful endpoints, as WeWeb integrates with external APIs for dynamic data~[2](https://www.weweb.io/blog/front-end-design-guide)[5](https://unicoconnect.com/careers/weweb)~.
+⠀
+### Supabase (Database)
+* **SQL (PostgreSQL dialect):**
+  * For writing queries, managing data, and especially for creating Postgres functions (stored procedures) to handle data-centric business rules~[5](https://unicoconnect.com/careers/weweb)~.
+* **Database Concepts:**
+  * Understanding tables, relationships, authentication, and permissions in a relational database context~[5](https://unicoconnect.com/careers/weweb)~.
+
+⠀
+### Supabase Edge Functions (Business Logic)
+* **TypeScript/JavaScript:**
+  * Supabase Edge Functions are written in TypeScript or JavaScript, so you’ll need to be comfortable with at least one of these languages to implement backend business logic.
+
+⠀
+### General Web Development Skills<!-- {"fold":true} -->
+* **Version Control (Git):**
+  * Basic familiarity with Git for managing code, especially if you export code from WeWeb or collaborate with others~[3](https://www.reddit.com/r/webdev/comments/10ve6j2/what_skills_should_a_front_end_web_developer_have/)[6](https://www.merixstudio.com/blog/10-skills-need-be-frontend-developer)~.
+* **Testing & Debugging:**
+  * Ability to test and debug both frontend and backend logic to ensure a robust application~[2](https://www.weweb.io/blog/front-end-design-guide)[5](https://unicoconnect.com/careers/weweb)~.
+
+⠀
+### Summary Table
+| **Layer** | **Language/Frameworks** | **Why Learn It?** |
+|:-:|:-:|:-:|
+| WeWeb (Frontend) | Visual builder, JavaScript | UI building, custom logic, API integration |
+|  | HTML, CSS (basics) | Troubleshooting, advanced UI customization |
+| Supabase (Database) | SQL (Postgres) | Queries, data modeling, Postgres functions |
+| Supabase Edge Functions | TypeScript/JavaScript | Secure, scalable backend business logic |
+| General Dev Skills | REST APIs, Git | Integration, code management, team collaboration |
+
+**In summary:**
You’ll primarily work with WeWeb’s visual tools and some JavaScript for the frontend, SQL/Postgres for the database, and TypeScript/JavaScript for Supabase Edge Functions. This stack minimizes lock-in, is approachable for new developers, and leverages widely-used, well-documented technologies~[2](https://www.weweb.io/blog/front-end-design-guide)[5](https://unicoconnect.com/careers/weweb)~.
+
+1 ~[https://www.nocodeinstitute.io/nocode-jobs/weweb-developer](https://www.nocodeinstitute.io/nocode-jobs/weweb-developer)~
+2 ~[https://www.weweb.io/blog/front-end-design-guide](https://www.weweb.io/blog/front-end-design-guide)~
+3 ~[https://www.reddit.com/r/webdev/comments/10ve6j2/what_skills_should_a_front_end_web_developer_have/](https://www.reddit.com/r/webdev/comments/10ve6j2/what_skills_should_a_front_end_web_developer_have/)~
+4 ~[https://careerfoundry.com/en/blog/web-development/frontend-developer-skills](https://careerfoundry.com/en/blog/web-development/frontend-developer-skills)~
+5 ~[https://unicoconnect.com/careers/weweb](https://unicoconnect.com/careers/weweb)~
+6 ~[https://www.merixstudio.com/blog/10-skills-need-be-frontend-developer](https://www.merixstudio.com/blog/10-skills-need-be-frontend-developer)~
+7 ~[https://skillcrush.com/blog/skills-to-become-a-front-end-developer/](https://skillcrush.com/blog/skills-to-become-a-front-end-developer/)~
+8 ~[https://www.weweb.io/blog/no-code-web-app-guide](https://www.weweb.io/blog/no-code-web-app-guide)~
+
+
+### Learning JavaScript
+
+* **Mozilla Developer Network (MDN) Web Docs:** Excellent and comprehensive JavaScript guide.
+* **freeCodeCamp:** Interactive courses that teach you programming fundamentals.
+* **The Odin Project:** A full-stack curriculum that starts with JavaScript fundamentals.
+* **Codecademy:** Interactive lessons for foundational concepts.
+* **"Eloquent JavaScript" by Marijn Haverbeke:** A free online book (more challenging, but very thorough).
+

AuditGlue/System alternative/iso27DIY UI Canvas.canvas

@@ -0,0 +1,13 @@
+{
+	"nodes":[
+		{"id":"ebb754722fcc96f6","type":"group","x":-620,"y":-480,"width":320,"height":340,"label":"Setting up the ISMS"},
+		{"id":"17fd5c52210c7811","type":"group","x":-220,"y":-480,"width":320,"height":340,"label":"Maintaining the ISMS"},
+		{"id":"718433e9856ea0aa","type":"group","x":-220,"y":-60,"width":320,"height":340,"label":"Support"},
+		{"id":"ab1cb1a22b54522f","type":"group","x":180,"y":-480,"width":320,"height":340,"label":"Auditing the ISMS"}
+	],
+	"edges":[],
+	"metadata":{
+		"version":"1.0-1.0",
+		"frontmatter":{}
+	}
+}

AuditGlue/System alternative/iso27DIY UI ideas.md

@@ -0,0 +1,21 @@
+---
+tags:
+  - iso27DIY
+  - design
+---
+**Advisera Conformio Guided implementation**
+https://advisera.com/conformio/
+
+
+**academy.cognigy.com**
+Video courses for conversation design
+![[Cognigy.png|1000]]
+
+**PECB eLearning** 
+
+![[CleanShot 2025-07-01 at 13.59.22 1.png|1000]]
+
+**Writing assistant made with Base44**
+
+![[screenshot 1.png]]
+

AuditGlue/System alternative/iso27DIY stack deployment.md

@@ -0,0 +1,70 @@
+---
+tags:
+  - iso27DIY
+  - dev
+  - WeWeb
+  - SupaBase
+---
+## WeWeb Frontend Deployment
+
+**WeWeb handles deployment automatically:**
+
+- WeWeb applications are deployed directly from their platform
+- Go to your WeWeb editor and click “Publish”
+- WeWeb will generate a production URL for your app
+- You can connect a custom domain through WeWeb’s domain settings
+- WeWeb uses a global CDN for fast loading times
+
+**Custom domain setup:**
+
+- In WeWeb, go to Project Settings > Domain
+- Add your custom domain and follow their DNS configuration instructions
+- Update your domain’s DNS records to point to WeWeb’s servers
+
+## Supabase Backend Deployment
+
+**Supabase is already cloud-hosted:**
+
+- Your Supabase project runs on their managed infrastructure
+- No separate deployment needed for the database and API
+- Ensure your project is on a paid plan for production use (removes limitations)
+- Configure Row Level Security (RLS) policies for data protection
+
+## Integration Configuration
+
+**Environment variables and API keys:**
+
+- In WeWeb, configure your Supabase connection in the backend integrations
+- Use your production Supabase URL and anon key (not the local development ones)
+- Ensure CORS is properly configured in Supabase for your WeWeb domain
+- Set up authentication redirects to point to your production WeWeb URL
+
+**Database preparation:**
+
+- Run any pending migrations in Supabase
+- Set up proper indexes for performance
+- Configure backup policies
+- Review and tighten security rules
+
+## Additional Production Considerations
+
+**Performance optimization:**
+
+- Enable caching where appropriate in WeWeb
+- Optimize your Supabase queries and add indexes
+- Consider setting up database connection pooling if needed
+
+**Monitoring and maintenance:**
+
+- Set up Supabase monitoring and alerts
+- Configure error tracking in WeWeb if available
+- Plan for regular database maintenance
+
+**Security checklist:**
+
+- Review all RLS policies in Supabase
+- Ensure API keys are properly scoped
+- Configure proper CORS settings
+- Set up proper authentication flows
+
+The main advantage of this stack is that both platforms handle the infrastructure complexity for you - WeWeb manages the frontend hosting and CDN, while Supabase handles the database, API, and authentication infrastructure.

AuditGlue/System alternative/iso27DYI architecture with LLM.md

@@ -0,0 +1,88 @@
+---
+tags:
+  - iso27DIY
+  - architecture
+  - LLMgenerated
+---
+# iso27DYI architecture with LLM
+
+For connecting WeWeb (frontend) and Supabase (backend) with LLM functionality, you have several technology options:
+- **OpenAI API** or **Anthropic API** directly from your middleware
+- **Supabase JavaScript client** for database operations
+- **WeWeb API calls** to your middleware endpoints
+
+Since WeWeb works well with REST APIs and Supabase has excellent API support, you can build a middleware layer:
+
+1. **Node.js/Express API** - Create API endpoints that:
+    - Receive requests from WeWeb
+    - Query Supabase for data
+    - Call LLM APIs (OpenAI, Anthropic, etc.)
+    - Return processed responses to WeWeb
+2. **Supabase Edge Functions** - Use Supabase's serverless functions to:
+    - Handle LLM processing directly within your Supabase environment
+    - Access your database without additional API calls
+    - Deploy TypeScript/JavaScript functions that WeWeb can call
+3. **Serverless Functions** (Vercel, Netlify, or AWS Lambda):
+    - Deploy functions that orchestrate between WeWeb, Supabase, and LLMs
+    - Good for scaling and keeping costs predictable
+
+
+The **Supabase Edge Functions** approach is often the most elegant since it keeps everything in your existing Supabase ecosystem and supports TypeScript natively.
+
+``` typescript
+// Edge function that:
+// 1. Receives user input from WeWeb
+// 2. Queries Supabase database for context
+// 3. Calls OpenAI/Anthropic API directly
+// 4. Returns response to WeWeb
+
+```
+
+**For your slot-filling + content generation use case:**
+
+- Direct API calls to LLMs work perfectly
+- Supabase handles your data needs
+- WeWeb handles the UI interactions
+
+## Self-hosting the LLM
+For self-hosting an LLM with an easy API, here are the simplest options:
+
+**Ollama (Easiest)**
+
+- Install Ollama on your server
+- Pull models like `llama3`, `mistral`, `codellama`
+- Built-in REST API at `http://localhost:11434`
+- Simple JSON requests, OpenAI-compatible endpoints
+- Works great for development and moderate production use
+
+**vLLM (Best for Production)**
+
+- High-performance serving with OpenAI-compatible API
+- Excellent throughput and batching
+- Simple command: `vllm serve model-name --api-key your-key`
+- API available at `http://localhost:8000/v1/`
+
+**Text Generation Inference (TGI)**
+
+- Hugging Face's production-ready solution
+- Docker container deployment
+- OpenAI-compatible API
+- Good performance optimization
+
+**For your Supabase setup:**
+
+1. Deploy Ollama/vLLM on a server (or even locally for development)
+2. From your Supabase Edge Functions, make HTTP requests to your LLM API
+3. No need to change your WeWeb → Supabase → LLM flow
+
+**Quick start with Ollama:**
+
+```bash
+# Install and run
+curl -fsSL https://ollama.ai/install.sh | sh
+ollama serve
+ollama pull llama3
+```
+
+Then your Edge Functions can call `POST http://your-server:11434/api/generate`
+