Initial commit

Richard Kranendonk 2026-04-19 15:29:42 +02:00
commit 570d74d4dd
67 changed files with 4609 additions and 0 deletions


@ -0,0 +1,37 @@
# iso27DIY Brand values
Primary:
* **A**uthenticity
* **C**larity
* **E**mpowerment
Secondary:
* Value Creation
* Organizational Alignment
* Context-Driven Intelligence
* Practicality Over Bureaucracy
* Inclusivity
## Based on: Our thoughts and beliefs on current practices
I created iso27DIY because I think / believe …
- The core principles of the ISO 27001 are often overlooked in implementations and audits. These are that, when implementing the ISO 27001s ISMS and Controls, informed decisions should be made based on risks, context, and the means and capabilities of the organization.
- Furthermore, the ISMS must be implemented in such a way that it is helpful in realizing organizational goals, mitigates risks the organizations faces in achieving these, and promote seizing opportunities, especially with regard to information security.
- Current implementation approaches take the letter of the standard instead of the spirit, and force the business into adapting overly complex procedures and building an artificial paper reality.
- ISO 27001 is a Framework, not a prescriptive checklist.
- Checklist-based approaches are not effective, because they lack internal cohesion, connection to organizationals goals, risk- and context awareness. They do not implement security in a way that contributes to an organizations mission and negate the organizations capabilities for making intelligent choices based on context, risk and proportionality.
- This makes ISO 27001 impopular with management and workfloor, causing it to become ineffective.
- The language and structure of the ISO 27001 standard is hard to comprehend because of the formalistic language, internal cross references, and duplications of elements at different levels. This creates a certain mystique that forces organizations to hire a priest (i.e. consultant) to help them understand what to do.
- SMEs think they lack adequate time, trained personnel, and budget to manage the implementation process effectively
## The ISO27DIY way
- iso27DIY tells the story of ISO 27001 and 27002 in such a way, that you will understand the essence of the standard, and are able to make informed and compliant choices based on context, risk and proportionality.
- iso27DIY helps you identify security practices already in place in your organization, and enhance, translate and document them in such a way that comliance requirements are met. (control mapping)
- iso27DIY lets you implement the ISMS and controls in such a way that they actually improve the organizations security posture, create value at all levels of the organization, and create a culture of security.
- iso27DIY does not force you to adopt contra-productive security procedures and maintain unnecessary documentation.
- We believe in your capability to do it yourself!
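Review bot: the bullet markers switch from `*` in the Primary/Secondary value lists to `-` in the two sections that follow; pick one marker for the whole file. The beliefs list also carries several typos that should be fixed before this is used as copy: "ISO 27001s ISMS" should read "ISO 27001's ISMS", "promote seizing" should be "promotes seizing", "organizationals goals" should be "organizational goals", "impopular" should be "unpopular", "workfloor" should be "work floor", and "comliance" should be "compliance". The heading "The ISO27DIY way" capitalises the brand while every other line in the file writes "iso27DIY"; since the commit as a whole spells it three ways (iso27DIY, ISO27DIY, ISO27DYI), this file is the place to state the canonical spelling.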


@ -0,0 +1,47 @@
# Fears, Uncertainties, and Doubts with ISO 27001 certification
People who need to implement ISO 27001 within their organization, often worry about the following:
* Am I doing it right
* Did I interpret this article correctly
* Havent I forgotten anything
* Are we doing enough
* How long will this take
* How will I get people to cooperate
* This will bring a mound of unnecessary paperwork
* We will need to implement unworkable procedures
* This will take all flexibility out of our way of working
* We will become robots
* We will need to implement all kind of expensive measures
## Themes
The challenges they face an be grouped in several themes, as described below.
**Lack of leadership / top management support**
- leadership doesn't fully understand the value of ISO 27001, sees it as a bureaucratic burden instead of a strategic priority
- not a priority for middle management because of leadership stance
- lack of resource allocation (time, money and people) due to lack of leadership
**Business alignment**
- overly long and confusing policies that are difficult for employees to understand and auditors to navigate
- Risk of ISMS becoming isolated from real business processes, especially when internal responsibility lies with people lacking authority or visibility into all business areas.
* integration of management processes, process documentation, and continuous evaluation
**Acceptance / buy in at operational level:**
- (cultural) resistance from employees, beccause ISO 27001 implementation often introduces new policies and processes that can be perceived as burdensome or unnecessary
- this is aggravated if staff don't understand the benefits and/or aren't properly trained
- this is aggravated if the ISMS is implemented as, or perceived as, an artificial system for certification rather than an integrated part of the company's culture and operations
**Documentation /policy tuning:**
- how to create and maintaining policies and procedures that are both comprehensive enough to satisfy auditors and practical enough for employees to follow.
- Over-engineering of a one-size-fits-all approach from templates, leading to massive, unwieldy documents, instead of tailoring the documentation to the specific needs and size of the organization
- finding the balance between being thorough and being concise how much detail or separation is appropriate for policies, procedures, and supporting documentation
**On Risks:**
- How do we properly identify, analyze, and prioritize all relevant risks.
- Fear of missing a critical risk or not prioritizing them correctly.
**Passing the audit:**
- When is a control implemented "enough" to pass an audit and a fear of misinterpreting the auditor's expectations. This often stems from the fact that ISO 27001 is a framework, not a prescriptive checklist.
- Lack of structured and impartial internal audit processes
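Review bot: the worries list reads as a set of questions but none of them ends in a question mark and "Havent" is missing its apostrophe; write them consistently as questions ("Am I doing it right?", "Haven't I forgotten anything?") or rephrase them all as statements. Under Themes, "an be grouped" should be "can be grouped", "beccause" should be "because", "how to create and maintaining" should be "how to create and maintain", and "being concise how much detail or separation is appropriate" needs a colon before "how much". The Business alignment list mixes one `*` item ("* integration of management processes, ...") into a `-` list, and capitalisation of the first word varies from item to item within each theme; normalise both.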


@ -0,0 +1,31 @@
# ISO27DIY: Solution and Components
We are developing a solution for SMEs that will guide them through the ISO 27001 implementation, and prepare for a successful certification audit, without needing to hire expensive consultants. The solution is called ISO27DIY.
These are the **components** of the solution:
- **ISO27DYI Guided Implementation System**: A series of 50+ micro sessions take you through the steps to successfully implement ISO 27001, creating all required documentation as you go. Use our AI assistent to generate tailor made information security policies.
- **GRC Tooling**: Our easy to use AuditGlue system lets you manage all artifacts produced with the Guided Implementation. Plus tooling for stuff like risk analyses, data classification and asset inventarization.
- **Controls Library**: Practical examples for your type of organization, for all 94 controls of Annex A, actionable and in Plain English.
- **Expert Support**: Get online with one of our experienced ISO 27001 implementation consultants to help you find a solution for any challenges you might face.
- **Preliminary audits**: Plan one or more sessions with certified ISO 27001 auditors to prepare you for your certification.
These are the **design principles** for the solution:
- The customer is typically an SME, with no dedicated compliance officer and little knowledge of information security management and the ISO 27001 standard.
- The user of the solution is the person made responsible for implementing the ISO 27001 standard within the SME. He or she is typically employed as the Tech person or the COO.
- iso27DIY guides the client in what to identify, assess and produce, how to do it, and in what order
- iso27DYI's guidance will feel like a smartwatch fitness coach, rather than having the user walking down checklists
- iso27DIY provides best practice examples and generates compliant content based on the user's input
- iso27DYI will help the client with building the necessary capabilities to maintain the ISMS within his own organization
## Components in a table
| Guided Implementation | **Controls Library** | GRC Tooling |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| A series of 50+ micro sessions take you through the steps to succesfully implement ISO 27001, creating all required documentation as you go. Use our AI assistent to generate tailor made information security policies. | Practical examples for your type of organization, for all 94 controls of Annex A, actionable and in Plain English. | Our easy to use AuditGlue system lets you manage all artifacts produced with the Guided Implementation. Plus tooling for stuff like risk analyses, data classification and asset inventarization. |
| **Expert Support** | **Preliminary audits** |
| ------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------- |
| Get online with one of our experienced ISO 27001 implementation consultants to help you find a solution for any challenges you might face. | Plan one or more sessions with certified ISO 27001 auditors to prepare you for your certification. |
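Review bot: "ISO27DYI" is a transposition of "ISO27DIY" in the Guided Implementation System bullet and in two of the design-principle bullets; fix all three occurrences. The table under "Components in a table" repeats the five component descriptions verbatim from the list above it, so every wording change has to be made twice, and the two copies have already drifted (the table says "succesfully" where the list says "successfully"); keep one representation, or make the table the single source and drop the list. Remaining typos: "assistent" should be "assistant", "tailor made" and "easy to use" should be hyphenated when used as adjectives, and "inventarization" should be "inventory" or "asset inventories". In the first table only the Controls Library header is bold, and the second two-column table has no heading of its own, so it renders as an unrelated table; merge the five components into one table or give the second one a caption.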


@ -0,0 +1,46 @@
# Communication Style Guide
## Voice and tone
Direct, confident, and plain-spoken. No corporate jargon. No filler. Every word earns its place. The tone is authoritative without being academic, and human without being casual.
## Sentence structure
Short sentences are preferred. Long sentences are broken up. Parallelism is used deliberately — three-part structures work well when each part carries equal weight. Fragments are acceptable when they land a point cleanly.
## Word choices
- Prefer concrete over abstract
- Prefer active over passive
- Prefer simple over sophisticated
- "Effective" over "impactful"
- "Enables" over "empowers"
- "Adapt" and "adaptive" over "dynamic" or "agile"
- Avoid: "leverage", "synergy", "holistic", "seamless", "robust"
## What to avoid
- Negative framing — state what good looks like, not what bad looks like
- Accusatory or confrontational language — invite people to something better rather than criticising what they do now
- Over-explanation — trust the reader
- Hedging — commit to the statement
- Bullet points where prose works better
## Manifesto-style writing specifically
- Value statements follow the "X over Y" format — both sides should name real things people recognise
- The right-hand side is not villainised — it has value, it just comes second
- Principles are short, declarative, and standalone — each one a truth that can be read in isolation
- Forward-leaning and positive — declare what good looks like
- Aphoristic where possible — aim for sentences that could be quoted
## The reader
The audience is entrepreneurs and business managers implementing ISO 27001 themselves. They are intelligent, pragmatic, and time-poor. They are put off by complexity and consultant-speak. They respond to clarity, honesty, and respect for their intelligence.
## Editing instincts
- If two sentences say the same thing, cut one
- If a word is ambiguous, replace it
- If a sentence trails off, find a stronger closing beat
- If something sounds like it came from a brochure, rewrite it
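Review bot: the guide instructs writers to avoid "Bullet points where prose works better" and "Negative framing", yet the guide itself is mostly bullets and its longest section is a "What to avoid" list; if the document is meant to model the voice it describes, rewrite the Word choices and What to avoid sections as short prose. "Enables" over "empowers" also sits uneasily next to the primary brand value "Empowerment" in the brand-values file of this same commit; either state the distinction (the value stands, the verb is banned) or reconcile the two. Spelling is British here ("criticising", "recognise") while the other files use American "organization"; settle on one variant for the corpus.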


@ -0,0 +1,20 @@
## Writing Style — Richard / ISO27DIY
**Tone** Direct and businesslike, without being cold. You write as someone who has done it themselves and takes the reader seriously. No inflated consultant-speak, no unnecessary politeness buffers.
**Sentence structure** A preference for short, assertive sentences. You use the long sentence to explain, the short sentence to land the point. Contrast works well for you: "You document upfront — this is how we'll do it — and afterwards — this is what we did and what it produced."
**Word choice** No jargon unless necessary, and when used, immediately explained. You use plain terms where possible, but don't shy away from industry-standard terminology (_top management_, _Statement of Applicability_, _risk owner_) where it's the accepted term. No woolly management language — you don't say "suboptimal"; you say "wrong order."
**Structure** Step-by-step, but never mechanical. Each step has its own logic, which you briefly explain before instructing. You explicitly connect steps to each other ("the context analysis from step 2", "the risk score from step 6") — the reader never loses the thread.
**Figurative language** Sparing but precise. You choose images and expressions that everyone understands and that address exactly the right objection or expectation — no decoration for its own sake.
**What you consistently avoid**
- Rhetorical questions as openers
- Meta-commentary ("what I'm trying to say is...")
- Repeating the headline in the introduction
- False modesty or unnecessary hedging
**Core character** Clear, honest, mildly opinionated. You are the guide who knows the route — not the consultant trying to impress.
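Review bot: the title here is a level-2 heading ("## Writing Style") while the Dutch counterpart in this commit opens with a level-1 heading ("# Schrijfstijl"); make the two files structurally parallel. The content has also drifted between the two versions: the English "Figurative language" paragraph drops the three concrete images the Dutch version lists (Zevenmijlslaarzen, rocket science, formulierenwinkel), and the "Word choice" example ("suboptimal" versus "wrong order") differs from the Dutch one ("niet effectief" versus "verkeerde volgorde"). If one file is a translation of the other, keep the examples aligned and record which file is the master.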


@ -0,0 +1,20 @@
# Schrijfstijl — Richard / ISO27DIY
**Toon** Direct en zakelijk, zonder afstandelijkheid. Je schrijft als iemand die het zelf heeft gedaan en de lezer serieus neemt. Geen opgeblazen consultantentaal, geen onnodige beleefdheidsbuffers.
**Zinsstructuur** Voorkeur voor korte, assertieve zinnen. Je gebruikt de lange zin om uit te leggen, de korte zin om te landen. Contrasten werken goed voor je: "Je documenteert vooraf — zo gaan we het doen, en achteraf — zo hebben we het gedaan."
**Woordkeus** Geen jargon tenzij noodzakelijk, en dan direct uitgelegd. Je gebruikt Nederlandse termen waar het kan (_directiebeoordeling_, _risico-eigenaar_), maar schroomt niet voor Engels waar het de standaardterm is (_top management_, _Statement of Applicability_). Geen wollige managementtaal — "niet effectief" vervang je door "verkeerde volgorde".
**Structuur** Stap-voor-stap, maar niet mechanisch. Elke stap heeft een eigen logica die je kort toelicht voordat je instrueert. Je verbindt stappen expliciet aan elkaar ("de contextanalyse uit stap 2", "de risicoscore uit stap 6") — de lezer verliest nooit het overzicht.
**Beeldtaal** Spaarzaam maar raak. Zevenmijlslaarzen, rocket science, formulierenwinkel — je kiest beelden die iedereen begrijpt en die precies het juiste bezwaar of de juiste verwachting adresseren.
**Wat je consequent vermijdt**
- Retorische vragen als opener
- Meta-commentaar ("wat ik wil zeggen is...")
- Herhalingen van de kop in de inleiding
- Valse bescheidenheid of onnodige relativering
**Kernkarakter** Helder, eerlijk, licht eigenzinnig. Je bent de gids die de route kent, niet de consultant die indruk wil maken.
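Review bot: the contrast example under "Zinsstructuur" punctuates its two inserted clauses asymmetrically ("vooraf — zo gaan we het doen, en achteraf — zo hebben we het gedaan") whereas the English counterpart closes each inserted clause with a second dash; mirror the English punctuation or replace the dashes with colons so the two halves read as a pair.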


@ -0,0 +1,41 @@
Current:
* Certification shouldn't be a barrier to competition.
- Guided ISO 27001 implementation. No consulting required.
- ISO27DIY: Get Certified Keep Growing
# Taglines
* ISO 27001. **Mastered**.
* You've got this. We'll show you how.
* ISO 27001 for All!
* Make your auditor happy
* Implementing ISO 27001 is no Rocket Science ... but the manual can be darn confusing!
* ISO 27001 used to be Rocket Science … until we rewrote the manual
- Certify Smarter
- **The Smart path to ISO 27001 certification**
- We simplify ISO 27001 compliance
- ISO 27001 made Easy
- ISO 27001: Why make it difficult?
- **We help SMEs secure ISO 27001 certification**
- We help SMEs prepare for ISO 27001 certification
- We get SMEs certification-ready
- Navigate through ISO 27001 certification ... Easily
- ISO 27001 certification with confidence
- Supporting SMEs in achieving ISO 27001 readiness
- Streamlining ISO 27001 certification prep for SMEs
## Payoff suggestions
* "Big company security, small company budgets”
* "ISO 27001 certification achievable for SMEs"
* "Enterprise security, startup agility"
* “Enterprise-level security for SMEs
* "Security standards for real businesses"
* "Compliance that fits your business"
* "No organization left behind in cybersecurity"
* "Build on what works. Fix what doesn't."
* “More security, less consulting”
* “Clarity. Not Consultancy.”
* “ISO 27001 that makes sense”
* "Security standards. Demystified."
* "Enterprise security, democratized."
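Review bot: the quotation marks in "Payoff suggestions" mix straight and curly glyphs ("Big company security, small company budgets” opens straight and closes curly; “Enterprise-level security for SMEs has no closing quote at all); normalise to one style and close the open quote. The "Current:" block sits above the "# Taglines" heading, so it renders as a stray paragraph rather than a section; put it under its own heading. Bullet markers alternate between `*` and `-` with no stated meaning, and only some entries are bold; if bold marks the shortlist, say so in a line at the top. "ISO27DIY: Get Certified Keep Growing" also needs a separator between the two clauses.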


@ -0,0 +1,123 @@
# Doelgroepen & marktsegmenten — ISO27DIY
---
## Segment 1 — Founders & SaaS-bedrijven
**Profiel**
Technische oprichters van software- of SaaS-bedrijven. Ze hebben security serieus genomen, maar niet systematisch. Het ISMS bestaat uit losse tools en documenten, niet als samenhangend managementsysteem.
**Motief**
Enterprise-sales. Een grote klant of aanbesteding stelt ISO 27001 als harde voorwaarde. De certificering is geen overtuiging maar een dealbreaker die ze willen wegnemen — bij voorkeur snel en zonder externe consultant.
**Trigger**
"We verliezen een deal als we dit niet hebben."
**Boodschap**
Je security is waarschijnlijk beter dan je denkt. Wat ontbreekt is de aantoonbaarheid — een managementsysteem dat een auditor kan volgen. Dat is oplosbaar, ook zonder groot budget of consultant.
**Kanalen**
- LinkedIn (eigen netwerk + groepen)
- Reddit: r/SaaS, r/ISO27001, r/startups
- Hacker News
- Nieuwsbrief
---
## Segment 2 — MKB-directeuren
**Profiel**
Directeuren van kleine tot middelgrote bedrijven die zelf geen IT-achtergrond hebben. Ze zijn eindverantwoordelijk maar delegeren security aan een IT-beheerder of externe partij. ISO 27001 komt op hun radar via een klant, verzekeraar of aanbesteding.
**Motief**
Zakelijke continuïteit en klantbehoud. De certificering is een investering die ze willen begrijpen — wat kost het, wat levert het op, wat wordt er van hen verwacht?
**Trigger**
"Een opdrachtgever vraagt erom" of "onze verzekeraar stelt strengere eisen."
**Boodschap**
ISO 27001 is geen IT-project — het is een managementsysteem. De directie is er niet de uitvoerder van, maar wél de eindverantwoordelijke. Dit eBook legt uit wat dat concreet betekent, wat het kost, en hoe het proces eruitziet.
**Kanalen**
- LinkedIn
- Nieuwsbrief
- Google (SEO op "ISO 27001 MKB", "kosten ISO 27001 certificering")
---
## Segment 3 — Dienstverleners zonder online kern
**Profiel**
Organisaties die persoonsgegevens of klantdata verwerken, maar zichzelf niet als IT-bedrijf zien. Denk aan kinderopvang, installatietechnici, IoT-leveranciers, facilitaire dienstverleners. Ze worden geconfronteerd met ISO 27001 als eis van een opdrachtgever of in een aanbesteding — terwijl ze zelf nauwelijks weten wat het inhoudt.
**Motief**
Marktoegang. Ze willen aan een specifieke eis voldoen om een contract te winnen of te behouden. De drijfveer is extern, niet intern.
**Trigger**
"Onze opdrachtgever vraagt om een ISO 27001-certificaat. We weten niet waar we moeten beginnen."
**Boodschap**
ISO 27001 is niet alleen voor techbedrijven. Als je persoonsgegevens verwerkt of toegang hebt tot de systemen van je opdrachtgever, ben je al in scope. Dit eBook legt uit wat er van je wordt verwacht — en dat het minder ingewikkeld is dan het klinkt.
**Kanalen**
- Brancheverenigingen en sectormedia (kinderopvang, installatiebranche, IoT/OT)
- LinkedIn via branchegroepen
- Google (SEO op "ISO 27001 kinderopvang", "ISO 27001 leverancier opdrachtgever", "ISO 27001 niet-IT bedrijf")
---
## Segment 4 — Organisaties onder regelgevingsdruk
**Profiel**
Bedrijven die vanuit wet- en regelgeving hun informatiebeveiliging moeten aantonen — denk aan NIS-2, de Cyberbeveiligingswet (Cbw), de Cyber Resilience Act (CRA), of sectorspecifieke eisen. Ze hebben geen expliciete ISO 27001-behoefte, maar zoeken wel een aanpak die hun compliance-last structureel oplost.
**Motief**
Regelgevingsdruk en aansprakelijkheidsreductie. Ze moeten iets doen — en willen niet voor elke nieuwe wet opnieuw het wiel uitvinden.
**Trigger**
"We moeten aan NIS-2 voldoen. Hoe pakken we dat aan zonder voor elke regelgeving een apart traject op te zetten?"
**Boodschap**
ISO 27001 is geen doel op zich — het is een fundament. Een goed ingericht ISMS dekt de kern van wat NIS-2, de Cbw en de CRA van je vragen. Eén systeem, meerdere regelgevingen afgedekt. Dat is efficiënter dan losse compliance-trajecten per wet.
**Kanalen**
- LinkedIn (compliance, legal, risk management doelgroep)
- Google (SEO op "NIS-2 ISO 27001", "Cbw informatiebeveiliging", "CRA compliance basis")
- Branchemedia en vakbladen (recht, compliance, risk)
- Nieuwsbrief
---
## Segment 5 — MSP's (Managed Service Providers)
**Profiel**
IT-dienstverleners die het MKB ontzorgen op het gebied van infrastructuur, beheer en security. Ze zijn het eerste aanspreekpunt als een klant een ISO 27001-vraag krijgt — van een opdrachtgever, verzekeraar of aanbesteding. Ze hebben doorgaans zelf geen uitgewerkt ISO 27001-aanbod, maar zien de vraag wel toenemen.
**Motief**
Dienstenpakket uitbreiden en klantbehoud. Een MSP die zijn klant kan helpen met ISO 27001-voorbereiding, bindt die klant en vergroot de omzet per account. ISO27DIY is voor hen geen product dat ze zelf gebruiken, maar één dat ze aanbieden of doorverwijzen — als white label, als partnerproduct, of als referral.
**Trigger**
"Mijn klant heeft ISO 27001 nodig. Ik wil dat kunnen oplossen zonder zelf een compliance-afdeling op te bouwen."
**Boodschap**
Jouw klanten krijgen steeds vaker de vraag naar ISO 27001. Met ISO27DIY kun je die vraag beantwoorden — zonder zelf het wiel uit te vinden. Schaalbaar, gestructureerd, en inzetbaar naast je bestaande dienstverlening.
**Relatie tot andere segmenten**
MSP's zijn geen eindgebruiker maar een distributiekanaal. Via hen bereik je segmenten 2 en 3 — de MKB-directeur en de dienstverlener zonder online kern — op het moment dat de behoefte concreet is en de MSP al vertrouwen heeft opgebouwd.
**Kanalen**
- LinkedIn (IT-channel, MSP-communities)
- Vakbladen en events: Channel Connect, MSP Summit, IT-channelmedia
- Directe partnerwerving via outreach
---
## Overzicht
| Segment | Primaire trigger | Kernboodschap | Prioriteit kanalen |
|---|---|---|---|
| Founders / SaaS | Dealbreaker in enterprise-sales | Aantoonbaarheid, niet security | LinkedIn, Reddit, HN |
| MKB-directeuren | Klanteis of verzekeraar | Managementsysteem, niet IT-project | LinkedIn, Google |
| Dienstverleners zonder online kern | Opdrachtgeverseis | Ook voor niet-IT bedrijven | Branchemedia, Google |
| Regelgevingsdruk (NIS-2 / Cbw / CRA) | Wettelijke verplichting | Één fundament, meerdere wetten | LinkedIn, Google, vakbladen |
| MSP's | Klant heeft ISO 27001 nodig | Distributiepartner, niet eindgebruiker | LinkedIn, channel-events, outreach |
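Review bot: "Marktoegang" under Segment 3 should be "Markttoegang", and "Één fundament" in the Overzicht table should be "Eén fundament" (Dutch drops the accent on the capital letter). Segments 2 and 3 refer to "Dit eBook" while Segments 1, 4 and 5 never mention an eBook, so a reader cannot tell whether this document profiles the audience for one eBook or describes five separate messages; state the deliverable once at the top of the file, or add it to the remaining segments so the "Boodschap" paragraphs are consistent.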