diff --git a/Content Factory/Phase 0 - Strategy Session.md b/Content Factory/Phase 0 - Strategy Session.md index b3e5d8d..6bbb675 100644 --- a/Content Factory/Phase 0 - Strategy Session.md +++ b/Content Factory/Phase 0 - Strategy Session.md @@ -1,6 +1,6 @@ # Phase 0 — Strategy Session — Prompt -Prepare the strategy session by creating a [Brand Image Note](../marketing/branding/Brand%20Image%20Note.md) +Prepare the strategy session by creating a [brand-image-note](../Marketing/branding/brand-image-note.md) **Starting a Strategic Mode session** diff --git a/marketing/.DS_Store b/marketing/.DS_Store index 0003415..9a355d7 100644 Binary files a/marketing/.DS_Store and b/marketing/.DS_Store differ diff --git a/marketing/branding/Brand Image Note.md b/marketing/branding/Brand Image Note.md deleted file mode 100644 index 0d108f2..0000000 --- a/marketing/branding/Brand Image Note.md +++ /dev/null @@ -1,4 +0,0 @@ -# Brand Image Note - -[docx](iso27diy-brand-image-note.docx) - diff --git a/marketing/branding/brand-image-note.md b/marketing/branding/brand-image-note.md new file mode 100644 index 0000000..d7a345d --- /dev/null +++ b/marketing/branding/brand-image-note.md 
@@ -0,0 +1,226 @@ +--- +title: "Brand Image Note — ISO27DIY / Thinking Security Works" +notetype: other +language: en +last-updated: "2026-06-05" +tags: [] +--- + +# Brand Image Note + +ISO27DIY / Thinking Security Works + +*Prepared for brand strategy and content strategy sessions* + +Version 1.0 · April 2026 · Confidential + +--- + +## 1. What We Know About Ourselves + +### Product Description + +ISO27DIY is a guided implementation system that takes SMEs through ISO 27001 certification without needing to hire consultants. It combines five components: + +| Component | Description | +| --- | --- | +| **Guided Implementation System** | 50+ micro-sessions that walk the user through the full ISO 27001 implementation, producing required documentation along the way. | +| **AuditGlue GRC Tool** | Manages all artifacts, supports risk analyses, data classification, and asset inventarisation. Includes AI-powered policy generation and version control. | +| **Controls Library** | Plain-English guidance for all 94 Annex A controls, with practical examples tailored to the organisation's type. | +| **Expert Support** | On-demand access to experienced ISO 27001 implementors via email, chat, or video call. | +| **Preliminary Audits** | Sessions with PECB Certified Lead Auditors to validate certification readiness before the real thing. 
| + +### Pricing + +| Tier | Annual | Monthly | +| --- | --- | --- | +| **Implementation** | €39/month | €49/month | +| **Implementation + Support** | €99/month | €119/month | +| **Pre-certification audit** | €299/session | (3-hr sessions, ~4 total) | +| **Expert video call** | €49/call | (30 minutes) | + +### Founder Background + +**Richard Kranendonk** — CEO & Founder, ISO27DIY / Thinking Security Works + +- 30 years in IT as a consultant and project manager +- Specialised in Privacy (GDPR) and Information Security (ISO 27001) since 2017 +- Certifications: CISSP, ECPC-B, PECB ISO 27001 Lead Auditor +- Former CISO at Booking.com and Ultimaker (3D printing) +- Has personally guided dozens of SME clients through ISO 27001 certification and renewal across healthcare, software development, traffic management systems, and industrial environments +- Works with a small, focused team: one developer (Luka de Jong) and two others, including advisory board member Bas Meyberg (co-founder of an MSSP, lecturer in Cyber Security at HU Utrecht, CISO) + +*The credibility story is specific and layered. A PECB Lead Auditor who has operated as CISO at Booking.com — one of the world's largest digital platforms — building a tool to help SMEs get certified themselves is a genuinely unusual founder profile. The sector diversity of past client work (healthcare, industrial, traffic systems — not just SaaS) directly supports the positioning that ISO27DIY works for organisations that don't think of themselves as tech companies.* + +*Richard's own quote from the team page captures the brand's core argument: **"ISO 27001 isn't complex. It's been made complex by an industry that profits from the confusion."*** + +### Origin Story + +The frustration that built ISO27DIY came from the inside — not from watching clients struggle, but from being the person trying to make ISO 27001 mean something within organisations that treated it as a compliance tax. 
+ +As a CISO and Privacy & Security manager, Richard observed ISO 27001 compliance being treated as a staff responsibility rather than a business ownership issue — seen as unnecessary bureaucracy instead of what it actually is: a quality and risk management instrument that can move the business forward and transform an incident-driven organisation into a learning organisation with process maturity. + +The core belief that drives the product: ISO 27001 is not rocket science. The standard has been made artificially complex by an industry that profits from the confusion. Consultants, certification bodies, and GRC vendors all benefit from the mystique. SMEs pay the price. + +> ⚠ **GAP** — The specific trigger moment is not yet documented. Was there a particular client, audit, or internal experience that made the decision to build this concrete? That story will matter to the brand strategist. +> +> - *Was there a specific moment — a client conversation, an audit outcome, or an internal experience — that made you decide to build this rather than keep consulting?* + +### What ISO27DIY Is Not + +ISO27DIY explicitly differs from: + +- **Expensive consultants** — the product exists because consulting fees are a barrier to competition for SMEs +- **Template kits** — generic templates give no guidance on adaptation; ISO27DIY generates tailored content based on the organisation's actual input +- **Checkbox / compliance theatre** — checklist-based implementations lack internal cohesion and don't create real security +- **Enterprise GRC tools** — built for organisations with dedicated compliance teams; not for the tech person or COO at an SME doing this on top of their regular job +- **Free internet resources patched together** — takes months, produces no structured result, high risk of critical gaps + +The phrase used internally: **Theatre of Compliance** — implementing ISO 27001 as a performance for auditors rather than as a functional management system. 
+ +### Current State of the Brand + +**Taglines in Active Use** + +- Certification shouldn't be a barrier to competition +- Guided ISO 27001 implementation. No consulting required. +- ISO27DIY: Get Certified – Keep Growing + +**Tone and Communication Style** + +Fully documented and consistent across all touchpoints. Direct, plain-spoken, no corporate jargon, short sentences, mildly opinionated. Authoritative without being academic. The communication style guide, personal writing style notes, and manifesto are all aligned. + +**Content Published** + +- Website homepage (live, with transparent pricing) +- Two blog posts: 9-step implementation roadmap in Dutch and English +- LinkedIn company page copy +- eBook: *De ISO 27001 audit — Wat je écht moet weten* (Dutch, April 2026) +- Manifesto: *The Manifesto for Information Security Management* (published March 2026, under Thinking Security Works brand) + +**Visual Identity** + +- Logo: Bold, compact mark — ISO 27|DIY stacked, with 'DIY' in a price-tag device. Red and navy. The price-tag device is a smart visual pun: certification as something you acquire, but also as something you do yourself. +- Website: Dark navy footer, clean white body, blue CTAs. Professional, not startup-scrappy. +- Team page: Illustrated portraits rather than photos — adds personality, differentiates from generic headshot-on-white. +- eBook: White with dot-grid background, blue accent line, navy typography. Professional without being corporate. +- The company name in the footer of the website is Thinking Security Works. TSW is the parent company; they also offer privacy and security consulting and a workshop method for risk identification and management called 'The Canvas Method'. This can be dropped if it is better for marketing. + +--- + +## 2. What We Know About Our Audience + +### Target Segments + +Five segments are defined. 
The primary user of the product — the person doing the implementation work — is typically the internal tech person or COO, not the director who made the decision. + +| Segment | Trigger | Core message | Priority channels | +| --- | --- | --- | --- | +| Founders & SaaS | "We lose the deal if we don't have this" | Aantoonbaarheid, not security | LinkedIn, Reddit, HN | +| SME directors | Client or insurer demand | Management system, not IT project | LinkedIn, Google SEO | +| Non-digital service providers | Supplier requirement | Also for non-tech organisations | Trade media, Google SEO | +| Regulatory pressure (NIS-2/Cbw/CRA) | Legal obligation | One foundation, multiple regulations | LinkedIn, Google, trade press | +| MSPs | Client needs ISO 27001 | Distribution partner, not end user | LinkedIn, channel events, outreach | + +### What the Audience Fears and Wants + +Based on sector knowledge and direct implementation experience — not yet validated through customer research (pre-launch). The FUD clusters into six themes: + +- **Doing it wrong** — misinterpreting the standard, missing something critical, failing the audit +- **Getting stuck** — not knowing what 'enough' looks like; the framework is not prescriptive +- **Internal resistance** — employees seeing it as bureaucratic overhead; management not prioritising it +- **Documentation overload** — massive, unwieldy policies that nobody reads or follows +- **Consultant dependency** — feeling they can't do it without external help, meaning cost and loss of control +- **Time and budget** — SMEs believe they lack the resources to manage the process + +What success looks like in their terms: *passing the audit without disrupting the business, without hiring consultants, and without ending up with a paper system nobody uses.* + +### How They Currently Solve the Problem + +- Hire a consultant — expensive, creates dependency, often produces compliance theatre +- Buy a template kit — cheap, but no guidance on adaptation or 
context +- Patch together free internet resources — months of work, no structure, high risk of gaps +- Do nothing — common until a trigger forces action (client demand, insurer, regulation) +- Enterprise GRC tools (Vanta, Drata, Sprinto) — built for funded tech companies, not SMEs; pricing and complexity are barriers + +### Customer Signal + +> ⚠ **GAP** — No signal yet — ISO27DIY is approaching closed beta / MVP launch. The audience psychology above is built on sector knowledge and the founder's direct experience as a CISO and implementor, not on validated customer research. The first beta cohort should be treated as a research opportunity. +> +> - *What questions do you want the first beta users to answer that would validate or challenge the assumptions above?* + +--- + +## 3. What We Know About the Market + +### Competitive Landscape + +**Direct Product Competitors** + +| Competitor | Positioning | Where they fall short | +| --- | --- | --- | +| Advisera | Documentation packages + e-learning. 'We've done the thinking for you.' | Template-kit mentality. No guided process, no tailoring, no philosophy. | +| ISMS.online | SaaS GRC platform, documentation-heavy, established player. | Built for compliance managers, not for the SME tech person doing it themselves. | +| isoplanner.app | ISO 27001 project planning tool, regional focus. | Tooling without guidance. No audit expertise behind it. | +| isomanager.nl | Dutch GRC platform, SME-oriented. | Generic, no distinct point of view, no founder authority. | +| Instant 27001 | Fast-track kit, minimal guidance. | Speed over substance. Classic compliance theatre risk. | +| Vanta / Drata / Sprinto | Compliance automation for funded tech companies. | Wrong audience, wrong price point, automation-first not understanding-first. 
| + +**Category Competitors** + +- Local ISO 27001 consultancies — compete on relationships and trust, no consistent positioning, create dependency +- Template marketplaces (Etsy, specialist sites) — compete on price, deliver no guidance, no tailoring + +> ⚠ **GAP** — Competitive analysis is based on general market knowledge, not direct research. Confirm: which of these come up in prospect conversations? Which have you looked at directly and formed a view on? + +### The Gap ISO27DIY Occupies + +This is the clearest and most differentiated part of the brand. Nobody else in this space is saying: + +*ISO 27001 is a framework for context-driven, risk-proportionate decisions — not a checklist. Your security is probably better than you think. What you're missing is the system to make it visible and auditable. You can build that yourself.* + +The positioning gap in one line: guided, opinionated, philosophy-first implementation at SME price points. Not automation. Not templates. Not consulting. A structured path that respects the intelligence of the person doing the work and the specifics of their organisation. + +### Category Conventions and Where They Fail + +The ISO 27001 market communicates in one of two registers: + +- **Fear and complexity** — consultancies and enterprise tools lean on FUD: the standard is hard, the risks are real, you need us +- **Speed and automation** — compliance platforms promise fast certification, implying the content of compliance is a solved problem + +Both treat ISO 27001 as a transaction — something to get through. Neither treats it as a management practice worth building properly. + +ISO27DIY's position cuts against both: **clarity over fear, substance over speed.** The category convention that fails the audience is the assumption that ISO 27001 is either too hard to do yourself (consultancy narrative) or too simple to think about (automation narrative). The actual audience needs neither fear nor shortcuts. 
They need a guide who knows the route. + +--- + +## 4. Open Questions for the Strategy Session + +The following need answers before or during the session. + +### Founder Story + +- *Was there a specific moment — a client, an audit outcome, or an internal experience — that made you decide to build this rather than keep consulting?* + +### Brand Architecture + +- *Is Richard the explicit face of ISO27DIY — named, quoted, visible — or does the brand stand more independently from the founder over time?* + +### Competitive Intelligence + +- *Which competitors come up when you're in a sales conversation — by name? Which have you looked at directly and formed a view on?* +- *Where do you see Vanta, Drata, and local consultancies most visibly failing the people you're targeting?* + +### Customer Validation + +- *What questions do you want the first beta users to answer that would validate or challenge the audience assumptions in this document?* +- *Are there any early conversations — sales calls, LinkedIn reactions, responses to the blog or manifesto — that gave you signal on what lands and what doesn't?* + +### Tone and Positioning + +- *The 'rebellious touch' is named as a differentiator. Where is the line between rebellious and credible? What does it look like in practice — in a LinkedIn post, in an onboarding screen, in a sales email?* +- *The manifesto uses Agile-style value statements (X over Y). Is that the right format for the brand, or is it a starting point that needs evolving?* + +--- + +© 2026 Thinking Security Works · iso27diy.com · Confidential diff --git a/marketing/branding/iso27diy-brand-image-note.docx b/marketing/branding/iso27diy-brand-image-note.docx deleted file mode 100644 index 966f314..0000000 Binary files a/marketing/branding/iso27diy-brand-image-note.docx and /dev/null differ diff --git a/marketing/proposition/Elevator Pitch.md b/marketing/proposition/Elevator Pitch.md deleted file mode 100644 index 143efbe..0000000 
--- a/marketing/proposition/Elevator Pitch.md +++ /dev/null @@ -1,14 +0,0 @@ -## Elevator pitch - -ISO27DIY is a method to implement information security management, and become ISO 27001 compliant, without the need for external consultants or expensive software. -The ISO27DIY workshop series is freely available on YouTube, dramatically lowering the barrier for certification for small and medium enterprises to become ISO 27001 certified. -Additional resources and support are available on the iso27diy.com website. - -### Key value proposition - -* A method for implementing ISO 27001 in your own organization -* Workshop videos freely available on YouTube -* No need for external consultants or expensive software - - -See also [ISO27DIY benefits](../../AuditGlue/ISO27DIY%20benefits.md) \ No newline at end of file diff --git a/marketing/proposition/ISO27DIY-pitch-deck.pptx b/marketing/proposition/ISO27DIY-pitch-deck.pptx new file mode 100644 index 0000000..06396ff Binary files /dev/null and b/marketing/proposition/ISO27DIY-pitch-deck.pptx differ diff --git a/marketing/proposition/elevator-pitch.md b/marketing/proposition/elevator-pitch.md new file mode 100644 index 0000000..ab81a00 --- /dev/null +++ b/marketing/proposition/elevator-pitch.md 
@@ -0,0 +1,7 @@ +ISO 27001 is hard op weg een license to operate te worden. Grote bedrijven worden door regelgeving verplicht hun leveranciersketen te beveiligen — en schuiven die eis door naar hun toeleveranciers. Wie niet gecertificeerd is, verliest de opdracht. + +Voor kleinere organisaties zijn de gangbare opties niet realistisch. Een specialist in dienst nemen is te duur. Een medewerker vrijmaken kost capaciteit die je niet hebt. Een consultant inhuren is kostbaar en lost je kennisprobleem niet op. Zelf aan de slag met een boek en templates van internet? Steile leercurve, grote foutkans, en uiteindelijk nog steeds geen werkend documentatiesysteem. + +ISO27DIY is een interactieve, stap-voor-stap aanpak die is afgestemd op jouw organisatie. Je bouwt gaandeweg je ISMS op, implementeert de vereiste maatregelen, en produceert alle documentatie die een auditor verwacht. Alles sla je op in een geïntegreerde GRC-oplossing die eenvoudig is maar krachtig genoeg. Als je vastloopt, kun je online een ervaren expert inschakelen. En voordat de auditor komt, laat je een proefaudit doen. + +Als de auditor komt, ben je er klaar voor. \ No newline at end of file diff --git a/metadata/overviews/corpus-overview-Marketing.md b/metadata/overviews/corpus-overview-Marketing.md new file mode 100644 index 0000000..f9bc840 --- /dev/null +++ b/metadata/overviews/corpus-overview-Marketing.md 
@@ -0,0 +1,474 @@ +--- +title: "Corpus Overview: Marketing" +notetype: overview +covers: "iso27diy-corp/Marketing" +last-updated: "2026-06-06" +tags: [] +--- + +# Corpus Overview: Marketing + +This folder contains all marketing-related material for ISO27DIY: brand identity, market proposition, channel strategy, published and in-progress content, and marketing infrastructure (UTM tracking). It is organised into four subfolders: `automation`, `branding`, `proposition`, and `publications`. + +--- + +## automation + +**Title:** UTM Tracking System +**Path:** +- `iso27diy-corp/Marketing/automation/UTM coding scheme.md` +- `iso27diy-corp/Marketing/automation/UTM-tracking.md` +- `iso27diy-corp/Marketing/automation/utm-tracker.xlsx` +**Summary:** Two complementary notes documenting the UTM parameter system used to track traffic from marketing channels to iso27diy.com. The coding scheme note defines the controlled vocabulary for all five UTM parameters (source, medium, campaign, content, term), with example URLs for key scenarios. The tracking note explains what UTM parameters are and how they work. An accompanying spreadsheet holds the master tracker. +**Key concepts and terms:** UTM parameters, utm_source, utm_medium, utm_campaign, utm_content, campaign tracking, Umami analytics, traffic attribution +**ISO27001 relevance:** None directly; operational marketing infrastructure. +**ISO27DIY relevance:** Essential for measuring which channels and campaigns drive signups and downloads. Without this, content performance is invisible. +**Related notes:** `iso27diy-corp/Marketing/publications/content-calendar.md`, `iso27diy-corp/Marketing/branding/Taglines and Payoffs.md` +**Content potential:** Not content source material — operational reference for anyone creating UTM-tagged links. +**Fetch priority:** Low — reference when creating new links, not for content generation. 
+ +--- + +## branding + +**Title:** Brand Values +**Path:** `iso27diy-corp/Marketing/branding/Brand Values.md` +**Summary:** Defines the three primary brand values (Authenticity, Clarity, Empowerment) and five secondary values. More substantively, articulates the founding beliefs behind ISO27DIY: that ISO 27001 implementations fail because they treat a framework as a checklist, that the standard's language creates artificial complexity requiring consultants, and that SMEs are capable of doing this themselves with the right guidance. +**Key concepts and terms:** Brand values, ACE (Authenticity/Clarity/Empowerment), ISO 27001 spirit vs letter, checklist implementations, SME capability, risk-based approach +**ISO27001 relevance:** Directly frames the product's positioning against the dominant (and in Richard's view flawed) approach to ISO 27001 implementation. +**ISO27DIY relevance:** Core positioning document. Grounds all messaging in a coherent worldview. Content agents should internalise this before producing anything. +**Related notes:** `iso27diy-corp/Marketing/branding/ISO27DIY communication style.md`, `iso27diy-corp/Marketing/branding/FUD with Certification.md`, `iso27diy-corp/Marketing/branding/Value Proposition Canvas for iso27DIY.md` +**Content potential:** Underpins thought leadership content; the beliefs listed here map to blog post and LinkedIn post angles. +**Fetch priority:** High — foundational reference for all content and messaging. + +--- + +**Title:** FUD with Certification +**Path:** `iso27diy-corp/Marketing/branding/FUD with Certification.md` +**Summary:** A structured inventory of the fears, uncertainties, and doubts that ISO 27001 implementers experience, organised into five themes: lack of leadership support, business alignment, employee buy-in, documentation/policy tuning, risk assessment, and passing the audit. Each theme names specific worries and failure patterns. This is the raw material for empathy-based marketing. 
+**Key concepts and terms:** FUD, top management support, business alignment, ISMS integration, documentation overengineering, risk assessment anxiety, audit readiness, cultural resistance +**ISO27001 relevance:** Maps directly to the most common implementation failure modes: absent leadership, template-based documentation, poor risk methodology, audit unpreparedness. +**ISO27DIY relevance:** High-value input for persona-based messaging, landing page copy, newsletter hooks, and lead magnets. Every bullet point here is a potential content angle. +**Related notes:** `iso27diy-corp/Marketing/branding/Brand Values.md`, `iso27diy-corp/Marketing/proposition/Doelgroepen.md`, `iso27diy-corp/Marketing/publications/eBook-Audit/` +**Content potential:** Extremely high. Checklist-to-post conversions, "does this sound familiar?" hooks, pain-point-led LinkedIn posts, FAQ content. +**Fetch priority:** High — reference whenever writing audience-facing copy. + +--- + +**Title:** ISO27DIY Solution and Components +**Path:** `iso27diy-corp/Marketing/branding/ISO27DIY Solution and Components.md` +**Summary:** Describes the five product components (Guided Implementation System, GRC Tooling/AuditGlue, Controls Library, Expert Support, Preliminary Audits) and the design principles behind them. Target user is the non-specialist person made responsible for ISO 27001 in an SME — typically the tech person or COO. The guiding metaphor is a "smartwatch fitness coach" rather than a checklist. +**Key concepts and terms:** Guided Implementation System, AuditGlue, Controls Library, Expert Support, Preliminary Audits, micro-sessions, AI policy generation, SME, non-specialist user +**ISO27001 relevance:** The product directly supports ISO 27001 implementation across all phases. +**ISO27DIY relevance:** The canonical product description. Should be the source of truth for any content describing what the product is. 
+**Related notes:** `iso27diy-corp/Marketing/branding/Value Proposition Canvas for iso27DIY.md`, `iso27diy-corp/Marketing/branding/LinkedIn Company Page for iso27DYI.md`, `iso27diy-corp/Marketing/publications/website/homepage-content.md` +**Content potential:** Product explainers, feature-focused posts, comparison content (ISO27DIY vs consultant/templates/GRC tools). +**Fetch priority:** High — reference for any product-describing content. + +--- + +**Title:** Communication Style Guide +**Path:** `iso27diy-corp/Marketing/branding/ISO27DIY communication style.md` +**Summary:** Brand-level writing guidelines covering voice, tone, sentence structure, word choices, and things to avoid. Specifies the manifesto format (X over Y, both sides named and neither villainised). Describes the reader as intelligent, pragmatic, and time-poor — put off by complexity and consultant-speak. +**Key concepts and terms:** Voice and tone, sentence structure, manifesto format, X over Y, word choices (avoid: leverage/synergy/holistic/seamless), reader profile +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Governs all brand communication. Content agents must apply this consistently. +**Related notes:** `iso27diy-corp/Marketing/branding/Personal Writing Style.md`, `iso27diy-corp/Marketing/branding/Persoonlijke Schrijfstijl.md` +**Content potential:** Not content source — style reference. +**Fetch priority:** High — always apply when generating or reviewing brand content. + +--- + +**Title:** Personal Writing Style (EN + NL) +**Path:** +- `iso27diy-corp/Marketing/branding/Personal Writing Style.md` +- `iso27diy-corp/Marketing/branding/Persoonlijke Schrijfstijl.md` +**Summary:** Richard's personal writing style as applied to ISO27DIY content. Direct and businesslike, preference for short assertive sentences, long sentences for explanation, contrast for emphasis. Uses industry-standard terminology where it's the accepted term, otherwise plain language. 
Explicitly avoids rhetorical openers, meta-commentary, headline repetition, and false modesty. The NL note is the Dutch-language equivalent. +**Key concepts and terms:** Sentence contrast, assertive voice, jargon policy, structural consistency, cross-reference between steps, figurative language (sparing) +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Needed by any content agent producing posts or articles attributed to Richard. +**Related notes:** `iso27diy-corp/Marketing/branding/ISO27DIY communication style.md` +**Content potential:** Not content source — style reference. +**Fetch priority:** Medium — fetch when producing Richard-attributed content. + +--- + +**Title:** LinkedIn Company Page +**Path:** `iso27diy-corp/Marketing/branding/LinkedIn Company Page for iso27DYI.md` +**Summary:** The full text of the ISO27DIY LinkedIn company page About section. Describes the problem (ISO 27001 as price of entry for enterprise deals, no room for consultants, templates useless without context), then introduces the product components, the approach (no Theatre of Compliance, build on what already works), and closes with the tagline "Get Certified — Keep Growing." +**Key concepts and terms:** LinkedIn About text, Theatre of Compliance, price of entry, enterprise deals, certification-ready +**ISO27001 relevance:** Positions ISO 27001 certification as a business enabler rather than a compliance burden. +**ISO27DIY relevance:** Live public-facing copy; useful reference for channel-specific tone and messaging length. +**Related notes:** `iso27diy-corp/Marketing/branding/ISO27DIY Solution and Components.md`, `iso27diy-corp/Marketing/branding/Taglines and Payoffs.md` +**Content potential:** Reference for LinkedIn-specific framing and length norms. +**Fetch priority:** Low — consult when updating LinkedIn assets. 
+ +--- + +**Title:** Snippets for Marketing ISO27DIY +**Path:** `iso27diy-corp/Marketing/branding/Snippets for marketing iso27DIY.md` +**Summary:** Loose collection of copy fragments, positioning ideas, and product description drafts. Includes the "We work with what you've got" framing, the Steve Jobs iPhone analogy ("a stack of templates AND a GRC program AND a consultant leading you through the process"), and early articulations of the control-mapping concept. +**Key concepts and terms:** Control mapping, "work with what you've got", iPhone analogy, guided implementation framing +**ISO27001 relevance:** Touches on control mapping and artifact reuse — directly relevant to how ISO 27001 implementation is reframed for SMEs. +**ISO27DIY relevance:** Rough but usable — some fragments here are stronger than finished copy elsewhere. Worth scanning for hooks. +**Related notes:** `iso27diy-corp/Marketing/branding/ISO27DIY Solution and Components.md`, `iso27diy-corp/Marketing/branding/Taglines and Payoffs.md` +**Content potential:** Hook fragments, concept seeds for posts and landing pages. +**Fetch priority:** Low — useful to browse, not to rely on as authoritative source. + +--- + +**Title:** Taglines and Payoffs +**Path:** `iso27diy-corp/Marketing/branding/Taglines and Payoffs.md` +**Summary:** Working list of tagline and payoff candidates, with current active taglines flagged. Active: "Certification shouldn't be a barrier to competition", "Guided ISO 27001 implementation. No consulting required.", "ISO27DIY: Get Certified – Keep Growing." Also includes a long backlog of candidates at various stages. +**Key concepts and terms:** Taglines, payoffs, brand messaging, certification framing +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Source of truth for approved taglines. Content agents should not invent new taglines without checking here first. 
+**Related notes:** `iso27diy-corp/Marketing/branding/LinkedIn Company Page for iso27DYI.md`, `iso27diy-corp/Marketing/branding/Snippets for marketing iso27DIY.md` +**Content potential:** Not content — reference for sign-offs and CTAs. +**Fetch priority:** Low — fetch when finalising content that needs a closing line. + +--- + +**Title:** Value Proposition Canvas +**Path:** `iso27diy-corp/Marketing/branding/Value Proposition Canvas for iso27DIY.md` +**Summary:** Partially completed Value Proposition Canvas. Products & Services, Pain Relievers, and Gain Creators are populated. Customer Jobs and Pains sections are present but empty. Pain Relievers focus on time/cost efficiency, removing documentation burden, and mitigating audit fear. Gain Creators focus on strategic advantage, confidence, and operational integration. +**Key concepts and terms:** Value Proposition Canvas, pain relievers, gain creators, audit fear, documentation burden, strategic advantage +**ISO27001 relevance:** Frames how ISO27DIY addresses the specific pains of ISO 27001 implementation. +**ISO27DIY relevance:** Useful strategic reference; incomplete — the Customer Jobs and Pains sections need to be filled in. +**Related notes:** `iso27diy-corp/Marketing/branding/FUD with Certification.md`, `iso27diy-corp/Marketing/proposition/Doelgroepen.md` +**Content potential:** Moderate — useful for structuring landing pages and pitch decks, but needs completion first. +**Fetch priority:** Low — [REVIEW] incomplete; Customer Jobs and Pains sections are empty. 
+ +--- + +**Title:** Brand Image Note +**Path:** `iso27diy-corp/Marketing/branding/Brand Image Note.md` +**Summary:** A comprehensive brand strategy document (Version 1.0, April 2026) covering four areas: (1) What we know about ourselves — product components and pricing, Richard's founder background (CISSP, PECB Lead Auditor, former CISO at Booking.com and Ultimaker), origin story, what ISO27DIY is not, and current brand state including taglines, communication style, published content, and visual identity. (2) What we know about our audience — five-segment overview with triggers and messaging, six FUD clusters, how prospects currently solve the problem, and a gap note that customer signal is not yet validated. (3) What we know about the market — competitive landscape (Advisera, ISMS.online, isoplanner, Vanta/Drata/Sprinto, local consultancies), the positioning gap ISO27DIY occupies, and where category conventions (fear/complexity vs speed/automation) fail the audience. (4) Open questions for strategy sessions — founder story, brand architecture, competitive intelligence, customer validation, and tone/positioning. +**Key concepts and terms:** Brand strategy, founder credibility, Theatre of Compliance, positioning gap, competitive landscape, FUD clusters, customer validation gap, visual identity, open questions +**ISO27001 relevance:** Frames the entire product positioning relative to how ISO 27001 is typically sold and implemented. +**ISO27DIY relevance:** The single most comprehensive brand reference document in the vault. Covers product, audience, market, and strategy in one place. Essential context for brand strategy sessions and for any agent needing to understand what the product is and why it exists. 
+**Related notes:** `iso27diy-corp/Marketing/branding/Brand Values.md`, `iso27diy-corp/Marketing/branding/FUD with Certification.md`, `iso27diy-corp/Marketing/proposition/Doelgroepen.md`, `iso27diy-corp/Marketing/branding/ISO27DIY Solution and Components.md` +**Content potential:** Not a content source — strategic reference. The open questions in Section 4 are actionable items for the founder. +**Fetch priority:** High — fetch for any brand strategy, positioning, or competitive context work. + +--- + +**Title:** Website Color Scheme and Design Overview +**Path:** +- `iso27diy-corp/Marketing/branding/website-color-scheme.md` +- `iso27diy-corp/Marketing/branding/website-design-overview.md` +**Summary:** Detailed technical references for the ISO27DIY website visual design. The color scheme note documents grid/dot overlay settings. The design overview is a comprehensive specification covering fonts (Gambarino for headings, Inter for body, Fragment Mono for card titles), the full named color palette (18 swatches), section-by-section surface/card pairings, and element-level CSS properties for navbar, hero, features, pricing, team, blog, and footer sections. +**Key concepts and terms:** Gambarino, Inter, Fragment Mono, color palette (dgtlblue, carbon, deepteal, etc.), dot grid overlay, section surface pairs +**ISO27001 relevance:** None. +**ISO27DIY relevance:** Technical reference for web design work. Not relevant to content creation. +**Related notes:** — +**Content potential:** None — design specification, not content. +**Fetch priority:** Low — fetch only when doing web design or front-end work. 
+ +--- + +## proposition + +**Title:** Doelgroepen & Marktsegmenten +**Path:** `iso27diy-corp/Marketing/proposition/Doelgroepen.md` +**Summary:** Detailed audience segmentation covering five segments: Founders/SaaS companies (enterprise sales trigger), MKB directors (customer or insurer pressure), service providers without a tech core (contract requirement), organisations under regulatory pressure (NIS-2/Cbw/CRA), and MSPs as distribution channel. Each segment has profile, motive, trigger, messaging, and channel recommendations. Summary table at the end. +**Key concepts and terms:** Market segments, Founders/SaaS, MKB directors, dienstverleners, NIS-2, Cbw, CRA, MSP, trigger-based messaging, channel priority +**ISO27001 relevance:** Directly relevant — each segment's primary trigger relates to ISO 27001 or equivalent regulatory requirements. +**ISO27DIY relevance:** The primary audience reference document. Content agents should consult this before creating audience-targeted content to ensure the right trigger, message, and channel are matched. +**Related notes:** `iso27diy-corp/Marketing/branding/FUD with Certification.md`, `iso27diy-corp/Marketing/proposition/Channels.md` +**Content potential:** High — each segment description contains hooks, angles, and channel-specific messaging that can be developed into posts, email sequences, and landing pages. +**Fetch priority:** High — reference for any audience-targeted content. + +--- + +**Title:** Marketing Channels +**Path:** `iso27diy-corp/Marketing/proposition/Channels.md` +**Summary:** A list of marketing channels and communities by audience type: developer communities (Product Hunt, Indie Hackers, HN, Reddit), MSP channels (Fortmesa link), SME communities (NCSC Community), auditor communities (ISACA, NOREA), and LinkedIn groups. Mostly links, minimal commentary. 
+**Key concepts and terms:** LinkedIn groups, Reddit, Hacker News, Indie Hackers, Product Hunt, ISACA, NOREA, NCSC, MSP channels +**ISO27001 relevance:** None directly. +**ISO27DIY relevance:** Reference for where to distribute content. Thin note — most strategic channel thinking is in `Doelgroepen.md`. +**Related notes:** `iso27diy-corp/Marketing/proposition/Doelgroepen.md` +**Content potential:** None — operational channel list. +**Fetch priority:** Low — occasional reference when planning distribution. + +--- + +**Title:** Elevator Pitch +**Path:** `iso27diy-corp/Marketing/proposition/Elevator Pitch.md` +**Summary:** A short NL-language pitch structured around three moves: the problem (ISO 27001 becoming a licence to operate, with no realistic options for smaller organisations — consultant too expensive, freeing up staff too costly, templates useless without guidance), the solution (ISO27DIY as an interactive step-by-step approach tailored to the organisation, building the ISMS and documentation as you go, with integrated GRC tooling, on-demand expert access, and a pre-certification audit option), and a one-line close ("Als de auditor komt, ben je er klaar voor"). +**Key concepts and terms:** Licence to operate, supply chain pressure, ISMS opbouw, GRC-oplossing, expert support, proefaudit +**ISO27001 relevance:** Directly positions around ISO 27001 certification. +**ISO27DIY relevance:** Current and usable. Aligns with the product as described in the homepage and Solution and Components notes. Good NL-language starting point for pitch copy. +**Related notes:** `iso27diy-corp/Marketing/branding/ISO27DIY Solution and Components.md`, `iso27diy-corp/Marketing/publications/website/homepage-content.md` +**Content potential:** The three-move structure (problem/solution/close) is adaptable for email sequences, ad copy, and sales scripts. +**Fetch priority:** Medium — useful when drafting NL-language pitch or sales material. 
+ +--- + +## publications + +### content-calendar.md + +**Title:** Content Calendar (Dataview Dashboard) +**Path:** `iso27diy-corp/Marketing/publications/content-calendar.md` +**Summary:** A Dataview JS-powered interactive content calendar that renders a weekly grid view of all publication notes in the `posts/` folder. Shows scheduled, published, draft, and unscheduled posts by channel, with an expandable detail panel for front matter metadata. Navigable by week, back to four weeks. +**Key concepts and terms:** Dataview JS, content calendar, publication status, channel tracking, weekly grid, front matter schema +**ISO27001 relevance:** None. +**ISO27DIY relevance:** The central operational view for the content publishing workflow. Requires all post notes to have `notetype: publication` and populated front matter to appear correctly. +**Related notes:** All notes in `iso27diy-corp/Marketing/publications/posts/` +**Content potential:** None — tooling infrastructure. +**Fetch priority:** Low — infrastructure note, not content. 
+ +--- + +### posts/ — Published series: S01 "Security as an Organisational Challenge" + +**Title:** S01 — Security as an Organisational Challenge (EN + NL) +**Path:** +- `iso27diy-corp/Marketing/publications/posts/s01p01en - IT is not going to fix your security problem.md` +- `iso27diy-corp/Marketing/publications/posts/s01p01nl - De IT afdeling gaat jouw beveiliging niet op orde krijgen.md` +- `iso27diy-corp/Marketing/publications/posts/s01p02en - All security risks start with a decision.md` +- `iso27diy-corp/Marketing/publications/posts/s01p02nl - Een beveiligingsrisico begint met een beslissing.md` +- `iso27diy-corp/Marketing/publications/posts/s01p03en - Security is a management issue.md` +- `iso27diy-corp/Marketing/publications/posts/s01p03nl - Security is geen IT-probleem, maar een managementvraagstuk.md` +**Summary:** A three-part LinkedIn series (published in both English and Dutch) arguing that information security is a management problem, not an IT problem. Post 1 uses concrete examples (shared admin accounts, departed employee accounts, CRM access outside legal scope) to show IT cannot own these risks. Post 2 shows that most risks originate in daily decisions and offers four simple non-technical fixes. Post 3 closes with ISO 27001 as the management framework that makes security organisational — and an invitation to contact. +**Key concepts and terms:** Security as management issue, IT department limits, daily decisions and risk, management ownership, ISO 27001 as management framework, #managingsecurity +**ISO27001 relevance:** Post 3 explicitly positions ISO 27001 as the solution to organisational security ownership — governance, risk management, continuous improvement. +**ISO27DIY relevance:** Core thought leadership series establishing Richard's advisory positioning. Strong content that can be repurposed. 
+**Related notes:** `iso27diy-corp/Marketing/publications/posts/agent-instructie.md`, `iso27diy-corp/Marketing/publications/posts/richard-context.md`, `iso27diy-corp/Marketing/branding/Brand Values.md` +**Content potential:** Repurposable as blog articles, newsletter issues, or segmented into standalone tips. The Dutch versions could also feed the NL newsletter if one exists. +**Fetch priority:** Medium — published; useful as reference for tone and series format. + +--- + +### posts/ — Published series: S02 "Cbw-compliance in 8 stappen" + +**Title:** S02 — Cbw-compliance in 8 stappen (NL, 5 posts published + 2 drafts) +**Path:** +- `iso27diy-corp/Marketing/publications/posts/s02p01nl - Op 1 juli treedt de Cbw in werking.md` +- `iso27diy-corp/Marketing/publications/posts/s02p02nl - Je cybersecurity hoeft niet perfect te zijn.md` +- `iso27diy-corp/Marketing/publications/posts/s02p03nl - Waar begin je.md` +- `iso27diy-corp/Marketing/publications/posts/s02p04nl - Hoe kun je als bestuurder aantonen dat je voldoet aan de Cbw.md` +- `iso27diy-corp/Marketing/publications/posts/s02p05nl - De Cbw is geen project.md` +- `iso27diy-corp/Marketing/publications/posts/s02p06nl - Bonus post Cbw en 27001.md` *(draft — empty body)* +- `iso27diy-corp/Marketing/publications/posts/s02pxxnl - Er is geen diploma voor Cbw-compliance.md` *(draft — stub)* +- `iso27diy-corp/Marketing/publications/posts/s02pxxnl - Toch een Cbw checklist.md` *(draft — links to cbw-checklist.html)* +**Summary:** A five-part published LinkedIn series (NL) for business directors on the Dutch Cyberbeveiligingswet (Cbw, in force 1 July 2026), covering personal board liability (Art. 24), the 8-step compliance framework, and the argument that compliance is a continuous management process not a project. Two bonus drafts: one stub on ISO 27001 vs Cbw, one linking to an external Cbw checklist HTML tool. +**Key concepts and terms:** Cyberbeveiligingswet (Cbw), NIS-2, personal board liability, Art. 
21 minimum measures, Art. 24 board knowledge requirement, risk management, ketenverantwoordelijkheid, 8 stappen, #managingsecurity +**ISO27001 relevance:** Post 5 explicitly links Cbw compliance to ISO 27001 as a structural solution. The 8-step framework maps closely to ISO 27001 implementation logic. +**ISO27DIY relevance:** Strong topical series tied to a live regulatory deadline. Cbw-related content will have high resonance with MKB-directors segment through mid-2026. The draft posts are incomplete and need attention. +**Related notes:** `iso27diy-corp/Marketing/proposition/Doelgroepen.md` (Segment 4), `iso27diy-corp/Marketing/publications/posts/Do you supply EU customers.md` +**Content potential:** The 8-step framework could become a standalone guide, blog series, or lead magnet. The Cbw/ISO 27001 connection is underexplored in the published posts. +**Fetch priority:** Medium — published posts are reference material; drafts need decisions. + +--- + +### posts/ — Standalone posts and drafts + +**Title:** "You can't automate ISO 27001 compliance" (draft) +**Path:** `iso27diy-corp/Marketing/publications/posts/You can't automate ISO 27001 compliance.md` +**Summary:** A draft LinkedIn post (EN) arguing that AI-automation tools cannot replace the organisational reality that ISO 27001 certification requires. Lists specific auditor questions that AI-generated documents cannot answer — on scope rationale, risk scoring methodology, SoA decisions, incident response testing, and policy ownership. Positions the real purpose of ISO 27001 as responsibility, awareness, decision-making, and accountability. +**Key concepts and terms:** AI compliance tools, certification audit, auditor questions, scope statement, risk register, SoA, incident response, organisational reality vs paper ISMS +**ISO27001 relevance:** High — directly addresses what auditors actually probe and why document generation is insufficient. 
+**ISO27DIY relevance:** Strong differentiation from AI-certificate-in-a-day competitors. Credibility content. +**Related notes:** `iso27diy-corp/Marketing/publications/posts/AuditLens CISO agents.md` +**Content potential:** High — publish-ready with minor editing. Good for LinkedIn and as a blog post. +**Fetch priority:** Medium. + +--- + +**Title:** AuditLens CISO Agents (comment/response) +**Path:** `iso27diy-corp/Marketing/publications/posts/AuditLens CISO agents.md` +**Summary:** Contains the full text of a LinkedIn post by someone else (Khansa Rahim) promoting an AI-agent-based ISO 27001 implementation approach, followed by Richard's comment rebutting it with five specific auditor questions that expose the paper-reality problem. Not a standalone post — a comment response. +**Key concepts and terms:** AI agents, ISMS automation, paper reality, auditor challenge questions, AuditLens +**ISO27001 relevance:** The rebuttal touches on scope rationale, risk methodology, SoA linkage, incident response, and CISO accountability — all core audit topics. +**ISO27DIY relevance:** Source material for the "you can't automate this" angle. The auditor challenge questions here are sharp and reusable. +**Related notes:** `iso27diy-corp/Marketing/publications/posts/You can't automate ISO 27001 compliance.md` +**Content potential:** The comment text could be the basis for a standalone post. Not publishable as-is. +**Fetch priority:** Low — use as source material, not publish target. + +--- + +**Title:** "Do you supply EU customers?" (draft) +**Path:** `iso27diy-corp/Marketing/publications/posts/Do you supply EU customers.md` +**Summary:** A draft LinkedIn post (EN) targeting suppliers to EU essential/important sector organisations, explaining NIS-2 supply chain requirements and listing the Art. 21(2) minimum measures they will be asked to demonstrate. Links to an ISO27DIY interactive NIS-2 checklist and offers a consultation call. 
+**Key concepts and terms:** NIS-2, supply chain responsibility, Art. 21(2) minimum measures, security questionnaire, MSP audience +**ISO27001 relevance:** The minimum measures listed map directly to ISO 27001 controls. +**ISO27DIY relevance:** Strong for MSP and supply-chain-exposed audiences. The CTA (checklist + call) is well-structured. +**Related notes:** `iso27diy-corp/Marketing/publications/posts/s02p01nl - Op 1 juli treedt de Cbw in werking.md`, `iso27diy-corp/Marketing/proposition/Doelgroepen.md` (Segment 3 and 5) +**Content potential:** Ready to publish with minimal editing. Also works as a follow-up in a Cbw-themed newsletter. +**Fetch priority:** Medium. + +--- + +**Title:** "Good intentions don't scale" (draft, incomplete) +**Path:** `iso27diy-corp/Marketing/publications/posts/Good intentions dont scale.md` +**Summary:** A draft post (EN) about reliance on key individuals for security — arguing that informal dependence on diligent employees is not resilient. Makes the case for a repeatable management process. Marked "(MORE EXAMPLES WILL BE ADDED LATER)" — incomplete. Assigned as S01 Part 4 in the series front matter, though S01 was already published as a 3-part series. +**Key concepts and terms:** Resilience, key person dependency, repeatable process, ISO 27001 stripped to its core, continuous improvement +**ISO27001 relevance:** Argues for ISO 27001's core value (management process, ownership, continuous improvement) over its bureaucratic form. +**ISO27DIY relevance:** Strong angle that hasn't been fully developed. The key-person-dependency hook is relatable for SMEs. +**Related notes:** `iso27diy-corp/Marketing/publications/posts/s01p03en - Security is a management issue.md` +**Content potential:** High if completed. Currently incomplete. +**Fetch priority:** Low — [REVIEW] incomplete; needs examples filled in before it can be published. 
+ +--- + +**Title:** Promotie: "In 9 stappen naar ISO 27001-certificering" +**Path:** `iso27diy-corp/Marketing/publications/posts/promoting-9-steps.md` +**Summary:** A promotion planning note for the 9-steps blog post, including a title discussion (arguing the current title is too generic), four stronger alternative titles, and ready-to-use copy variants for LinkedIn (long and short), X/Twitter, newsletter, and WhatsApp/Slack. UTM campaign reminder included. +**Key concepts and terms:** Blog promotion, multichannel copy variants, title optimisation, wrong-order hook +**ISO27001 relevance:** Indirect — the post promotes a 9-step ISO 27001 implementation guide. +**ISO27DIY relevance:** Operational promotional asset — copy can be used directly when the blog post is pushed live. +**Related notes:** `iso27diy-corp/Marketing/publications/website/9-stappen-naar-ISO-27001-certificering.md`, `iso27diy-corp/Marketing/publications/website/9-steps-alternatieve-titel.md` +**Content potential:** Ready-to-use promotional copy — low effort to deploy. +**Fetch priority:** Medium — fetch when scheduling the blog post promotion. + +--- + +**Title:** Agent Instructie — LinkedIn Content +**Path:** `iso27diy-corp/Marketing/publications/posts/agent-instructie.md` +**Summary:** Instructions for an AI content assistant helping Richard write LinkedIn posts. Defines the 3-post series format (Prikkel → Perspectief → Handvat), tone of voice requirements, what to avoid, how to end Post 3, and a planned theme list covering 12+ topics across strategic, implementation, and controls-series angles. +**Key concepts and terms:** 3-post series format, tone of voice, empathetic framing, theme list, closing formats +**ISO27001 relevance:** The theme list covers core ISO 27001 and security management topics. +**ISO27DIY relevance:** Operational reference for the LinkedIn content workflow. The theme list is a useful backlog. 
+**Related notes:** `iso27diy-corp/Marketing/publications/posts/richard-context.md` +**Content potential:** The theme list is a content backlog. Not itself publishable. +**Fetch priority:** Medium — reference when starting a new LinkedIn series. + +--- + +**Title:** Richard Context +**Path:** `iso27diy-corp/Marketing/publications/posts/richard-context.md` +**Summary:** Background brief on Richard for content assistance: 30 years IT experience, security/privacy specialist since 2017, roles in project/programme management and governance. Key positioning: he takes security out of IT and makes it a management responsibility. Critical stances documented: controls over-emphasis vs risk management, ISO 27001 misperceived as complex, certificate-as-snapshot vs culture. LinkedIn network mix of IT professionals and business leaders. +**Key concepts and terms:** Personal background, advisory positioning, sectoral experience (zorg, software, MSP), critical stances, LinkedIn network profile +**ISO27001 relevance:** Frames how Richard approaches ISO 27001 — the rationale behind his content and advisory angles. +**ISO27DIY relevance:** Foundational reference for any content attributed to Richard or positioning ISO27DIY via his personal brand. +**Related notes:** `iso27diy-corp/Marketing/publications/posts/agent-instructie.md` +**Content potential:** Not directly — but essential context for producing credible Richard-attributed content. +**Fetch priority:** Medium — fetch when producing advisory-position content or personal-brand posts. + +--- + +### posts/ — S02 supporting: Cbw checklist post (draft) + +*(Covered under S02 cluster above.)* + +--- + +### website/ + +**Title:** Homepage Content +**Path:** `iso27diy-corp/Marketing/publications/website/homepage-content.md` +**Summary:** Full text of the ISO27DIY website homepage, covering the hero headline ("Get ready for ISO 27001 certification. 
No consulting required."), three core value pillars (Build the ISMS, Map Controls, Manage Documentation), the three target personas (small team chasing enterprise deals, wants guidance not consultants, wants compliance to mean something), pricing table (Implementation €39/mo, Implementation + Support €99/mo, add-ons), and footer CTA. +**Key concepts and terms:** Homepage copy, pricing (€39/€99 monthly), AuditGlue, Guided Implementation, PECB Certified Lead Auditors, target personas, free trial CTA +**ISO27001 relevance:** Describes the product's ISO 27001 support capabilities across all implementation phases. +**ISO27DIY relevance:** Live product homepage. Source of truth for current pricing and product framing. Must be updated when pricing or product changes. +**Related notes:** `iso27diy-corp/Marketing/branding/ISO27DIY Solution and Components.md`, `iso27diy-corp/Marketing/branding/Taglines and Payoffs.md` +**Content potential:** Useful reference for anyone writing about the product — pricing, personas, feature descriptions. +**Fetch priority:** Medium — [REVIEW] verify pricing is current before citing in content. + +--- + +**Title:** The Manifesto for Information Security Management (TSW Manifesto) +**Path:** `iso27diy-corp/Marketing/publications/website/tsw-manifesto.md` +**Summary:** The ISO27DIY/Thinking Security Works manifesto. Opens with four "X over Y" value statements (Business over security, Purpose over policy, Iteration over perfection, Risk-based decisions over checkbox compliance). Followed by 10 principles for effective ISMS implementation, covering business enablement, adaptability, accountability at all levels, regular cross-functional dialogue, exception handling as policy signal, risk ownership, and reflection. 
+**Key concepts and terms:** Manifesto, X over Y format, ISMS principles, business enablement, adaptability, accountability, PDCA, risk ownership, iteration +**ISO27001 relevance:** Directly articulates what a well-implemented ISO 27001 ISMS should achieve and how it differs from checkbox compliance. +**ISO27DIY relevance:** Brand philosophy document. One of the strongest pieces of brand content in the vault. Highly quotable. +**Related notes:** `iso27diy-corp/Marketing/branding/Brand Values.md`, `iso27diy-corp/Marketing/branding/ISO27DIY communication style.md` +**Content potential:** High — individual principles can become standalone posts. The X over Y statements work as hooks. Can anchor a "philosophy" email sequence. +**Fetch priority:** High — reference frequently for thought leadership content. + +--- + +**Title:** 9-Steps Blog Posts (EN + NL) and Title Discussion +**Path:** +- `iso27diy-corp/Marketing/publications/website/9-steps-to-ISO-27001-Certification.md` +- `iso27diy-corp/Marketing/publications/website/9-stappen-naar-ISO-27001-certificering.md` +- `iso27diy-corp/Marketing/publications/website/9-steps-alternatieve-titel.md` +**Summary:** Full-length blog post in both English and Dutch covering the 9-step ISO 27001 certification roadmap, with the core argument that most organisations start with the controls (Annex A) rather than the risk management foundation — which is the wrong order. Steps cover: define objectives, map context, assign responsibilities, start documenting, classify information, assess risks, define controls and plan implementation, implement controls, embed the ISMS. A separate note critiques the original title as generic and proposes alternatives anchored in the "wrong order" hook. 
+**Key concepts and terms:** 9-step roadmap, wrong order, risk management foundation, context analysis, RASCI, information classification, SoA, management review, internal audit, PDCA +**ISO27001 relevance:** Comprehensive — covers clauses 4–10 implicitly and the full Annex A control selection process. +**ISO27DIY relevance:** Cornerstone content. Long-form, credibility-building, SEO-relevant. The Dutch version enables NL-market reach. Promotional copy exists in `promoting-9-steps.md`. +**Related notes:** `iso27diy-corp/Marketing/publications/posts/promoting-9-steps.md`, `iso27diy-corp/Marketing/publications/website/homepage-content.md` +**Content potential:** Very high. Already developed; can be serialised, repromoted, translated into a checklist, or turned into a lead magnet. +**Fetch priority:** High — key reference content. + +--- + +### eBook-Audit/ + +**Title:** eBook: De ISO 27001 Audit (NL) +**Path:** +- `iso27diy-corp/Marketing/publications/eBook-Audit/ebook-iso27001-audit.md` *(master source)* +- `iso27diy-corp/Marketing/publications/eBook-Audit/Alles wat je wilt weten over de ISO 27001 audit.md` *(earlier draft/research version)* +- `iso27diy-corp/Marketing/publications/eBook-Audit/Alles over de Audit - structuur.md` *(outline)* +- `iso27diy-corp/Marketing/publications/eBook-Audit/Angsten over de audit.md` +- `iso27diy-corp/Marketing/publications/eBook-Audit/Hoe bereid je je voor.md` +- `iso27diy-corp/Marketing/publications/eBook-Audit/Hoe technisch is de audit.md` +- `iso27diy-corp/Marketing/publications/eBook-Audit/Wie moeten er aanwezig zijn.md` +- `iso27diy-corp/Marketing/publications/eBook-Audit/eBook download triggers.md` +- `iso27diy-corp/Marketing/publications/eBook-Audit/ISO27DIY-ebook.pdf` *(compiled output)* +**Summary:** A complete Dutch-language eBook on the ISO 27001 audit and certification process. 
The master source (`ebook-iso27001-audit.md`) covers: why certify, readiness criteria, costs (€5K–€20K for initial audit, ISO 27006 day norms), how to choose a certification body, the Stage 1/Stage 2 audit structure, what auditors ask and how, four documentation layers, common non-conformities (incomplete risk registers, unrecorded access reviews, untested incident response), audit findings classification (observation/minor/major), the Corrective Action Plan process, and post-audit certification lifecycle. The `eBook download triggers.md` contains ready-to-use promotional copy for LinkedIn (long, short, ultra-short), newsletter, and a landing page. +**Key concepts and terms:** Stage 1/Stage 2 audit, ISO 27006, audit day norms, certification body, PECB, major/minor non-conformity, CAP, surveillance audit, four documentation layers, common non-conformities, closing meeting +**ISO27001 relevance:** Directly addresses the certification process end-to-end, including practical guidance on what constitutes sufficient evidence and what auditors actually probe. +**ISO27DIY relevance:** The main lead magnet. Promotional copy is already written. This is the highest-effort content asset in the Marketing folder and should be treated accordingly. +**Related notes:** `iso27diy-corp/Marketing/branding/FUD with Certification.md`, `iso27diy-corp/Marketing/publications/posts/promoting-9-steps.md` +**Content potential:** Already a complete product. Individual sections (costs, Stage 1 vs Stage 2, common non-conformities) can be repurposed as standalone posts. The landing page copy in `eBook download triggers.md` is ready to use. +**Fetch priority:** High — major content asset; fetch `ebook-iso27001-audit.md` for authoritative source. 
+ +--- + +### Scratch file/ + +**Title:** Scratch File Long List [REVIEW] +**Path:** `iso27diy-corp/Marketing/publications/Scratch file/longlist.md` +**Summary:** A large, unstructured accumulation of content ideas, links, quotes, incident case studies (Orthopedium, NZA, Junis, Parnassia), raw research notes on risk analysis limitations, ESG/employee participation, shadow IT, phishing awareness failures, GRC tool failure modes, and various other angles. Also contains a section on real-world human error breach incidents with granular detail. Mixed languages (NL/EN). +**Key concepts and terms:** Shadow IT, phishing awareness limits, GRC tool implementation failure, human error incidents, risk analysis limitations, ESG, security culture, least privilege, process maturity +**ISO27001 relevance:** Multiple items touch on ISO 27001 controls in practice (access management, incident management, supplier management, project security). The incident case studies are usable as illustration material. +**ISO27DIY relevance:** Rich raw material but requires significant curation. The incident examples (Junis, Orthopedium, NZA) are unusually specific and valuable as real-world illustration. +**Related notes:** `iso27diy-corp/Marketing/publications/Scratch file/startproblemen of vastloper.md`, `iso27diy-corp/Marketing/publications/Scratch file/GRC software is geschreven voor domeindeskundigen.md` +**Content potential:** High potential, low immediate usability. Needs triage to identify post-ready material. +**Fetch priority:** Low — browse for ideas; do not treat as authoritative. 
+ +--- + +**Title:** Standalone Scratch Notes +**Path:** +- `iso27diy-corp/Marketing/publications/Scratch file/startproblemen of vastloper.md` +- `iso27diy-corp/Marketing/publications/Scratch file/Data classification - how to make labels stick.md` +- `iso27diy-corp/Marketing/publications/Scratch file/Example of ISO 27001 mystique.md` +- `iso27diy-corp/Marketing/publications/Scratch file/GRC software is geschreven voor domeindeskundigen.md` +- `iso27diy-corp/Marketing/publications/Scratch file/Hoe dwing je verantwoordelijkheid af.md` +- `iso27diy-corp/Marketing/publications/Scratch file/Least privilege, need-to-know - principles vs practice.md` +- `iso27diy-corp/Marketing/publications/Scratch file/Perverse prikkels in de normindustrie.md` +- `iso27diy-corp/Marketing/publications/Scratch file/Privacy protection in Databases.md` +- `iso27diy-corp/Marketing/publications/Scratch file/The goal should not be the certificate..md` +- `iso27diy-corp/Marketing/publications/Scratch file/Toegevoegde waarde van ISO27DIY.md` +- `iso27diy-corp/Marketing/publications/Scratch file/Voordelen van processvolwassenheid.md` +- `iso27diy-corp/Marketing/publications/Scratch file/Weerbaarheid - bereid je voor op verstoring.md` +**Summary:** A collection of topic-specific scratch notes at various stages of development. Highlights: *GRC software is geschreven voor domeindeskundigen* makes the case that GRC tools arrive too late in the implementation process and proposes generating documentation at the moment decisions are made. *Perverse prikkels in de normindustrie* identifies structural incentives that keep ISO 27001 unnecessarily complex (consultants, CIs, GRC vendors). *Example of ISO 27001 mystique* demonstrates with a concrete example how the standard's recursive cross-referencing creates confusion. *Least privilege, need-to-know* is a substantial research note with AI-generated analysis comparing least privilege implementation between admin/IT roles and business data access. 
*Weerbaarheid* explains BIA, BCP, IRP, and DRP with definitions and metrics (RTO, RPO, MTPD). *Voordelen van processvolwassenheid* connects CMM process maturity to ISO 27001 pillars. Several notes are stubs (Privacy in Databases, Data classification, Toegevoegde waarde). +**Key concepts and terms:** GRC tool timing, documentation at decision point, perverse incentives, ISO 27001 mystique, recursive standard structure, least privilege, PAM vs business data governance, BIA/BCP/IRP/DRP, RTO/RPO, process maturity, CMM +**ISO27001 relevance:** Multiple notes address ISO 27001 implementation problems directly. *Weerbaarheid* covers ISO 27001 clause 8 and BCP requirements. *Perverse prikkels* is a sharp critique of the certification industry. +**ISO27DIY relevance:** Several of these notes contain strong content angles that align with the brand's core positioning: the GRC-timing problem, the perverse incentives critique, and the mystique example could all become high-quality posts. +**Related notes:** `iso27diy-corp/Marketing/branding/Brand Values.md`, `iso27diy-corp/Marketing/publications/Scratch file/longlist.md` +**Content potential:** High for several notes. *GRC software*, *Perverse prikkels*, *Example of mystique*, and *Weerbaarheid* are closest to publishable. Others are stubs. +**Fetch priority:** Medium — fetch individual notes when developing content on those specific topics. + +--- + +## Issues for your attention + +1. **Value Proposition Canvas** is incomplete. Customer Jobs and Pains sections are blank. This limits its usefulness as a strategic reference. Worth completing or flagging as a work-in-progress. + +2. **S02 bonus drafts** (s02p06, s02pxxnl ×2): two are stubs with minimal content, one links to an external HTML asset. No decision has been made on whether these will be published. They show up as unscheduled in the content calendar. Recommend deciding: publish, park, or delete. + +3. 
**"Good intentions don't scale"** is flagged incomplete in the note itself. It's assigned as S01 Part 4 in the front matter, but S01 was published as a 3-part series. Either complete and publish it standalone, or reassign/remove the series metadata. + +4. **Least privilege note** in the Scratch file contains extensive AI-generated research text (multiple Gemini outputs). This is research material, not Richard's voice. If it's ever used for a post, it needs full rewriting. + +5. **Homepage content pricing** — the note shows €39/€99 pricing tiers. If pricing has changed, this note is stale and will mislead content agents who reference it. + +6. **Scratch file** in general is very large and unsorted. It mixes live content ideas with dead links, old incident cases, and research fragments. A triage pass would reduce noise significantly. + +7. **`eBook-Audit/` folder** contains build artefacts (`build.sh`, `iso27diy-book.tex`, `ebook-design-reference.html` ×2, `ISO27DIY-ebook.pdf`). These are not content notes and are not indexed here. They don't need to be in the corpus overview but their presence may cause confusion in vault searches.
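Review bot: the eBook-Audit entry and issue 7 contradict each other on whether build artefacts are indexed. The entry's **Path** list includes `iso27diy-corp/Marketing/publications/eBook-Audit/ISO27DIY-ebook.pdf` *(compiled output)*, yet item 7 states that `build.sh`, `iso27diy-book.tex`, `ebook-design-reference.html` ×2 and `ISO27DIY-ebook.pdf` "are not content notes and are not indexed here". Drop the PDF from the Path list so the index is consistent with its own rule, and consider keeping compiled outputs out of the vault (for example via `.gitignore`) so a stale binary cannot drift from `ebook-iso27001-audit.md`, which the entry already names as the authoritative source. Two smaller points: the content-calendar entry describes a "Dataview JS-powered" note; DataviewJS blocks execute JavaScript when the note is rendered, so that note is effectively code and changes to it deserve the same review attention as `build.sh`, not a "Low — infrastructure note" rating. And the **Fetch priority** field is inconsistent in form ("Medium." for the two draft posts versus "Medium — ..." elsewhere), while file names mix title case with spaces (`Brand Image Note.md`, `Value Proposition Canvas for iso27DIY.md`) and kebab-case (`website-color-scheme.md`, `promoting-9-steps.md`); one convention would make the **Related notes** links far easier to validate automatically.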