created pitch deck, elevator pitch, marketing overview note

This commit is contained in:
Richard Kranendonk 2026-06-05 12:09:24 +02:00
parent b583e962bf
commit ae27a60bcf
9 changed files with 708 additions and 19 deletions

BIN
marketing/.DS_Store vendored

Binary file not shown.
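Review bot: `marketing/.DS_Store` should not be committed; it is a macOS Finder metadata file, not project content, and if the marketing folder is ever served from a web root it discloses the directory's file names. Remove it from the index (`git rm --cached marketing/.DS_Store`) and add `.DS_Store` to `.gitignore` so it does not come back in the next commit.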


@ -1,4 +0,0 @@
# Brand Image Note
[docx](iso27diy-brand-image-note.docx)


@ -0,0 +1,226 @@
---
title: "Brand Image Note — ISO27DIY / Thinking Security Works"
notetype: other
language: en
last-updated: "2026-06-05"
tags: []
---
# Brand Image Note
ISO27DIY / Thinking Security Works
*Prepared for brand strategy and content strategy sessions*
Version 1.0 · April 2026 · Confidential
---
## 1. What We Know About Ourselves
### Product Description
ISO27DIY is a guided implementation system that takes SMEs through ISO 27001 certification without needing to hire consultants. It combines five components:
| Component | Description |
| --- | --- |
| **Guided Implementation System** | 50+ micro-sessions that walk the user through the full ISO 27001 implementation, producing required documentation along the way. |
| **AuditGlue GRC Tool** | Manages all artifacts, supports risk analyses, data classification, and asset inventarisation. Includes AI-powered policy generation and version control. |
| **Controls Library** | Plain-English guidance for all 94 Annex A controls, with practical examples tailored to the organisation's type. |
| **Expert Support** | On-demand access to experienced ISO 27001 implementors via email, chat, or video call. |
| **Preliminary Audits** | Sessions with PECB Certified Lead Auditors to validate certification readiness before the real thing. |
### Pricing
| Tier | Annual | Monthly |
| --- | --- | --- |
| **Implementation** | €39/month | €49/month |
| **Implementation + Support** | €99/month | €119/month |
| **Pre-certification audit** | €299/session | (3-hr sessions, ~4 total) |
| **Expert video call** | €49/call | (30 minutes) |
### Founder Background
**Richard Kranendonk** — CEO & Founder, ISO27DIY / Thinking Security Works
- 30 years in IT as a consultant and project manager
- Specialised in Privacy (GDPR) and Information Security (ISO 27001) since 2017
- Certifications: CISSP, ECPC-B, PECB ISO 27001 Lead Auditor
- Former CISO at Booking.com and Ultimaker (3D printing)
- Has personally guided dozens of SME clients through ISO 27001 certification and renewal across healthcare, software development, traffic management systems, and industrial environments
- Works with a small, focused team: one developer (Luka de Jong) and two others, including advisory board member Bas Meyberg (co-founder of an MSSP, lecturer in Cyber Security at HU Utrecht, CISO)
*The credibility story is specific and layered. A PECB Lead Auditor who has operated as CISO at Booking.com — one of the world's largest digital platforms — building a tool to help SMEs get certified themselves is a genuinely unusual founder profile. The sector diversity of past client work (healthcare, industrial, traffic systems — not just SaaS) directly supports the positioning that ISO27DIY works for organisations that don't think of themselves as tech companies.*
*Richard's own quote from the team page captures the brand's core argument: **"ISO 27001 isn't complex. It's been made complex by an industry that profits from the confusion."***
### Origin Story
The frustration that built ISO27DIY came from the inside — not from watching clients struggle, but from being the person trying to make ISO 27001 mean something within organisations that treated it as a compliance tax.
As a CISO and Privacy & Security manager, Richard observed ISO 27001 compliance being treated as a staff responsibility rather than a business ownership issue — seen as unnecessary bureaucracy instead of what it actually is: a quality and risk management instrument that can move the business forward and transform an incident-driven organisation into a learning organisation with process maturity.
The core belief that drives the product: ISO 27001 is not rocket science. The standard has been made artificially complex by an industry that profits from the confusion. Consultants, certification bodies, and GRC vendors all benefit from the mystique. SMEs pay the price.
> ⚠ **GAP** — The specific trigger moment is not yet documented. Was there a particular client, audit, or internal experience that made the decision to build this concrete? That story will matter to the brand strategist.
>
> - *Was there a specific moment — a client conversation, an audit outcome, or an internal experience — that made you decide to build this rather than keep consulting?*
### What ISO27DIY Is Not
ISO27DIY explicitly differs from:
- **Expensive consultants** — the product exists because consulting fees are a barrier to competition for SMEs
- **Template kits** — generic templates give no guidance on adaptation; ISO27DIY generates tailored content based on the organisation's actual input
- **Checkbox / compliance theatre** — checklist-based implementations lack internal cohesion and don't create real security
- **Enterprise GRC tools** — built for organisations with dedicated compliance teams; not for the tech person or COO at an SME doing this on top of their regular job
- **Free internet resources patched together** — takes months, produces no structured result, high risk of critical gaps
The phrase used internally: **Theatre of Compliance** — implementing ISO 27001 as a performance for auditors rather than as a functional management system.
### Current State of the Brand
**Taglines in Active Use**
- Certification shouldn't be a barrier to competition
- Guided ISO 27001 implementation. No consulting required.
- ISO27DIY: Get Certified Keep Growing
**Tone and Communication Style**
Fully documented and consistent across all touchpoints. Direct, plain-spoken, no corporate jargon, short sentences, mildly opinionated. Authoritative without being academic. The communication style guide, personal writing style notes, and manifesto are all aligned.
**Content Published**
- Website homepage (live, with transparent pricing)
- Two blog posts: 9-step implementation roadmap in Dutch and English
- LinkedIn company page copy
- eBook: *De ISO 27001 audit — Wat je écht moet weten* (Dutch, April 2026)
- Manifesto: *The Manifesto for Information Security Management* (published March 2026, under Thinking Security Works brand)
**Visual Identity**
- Logo: Bold, compact mark — ISO 27|DIY stacked, with 'DIY' in a price-tag device. Red and navy. The price-tag device is a smart visual pun: certification as something you acquire, but also as something you do yourself.
- Website: Dark navy footer, clean white body, blue CTAs. Professional, not startup-scrappy.
- Team page: Illustrated portraits rather than photos — adds personality, differentiates from generic headshot-on-white.
- eBook: White with dot-grid background, blue accent line, navy typography. Professional without being corporate.
- The company name in the footer of the website is Thinking Security Works. TSW is the parent company; they also offer privacy and security consulting and a workshop method for risk identification and management called 'The Canvas Method'. This can be dropped if it is better for marketing.
---
## 2. What We Know About Our Audience
### Target Segments
Five segments are defined. The primary user of the product — the person doing the implementation work — is typically the internal tech person or COO, not the director who made the decision.
| Segment | Trigger | Core message | Priority channels |
| --- | --- | --- | --- |
| Founders & SaaS | "We lose the deal if we don't have this" | Aantoonbaarheid, not security | LinkedIn, Reddit, HN |
| SME directors | Client or insurer demand | Management system, not IT project | LinkedIn, Google SEO |
| Non-digital service providers | Supplier requirement | Also for non-tech organisations | Trade media, Google SEO |
| Regulatory pressure (NIS-2/Cbw/CRA) | Legal obligation | One foundation, multiple regulations | LinkedIn, Google, trade press |
| MSPs | Client needs ISO 27001 | Distribution partner, not end user | LinkedIn, channel events, outreach |
### What the Audience Fears and Wants
Based on sector knowledge and direct implementation experience — not yet validated through customer research (pre-launch). The FUD clusters into six themes:
- **Doing it wrong** — misinterpreting the standard, missing something critical, failing the audit
- **Getting stuck** — not knowing what 'enough' looks like; the framework is not prescriptive
- **Internal resistance** — employees seeing it as bureaucratic overhead; management not prioritising it
- **Documentation overload** — massive, unwieldy policies that nobody reads or follows
- **Consultant dependency** — feeling they can't do it without external help, meaning cost and loss of control
- **Time and budget** — SMEs believe they lack the resources to manage the process
What success looks like in their terms: *passing the audit without disrupting the business, without hiring consultants, and without ending up with a paper system nobody uses.*
### How They Currently Solve the Problem
- Hire a consultant — expensive, creates dependency, often produces compliance theatre
- Buy a template kit — cheap, but no guidance on adaptation or context
- Patch together free internet resources — months of work, no structure, high risk of gaps
- Do nothing — common until a trigger forces action (client demand, insurer, regulation)
- Enterprise GRC tools (Vanta, Drata, Sprinto) — built for funded tech companies, not SMEs; pricing and complexity are barriers
### Customer Signal
> ⚠ **GAP** — No signal yet — ISO27DIY is approaching closed beta / MVP launch. The audience psychology above is built on sector knowledge and the founder's direct experience as a CISO and implementor, not on validated customer research. The first beta cohort should be treated as a research opportunity.
>
> - *What questions do you want the first beta users to answer that would validate or challenge the assumptions above?*
---
## 3. What We Know About the Market
### Competitive Landscape
**Direct Product Competitors**
| Competitor | Positioning | Where they fall short |
| --- | --- | --- |
| Advisera | Documentation packages + e-learning. 'We've done the thinking for you.' | Template-kit mentality. No guided process, no tailoring, no philosophy. |
| ISMS.online | SaaS GRC platform, documentation-heavy, established player. | Built for compliance managers, not for the SME tech person doing it themselves. |
| isoplanner.app | ISO 27001 project planning tool, regional focus. | Tooling without guidance. No audit expertise behind it. |
| isomanager.nl | Dutch GRC platform, SME-oriented. | Generic, no distinct point of view, no founder authority. |
| Instant 27001 | Fast-track kit, minimal guidance. | Speed over substance. Classic compliance theatre risk. |
| Vanta / Drata / Sprinto | Compliance automation for funded tech companies. | Wrong audience, wrong price point, automation-first not understanding-first. |
**Category Competitors**
- Local ISO 27001 consultancies — compete on relationships and trust, no consistent positioning, create dependency
- Template marketplaces (Etsy, specialist sites) — compete on price, deliver no guidance, no tailoring
> ⚠ **GAP** — Competitive analysis is based on general market knowledge, not direct research. Confirm: which of these come up in prospect conversations? Which have you looked at directly and formed a view on?
### The Gap ISO27DIY Occupies
This is the clearest and most differentiated part of the brand. Nobody else in this space is saying:
*ISO 27001 is a framework for context-driven, risk-proportionate decisions — not a checklist. Your security is probably better than you think. What you're missing is the system to make it visible and auditable. You can build that yourself.*
The positioning gap in one line: guided, opinionated, philosophy-first implementation at SME price points. Not automation. Not templates. Not consulting. A structured path that respects the intelligence of the person doing the work and the specifics of their organisation.
### Category Conventions and Where They Fail
The ISO 27001 market communicates in one of two registers:
- **Fear and complexity** — consultancies and enterprise tools lean on FUD: the standard is hard, the risks are real, you need us
- **Speed and automation** — compliance platforms promise fast certification, implying the content of compliance is a solved problem
Both treat ISO 27001 as a transaction — something to get through. Neither treats it as a management practice worth building properly.
ISO27DIY's position cuts against both: **clarity over fear, substance over speed.** The category convention that fails the audience is the assumption that ISO 27001 is either too hard to do yourself (consultancy narrative) or too simple to think about (automation narrative). The actual audience needs neither fear nor shortcuts. They need a guide who knows the route.
---
## 4. Open Questions for the Strategy Session
The following need answers before or during the session.
### Founder Story
- *Was there a specific moment — a client, an audit outcome, or an internal experience — that made you decide to build this rather than keep consulting?*
### Brand Architecture
- *Is Richard the explicit face of ISO27DIY — named, quoted, visible — or does the brand stand more independently from the founder over time?*
### Competitive Intelligence
- *Which competitors come up when you're in a sales conversation — by name? Which have you looked at directly and formed a view on?*
- *Where do you see Vanta, Drata, and local consultancies most visibly failing the people you're targeting?*
### Customer Validation
- *What questions do you want the first beta users to answer that would validate or challenge the audience assumptions in this document?*
- *Are there any early conversations — sales calls, LinkedIn reactions, responses to the blog or manifesto — that gave you signal on what lands and what doesn't?*
### Tone and Positioning
- *The 'rebellious touch' is named as a differentiator. Where is the line between rebellious and credible? What does it look like in practice — in a LinkedIn post, in an onboarding screen, in a sales email?*
- *The manifesto uses Agile-style value statements (X over Y). Is that the right format for the brand, or is it a starting point that needs evolving?*
---
© 2026 Thinking Security Works · iso27diy.com · Confidential
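Review bot: the note is stamped "Confidential" (in "Version 1.0 · April 2026 · Confidential" and again in the footer) and names team members and an advisory board member, so confirm that this repository's visibility and access list match that classification before merging; markdown in a repository is copied into every clone and backup. Two consistency points in the same file: the header says "April 2026" while the frontmatter has `last-updated: "2026-06-05"`, so one of the two is stale; and in the pricing table the "Monthly" column holds session lengths for the last two rows ("**Pre-certification audit** | €299/session | (3-hr sessions, ~4 total)"), which breaks the meaning of the column header. Give those rows a separate "Unit" column or a footnote, and replace the Dutch-derived "inventarisation" and the untranslated "Aantoonbaarheid" in the segment table with English wording ("inventory", "demonstrability") so the English note reads consistently.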


@ -1,14 +0,0 @@
## Elevator pitch
ISO27DIY is a method to implement information security management, and become ISO 27001 compliant, without the need for external consultants or expensive software.
The ISO27DIY workshop series is freely available on YouTube, dramatically lowering the barrier for certification for small and medium enterprises to become ISO 27001 certified.
Additional resources and support are available on the iso27diy.com website.
### Key value proposition
* A method for implementing ISO 27001 in your own organization
* Workshop videos freely available on YouTube
* No need for external consultants or expensive software
See also [ISO27DIY benefits](../../AuditGlue/ISO27DIY%20benefits.md)
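Review bot: this deletion removes the only link in this change set to `../../AuditGlue/ISO27DIY%20benefits.md` and the statement that the workshop series is freely available on YouTube, while the new brand-image note in the same commit describes paid tiers (€39 to €119 per month) and 50+ micro-sessions with no mention of YouTube. If the free-YouTube positioning has been dropped, say so in the commit message and check that the benefits note and any website copy still citing it are updated; if it has not been dropped, the replacement pitch needs to carry it forward, and since the file that follows this hunk is a binary that cannot be viewed here, that cannot be verified in this review.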

Binary file not shown.


@ -0,0 +1,7 @@
ISO 27001 is hard op weg een license to operate te worden. Grote bedrijven worden door regelgeving verplicht hun leveranciersketen te beveiligen — en schuiven die eis door naar hun toeleveranciers. Wie niet gecertificeerd is, verliest de opdracht.
Voor kleinere organisaties zijn de gangbare opties niet realistisch. Een specialist in dienst nemen is te duur. Een medewerker vrijmaken kost capaciteit die je niet hebt. Een consultant inhuren is kostbaar en lost je kennisprobleem niet op. Zelf aan de slag met een boek en templates van internet? Steile leercurve, grote foutkans, en uiteindelijk nog steeds geen werkend documentatiesysteem.
ISO27DIY is een interactieve, stap-voor-stap aanpak die is afgestemd op jouw organisatie. Je bouwt gaandeweg je ISMS op, implementeert de vereiste maatregelen, en produceert alle documentatie die een auditor verwacht. Alles sla je op in een geïntegreerde GRC-oplossing die eenvoudig is maar krachtig genoeg. Als je vastloopt, kun je online een ervaren expert inschakelen. En voordat de auditor komt, laat je een proefaudit doen.
Als de auditor komt, ben je er klaar voor.
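Review bot: this Dutch overview has no frontmatter block, while the brand-image note in the same commit opens with `title`, `notetype`, `language: en` and `last-updated`; add the same block with `language: nl` and a title so the notes are indexed consistently and the language is machine-readable rather than inferred. The first paragraph also states that regulation obliges large companies to secure their supply chain without naming the regulation; the brand-image note lists NIS-2, Cbw and CRA under its regulatory-pressure segment, so naming them here would make the claim verifiable for the reader.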