richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added some NIS 2 info, small changes in folder structure

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-26 09:52:24 +02:00
parent 0cabbc383f
commit f9ed01cdea
25 changed files with 576 additions and 116 deletions
Download patch file Download diff file Expand all files Collapse all files

40
Corpus/Corpus overview notes.md Normal file
View file

@ -0,0 +1,40 @@
# Create corpus overview notes
Here's a prompt you can use. Run it once per note or cluster of notes, feeding Claude the content each time.
---
**PROMPT Replace [X] with your folder path before running it.**
You have access to my Obsidian vault via MCP. Read all notes in the folder [USER MUST SPECIFY FOLDERNAME] and process them into a structured corpus overview.
This overview will be used by an AI content strategist and writer to plan and draft content for ISO27DIY, a B2B SaaS product that helps SMEs implement ISO27001 without hiring consultants.
For each note or cluster of related notes, produce an overview entry in the following format:
---
**Title:** [note title or cluster name]
**Path:** [filename or folder path — list each note path individually for clusters]
**Summary:** [2-3 sentences on what this note actually contains — substance, not just topic]
**Key concepts and terms:** [main concepts, frameworks, or terminology covered]
**ISO27001 relevance:** [how this connects to ISO27001 implementation, compliance, or cybersecurity practice]
**ISO27DIY relevance:** [how this could support product messaging, content marketing, or user education]
**Related notes:** [other notes in the vault this connects to, if known]
**Content potential:** [1-2 sentences on what kind of content this could fuel — articles, newsletter topics, LinkedIn posts, forum answers, etc.]
**Fetch priority:** [High / Medium / Low — how often the content agents are likely to need the full note]
---
Rules:
- Be specific. Vague summaries are useless.
- Do not invent content that isn't in the note. If something is unclear or thin, say so.
- Group closely related notes under one entry but list each path individually.
- Flag any note that seems outdated, incomplete, or too thin to be useful with a [REVIEW] tag after the title.
- Process all notes in the folder before responding. Do not stop after the first note.
---
**How to use it**
Paste the prompt, then paste the raw content of one note or a group of related notes. Run it in batches. Once you have all the entries, compile them into a single Obsidian note called something like `_corpus-overview.md` and upload that to the Project knowledge base.
If your notes are well-tagged or linked in Obsidian, you can also group by tag or folder and process whole clusters at once, which saves a lot of runs.

15
Corpus/Standards/NIS 2 Cbw/Art.21 Cybersecurity risk-management measures.md Normal file
View file

@ -0,0 +1,15 @@
# Art.21 Cybersecurity risk-management measures
1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services. Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entitys exposure to risks, the entitys size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
- (a) policies on risk analysis and information system security;
- (b) incident handling;
- (c) business continuity, such as backup management and disaster recovery, and crisis management;
- (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- (g) basic cyber hygiene practices and cybersecurity training;
- (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- (i) human resources security, access control policies and asset management;
- (j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

0
Corpus/Standards/NIS 2 Cbw/NIS 2 Checklist artikel 21.md → Corpus/Standards/NIS 2 Cbw/NIS 2 Checklist artikel 21 NL.md
View file

2
Corpus/Standards/NIS 2 Cbw/NIS 2 Index.md
View file

@ -16,7 +16,7 @@
[Wetsvoorstel Cbw](Wetsvoorstel%20Cyberbeveiligingswet%20Cbw.pdf)
[Blogpost - NIS 2 en de Canvas Methode](../../../Canvas%20Method/Blogpost%20-%20NIS%202%20en%20de%20Canvas%20Methode.md)
[NIS 2 Checklist artikel 21](NIS%202%20Checklist%20artikel%2021.md)
[NIS 2 Checklist artikel 21 NL](NIS%202%20Checklist%20artikel%2021%20NL.md)
[NIS 2 voor Humankind](../../../Clients/Humankind/NIS%202%20voor%20Humankind.pdf)

29
Corpus/Standards/NIS 2 Cbw/NIS 2 Scope.md Normal file
View file

@ -0,0 +1,29 @@
Here is the full list, split by annex.
**Annex I — Sectors of High Criticality (Essential Entities)**
1. Energy — electricity, oil, gas, hydrogen, district heating and cooling
2. Transport — air, rail, water, road
3. Banking — credit institutions
4. Financial market infrastructures — trading venues, central counterparties
5. Health — hospitals, reference laboratories, manufacturers of critical medical devices, pharmaceutical manufacturers
6. Drinking water — suppliers and distributors
7. Wastewater — collection, treatment, disposal
8. Digital infrastructure — internet exchange points, DNS providers, TLD registries, cloud computing, data centres, content delivery networks, trust service providers, electronic communications networks
9. ICT service management (B2B) — managed service providers, managed security service providers
10. Public administration — central and regional government bodies
11. Space — operators of ground-based infrastructure
**Annex II — Other Critical Sectors (Important Entities)**
1. Postal and courier services
2. Waste management
3. Chemicals — manufacture, production, distribution
4. Food — wholesale distribution, industrial production and processing
5. Manufacturing — medical devices, computers and electronics, electrical equipment, machinery, motor vehicles, other transport equipment
6. Digital providers — online marketplaces, online search engines, social networking platforms
7. Research organisations
**Regardless of size — always in scope**
DNS providers, TLD registries, trust service providers, and public electronic communications providers fall under the directive irrespective of their size.

500
Corpus/Standards/NIS 2 Cbw/nis2-article21-checklist.html Normal file
View file

@ -0,0 +1,500 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>NIS2 Article 21 Checklist</title>
<style>
@import url('https://fonts.googleapis.com/css2?family=DM+Serif+Display:ital@0;1&family=DM+Mono:wght@400;500&family=DM+Sans:wght@300;400;500&display=swap');
:root {
--ink: #1a1a2e;
--paper: #f5f0e8;
--accent: #c84b31;
--muted: #6b6560;
--line: #d4cfc7;
--check-bg: #eef7f0;
--check-border: #2d7a4f;
}
* { box-sizing: border-box; margin: 0; padding: 0; }
body {
background: var(--paper);
color: var(--ink);
font-family: 'DM Sans', sans-serif;
font-weight: 300;
line-height: 1.7;
min-height: 100vh;
}
.page {
max-width: 820px;
margin: 0 auto;
padding: 60px 40px 80px;
}
header {
border-bottom: 2px solid var(--ink);
padding-bottom: 32px;
margin-bottom: 48px;
}
.kicker {
font-family: 'DM Mono', monospace;
font-size: 11px;
letter-spacing: 0.18em;
text-transform: uppercase;
color: var(--accent);
margin-bottom: 12px;
}
h1 {
font-family: 'DM Serif Display', serif;
font-size: clamp(28px, 5vw, 42px);
line-height: 1.15;
font-weight: 400;
margin-bottom: 16px;
}
.subtitle {
font-size: 15px;
color: var(--muted);
max-width: 580px;
line-height: 1.6;
}
.subtitle strong {
color: var(--ink);
font-weight: 500;
}
.checklist {
display: flex;
flex-direction: column;
gap: 0;
}
.item {
border-bottom: 1px solid var(--line);
padding: 32px 0;
display: grid;
grid-template-columns: 48px 1fr;
gap: 0 24px;
transition: background 0.2s;
}
.item:last-child {
border-bottom: none;
}
.item-left {
display: flex;
flex-direction: column;
align-items: center;
padding-top: 4px;
gap: 12px;
}
.checkbox {
width: 24px;
height: 24px;
border: 2px solid var(--ink);
border-radius: 4px;
cursor: pointer;
position: relative;
flex-shrink: 0;
transition: all 0.15s;
background: white;
}
.checkbox:hover {
border-color: var(--check-border);
background: var(--check-bg);
}
.checkbox.checked {
background: var(--check-border);
border-color: var(--check-border);
}
.checkbox.checked::after {
content: '';
position: absolute;
left: 5px;
top: 2px;
width: 10px;
height: 6px;
border-left: 2px solid white;
border-bottom: 2px solid white;
transform: rotate(-45deg);
}
.article-ref {
font-family: 'DM Mono', monospace;
font-size: 10px;
color: var(--muted);
letter-spacing: 0.05em;
text-align: center;
line-height: 1.3;
}
.item-right {}
.item-header {
display: flex;
align-items: baseline;
gap: 12px;
margin-bottom: 8px;
flex-wrap: wrap;
}
.letter-badge {
font-family: 'DM Serif Display', serif;
font-size: 22px;
color: var(--accent);
line-height: 1;
flex-shrink: 0;
}
.item-title {
font-family: 'DM Sans', sans-serif;
font-size: 17px;
font-weight: 500;
color: var(--ink);
line-height: 1.3;
}
.item-description {
font-size: 14px;
color: var(--muted);
margin-bottom: 14px;
line-height: 1.65;
}
.example-block {
background: white;
border-left: 3px solid var(--accent);
padding: 12px 16px;
border-radius: 0 6px 6px 0;
}
.example-label {
font-family: 'DM Mono', monospace;
font-size: 10px;
letter-spacing: 0.12em;
text-transform: uppercase;
color: var(--accent);
margin-bottom: 4px;
}
.example-text {
font-size: 13px;
color: var(--ink);
line-height: 1.6;
}
.progress-bar {
position: sticky;
top: 0;
z-index: 10;
background: var(--paper);
border-bottom: 1px solid var(--line);
padding: 10px 40px;
display: flex;
align-items: center;
gap: 16px;
font-family: 'DM Mono', monospace;
font-size: 12px;
color: var(--muted);
}
.progress-track {
flex: 1;
height: 4px;
background: var(--line);
border-radius: 2px;
overflow: hidden;
}
.progress-fill {
height: 100%;
background: var(--check-border);
border-radius: 2px;
width: 0%;
transition: width 0.3s ease;
}
.progress-count {
white-space: nowrap;
color: var(--ink);
font-weight: 500;
}
footer {
margin-top: 48px;
padding-top: 24px;
border-top: 1px solid var(--line);
font-family: 'DM Mono', monospace;
font-size: 11px;
color: var(--muted);
display: flex;
justify-content: space-between;
flex-wrap: wrap;
gap: 8px;
}
@media (max-width: 600px) {
.page { padding: 40px 20px 60px; }
.progress-bar { padding: 10px 20px; }
.item { grid-template-columns: 36px 1fr; gap: 0 16px; }
}
</style>
</head>
<body>
<div class="progress-bar">
<span>Progress</span>
<div class="progress-track">
<div class="progress-fill" id="progressFill"></div>
</div>
<span class="progress-count" id="progressCount">0 / 10</span>
</div>
<div class="page">
<header>
<div class="kicker">Directive (EU) 2022/2555 · Article 21(2)</div>
<h1>NIS2 Cybersecurity Measures<br>Self-Assessment Checklist</h1>
<p class="subtitle">
The ten minimum measures required of <strong>essential and important entities</strong> under NIS2.
Use this checklist to assess your current status. Tick each item when you can demonstrate
documented, implemented, and reviewed measures — not just intent.
</p>
</header>
<div class="checklist" id="checklist">
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(a)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">a</span>
<span class="item-title">Risk Analysis &amp; Information Security Policy</span>
</div>
<p class="item-description">
You have a documented policy covering how your organisation identifies, assesses, and manages risks to your network and information systems. The policy is approved by management, reviewed periodically, and based on a structured risk analysis — not a generic template.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">An annual risk assessment session with department heads produces a risk register. The results inform a written information security policy, signed by the board, that is reviewed whenever significant changes occur — a new system, a new supplier, a reorganisation.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(b)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">b</span>
<span class="item-title">Incident Handling</span>
</div>
<p class="item-description">
You have documented procedures for detecting, reporting, responding to, and recovering from security incidents. Staff know what constitutes an incident, who to notify, and what steps to follow. Procedures also cover the mandatory reporting obligations to national authorities under NIS2.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">A one-page incident response procedure defines four severity levels. For significant incidents, it names the responsible person, sets a 24-hour internal escalation deadline, and references the 72-hour notification requirement to the national authority. The procedure is tested once a year in a tabletop exercise.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(c)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">c</span>
<span class="item-title">Business Continuity, Backup &amp; Crisis Management</span>
</div>
<p class="item-description">
You have a business continuity plan that covers cyber scenarios. It defines recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems, documents your backup regime, and assigns responsibilities for crisis management. The plan is tested and kept current.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">Your BCP includes a ransomware scenario: systems are unavailable for 48 hours. The plan defines which processes can continue manually, who contacts customers, and how to restore from backups. Backups are stored off-site, tested quarterly, and the maximum acceptable data loss is documented as 24 hours.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(d)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">d</span>
<span class="item-title">Supply Chain Security</span>
</div>
<p class="item-description">
You assess the cybersecurity practices of your direct suppliers and service providers. You know which suppliers have access to your systems or data, what your dependency on them is, and what is contractually agreed regarding security. The security standard you apply to yourself applies equally to your supply chain.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">You maintain a supplier register with a risk profile per vendor. Critical IT suppliers complete an annual security questionnaire. Contracts include minimum security requirements and an obligation to notify you within 24 hours of a security incident that may affect your systems.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(e)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">e</span>
<span class="item-title">Security in System Acquisition, Development &amp; Maintenance</span>
</div>
<p class="item-description">
Security requirements are built into how you procure, develop, and maintain systems — not added afterwards. This includes a process for identifying and addressing vulnerabilities in software and hardware you use, and a policy on responsible disclosure of vulnerabilities you discover.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">Before deploying new software, your IT team runs a security review checklist. Vendors are required to provide patch timelines for known vulnerabilities. A process exists to apply critical patches within 72 hours and to track open vulnerabilities until resolved.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(f)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">f</span>
<span class="item-title">Effectiveness Assessment of Cybersecurity Measures</span>
</div>
<p class="item-description">
You have a documented process to periodically evaluate whether your security measures are actually working. This is not a one-off exercise — it is a recurring review cycle (PDCA) that produces findings, decisions, and evidence. Compliance is not the goal; demonstrated effectiveness is.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">An annual internal audit reviews a selection of security controls against the risk register. Findings are reported to the board with a remediation plan. The results of the previous year's audit are compared to track improvement over time.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(g)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">g</span>
<span class="item-title">Cyber Hygiene &amp; Cybersecurity Training</span>
</div>
<p class="item-description">
All staff are trained on basic cybersecurity practices relevant to their role. Training is recurring, not a one-off onboarding activity. You can demonstrate that training took place and that it covered current threats. A culture exists where employees feel safe reporting suspicious activity.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">New employees complete a security awareness module within their first two weeks. All staff receive an annual refresher covering phishing, password hygiene, and what to do when something looks wrong. Participation is logged. Phishing simulations are run twice a year to test awareness in practice.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(h)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">h</span>
<span class="item-title">Cryptography &amp; Encryption Policy</span>
</div>
<p class="item-description">
You have a documented policy on the use of cryptography, covering when and how encryption is applied to data at rest and in transit. The policy specifies approved algorithms and key management practices. It is reviewed when technology or threat landscapes change.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">Your policy states that all data classified as confidential must be encrypted at rest using AES-256, and that all external data transfers use TLS 1.2 or higher. Laptops are encrypted by default. Encryption keys are managed centrally, with access restricted to authorised personnel.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(i)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">i</span>
<span class="item-title">Human Resources Security, Access Control &amp; Asset Management</span>
</div>
<p class="item-description">
Access rights are granted on a need-to-know basis and reviewed regularly. Joiners, movers, and leavers are handled through a formal process that includes timely revocation of access. You maintain an up-to-date register of information assets and know who is responsible for each one.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">HR notifies IT on the last day of employment. The IT checklist for leavers covers revocation of all accounts, return of devices, and a brief handover conversation about tools used. Access rights are reviewed per department every six months. A simple asset register lists systems, data classifications, and owners.</p>
</div>
</div>
</div>
<div class="item">
<div class="item-left">
<div class="checkbox" onclick="toggle(this)"></div>
<span class="article-ref">Art. 21<br>2(j)</span>
</div>
<div class="item-right">
<div class="item-header">
<span class="letter-badge">j</span>
<span class="item-title">Multi-Factor Authentication &amp; Secured Communications</span>
</div>
<p class="item-description">
Where appropriate, multi-factor authentication (MFA) is in place for access to systems and data — particularly for remote access, privileged accounts, and critical applications. Sensitive internal communications use secured channels. Emergency communication systems are documented and tested.
</p>
<div class="example-block">
<div class="example-label">Example</div>
<p class="example-text">MFA is mandatory for all remote access via VPN, all cloud applications, and all accounts with administrative privileges. A policy defines which communication channels are approved for sharing confidential information. In the event of a system outage, an offline contact list and fallback procedure exists for crisis communication.</p>
</div>
</div>
</div>
</div>
<footer>
<span>Directive (EU) 2022/2555 · Article 21(2)(aj)</span>
<span>Tick only when documented, implemented, and reviewable</span>
</footer>
</div>
<script>
function toggle(el) {
el.classList.toggle('checked');
updateProgress();
}
function updateProgress() {
const total = document.querySelectorAll('.checkbox').length;
const checked = document.querySelectorAll('.checkbox.checked').length;
document.getElementById('progressFill').style.width = (checked / total * 100) + '%';
document.getElementById('progressCount').textContent = checked + ' / ' + total;
}
</script>
</body>
</html>