Cleaned up Literature folder

Richard Kranendonk 2026-05-18 12:48:01 +02:00
parent 73a6380034
commit fe5eda4e05
586 changed files with 53911 additions and 2475 deletions


@ -0,0 +1,5 @@
- Client/business owner: User, owner of the company, tech person, made responsible for ISO 27001
- Auditor
- Expert (Support role)
- Content Editor
- Administrator
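Review bot: the first bullet folds four distinct personas (user, company owner, tech person, the person made responsible for ISO 27001) into one role, and this list (Auditor, Expert, Content Editor, Administrator) does not line up with the System roles in the personae file added in the same commit (admin, user, power user, whatever). These lists will end up driving authorization in AuditGlue, so keep one canonical role model: separate business personas from system roles, and mark which system roles are privileged (Administrator, Content Editor) so least-privilege defaults can be derived from the file instead of guessed later.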

BIN
AuditGlue/Canvas Cyclus.png Normal file



@ -0,0 +1,7 @@
- ISO27DIY saves you consulting fees. That's interesting if you have a low budget (Startup or internally)
- Scale confidently
- Implement security practices that scale
https://www.sprinto.com/
https://instant27001.com/
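Review bot: the two bare URLs at the end carry no label, so it is unclear whether sprinto.com and instant27001.com are competitors, sources for the three claims above, or both; add a word of context per link, and say which product the first bullet's "saves you consulting fees" claim belongs to.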


@ -0,0 +1,60 @@
# Idea Validation
https://www.reddit.com/r/microsaas/comments/1kvxsdb/the_exact_steps_i_took_to_validate_my_idea_before/
I know what it's like to try to market a product that no one wants, Ive built two that completely failed. No one wanted them and I wasted months trying to make it work.
Ive also built successful products and the key difference was that the successful products solved a real problem. It sounds obvious but its easy to forget sometimes.
The hard part is how you validate that you are solving a real problem so I thought Id share exactly how I did it:
**Step one: Start with a problem thesis and talk to users**
- I was a founder and I had a problem that I suspected other founders had too
- So I had my problem thesis and the next step was to talk to my would-be users to see if the problem was real and to understand their view of it better
- I made a post on [r/SaaS](https://www.reddit.com/r/SaaS/) and [r/indiehackers](https://www.reddit.com/r/indiehackers/) asking founders to answer a few questions and in return I would give them feedback on whatever they were building
- The key part here was offering them something in return for their time. That makes it a lot easier to get answers
- Here's one of the posts if youre curious: [https://www.reddit.com/r/indiehackers/comments/1ea1cpd/lets_exchange_feedback/](https://www.reddit.com/r/indiehackers/comments/1ea1cpd/lets_exchange_feedback/)
- The got me in touch with 8-10 founders who were willing to answer my survey.
- I asked questions about pain points related to the problem and tried to get an idea if they were willing to adopt the solution I had in mind.
- The responses were positive so I had the green light to start building a simple first version
**Step two: Building the MVP**
- This is the easy part. Who doesnt love building?
- The critical thing here was that I tried to understand what the survey responses were telling me and built a bare bones solution addressing the pain points of these people
- I built fast. Around 30 days for the MVP
- That's it. It was time to market this MVP and see if I can get some users
**Step three: Marketing and collecting feedback**
- First I set a clear goal. It wasnt about getting customers, I just wanted as much feedback as possible so I would need active users. Understanding how to make the product better is so much more valuable at this point
- I set the goal of getting 20 active users in two weeks
- Then I asked myself where my users hang out and the answer was X and Reddit
- Next step was to set daily volume targets. I decided to do 5 posts and 50 replies on X every day and on Reddit I would just write a new post when I had something that had worked well on X
- So I knew exactly what to do every day and then I just executed that plan. It was easy, because I just had to take action, no questions asked
- Two weeks later I had hit 100 users
That was the validation process I used. From there on, all I had to do was improve the product based on what users were telling me and continue marketing. That has taken me all the way to $7,300/mo and growth just becomes easier with time.
I hope my journey can inspire some of you to not give up and to follow a solid process for building your product.
Feel free to ask if you have any questions.
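Review bot: everything under the "Idea Validation" heading is a third-party Reddit post reproduced verbatim, with only the URL as attribution; put it in a blockquote or add a line naming the author and date, so the first-person figures ($7,300/mo, 100 users in two weeks) cannot be mistaken for the repository owner's own data when this note is reused.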


@ -0,0 +1,4 @@
- [The Art of Service](../Corpus/Sparks/The%20Art%20of%20Service.md) offers topical InfoSec Kanban boards
- 'Certificeringsadvies' offers independent external audits, they were employed by Networking4all
- [Muddassir via Gumroad](https://community.gumroad.com/c/share-your-wins/boring-fields-like-supply-chains-can-be-creative-enough-to-sell-digital-products?login_token=RyhWoyqXw2kT5de2eNp6RYjL6U4NY1aKLPmS#comment_wrapper_4014940). Runs a site on SCM and has offered to cross post content.
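Review bot: the Gumroad URL in the third bullet embeds a `login_token=` query parameter; committing it publishes a login token into the repository history. Strip the URL from `?login_token=` up to the `#comment_wrapper_4014940` fragment (the fragment can stay) and treat the token as exposed, i.e. log the session out or rotate it if that account matters.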


@ -0,0 +1,22 @@
See also [Three user modes for AuditGlue](Three%20user%20modes%20for%20AuditGlue.md)
# Guided implementation mode
The 'guided implementation mode' will (roughly) resemble the structure and sequence of the [📼 ISO27DIY Video Series](../Corpus/Standards/ISO27x/legacy/iso27DIY%20mk%20I/📼%20ISO27DIY%20Video%20Series.md). This will be the reference for now.
# Operational mode
Here's the ISMS tool structure created in cooperation with Nedap: [Nedap ISMS tool structure](../Clients/Nedap%20ISMS%20tool%20structure.md).
There's also this [ISO 27001 structure diagram](../Corpus/Standards/ISO27x/legacy/iso27DIY%20mk%20I/ISO%2027001%20structure%20diagram.md).
See also the ISMS Tool and Overzicht beveiliging Excel sheets created for NHC:
- ![](../Corpus/ISMS/NHC%20ISMS%20tool_template%20nieuw.xlsx)
- ![](../Corpus/ISMS/NHC%20Overzicht%20beveiliging%20nieuw.xlsx)
# Audit mode
![](../Corpus/ISMS/NHC%20ISO%2027001%20Implementatie%20dashboard%20Annex%20A.xlsx)
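Review bot: the three `.xlsx` references use image-embed syntax (`![](...)`), which renders nothing for a spreadsheet; use plain links such as `[NHC ISMS tool](../Corpus/ISMS/NHC%20ISMS%20tool_template%20nieuw.xlsx)`. More importantly, the files are named after clients (Nedap, NHC) and appear to be client ISMS deliverables (tool template, Overzicht beveiliging, Annex A implementation dashboard); confirm they are cleared for this corpus and that the repository's access matches their classification before the commit lands, since an organisation's security overview is exactly the kind of record its own Annex A controls are meant to protect.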


@ -0,0 +1,18 @@
# Most Challenging Clauses in ISO 27001
Professionals cite difficulties with:
* **Clause 4: Context of the Organization**
* defining the organizations boundaries
* determining relevant interested parties
* documenting the complex interrelationships among processes required by Clause 4.4. Show how processes interact and link to business needs
* **Clause 6: Planning (Risk Assessment and Objectives)**
* identifying, evaluating, and treating risks
* choosing a risk methodology
* ensuring risk assessments meet auditor expectations
* **Clause 9: Performance Evaluation**
* Monitoring, measurement, analysis, and evaluation (especially Clause 9.1), esp. establish meaningful objectives, gather relevant metrics, and provide evidence of improvement.
* **Clause 10: Improvement (Nonconformity and Corrective Action)**
* a systematic approach to identifying, investigating, and tracking corrective actions.
* **Annex A Control Mapping and Statement of Applicability**
* The breadth of required controls and the need to justify inclusions/exclusions create confusion
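Review bot: "Professionals cite difficulties with" has no source; cite the survey or articles this list distils, otherwise the clause selection and the emphasis on 9.1 read as the repository's own assessment. In the Clause 4 block, the third bullet runs two sentences together ("... required by Clause 4.4. Show how processes interact ..."); make the second sentence its own sub-bullet or phrase it as guidance ("show how ...") like the surrounding items.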


@ -0,0 +1,30 @@
---
tags:
- project/iso27DIY
- dev
- design
---
Personae:
- co-owner of a scrappy startup
- lonely professional within an organization with low cybersecurity affinity (Dennis Clarisse bij Multrship)
Business Personae:
- implementator
- auditor (intern)
- auditor (extern)
- business manager (afdeling, proces)
- compliance officer
- CISO
- n.b. de IT afdeling is niet anders dan een business afdeling, alleen zitten er meer risicos en hebben ze meer maatregelen te implementeren (ook buiten hun eigen afdeling)
System roles:
- admin
- user
- power user
- whatever
ISMS roles (extract from ISO 27001):
- risk owner
- …
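Review bot: the second persona names a real person at a client in parentheses ("Dennis Clarisse bij Multrship"); keep an anonymised trait instead, since persona descriptions get copied into product docs and the name is personal data with no function here. The System roles list ends in the placeholder "whatever" and the ISMS roles list stops at "risk owner, …"; finish them or mark the file as draft, and reconcile System roles with the Administrator/Content Editor/Auditor/Expert list in the roles file so there is a single role model. The file also mixes Dutch and English (afdeling, proces, intern/extern, the n.b. note); pick one language per file.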


@ -0,0 +1,6 @@
Phil Odence of Black Duck / Synopsis
https://twitter.com/podence
https://www.linkedin.com/in/podence/
Connectie van Richard ten Cate (The Red Button), die volgens mij sales voor Black Duck heeft gedaan.
Zie ook [Software due diligence](../Corpus/Information%20Security/Software%20due%20diligence.md).
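Review bot: "Black Duck / Synopsis" should read Synopsys (the company that acquired Black Duck); the misspelling will defeat search across the corpus. The rest is a personal-contact note with third-party names and a hearsay remark ("volgens mij sales ... heeft gedaan"); if the Literature folder is shared, keep such contact notes elsewhere or drop the speculation.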


@ -0,0 +1,8 @@
# Top 250 van NL groeiers
[NLgroeit](https://www.nlgroeit.nl/) heeft in oktober samen met de Erasmus universiteit een top 250 van NL groeiers [gepubliceerd](https://ece.nl/app/uploads/Top-250-Insight_report-EN.pdf).
NLgroeit biedt ook mentorschap door ervaren ondernemers, vanaf een omzet van 1 miljoen.
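Review bot: "in oktober" has no year; add it, since the linked Top 250 report will be superseded by later editions and the note otherwise cannot be dated.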


@ -0,0 +1,46 @@
---
tags:
- SupaBase
- project/iso27DIY
- WeWeb
- dev
- stack
---
# No local components on edge devices
Prompt:
`Once the web service is developed with this technologies, what would need to be installed on MacOS and Windows edge devices to use this service?
For your web service using WeWeb (front end) and Supabase with Deno-powered Edge Functions (back end), **no special software needs to be installed on MacOS or Windows edge devices** (such as end-user computers or tablets) to use the service. Heres why:
- **Web-Based Access:** The service is accessed via a web browser (Chrome, Safari, Edge, Firefox, etc.), which is already installed on most devices[^2_1][^2_2].
- **No Local App Required:** Since WeWeb generates a standard web app and Supabase Edge Functions expose APIs over HTTPS, users simply need an internet connection and a modern browser.
- **Edge Functions Run in the Cloud:** The Deno runtime and your server-side logic are executed on Supabases infrastructure, not on the users device[^2_3].
**In summary:**
Users access your service through their browser—nothing needs to be installed on their MacOS or Windows devices beyond a standard web browser and internet connection.
[^2_1]: [https://docs.weweb.io/start-here/frequently-asked-questions.html](https://docs.weweb.io/start-here/frequently-asked-questions.html)
[^2_2]: [https://macchina.io/blog/internet-of-things/provide-secure-remote-access-iot-edge-devices/](https://macchina.io/blog/internet-of-things/provide-secure-remote-access-iot-edge-devices/)
[^2_3]: [https://blog.stackademic.com/everything-you-need-to-know-about-supabase-from-beginner-to-expert-f3889025442b](https://blog.stackademic.com/everything-you-need-to-know-about-supabase-from-beginner-to-expert-f3889025442b)
[^2_4]: [https://www.halo-lab.com/blog/building-fast-backends-in-supabase](https://www.halo-lab.com/blog/building-fast-backends-in-supabase)
[^2_5]: [https://stackoverflow.com/questions/1856753/web-service-solutions-from-mac](https://stackoverflow.com/questions/1856753/web-service-solutions-from-mac)
[^2_6]: [https://community.weweb.io/t/question-for-weweb-devs-with-a-macbook-pro/7304](https://community.weweb.io/t/question-for-weweb-devs-with-a-macbook-pro/7304)
[^2_7]: [https://stackoverflow.com/questions/76761877/bubble-io-or-weweb-which-is-best-for-application-development](https://stackoverflow.com/questions/76761877/bubble-io-or-weweb-which-is-best-for-application-development)
[^2_8]: [https://nocodealliance.org/tool-overview/weweb](https://nocodealliance.org/tool-overview/weweb)
[^2_9]: [https://slashdot.org/software/comparison/WeWeb-vs-Webflow/](https://slashdot.org/software/comparison/WeWeb-vs-Webflow/)
[^2_10]: [https://www.apple.com/server/docs/Windows_Services_TB_v10.4.pdf](https://www.apple.com/server/docs/Windows_Services_TB_v10.4.pdf)
---
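Review bot: only [^2_1], [^2_2] and [^2_3] are cited in the text; [^2_4] to [^2_10] are dangling footnotes pasted along with the LLM answer, and of the cited ones [^2_2] (an IoT remote-access post) does not support the claim it is attached to. Trim the list to the cited, relevant sources, close the backtick opened on the "Prompt:" line, and tag the file LLMgenerated as the portability note in this commit does. Worth adding to the summary: "nothing to install" means the browser is the only client-side trust boundary, so the service depends on HTTPS being enforced end to end (the answer already states the Edge Functions are exposed over HTTPS) and on users running a current browser; state that in onboarding material rather than leaving it implicit.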


@ -0,0 +1,52 @@
---
tags:
- dev
- dbms
---
https://gemini.google.com/app/0a9f0423e7379308
SQL and NoSQL represent two fundamental approaches to database management, each with distinct characteristics that make them suitable for different use cases.
Here's a breakdown of their key differences:
**SQL Databases (Relational Databases)**
- **Structure:** SQL databases are relational, meaning they organize data into predefined, structured tables with rows and columns. Each table has a fixed schema that dictates the data types and relationships between columns.
- **Schema:** They have a rigid, predefined schema. All data entered into a table must conform to this schema. Changes to the schema (e.g., adding a new column) can be complex and may require downtime.
- **Query Language:** They use SQL (Structured Query Language) for defining, manipulating, and querying data. SQL is a powerful and standardized language for complex queries and transactions.
- **Scalability:** Traditionally, SQL databases scale vertically, meaning you increase the capacity of a single server (e.g., by adding more CPU, RAM, or storage). While some SQL databases can be scaled horizontally (distributed across multiple servers), it's generally more complex to implement than with NoSQL.
- **Data Types:** Best suited for structured data where relationships between data are clear and consistent.
- **ACID Properties:** SQL databases generally adhere to ACID (Atomicity, Consistency, Isolation, Durability) properties, which guarantee data integrity and reliability for transactions. This is crucial for applications requiring high data consistency, such as financial transactions.
- **Examples:** MySQL, PostgreSQL, Oracle, SQL Server.
- **Use Cases:** Ideal for applications requiring complex queries, strong data consistency, and defined relationships, such as e-commerce platforms, banking systems, and traditional business applications.
**NoSQL Databases (Non-Relational Databases)**
- **Structure:** NoSQL databases are non-relational and offer more flexible data structures. They don't use the traditional table-based model. Instead, they store data in various formats:
- **Document-oriented:** Data is stored in flexible, semi-structured "documents" (e.g., JSON, BSON, XML).
- **Key-value stores:** Data is stored as key-value pairs, similar to a dictionary.
- **Wide-column stores:** Data is stored in column families, which can be thought of as tables with dynamic columns.
- **Graph databases:** Data is stored as nodes and edges, representing relationships between entities.
- **Schema:** They have a dynamic or "schemaless" schema. This means different records within the same database can have different fields, offering high flexibility and making it easier to adapt to changing data requirements.
- **Query Language:** NoSQL databases typically use their own specific query languages, which can vary widely between different NoSQL solutions. These languages are often optimized for the specific data model of the database.
- **Scalability:** NoSQL databases are designed for horizontal scalability, meaning you can easily distribute data and load across multiple servers or nodes. This makes them highly suitable for handling large volumes of data and high traffic.
- **Data Types:** Can handle structured, semi-structured, and unstructured data. This makes them ideal for big data, IoT, and real-time analytics.
- **ACID Properties:** Many NoSQL databases relax some ACID properties in favor of availability and performance (often adhering to BASE - Basically Available, Soft state, Eventually consistent - principles). While some NoSQL databases do offer ACID compliance, it's not a universal characteristic.
- **Examples:** MongoDB (document), Redis (key-value), Cassandra (wide-column), Neo4j (graph).
- **Use Cases:** Well-suited for applications that require rapid scalability, flexibility, and the ability to handle large volumes of diverse data, such as social media platforms, content management systems, real-time analytics, and mobile applications.
**Summary Table:**
| | | |
|---|---|---|
|**Feature**|**SQL Databases (Relational)**|**NoSQL Databases (Non-Relational)**|
|**Data Model**|Tabular (rows and columns)|Document, Key-Value, Wide-Column, Graph, etc.|
|**Schema**|Predefined, rigid|Dynamic, flexible (schemaless)|
|**Query Language**|SQL (Structured Query Language)|Varies (e.g., MQL for MongoDB, Cypher for Neo4j)|
|**Scalability**|Primarily vertical, some horizontal options|Primarily horizontal|
|**Data Types**|Structured data|Structured, semi-structured, unstructured|
|**ACID Properties**|Generally ACID compliant|Often BASE compliant (eventual consistency)|
|**Best For**|Complex queries, transactional data, strong consistency|Large volumes of diverse data, high scalability, agile development|
The choice between SQL and NoSQL depends heavily on the specific requirements of your application, including the nature of your data, scalability needs, consistency requirements, and development flexibility.
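Review bot: the summary table has an empty header row (`| | | |`) followed by the separator, so the `**Feature**` row renders as a body row; make the Feature row the header and drop the empty one. The content is a pasted Gemini answer (link at the top of the file) and should carry the LLMgenerated tag used elsewhere in this commit. For the iso27DIY stack in the same commit (Supabase, i.e. Postgres) the closing sentence could name the criterion that actually decides here: ISMS records are audit evidence, so the ACID/consistency row is the deciding one, not horizontal scalability.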


@ -0,0 +1,76 @@
---
tags:
- stack
- dev
- "#SupaBase"
- project/iso27DIY
---
# SupaBase Edge Functions
Perplexity, 13 juni 2025
Prompt: `Im planning to build a web service using WeWeb to develop the front end, with SupaBase for the back end. SupaBase offers Edge Functions which are developed using Deno. Tell me more about Deno within the context of my web service
If you use Supabase Edge Functions in your web service, youll be working with Deno as the runtime for your server-side logic. Heres what that means for your project:
- **Deno is a secure, modern JavaScript/TypeScript runtime**: Deno runs your code with secure defaults, requiring explicit permissions for things like file and network access, which reduces security risks[^1_1][^1_2].
- **Edge Functions are written in TypeScript or JavaScript**: You can use modern language features, and Deno supports TypeScript out of the box—no extra setup needed[^1_3][^1_4].
- **Serverless and globally distributed**: Supabase Edge Functions run close to your users, reducing latency and improving performance for API endpoints, webhooks, and custom backend logic[^1_3][^1_5].
- **Simple dependency management**: Deno uses URL-based imports, so you dont need a package manager or node_modules directory. Modules are imported directly from URLs and cached locally[^1_4].
- **Direct database access**: You can connect to your Supabase Postgres database from within Deno Edge Functions using libraries like `deno-postgres`[^1_5].
- **Scalable and auto-deployed**: Edge Functions are deployed instantly and auto-scale with demand, making them suitable for both small and large workloads[^1_3].
In summary, Deno in the context of your Supabase backend lets you write secure, modern, and scalable server-side code that integrates tightly with your database and runs close to your users for better performance[^1_3][^1_5][^1_4].
<div style="text-align: center"></div>
[^1_1]: [https://docs.deno.com/runtime/fundamentals/web_dev/](https://docs.deno.com/runtime/fundamentals/web_dev/)
[^1_2]: [https://kinsta.com/blog/deno-js/](https://kinsta.com/blog/deno-js/)
[^1_3]: [https://app.studyraid.com/en/read/8395/231617/creating-edge-functions-in-supabase](https://app.studyraid.com/en/read/8395/231617/creating-edge-functions-in-supabase)
[^1_4]: [https://www.codingandbeyond.com/2025/04/13/deno-just-another-javascript-runtime-for-backend/](https://www.codingandbeyond.com/2025/04/13/deno-just-another-javascript-runtime-for-backend/)
[^1_5]: [https://www.restack.io/docs/supabase-knowledge-supabase-deno-integration](https://www.restack.io/docs/supabase-knowledge-supabase-deno-integration)
[^1_6]: [https://www.reddit.com/r/Deno/comments/1fxkbu4/whats_the_fastest_web_framework_for_deno/](https://www.reddit.com/r/Deno/comments/1fxkbu4/whats_the_fastest_web_framework_for_deno/)
[^1_7]: [https://dev.to/ndaidong/6-things-i-just-learned-after-implementing-my-first-deno-web-service-18a8](https://dev.to/ndaidong/6-things-i-just-learned-after-implementing-my-first-deno-web-service-18a8)
[^1_8]: [https://docs.deno.com/runtime/reference/web_platform_apis/](https://docs.deno.com/runtime/reference/web_platform_apis/)
[^1_9]: [https://fresh.deno.dev](https://fresh.deno.dev)
[^1_10]: [https://dev.to/ndesmic/building-a-minimal-web-dev-server-with-deno-4gab](https://dev.to/ndesmic/building-a-minimal-web-dev-server-with-deno-4gab)
---
# So is Deno like a compiler?
Deno is not a compiler in the traditional sense. It is primarily a **JavaScript and TypeScript runtime**—meaning it executes your code, similar to how Node.js or a web browser runs JavaScript[^3_4][^3_5]. However, Deno does offer a `deno compile` command, which can package your script and its dependencies into a self-contained executable binary. This allows you to distribute your application as a standalone program that does not require Deno to be installed on the target machine[^3_2][^3_3].
In summary:
- **Deno is a runtime** for running JavaScript/TypeScript code.
- **Deno can also act as a compiler** when you use `deno compile` to produce standalone executables[^3_2][^3_3].
<div style="text-align: center"></div>
[^3_1]: [https://stackoverflow.com/questions/65715026/whats-the-difference-beetween-deno-install-and-deno-compile](https://stackoverflow.com/questions/65715026/whats-the-difference-beetween-deno-install-and-deno-compile)
[^3_2]: [https://deno.com/blog/deno-compile-executable-programs](https://deno.com/blog/deno-compile-executable-programs)
[^3_3]: [https://docs.deno.com/runtime/reference/cli/compile/](https://docs.deno.com/runtime/reference/cli/compile/)
[^3_4]: [https://dev.to/emnudge/deno-an-unfinished-beauty-4bhn](https://dev.to/emnudge/deno-an-unfinished-beauty-4bhn)
[^3_5]: [https://www.ionos.com/digitalguide/websites/web-development/deno/](https://www.ionos.com/digitalguide/websites/web-development/deno/)
[^3_6]: [https://deno.land/x/deno@v1.7.1/docs/tools/compiler.md](https://deno.land/x/deno@v1.7.1/docs/tools/compiler.md)
[^3_7]: [https://docs.deno.com/runtime/contributing/building_from_source/](https://docs.deno.com/runtime/contributing/building_from_source/)
[^3_8]: [https://docs.deno.com/runtime/](https://docs.deno.com/runtime/)
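Review bot: the first bullet's claim that Deno "requires explicit permissions for things like file and network access" needs a caveat for this project: those permission flags are set by whoever starts the runtime, and in a hosted Supabase Edge Function that is Supabase, not you, so they are not a control you configure or can cite as an ISMS measure; the function's input validation and the secrets it holds are what you are responsible for. Housekeeping: the backtick opened on the "Prompt:" line is never closed; [^1_6] to [^1_10], [^3_1] and [^3_6] to [^3_8] are never cited; the two empty `<div style="text-align: center"></div>` elements are paste residue. The `deno compile` section is background only, since Edge Functions are deployed as TypeScript/JavaScript source, not as compiled binaries; say so to avoid a reader treating it as a deployment option.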


@ -0,0 +1,94 @@
---
tags:
- iso27DIY
- architecture
- SupaBase
- LLMgenerated
---
# SupaBase edge functions portability
Supabase Edge Functions are built on Deno and use web standards (see below), which makes them relatively portable compared to platform-specific serverless functions. Here's what you need to know about their transportability:
**What makes them portable:**
- They run on Deno runtime, which is available on multiple platforms
- Use standard Web APIs (fetch, Request, Response objects)
- Written in TypeScript/JavaScript
- Follow web standards rather than proprietary APIs
**Where you can potentially run them:**
- **Deno Deploy** - Most direct migration since it's the same runtime
- **Cloudflare Workers** - Good compatibility due to similar web standards approach
- **Vercel Edge Functions** - Also supports web standard APIs
- **Netlify Edge Functions** - Uses Deno runtime as well
- **Self-hosted Deno** - Can run on your own infrastructure
**Considerations for migration:**
- **Supabase-specific features** - Functions that use Supabase client libraries or database connections will need adaptation
- **Environment variables** - May need to reconfigure for different platforms
- **Database connections** - Will need to update connection strings and potentially authentication methods
- **Deployment configuration** - Each platform has its own deployment process
**Best practices for portability:**
- Keep business logic separate from platform-specific code
- Use standard web APIs where possible
- Abstract database connections and external service calls
- Use environment variables for configuration
The code itself is generally portable, but you'll need to handle platform-specific configurations and potentially refactor any Supabase-specific integrations when moving to other platforms.
## Web standards
Supabase Edge Functions use several key web standards that make them portable across modern serverless platforms:
**Core Web APIs:**
- **Request/Response API** - Standard HTTP request and response objects
- **Fetch API** - For making HTTP requests to external services
- **URL API** - For parsing and manipulating URLs
- **Headers API** - For working with HTTP headers
- **ReadableStream/WritableStream** - For streaming data
**JavaScript/Web Platform Standards:**
- **Web Streams API** - For handling streaming data
- **TextEncoder/TextDecoder** - For encoding/decoding text
- **AbortController/AbortSignal** - For canceling operations
- **FormData** - For handling form submissions
- **URLSearchParams** - For working with query parameters
**Async/Promise Standards:**
- **Promise API** - Standard promise handling
- **async/await** - Modern asynchronous JavaScript syntax
**Crypto and Security:**
- **Web Crypto API** - For cryptographic operations (hashing, encryption)
- **Crypto.randomUUID()** - For generating UUIDs
**Data Handling:**
- **JSON** - Standard JSON parsing and stringification
- **Blob API** - For handling binary data
- **ArrayBuffer** - For working with binary data
**Example of standard usage:**
```javascript
// Standard Request/Response pattern
export default async function handler(req: Request): Promise<Response> {
const url = new URL(req.url)
const data = await req.json()
return new Response(JSON.stringify({ message: 'Hello' }), {
headers: { 'Content-Type': 'application/json' }
})
}
```
These standards are what make Edge Functions compatible with platforms like Cloudflare Workers, Vercel Edge Functions, and Netlify Edge Functions, since they all implement the same web standard APIs rather than proprietary interfaces.
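Review bot: in the closing example the fence is tagged `javascript` but the handler carries TypeScript annotations (`req: Request): Promise<Response>`), so it will not run as plain JS; tag it `typescript`. `url` is computed and never used, and `await req.json()` is unguarded: an empty or non-JSON body throws and surfaces as a platform 500, while the handler answers "Hello" regardless of method or body. For a real endpoint check the method and `Content-Type`, wrap the parse in try/catch and return a 400 on failure; that input check at the handler boundary belongs in the "Best practices for portability" list too, since it is the one piece of logic that is identical on every platform named here. Also add the entry point itself to the "Deployment configuration" bullet: `export default function handler` is the Vercel/Netlify convention, whereas Supabase's documented entry point is `Deno.serve(handler)`, so the example as written would need that wrapper before it runs on Supabase.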


@ -0,0 +1,438 @@
---
tags:
- project/iso27DIY
- dev
- graphDB
- dbms
- design
---
# TypeDB structure for ISO27DIY
**Prompt for Gemini**
You are an information consultant specialized in TypeDB databases. I am the client.
I need a TypeDB database for all the information on clauses and controls of ISO 27001 and 27002.
The information that is important to me, and for which I need to be able to query the database, is:
- the identifiers and titles of controls in the annexes
- The purpose of controls
- The implementation guidance for controls
- The actors involved in the implementation, evaluation and approval of controls
- The artifacts needed to prove implementation
- The actions and processes described in the chapters/clauses from the main body of ISO 27001 and 27002
- The relationship between these entities or objects.
You will write the TypeQL declarative patterns to describe the database structure.
## Output
Okay, client. Based on the provided ISO 27001 and ISO 27002 source materials, I will outline a TypeDB schema using TypeQL declarative patterns to represent the information you've requested. This schema will allow you to query relationships between standards, clauses, controls, actors, artifacts, requirements, risks, events, and processes as described in the sources.
Here is the schema definition:
define
// ATTRIBUTES
// Common Identifiers and Names
identifier sub attribute, value type string;
title sub attribute, value type string;
name sub attribute, value type string;
// Text Descriptions
description sub attribute, value type string;
purpose-text sub attribute, value type string;
guidance-text sub attribute, value type string;
content sub attribute, value type string; // For artifact content (e.g., policy text)
text sub attribute, value type string; // For requirement text
// Control Specific Attributes
control-type sub attribute, value type string; // e.g., #Preventive, #Detectif, #Corrigerend
security-property sub attribute, value type string; // e.g., #Vertrouwelijkheid, #Integriteit, #Beschikbaarheid
cybersecurity-concept sub attribute, value type string;
operational-capability sub attribute, value type string;
security-domain sub attribute, value type string;
// Actor Specific Attributes
actor-type sub attribute, value type string; // e.g., 'organization', 'person', 'external-party'
external-party-type sub attribute, value type string; // e.g., 'supplier', 'authority', 'special-interest-group', 'cloud-provider'
role-name sub attribute, value type string; // e.g., 'implementer', 'approver', 'owner', 'user', 'responsible', 'evaluator', 'party'
// Asset Specific Attributes
asset-type sub attribute, value type string; // e.g., 'information', 'IT-asset', 'physical-asset', 'service'
sensitivity-level sub attribute, value type string;
current-classification sub attribute, value type string; // Links to Classification level name
// Artifact Specific Attributes
artifact-type sub attribute, value type string; // e.g., 'policy', 'procedure', 'record', 'plan', 'agreement', 'schema', 'evidence', 'documentation', 'inventory-list'
is-documented sub attribute, value type boolean;
approval-status sub attribute, value type string; // e.g., 'approved', 'draft'
approval-level sub attribute, value type string; // e.g., 'management', 'board'
review-period sub attribute, value type string; // e.g., 'annual', 'biannual'
// Requirement Specific Attributes
requirement-source sub attribute, value type string; // e.g., 'legal', 'regulatory', 'contractual', 'stakeholder', 'business'
// Risk Specific Attributes
risk-type sub attribute, value type string; // e.g., 'information security risk', 'privacy risk'
// Event Specific Attributes
event-type sub attribute, value type string; // e.g., 'information security event', 'information security incident', 'disruption'
category sub attribute, value type string; // e.g., Incident categorization schema value
priority sub attribute, value type string; // e.g., Incident prioritization schema value
// Process Specific Attributes
process-name sub attribute, value type string; // Using name attribute for processes
// Standard Specific Attributes
standard-version sub attribute, value type string;
// ENTITIES
// Represents ISO standards like 27001 or 27002
standard sub entity,
owns identifier @key, // e.g., "ISO/IEC 27001", "ISO/IEC 27002"
owns standard-version; // e.g., "2022", "2023"
// Represents clauses within the main body of a standard (e.g., ISO 27001 Clauses 4-10, ISO 27002 Clauses 5-8 as presented)
clause sub entity,
owns identifier @key, // e.g., "4", "5.1" (if modeling 27001 control clauses)
owns title, // e.g., "Context of the organization", "Policies for information security"
owns description; // Content text from the clause
// Represents information security controls, primarily from ISO/IEC 27002
control sub entity,
owns identifier @key, // e.g., "5.9", "8.4"
owns title, // e.g., "Inventory of information and other associated assets"
owns purpose-text,
owns guidance-text,
owns control-type,
owns security-property,
owns cybersecurity-concept,
owns operational-capability,
owns security-domain;
// Abstract type for any entity that can perform actions or have responsibilities
actor sub entity,
owns actor-type @key; // Discriminator: 'organization', 'person', 'external-party'
organization sub actor, owns name @key;
person sub actor, owns name @key;
external-party sub actor,
owns name @key,
owns external-party-type; // 'supplier', 'authority', 'special-interest-group', etc.
// Represents information and other associated assets
asset sub entity,
owns name @key, // e.g., "Customer Database", "Laptop", "Cloud Storage Service"
owns asset-type,
owns sensitivity-level,
owns current-classification; // Refers to a Classification level (string for simplicity here)
// Represents documentation, records, plans, agreements, schemas, evidence
artifact sub entity,
owns name @key, // e.g., "Information Security Policy", "Supplier Agreement XYZ", "Risk Assessment Report"
owns artifact-type,
owns content,
owns is-documented,
owns approval-status,
owns approval-level,
owns review-period;
// Represents legal, regulatory, contractual, business, or stakeholder requirements
requirement sub entity,
owns text @key,
owns requirement-source; // e.g., 'legal', 'contractual', 'business'
// Represents information security risks
risk sub entity,
owns description @key,
owns risk-type;
// Represents information security events or incidents
event sub entity,
owns event-type @key, // e.g., 'information security event', 'information security incident', 'disruption'
owns description,
owns category,
owns priority;
// Represents business processes or information security management processes
process sub entity,
owns process-name @key, // e.g., "Risk Assessment Process", "Incident Management Process"
owns description;
// RELATIONS
// Standard Structure: Clause and Control are part of a Standard
part-of-standard sub relation,
clause-part owns identifier, // Role for clause identifier
control-part owns identifier, // Role for control identifier
standard-part owns identifier; // Role for standard identifier
clause part-of-standard: clause-part;
control part-of-standard: control-part;
standard part-of-standard: standard-part;
// Relationships describing who defines/creates artifacts
defines-artifact sub relation,
definer plays actor,
defined-artifact plays artifact;
// Relationship describing who implements controls or requirements
implements sub relation,
implementer plays actor,
implemented-subject plays control | requirement; // Can implement controls or requirements
// Relationship describing responsibility for controls, assets, processes, artifacts
responsible-for sub relation,
responsible plays actor,
responsibility-subject plays control | asset | process | artifact,
owns role-name; // e.g., 'owner', 'manager', 'coordinator'
// Relationship describing who approves artifacts (e.g., management approves policies)
approves sub relation,
approver plays person, // Typically a person (management)
approved-artifact plays artifact,
owns approval-level;
// Relationship describing who evaluates what (e.g., organization evaluates supplier, manager evaluates compliance)
evaluates sub relation,
evaluator plays actor,
evaluated-subject plays actor | control | asset | process | artifact, // Evaluate other actors, controls, assets, processes, artifacts
owns role-name; // e.g., 'internal-reviewer', 'independent-reviewer'
// Relationship describing how requirements or risks are addressed
addresses sub relation,
subject-to-address plays requirement | risk,
addressing-method plays control | process | artifact; // Controls, processes, or artifacts address requirements/risks
// Relationship between assets
associated-with sub relation,
asset-a plays asset,
asset-b plays asset;
// Relationship describing who uses assets
uses-asset sub relation,
user plays actor | process, // Actors or processes use assets
used-asset plays asset;
// Relationship describing who accesses assets (specifically information/data)
accesses-asset sub relation,
accessor plays actor,
accessed-asset plays asset; // Typically asset type 'information' or asset with information
// Relationship describing what is covered by an agreement artifact
covered-by-agreement sub relation,
subject plays asset, // Assets or services covered
agreement plays artifact; // Artifact type 'agreement'
// Relationship describing actors and artifacts involved in a process
involved-in-process sub relation,
participant plays actor,
process plays process,
owns role-name; // e.g., 'responsible', 'contributor'
artifact involved-in-process: process-artifact; // Role for artifacts used in processes (input/output/tool)
process involved-in-process: process;
actor involved-in-process: participant;
// Relationship between processes/assets/persons and events (e.g., incident impacts asset)
relates-to-event sub relation,
subject plays process | asset | person, // What is related to the event
event plays event,
owns role-name; // e.g., 'impacted-asset', 'involved-person', 'triggering-process'
// Relationship describing controls or processes active during disruption events
during-disruption sub relation,
subject plays control | process, // Controls or processes
disruption-event plays event; // Event type 'disruption'
// Relationship describing plans or requirements informed by analysis artifacts
informed-by-artifact sub relation,
subject plays artifact | requirement, // Plan artifact or Requirement
informing-artifact plays artifact; // Analysis results artifact (e.g., BIA report)
// General relationship for using artifacts
uses-artifact sub relation,
user plays actor | process,
used-artifact plays artifact;
// Relationship describing artifacts serving as evidence for control/clause/requirement/process implementation or compliance
serves-as-evidence-for sub relation,
evidence plays artifact,
subject plays control | clause | requirement | process;
// Relationship for cross-referencing between controls
references-control sub relation,
referencing-control plays control,
referenced-control plays control;
// Relationship describing how controls, processes, or organizations meet requirements
meets-requirement sub relation,
subject plays control | process | organization,
requirement plays requirement;
// Relationship linking requirements back to the clause they are found in (if applicable)
requirement-in-clause sub relation,
requirement plays requirement,
clause plays clause;
## Explanation of the Schema
**Attributes:** These define the properties that entities can have, such as identifier, title, purpose-text, guidance-text, name, type, etc. Each attribute is defined with its value type (e.g., string, boolean). Some attributes are marked @key within an entity definition, meaning they uniquely identify instances of that entity type.
**Entities:** These are the main objects or concepts in your database, like standard, control, organization, asset, artifact, etc. They own attributes to describe their properties.
**Relations:** These define how entities relate to each other. Each relation defines roles that entities play in that relationship. For example, in the responsible-for relation, an actor plays the responsible role for a subject(which could be a control, asset, process, or artifact), and the relation itself owns a role-name attribute to specify the nature of that responsibility (e.g., 'owner', 'manager').
**How this Schema Addresses Your Needs:**
**Identifiers and titles of controls:** Captured by the control entity with identifier and title attributes.
**Purpose of controls:** Captured by the control entity with the purpose-text attribute.
**Implementation guidance for controls:** Captured by the control entity with the guidance-text attribute.
**Actors involved in the implementation, evaluation and approval of controls:** Captured by the actor entities (organization, person, external-party) and relationships like implements, evaluates, responsible-for, and approves. The role-name attribute on relationships like responsible-for and evaluates allows specifying the exact role (e.g., 'implementer', 'reviewer', 'approver').
**Artifacts needed to prove implementation:** Captured by the artifact entity and the serves-as-evidence-forrelationship, linking an artifact instance to the control, clause, requirement, or process it provides evidence for.
**Actions and processes described in the chapters/clauses:** Captured by the clause entity (holding the text description), the process entity, and relationships like involved-in-process which links actors and artifacts to specific processes described.
**The relationship between these entities or objects:** Defined explicitly by the TypeQL relations, allowing you to traverse the graph and discover how different concepts are connected according to the sources. For example, you can find which controls are implemented by a specific organization (implements relation), which artifacts are required for a control (serves-as-evidence-for relation), or which personnel are involved in an incident management process (involved-in-process relation).
This schema provides a solid foundation for building your TypeDB database based on the ISO 27001 and 27002 sources you provided. You can populate this schema with instances derived from the text (e.g., create an organization instance, a control instance for 5.9, an artifact instance for an Inventory List, and link them using the defined relations).
## Mermaid diagram
Syntax errors:
- the bracketed numbers, e.g. `risk [3]`
- `note over` seems to confuse the parser
```
graph TD
standard{{"Standard<br/>identifier @key<br/>title"}}
clause{{"Clause<br/>identifier @key<br/>title<br/>text"}}
requirement{{"Requirement<br/>identifier @key<br/>text"}}
control{{"Control<br/>identifier @key<br/>title<br/>purpose-text<br/>guidance-text"}}
organization{{"Organization<br/>name @key"}}
person{{"Person<br/>name @key"}}
external_party{{"External Party<br/>name @key"}}
asset{{"Asset<br/>name @key<br/>type"}}
artifact{{"Artifact<br/>name @key<br/>type"}}
risk{{"Risk<br/>identifier @key<br/>description"}}
event{{"Event<br/>identifier @key<br/>description"}}
process{{"Process<br/>identifier @key<br/>description"}}
standard -- "defines clause" --> clause
clause -- "part-of standard" --> standard
clause -- "contains requirement" --> requirement
requirement -- "part-of clause" --> clause
requirement -- "addressed-by control" --> control
control -- "addresses requirement" --> requirement
risk -- "treated-by control" --> control
control -- "treats risk" --> risk [3]
organization -- "implements control" --> control [2]
person -- "implements control" --> control [2]
external_party -- "implements control" --> control [2]
organization -- "evaluates control" --> control [2]
person -- "evaluates control" --> control [2]
external_party -- "evaluates control" --> control [2]
organization -- "approves control" --> control [2]
person -- "approves control" --> control [2]
external_party -- "approves control" --> control [2]
organization -- "responsible-for subject" --> control [2]
organization -- "responsible-for subject" --> asset [2]
organization -- "responsible-for subject" --> process [2]
organization -- "responsible-for subject" --> artifact [2]
person -- "responsible-for subject" --> control [2]
person -- "responsible-for subject" --> asset [2]
person -- "responsible-for subject" --> process [2]
person -- "responsible-for subject" --> artifact [2]
external_party -- "responsible-for subject" --> control [2]
external_party -- "responsible-for subject" --> asset [2]
external_party -- "responsible-for subject" --> process [2]
external_party -- "responsible-for subject" --> artifact [2]
organization -- "involved-in process" --> process [2]
person -- "involved-in process" --> process [2]
external_party -- "involved-in process" --> process [2]
artifact -- "involved-in process" --> process [2]
artifact -- "serves-as-evidence-for subject" --> control [2]
artifact -- "serves-as-evidence-for subject" --> clause [2]
artifact -- "serves-as-evidence-for subject" --> requirement [2]
artifact -- "serves-as-evidence-for subject" --> process [2]
event -- "managed-by control" --> control [4, 5]
control -- "manages event" --> event [4, 5]
asset -- "protected-by control" --> control [6]
control -- "protects asset" --> asset [6]
note over organization, person, external_party: Actors are Organization, Person, External Party [2]
note over control, asset, process, artifact: The 'responsible-for' relation has a 'role-name' attribute (e.g., 'owner', 'manager') [1, 2]
note over control, clause, requirement, process: The 'serves-as-evidence-for' relation links Artifacts to these subjects [2]
```
## Explanation of Mermaid diagram
- The diagram visualizes the entities identified in the schema such as `standard`, clause, `control`, `organization`, `person`, `external-party`, `asset`, `artifact`, `risk`, `event`, and `process`.
* Some of the key attributes mentioned in the schema definition are listed within the entity nodes (e.g., `identifier @key`, `title`, `purpose-text`, `guidance-text`). Attributes marked with `@key` are unique identifiers for entity instances.
* The arrows represent the **Relations** defined in the schema. Each relation connects entities and the labels on the arrows indicate the name of the relation (e.g., `defines`, t`reated-by`) and the **Role** that the entity at the start of the arrow plays in that relationship (e.g., `defines clause`, `treated-by control`).
* Specific relationships are shown as described or implied by the sources:
* Standards define clauses.
* Clauses contain requirements.
* Requirements are addressed by controls.
* Risks are treated by controls.
* Actors (`organization`, `person`, `external-party`) can implement, evaluate, or approve controls. These are specific types of actors mentioned in the sources.
* Actors can be responsible for controls, assets, processes, and artifacts. This relation type (`responsible-for`) includes a role-nameattribute in the schema to specify the nature of responsibility (e.g., 'owner', 'manager').
* Actors and artifacts can be involved in processes. The term 'process' is defined as a set of interrelated activities.
* Artifacts serve as evidence for controls, clauses, requirements, or processes. Records, a type of artifact, are information maintained as evidence.
* Controls can manage events.
* Controls can protect assets. An asset can be a bedrijfsmiddel. Assets include information and other related items.
This diagram provides a visual representation of how the different components of the ISO 27001/27002 framework, as mapped into a TypeDB schema, are intended to interrelate according to the sources. The structure allows for querying and traversing these connections to understand the relationships between requirements, the controls implemented to meet them, the risks they address, the assets involved, the processes they are part of, the actors responsible, and the artifacts serving as evidence
# Graph dbs for PoC
Building a Proof of Concept (POC) for a Knowledge Graph in Information Security and Compliance on a Mac Mini M2, with an eye towards LLM integration, requires a robust, well-maintained, and performant open-source property graph database.
Here are the top contenders, focusing on your specific criteria:
Top Choices for Your POC
* Neo4j Community Edition
* Pros:
* Gold Standard: Neo4j is arguably the most widely recognized and mature property graph database. It has a massive community, extensive documentation, and a wealth of learning resources (GraphAcademy).
* Cypher Query Language: Cypher is a highly intuitive and powerful declarative query language specifically designed for property graphs. It's excellent for expressing complex patterns and traversals, which is ideal for security and compliance use cases (e.g., "find all assets vulnerable to a specific threat, mitigated by a weak control, and subject to GDPR").
* M2 Compatibility: Neo4j Desktop (which includes the Community Edition) runs natively on macOS, including Apple Silicon (M1/M2/M3), making installation and local development very smooth. You can also run it via Docker.
* Strong LLM Integration Ecosystem: Neo4j has heavily invested in LLM integrations. They have a dedicated "GraphRAG" initiative, LangChain integrations, and many tutorials showing how to use LLMs for knowledge graph construction (extracting entities and relationships from unstructured text) and for generating natural language queries from human questions. This ecosystem is probably the most mature for LLM interaction.
* Visualization: Neo4j Browser provides excellent built-in visualization, which is crucial for understanding complex security relationships in a knowledge graph.
* Cons:
* Licensing: The Community Edition is open source under GPLv3, but some advanced features (like clustering for high availability/scalability) are only in the Enterprise Edition (commercial license). For a POC, this isn't usually an issue.
* Memgraph Community Edition
* Pros:
* High Performance (In-Memory): Memgraph is an in-memory graph database, making it exceptionally fast for queries and real-time analytics. This could be a significant advantage for dynamic security analysis or incident response simulations.
* OpenCypher Support: It supports OpenCypher, making it compatible with Neo4j's powerful query language. This allows for easy migration if you later decide to switch or leverage existing Cypher knowledge.
* M2 Compatibility: Runs well on macOS (including M2), often installed via brew.
* Good LLM Integration: Memgraph has actively promoted its use in GraphRAG applications and offers integrations with tools like LangChain for LLM interaction, similar to Neo4j.
* MAGE (Memgraph Advanced Graph Extensions): Provides a library of graph algorithms that can be very useful for advanced security analytics (e.g., finding central assets, identifying attack paths).
* Cons:
* In-Memory (for POC): While fast, being primarily in-memory means you'll need to be mindful of the Mac Mini's RAM limitations for very large datasets in a long-running POC. However, for a typical POC scope, this is often manageable. Persistent storage is supported, but the core strength is in-memory.
* Smaller Community: While growing, its community is smaller than Neo4j's.
* Apache AGE (PostgreSQL Extension)
* Pros:
* Leverages PostgreSQL: If you're already familiar with PostgreSQL or want to keep your graph data alongside relational data, AGE is a compelling choice. It offers the ACID compliance and robustness of Postgres.
* Cypher-like Querying: It provides a Cypher-like query language (called age_graph_query) within SQL, allowing you to run graph queries directly on your Postgres database.
* M2 Compatibility: As a PostgreSQL extension, it runs wherever PostgreSQL runs, including natively on Mac Mini M2.
* Apache Project: Being an Apache project means it's community-driven and open-source with a clear governance model.
* Cons:
* Less Native Graph Performance: While good, it's an extension to a relational database, so its raw graph traversal performance might not match native graph databases like Neo4j or Memgraph for extremely deep or complex traversals.
* LLM Integration Maturity: While you can certainly integrate it with LLMs via custom code (e.g., using LangChain and a PostgreSQL connector), the specific "GraphRAG" tools and tutorials might be less direct compared to Neo4j's dedicated ecosystem. You'd be building more of that integration yourself.
Key Considerations for Your POC
* Ease of Setup/Local Development on Mac Mini M2: All options listed are generally easy to install via Homebrew or Docker on Apple Silicon.
* Query Language: Both Neo4j and Memgraph use (or support) Cypher, which is excellent for security knowledge graphs. Apache AGE uses a Cypher-like syntax.
* LLM Integration (MPC Server):
* Data Extraction: LLMs can be used to extract entities (assets, vulnerabilities, controls, regulations) and relationships from unstructured text (e.g., security reports, compliance documents, threat intelligence). Your chosen graph database will then store this structured data.
* Retrieval Augmented Generation (RAG): This is where the "MPC server" comes in. Your LLM application will query the knowledge graph to retrieve relevant context (e.g., "what controls mitigate this vulnerability for these assets?") and feed that context to the LLM to generate more accurate and grounded responses (e.g., "Here's how to address CVE-X affecting your web server, according to NIST CSF control AC-3").
* Text-to-Graph/Graph-to-Text: LLMs can also help translate natural language questions into graph queries (e.g., "show me my compliance posture for PCI DSS" -> Cypher query) and translate graph query results back into human-readable text.
* Vector Search: Many modern graph databases are integrating vector capabilities. This allows you to store embeddings (numerical representations) of nodes and relationships, enabling semantic search and similarity matching, which is very useful for LLM applications.
Recommendation for POC:
For a POC on a Mac Mini M2 with a strong focus on LLM integration for InfoSec/Compliance, Neo4j Community Edition is often the safest and most feature-rich choice.
* Its mature ecosystem, dedicated GraphRAG tools, and intuitive Cypher language will significantly accelerate your development and experimentation with LLMs.
* The community support and wealth of online resources mean you'll likely find solutions to problems quickly.
* The visualization capabilities are excellent for demonstrating the value of the knowledge graph to stakeholders.
If you hit performance bottlenecks with Neo4j (which is unlikely for a typical POC unless your dataset is truly massive), or if you have a strong existing PostgreSQL ecosystem you want to leverage, then Memgraph (for raw speed) or Apache AGE (for PostgreSQL integration) are excellent alternatives.
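Review bot: the relation definitions in the TypeQL block invert the role syntax, so the schema will not load as written: a relation declares its roles with `relates` and the participating type declares `plays relation:role`, whereas lines such as `definer plays actor,` and `implemented-subject plays control | requirement;` put `plays` on the role name and use a `|` union that TypeQL has no syntax for. The fix is, for example, `defines-artifact sub relation, relates definer, relates defined-artifact;` together with `actor plays defines-artifact:definer;` and `artifact plays defines-artifact:defined-artifact;`, and for roles that several types can fill, a separate `plays` line per type (`control plays implements:implemented-subject;`, `requirement plays implements:implemented-subject;`). The `part-of-standard` block also attaches attributes to roles (`clause-part owns identifier,`), which is not permitted; roles carry no attributes, and the three `clause part-of-standard: clause-part;` lines should become `clause plays part-of-standard:clause-part;`. In the Mermaid block, besides the two parser problems already listed (the `[n]` citation markers and `note over`, which is sequence-diagram syntax and not valid in `graph TD`), the node labels disagree with the schema on keys: `requirement`, `risk`, `event` and `process` show `identifier @key` while the schema keys them on `text`, `description`, `event-type` and `process-name`, and `asset`/`artifact` show a `type` attribute that the schema names `asset-type`/`artifact-type`; one of the two should be corrected so the diagram documents the schema it claims to. Smaller points: "bedrijfsmiddel" in the asset bullet is untranslated Dutch for "asset"; Apache AGE exposes Cypher through the `cypher()` SQL function (`SELECT * FROM cypher('graph_name', $$ MATCH (n) RETURN n $$) AS (n agtype);`) rather than an `age_graph_query` language, so that name should be checked; and "MPC server" in the LLM-integration bullets reads like a typo for "MCP server" (Model Context Protocol), which is the term the surrounding RAG discussion points at.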

View file

@ -0,0 +1,25 @@
# When to use JSON types in Supabase
Use JSON/JSONB columns in Supabase when you have these specific scenarios:
**Semi-structured data with varying schemas** - Perfect for user preferences, product attributes that differ by category, or configuration settings where each record might have different fields. For example, storing product metadata where electronics have different attributes than clothing.
**Nested object relationships** - When you need to store hierarchical data like address information (street, city, state, country), contact details with multiple phone numbers, or complex form responses with dynamic fields. This avoids creating multiple related tables for simple nested data.
**Flexible schema requirements** - Applications where you cant predict all the fields upfront, like user-generated content, API responses youre caching, or analytics events with varying properties.
**Rapid prototyping** - During development when your data structure is still evolving and you dont want to constantly run migrations to add new columns.
**Avoid JSON/JSONB when:**
**You need frequent atomic updates** to individual properties - SQL columns are better for fields youll update often independently, like user status or counters.
**Heavy relational queries** - If you need complex JOINs or foreign key relationships, traditional normalized tables are more efficient.
**Frequent filtering/sorting** on specific fields - While JSONB can be indexed, dedicated columns with proper indexes perform better for fields you query regularly.
**Data integrity is critical** - SQL constraints, foreign keys, and data types provide stronger guarantees than JSON validation.
**Simple, well-defined structures** - A users email, name, and created_at timestamp should be regular columns, not JSON.
A good hybrid approach is using both: core, frequently-queried fields as columns, with a JSONB column for flexible metadata or preferences. This gives you the best of both worlds.
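Review bot: the "Data integrity is critical" bullet states the trade-off but gives no mitigation, and the advice is incomplete without one because a JSONB column accepts any well-formed JSON regardless of shape. Worth adding that the gap can be narrowed in the database itself with a CHECK constraint, e.g. `CHECK (jsonb_typeof(metadata) = 'object')` or `CHECK (metadata ? 'version')`, with fuller shape validation done in the application before the write. The hybrid-approach paragraph would also benefit from one sentence on placement: anything that drives authorization decisions (roles, feature flags, ownership) belongs in regular columns, because a client with UPDATE on the row can typically rewrite the whole JSONB value, and row-level and column-level policies cannot address individual keys inside it.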

View file

@ -0,0 +1,32 @@
PostgreSQL has excellent JSON support with dedicated JSON and JSONB data types. JSONB is particularly powerful as it stores JSON in a binary format thats faster to query. PostgreSQL offers extensive JSON operators and functions, GIN indexing for JSON fields, and the ability to mix relational and JSON data in the same database.
Supabase has excellent JSONB support since its built on PostgreSQL, which has one of the best JSON implementations among relational databases.
With Supabase, you can:
**Create JSONB columns** in your tables through the dashboard or SQL commands
```sql
ALTER TABLE your_table ADD COLUMN metadata JSONB;
```
**Query JSONB data** using PostgreSQLs rich JSON operators:
- `->` for accessing JSON object fields
- `->>` for getting JSON values as text
- `@>` for checking if JSON contains specific key-value pairs
- `?` for checking if a key exists
**Index JSONB columns** for better performance using GIN indexes:
```sql
CREATE INDEX idx_metadata ON your_table USING GIN (metadata);
```
**Use Supabases client libraries** to work with JSONB seamlessly. The JavaScript client, for example, handles JSON serialization/deserialization automatically.
**Filter and search** JSONB data in your queries through the Supabase API or SQL.
Supabase also provides a nice interface in their dashboard for viewing and editing JSONB data, making it developer-friendly. Since its PostgreSQL under the hood, you get all the JSON performance benefits like binary storage, fast querying, and the ability to mix JSON with traditional relational data.
This makes Supabase a solid choice if you want the convenience of a hosted database service with powerful JSON capabilities.
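Review bot: the operator list is presented as applying to both JSON types named in the first paragraph, but `@>` and `?` are defined only for `jsonb`; the plain `json` type supports `->`, `->>` and `#>` but neither containment nor key-existence checks, which is one more reason the text should steer readers to JSONB throughout. The GIN example would also be more useful with two caveats: `USING GIN (metadata)` uses the default `jsonb_ops` opclass, and when queries only use `@>` the smaller `USING GIN (metadata jsonb_path_ops)` variant is the better choice; and a GIN index does not serve equality filters on extracted text such as `metadata->>'status' = 'active'`, which need an expression B-tree index, e.g. `CREATE INDEX idx_metadata_status ON your_table ((metadata->>'status'));`.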

View file

@ -0,0 +1,101 @@
erDiagram
conversation_flows {
UUID id PK
VARCHAR name
TEXT description
BOOLEAN is_active
TIMESTAMP created_at
TIMESTAMP updated_at
}
slot_definitions {
UUID id PK
UUID flow_id FK
VARCHAR slot_name
VARCHAR slot_type
BOOLEAN is_required
INTEGER priority
VARCHAR depends_on_slot
JSONB dependency_value
TIMESTAMP created_at
}
slot_validations {
UUID id PK
UUID slot_id FK
VARCHAR validation_type
JSONB validation_rule
TEXT error_message
TIMESTAMP created_at
}
slot_questions {
UUID id PK
UUID slot_id FK
VARCHAR question_type
TEXT question_text
TEXT follow_up_text
BOOLEAN is_default
JSONB context_conditions
TIMESTAMP created_at
}
conversation_sessions {
UUID id PK
VARCHAR user_id
UUID flow_id FK
VARCHAR session_status
VARCHAR current_slot
JSONB collected_slots
JSONB context_data
TIMESTAMP started_at
TIMESTAMP completed_at
TIMESTAMP last_interaction
}
slot_collection_attempts {
UUID id PK
UUID session_id FK
VARCHAR slot_name
TEXT user_input
JSONB extracted_value
BOOLEAN is_valid
JSONB validation_errors
INTEGER attempt_number
TIMESTAMP created_at
}
%% Relationships
conversation_flows ||--o{ slot_definitions : "has many"
slot_definitions ||--o{ slot_validations : "has many"
slot_definitions ||--o{ slot_questions : "has many"
conversation_flows ||--o{ conversation_sessions : "has many"
conversation_sessions ||--o{ slot_collection_attempts : "has many"
%% Additional annotations
slot_definitions {
string slot_type "text|number|email|phone|date|boolean|choice"
string depends_on_slot "Optional reference to another slot"
json dependency_value "Required values for dependency"
}
slot_validations {
string validation_type "regex|range|length|choices|custom"
json validation_rule "Validation parameters"
}
slot_questions {
string question_type "initial|clarification|validation_error|confirmation"
json context_conditions "When to use this question variant"
}
conversation_sessions {
string session_status "active|completed|paused|abandoned"
json collected_slots "Key-value pairs of collected data"
json context_data "Additional session context"
}
slot_collection_attempts {
json extracted_value "Processed user input"
json validation_errors "List of validation failures"
}
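Review bot: the "Additional annotations" section re-opens entity blocks for attributes that are already declared above (`slot_type`, `depends_on_slot`, `dependency_value`, and so on) under different type names (`string` instead of `VARCHAR`, `json` instead of `JSONB`); Mermaid treats a second block as further attributes of the same entity rather than as annotations on existing ones, so each of these will appear twice in the rendered diagram. Fold the comment strings into the first declarations instead, e.g. `VARCHAR slot_type "text|number|email|phone|date|boolean|choice"`. The diagram also shows no relationship for `slot_definitions.depends_on_slot` and `slot_collection_attempts.slot_name`, which is accurate to the SQL (both are free-text names, not foreign keys) but hides a real integrity gap; if the SQL is tightened to a key reference, the diagram should gain the corresponding self-referencing and session-to-slot edges.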

View file

@ -0,0 +1,112 @@
-- Core conversation flow definitions
CREATE TABLE conversation_flows (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
name VARCHAR(100) NOT NULL,
description TEXT,
is_active BOOLEAN DEFAULT true,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Define individual slots with their properties
CREATE TABLE slot_definitions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
flow_id UUID REFERENCES conversation_flows(id),
slot_name VARCHAR(100) NOT NULL,
slot_type VARCHAR(50) NOT NULL, -- 'text', 'number', 'email', 'phone', 'date', 'boolean', 'choice'
is_required BOOLEAN DEFAULT true,
priority INTEGER DEFAULT 1, -- Lower numbers = higher priority
depends_on_slot VARCHAR(100), -- Optional dependency on another slot
dependency_value JSONB, -- Required value(s) for dependency
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(flow_id, slot_name)
);
-- Validation rules for each slot
CREATE TABLE slot_validations (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
slot_id UUID REFERENCES slot_definitions(id),
validation_type VARCHAR(50) NOT NULL, -- 'regex', 'range', 'length', 'choices', 'custom'
validation_rule JSONB NOT NULL, -- Store validation parameters
error_message TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Question templates for each slot
CREATE TABLE slot_questions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
slot_id UUID REFERENCES slot_definitions(id),
question_type VARCHAR(50) NOT NULL, -- 'initial', 'clarification', 'validation_error', 'confirmation'
question_text TEXT NOT NULL,
follow_up_text TEXT, -- Optional follow-up or explanation
is_default BOOLEAN DEFAULT false,
context_conditions JSONB, -- When to use this question variant
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Store conversation state and collected slot values
CREATE TABLE conversation_sessions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id VARCHAR(100) NOT NULL,
flow_id UUID REFERENCES conversation_flows(id),
session_status VARCHAR(50) DEFAULT 'active', -- 'active', 'completed', 'paused', 'abandoned'
current_slot VARCHAR(100),
collected_slots JSONB DEFAULT '{}',
context_data JSONB DEFAULT '{}', -- Additional context
started_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
completed_at TIMESTAMP,
last_interaction TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Track individual slot collection attempts
CREATE TABLE slot_collection_attempts (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
session_id UUID REFERENCES conversation_sessions(id),
slot_name VARCHAR(100) NOT NULL,
user_input TEXT,
extracted_value JSONB,
is_valid BOOLEAN,
validation_errors JSONB,
attempt_number INTEGER DEFAULT 1,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Sample data for a customer onboarding flow
INSERT INTO conversation_flows (name, description) VALUES
('customer_onboarding', 'New customer information collection');
-- Sample slot definitions
INSERT INTO slot_definitions (flow_id, slot_name, slot_type, is_required, priority)
SELECT id, 'full_name', 'text', true, 1 FROM conversation_flows WHERE name = 'customer_onboarding';
INSERT INTO slot_definitions (flow_id, slot_name, slot_type, is_required, priority)
SELECT id, 'email', 'email', true, 2 FROM conversation_flows WHERE name = 'customer_onboarding';
INSERT INTO slot_definitions (flow_id, slot_name, slot_type, is_required, priority, depends_on_slot, dependency_value)
SELECT id, 'phone', 'phone', true, 3, 'contact_preference', '["phone", "both"]'
FROM conversation_flows WHERE name = 'customer_onboarding';
-- Sample validation rules
INSERT INTO slot_validations (slot_id, validation_type, validation_rule, error_message)
SELECT id, 'length', '{"min": 2, "max": 100}', 'Name must be between 2 and 100 characters'
FROM slot_definitions WHERE slot_name = 'full_name';
INSERT INTO slot_validations (slot_id, validation_type, validation_rule, error_message)
SELECT id, 'regex', '{"pattern": "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"}', 'Please enter a valid email address'
FROM slot_definitions WHERE slot_name = 'email';
-- Sample questions
INSERT INTO slot_questions (slot_id, question_type, question_text, follow_up_text)
SELECT id, 'initial', 'Hi! I''d like to help you get started. What''s your full name?', 'Please provide your first and last name'
FROM slot_definitions WHERE slot_name = 'full_name';
INSERT INTO slot_questions (slot_id, question_type, question_text)
SELECT id, 'validation_error', 'That doesn''t look like a valid name. Could you please try again?'
FROM slot_definitions WHERE slot_name = 'full_name';
-- Indexes for performance
CREATE INDEX idx_conversation_sessions_user_flow ON conversation_sessions(user_id, flow_id);
CREATE INDEX idx_conversation_sessions_status ON conversation_sessions(session_status);
CREATE INDEX idx_slot_definitions_flow_priority ON slot_definitions(flow_id, priority);
CREATE INDEX idx_slot_collection_attempts_session ON slot_collection_attempts(session_id);
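Review bot: the sample data inserts a `phone` slot whose `depends_on_slot` is `'contact_preference'`, but no INSERT defines that slot, and nothing in the schema can catch it because `depends_on_slot VARCHAR(100)` is a free-text name rather than a reference. Since `UNIQUE(flow_id, slot_name)` already exists, a composite foreign key `FOREIGN KEY (flow_id, depends_on_slot) REFERENCES slot_definitions(flow_id, slot_name)` makes the dependency enforceable with no change to the column types; `slot_collection_attempts.slot_name` has the same problem and could reference `slot_definitions(id)` instead. The `REFERENCES` clauses specify no `ON DELETE` action, so deleting a flow or session fails once it has children; pick `CASCADE` or `RESTRICT` explicitly. The `slot_type`, `validation_type`, `question_type` and `session_status` columns document their allowed values only in comments; a `CHECK (validation_type IN ('regex','range','length','choices','custom'))` per column keeps bad values out of the table that `SlotManager` later maps onto enums. Finally, `slot_collection_attempts.user_input` retains every raw user message (names, e-mail addresses, phone numbers) next to `extracted_value` and `collected_slots`, duplicating personal data without a stated retention rule; a purge job keyed on `created_at` or storing only the extracted value once validated would limit that.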

View file

@ -0,0 +1,356 @@
from typing import Dict, List, Optional, Any
from dataclasses import dataclass, field
from enum import Enum
import json
import re
from datetime import datetime
import uuid
class SlotType(Enum):
TEXT = "text"
NUMBER = "number"
EMAIL = "email"
PHONE = "phone"
DATE = "date"
BOOLEAN = "boolean"
CHOICE = "choice"
class ValidationType(Enum):
REGEX = "regex"
RANGE = "range"
LENGTH = "length"
CHOICES = "choices"
CUSTOM = "custom"
class QuestionType(Enum):
INITIAL = "initial"
CLARIFICATION = "clarification"
VALIDATION_ERROR = "validation_error"
CONFIRMATION = "confirmation"
@dataclass
class SlotValidation:
validation_type: ValidationType
validation_rule: Dict[str, Any]
error_message: str
@dataclass
class SlotQuestion:
question_type: QuestionType
question_text: str
follow_up_text: Optional[str] = None
context_conditions: Optional[Dict[str, Any]] = None
@dataclass
class SlotDefinition:
slot_name: str
slot_type: SlotType
is_required: bool = True
priority: int = 1
depends_on_slot: Optional[str] = None
dependency_value: Optional[List[str]] = None
validations: List[SlotValidation] = field(default_factory=list)
questions: List[SlotQuestion] = field(default_factory=list)
@dataclass
class ConversationSession:
session_id: str
user_id: str
flow_id: str
collected_slots: Dict[str, Any] = field(default_factory=dict)
current_slot: Optional[str] = None
context_data: Dict[str, Any] = field(default_factory=dict)
session_status: str = "active"
class SlotManager:
def __init__(self, db_connection):
self.db = db_connection
self.flows = {}
self.validators = {
ValidationType.REGEX: self._validate_regex,
ValidationType.LENGTH: self._validate_length,
ValidationType.RANGE: self._validate_range,
ValidationType.CHOICES: self._validate_choices,
}
def load_flow_configuration(self, flow_name: str) -> List[SlotDefinition]:
"""Load slot configuration from database"""
query = """
SELECT
sd.slot_name, sd.slot_type, sd.is_required, sd.priority,
sd.depends_on_slot, sd.dependency_value,
sv.validation_type, sv.validation_rule, sv.error_message,
sq.question_type, sq.question_text, sq.follow_up_text, sq.context_conditions
FROM conversation_flows cf
JOIN slot_definitions sd ON cf.id = sd.flow_id
LEFT JOIN slot_validations sv ON sd.id = sv.slot_id
LEFT JOIN slot_questions sq ON sd.id = sq.slot_id
WHERE cf.name = %s AND cf.is_active = true
ORDER BY sd.priority, sd.slot_name
"""
results = self.db.execute(query, (flow_name,)).fetchall()
# Group by slot_name
slots_data = {}
for row in results:
slot_name = row['slot_name']
if slot_name not in slots_data:
slots_data[slot_name] = {
'definition': {
'slot_name': row['slot_name'],
'slot_type': SlotType(row['slot_type']),
'is_required': row['is_required'],
'priority': row['priority'],
'depends_on_slot': row['depends_on_slot'],
'dependency_value': row['dependency_value'],
},
'validations': [],
'questions': []
}
# Add validation if present
if row['validation_type']:
validation = SlotValidation(
validation_type=ValidationType(row['validation_type']),
validation_rule=row['validation_rule'],
error_message=row['error_message']
)
slots_data[slot_name]['validations'].append(validation)
# Add question if present
if row['question_type']:
question = SlotQuestion(
question_type=QuestionType(row['question_type']),
question_text=row['question_text'],
follow_up_text=row['follow_up_text'],
context_conditions=row['context_conditions']
)
slots_data[slot_name]['questions'].append(question)
# Convert to SlotDefinition objects
slot_definitions = []
for slot_data in slots_data.values():
definition = SlotDefinition(
**slot_data['definition'],
validations=slot_data['validations'],
questions=slot_data['questions']
)
slot_definitions.append(definition)
return sorted(slot_definitions, key=lambda x: x.priority)
def get_next_slot_to_collect(self, session: ConversationSession,
slot_definitions: List[SlotDefinition]) -> Optional[SlotDefinition]:
"""Determine the next slot that needs to be collected"""
for slot_def in slot_definitions:
# Skip if already collected
if slot_def.slot_name in session.collected_slots:
continue
# Check if slot is required
if not slot_def.is_required:
continue
# Check dependencies
if slot_def.depends_on_slot:
if slot_def.depends_on_slot not in session.collected_slots:
continue # Dependency not met
collected_value = session.collected_slots[slot_def.depends_on_slot]
if slot_def.dependency_value and collected_value not in slot_def.dependency_value:
continue # Dependency condition not met
return slot_def
return None
def validate_slot_value(self, slot_def: SlotDefinition,
user_input: str) -> tuple[bool, Any, List[str]]:
"""Validate user input for a slot"""
errors = []
extracted_value = user_input.strip()
# Type-specific extraction
if slot_def.slot_type == SlotType.NUMBER:
try:
extracted_value = float(extracted_value)
except ValueError:
errors.append("Please enter a valid number")
return False, user_input, errors
elif slot_def.slot_type == SlotType.BOOLEAN:
lower_input = extracted_value.lower()
if lower_input in ['yes', 'y', 'true', '1']:
extracted_value = True
elif lower_input in ['no', 'n', 'false', '0']:
extracted_value = False
else:
errors.append("Please answer with yes or no")
return False, user_input, errors
# Run validations
for validation in slot_def.validations:
is_valid, error_msg = self._run_validation(validation, extracted_value)
if not is_valid:
errors.append(error_msg)
return len(errors) == 0, extracted_value, errors
def _run_validation(self, validation: SlotValidation, value: Any) -> tuple[bool, str]:
"""Run a specific validation rule"""
validator = self.validators.get(validation.validation_type)
if not validator:
return True, ""
try:
is_valid = validator(value, validation.validation_rule)
return is_valid, validation.error_message if not is_valid else ""
except Exception as e:
return False, f"Validation error: {str(e)}"
def _validate_regex(self, value: str, rule: Dict[str, Any]) -> bool:
pattern = rule.get('pattern', '')
return bool(re.match(pattern, str(value)))
def _validate_length(self, value: str, rule: Dict[str, Any]) -> bool:
length = len(str(value))
min_len = rule.get('min', 0)
max_len = rule.get('max', float('inf'))
return min_len <= length <= max_len
def _validate_range(self, value: float, rule: Dict[str, Any]) -> bool:
min_val = rule.get('min', float('-inf'))
max_val = rule.get('max', float('inf'))
return min_val <= value <= max_val
def _validate_choices(self, value: Any, rule: Dict[str, Any]) -> bool:
choices = rule.get('choices', [])
return value in choices
def get_question_for_slot(self, slot_def: SlotDefinition,
question_type: QuestionType = QuestionType.INITIAL,
context: Optional[Dict[str, Any]] = None) -> str:
"""Get appropriate question text for a slot"""
# Find matching question
for question in slot_def.questions:
if question.question_type == question_type:
# Check context conditions if present
if question.context_conditions and context:
if not self._check_context_conditions(question.context_conditions, context):
continue
question_text = question.question_text
if question.follow_up_text:
question_text += f" {question.follow_up_text}"
return question_text
# Fallback to generic question
return f"Could you please provide your {slot_def.slot_name.replace('_', ' ')}?"
def _check_context_conditions(self, conditions: Dict[str, Any],
context: Dict[str, Any]) -> bool:
"""Check if context conditions are met"""
for key, expected_value in conditions.items():
if key not in context:
return False
if context[key] != expected_value:
return False
return True
def save_conversation_session(self, session: ConversationSession):
"""Save session state to database"""
query = """
INSERT INTO conversation_sessions
(id, user_id, flow_id, session_status, current_slot, collected_slots, context_data)
VALUES (%s, %s, %s, %s, %s, %s, %s)
ON CONFLICT (id) DO UPDATE SET
session_status = EXCLUDED.session_status,
current_slot = EXCLUDED.current_slot,
collected_slots = EXCLUDED.collected_slots,
context_data = EXCLUDED.context_data,
last_interaction = CURRENT_TIMESTAMP
"""
self.db.execute(query, (
session.session_id,
session.user_id,
session.flow_id,
session.session_status,
session.current_slot,
json.dumps(session.collected_slots),
json.dumps(session.context_data)
))
def is_conversation_complete(self, session: ConversationSession,
slot_definitions: List[SlotDefinition]) -> bool:
"""Check if all required slots have been collected"""
for slot_def in slot_definitions:
if slot_def.is_required and slot_def.slot_name not in session.collected_slots:
# Check if this slot should be skipped due to dependencies
if slot_def.depends_on_slot:
if slot_def.depends_on_slot not in session.collected_slots:
continue
collected_value = session.collected_slots[slot_def.depends_on_slot]
if slot_def.dependency_value and collected_value not in slot_def.dependency_value:
continue
return False
return True
# Example usage
def example_conversation_flow():
# This would be your actual database connection
db_connection = None # Replace with real DB connection
slot_manager = SlotManager(db_connection)
# Load flow configuration
flow_name = "customer_onboarding"
slot_definitions = slot_manager.load_flow_configuration(flow_name)
# Create new session
session = ConversationSession(
session_id=str(uuid.uuid4()),
user_id="user123",
flow_id=flow_name
)
# Main conversation loop
while not slot_manager.is_conversation_complete(session, slot_definitions):
# Get next slot to collect
next_slot = slot_manager.get_next_slot_to_collect(session, slot_definitions)
if not next_slot:
break
# Get question for this slot
question = slot_manager.get_question_for_slot(next_slot)
print(f"Bot: {question}")
# Simulate user input
user_input = input("User: ")
# Validate input
is_valid, extracted_value, errors = slot_manager.validate_slot_value(next_slot, user_input)
if is_valid:
session.collected_slots[next_slot.slot_name] = extracted_value
print(f"Bot: Great! I've got your {next_slot.slot_name}.")
else:
error_question = slot_manager.get_question_for_slot(
next_slot, QuestionType.VALIDATION_ERROR
)
print(f"Bot: {error_question}")
print(f"Errors: {', '.join(errors)}")
# Save session
slot_manager.save_conversation_session(session)
print("Bot: Thanks! I have all the information I need.")
session.session_status = "completed"
slot_manager.save_conversation_session(session)
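Review bot: `_validate_regex` uses `re.match(pattern, str(value))`, which anchors only at the start of the input, so any `validation_rule` pattern stored without a trailing `$` accepts arbitrary trailing text; use `re.fullmatch`. Since the patterns are read from `slot_validations`, whoever can write that table controls the regex that runs against user input: compile the patterns once in `load_flow_configuration` (so a malformed pattern fails at load rather than mid-conversation) and run the LENGTH rule before the REGEX rule so oversized input is rejected before the regex engine sees it. Second, the catch-all in `_run_validation` returns `f"Validation error: {str(e)}"`, and the example loop prints that string to the user; a RANGE rule attached to a non-NUMBER slot raises a `TypeError` on `min_val <= value`, so the exception text leaks into the chat. Log the exception and return the configured `error_message` (or a generic one). Smaller points: `get_next_slot_to_collect` skips every slot with `is_required = False`, so optional slots are never asked; type-specific extraction covers only NUMBER and BOOLEAN, leaving EMAIL, PHONE, DATE and CHOICE as raw strings; the dependency check is duplicated verbatim in `is_conversation_complete` and belongs in one helper; and the example stores the flow name `"customer_onboarding"` in `session.flow_id` while `load_flow_configuration` joins `cf.id = sd.flow_id`, so the saved session's `flow_id` will not match the flow's primary key.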


@ -0,0 +1,11 @@
I foresee different user modes for AuditGlue:
- Guided implementation: the novice user is taken step by step through the process of setting up the ISMS, including the identification of risks and the definition of controls. There is a lot of content (text, animations, video's) explaining the process and ISO 27001.
- Operational: aimed at users with ISO 27001 domain knowledge and experience. Offers traditional GRC software forms and dashboards
- Audits: offers an interface to facilitate internal and external audits. Based on a matrix with the ISO 27001 clauses and controls, against columns for identified risks, defined controls, stated policies, implementation (planned or achieved), measurements, monitoring activities, and evaluation outcomes. Each cell contains (links to) proofs.
I foresee different user modes for AuditGlue:
- Guided implementation: the novice user is taken step by step through the process of setting up the ISMS, including the identification of risks and the definition of controls. There is a lot of content (text, animations, video's) explaining the process and ISO 27001.
- Operational: aimed at users with ISO 27001 domain knowledge and experience. Offers traditional GRC software forms and dashboards
- Audits: offers an interface to facilitate internal and external audits. Based on a matrix with the ISO 27001 clauses and controls, against columns for identified risks, defined controls, stated policies, implementation (planned or achieved), measurements, monitoring activities, and evaluation outcomes. Each cell contains (links to) proofs.
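Review bot: the file body is duplicated: the introductory line and the three bullets appear twice verbatim (the second copy begins at the repeated "I foresee different user modes for AuditGlue:"). Keep one copy. Minor wording: "video's" should be "videos", and the Operational bullet is missing its closing full stop.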


@ -429,7 +429,7 @@
"width":340,
"height":80
},
{"id":"6c394a4088d586b3","type":"file","file":"iso27diy-corp/Corpus/Attachments/Canvas Cyclus.png","x":382,"y":620,"width":278,"height":200},
{"id":"6c394a4088d586b3","type":"file","file":"iso27diy-corp/Canvas Method/Canvas Cyclus.png","x":382,"y":620,"width":278,"height":200},
{
"id":"1e6b25bf6dcb833e",
"type":"text",
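Review bot: the `file` path of node `6c394a4088d586b3` now points at `iso27diy-corp/Canvas Method/Canvas Cyclus.png`; confirm the image was moved to that folder in the same commit, otherwise this node and the two in the next hunk that get the same rewrite render as missing attachments. Three nodes referencing one image is fine in a canvas, but if the path changes again it is three edits, so consider whether the method canvas should embed the image once.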
@ -470,8 +470,8 @@
"width":1068,
"height":60
},
{"id":"ddfc9917c2c7fc66","type":"file","file":"iso27diy-corp/Corpus/Attachments/Canvas Cyclus.png","x":-408,"y":620,"width":278,"height":200},
{"id":"27d02011ccccb4c0","type":"file","file":"iso27diy-corp/Corpus/Attachments/Canvas Cyclus.png","x":-19,"y":620,"width":278,"height":200}
{"id":"ddfc9917c2c7fc66","type":"file","file":"iso27diy-corp/Canvas Method/Canvas Cyclus.png","x":-408,"y":620,"width":278,"height":200},
{"id":"27d02011ccccb4c0","type":"file","file":"iso27diy-corp/Canvas Method/Canvas Cyclus.png","x":-19,"y":620,"width":278,"height":200}
],
"edges":[],
"metadata":{

AuditGlue/iso27DIY-MoC.md Normal file

@ -0,0 +1,59 @@
---
tags:
- project/iso27DIY
- type/MoC
---
## Marketing source material
[ISO27DIY Solution and Components](../marketing/branding/ISO27DIY%20Solution%20and%20Components.md)
[Value Proposition Canvas for iso27DIY](../marketing/branding/Value%20Proposition%20Canvas%20for%20iso27DIY.md)
[Brand Values](../marketing/branding/Brand%20Values.md)
[FUD with Certification](../marketing/branding/FUD%20with%20Certification.md)
[PRD Product Requirements Document for iso27DYI](PRD%20Product%20Requirements%20Document%20for%20iso27DYI.md)
[iso27DIY Functional Diagram](System%20alternative/iso27DIY%20Functional%20Diagram.canvas)
[iso27DIY content modules](iso27DIY%20content%20modules.canvas)
## Marketing
[Pricing](../Corpus/Various/The%20Psychology%20Behind%20SaaS%20Pricing.md)
[[Pricing Tiers for iso27DIY|Tiers]]
[[SEO guide for Carrd|Website SEO]]
[Idea Validation](Idea%20Validation.md)
## Method
[Samenhang tussen ISMS producten](../Corpus/ISMS/Samenhang%20tussen%20ISMS%20producten.md)
[ISO 27001 2023 Processen en Artefacten](../Corpus/Standards/ISO27x/OST/ISO%2027001%202023%20Processen%20en%20Artefacten.md)
[Advised Documents for ISO 27001](../iso27DIY-gis/reference/Advised%20Documents%20for%20ISO%2027001.md)
[Examples of Proof for auditors](../Sparks/Examples%20of%20Proof%20for%20auditors.md)
[About ISO27DIY Policy Cards](../💡Permanent%20ideas/About%20ISO27DIY%20Policy%20Cards.md)
## Design
[Modules Canvas](iso27DIY%20content%20modules.canvas)
[About the flow](../Sparks/About%20iso27diy/About%20the%20flow.md)
[UI ideas](System%20alternative/iso27DIY%20UI%20ideas.md)
### Agents
[Create a proactive conversational agent](../Corpus/Various/Create%20a%20proactive%20conversational%20agent.md)
[Create an interview agent](../Corpus/Various/Create%20an%20interview%20agent.md)
[Agent Design Intent Card](System%20alternative/Agent%20Design%20Intent%20Card.md)
[Create a threat analysis chatbot](../Corpus/Various/Create%20a%20threat%20analysis%20chatbot.md)
[Instruct an LLM on available tools](../Corpus/Various/Instruct%20an%20LLM%20on%20available%20tools.md)
[LLM Prompt types](../Corpus/Various/LLM%20Prompt%20types.md)
## Content
[ISO27DIY Videos list](../🧱%20Projects/iso27DIY%20mk%20I/ISO27DIY%20Videos%20list.md)
## Platform
[Design Document for ISO 27001 Certification Support Online Service](../Corpus/Various/Design%20Document%20for%20ISO%2027001%20Certification%20Support%20Online%20Service.md)
[Personae and Roles](Personae%20and%20Roles.md)
[TypeDB structure for ISO27DIY](System%20alternative/TypeDB%20structure%20for%20ISO27DIY.md)
[Client segregation in SaaS](../Corpus/Information%20Security/Client%20segregation%20in%20SaaS.md)
[Building functionality in Supabase](../Corpus/Various/Building%20functionality%20in%20Supabase.md)
[SupaBase edge functions portability](System%20alternative/SupaBase%20edge%20functions%20portability.md)
[Connect LLM to Supabase to create content](../Corpus/Various/Connect%20LLM%20to%20Supabase%20to%20create%20content.md)
[Application architecture](../Corpus/Various/Application%20architecture.md)
[iso27DYI architecture with LLM](System%20alternative/iso27DYI%20architecture%20with%20LLM.md)
[iso27DIY stack deployment](System%20alternative/iso27DIY%20stack%20deployment.md)
[SurveyJS](../Corpus/Standards/SurveyJS.md)
[WeWeb Security Pre-Launch Checklist](../Corpus/ISMS/Policy%20examples/WeWeb%20Security%20Pre-Launch%20Checklist.md)
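Review bot: link styles are mixed within this map of content: most entries are markdown links with `%20`-escaped relative paths, while the `Pricing Tiers for iso27DIY|Tiers` and `SEO guide for Carrd|Website SEO` entries use `[[wikilinks]]`; pick one form so link resolution behaves the same on every line. The product name also appears both as `iso27DIY` and `iso27DYI` (the PRD entry and `iso27DYI architecture with LLM`); if those are the actual file names, renaming them now avoids cementing the typo in every MoC that links to them. Given the commit moves material out of `Corpus`, double-check the remaining `../Corpus/...` targets still resolve.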