Vault restructure

This commit is contained in:
Richard Kranendonk 2026-04-23 11:51:51 +02:00
parent d45797d121
commit ff77508bd1
1433 changed files with 415450 additions and 1201 deletions

View file

@ -22,7 +22,7 @@
- m400s040: [[iso27diy-m300s510|m300s510]]: **SWOT analysis** ([C4.1](../Corpus/Standards/MoCs/ISO_27001_2022_4.1_MoC%20Understanding%20the%20organization%20and%20its%20context.md))
- m400s050: Stakeholder Analysis ([C4.2](../Corpus/Standards/MoCs/ISO_27001_2022_4.2_MoC%20Understanding%20the%20needs%20and%20expectations%20of%20interested%20parties.md))
- **m410:Organizational Structures**
- [Introduction for Organizational Structures](../../🎇%20Sparks/Introduction%20for%20Organizational%20Structures.md)
- [Introduction for Organizational Structures](../Corpus/🎇%20Sparks/Introduction%20for%20Organizational%20Structures.md)
- Organizational processes ([C4.1](../Corpus/Standards/MoCs/ISO_27001_2022_4.1_MoC%20Understanding%20the%20organization%20and%20its%20context.md))
- Organization Chart ([C4.1](../Corpus/Standards/MoCs/ISO_27001_2022_4.1_MoC%20Understanding%20the%20organization%20and%20its%20context.md))
- Job architecture ([C4.1](../Corpus/Standards/MoCs/ISO_27001_2022_4.1_MoC%20Understanding%20the%20organization%20and%20its%20context.md))
@ -47,7 +47,7 @@
- Resources ([C7.1](../Corpus/Standards/MoCs/ISO_27001_2022_7.1_MoC%20Resources.md))
- Competencies ([C7.2](../Corpus/Standards/MoCs/ISO_27001_2022_7.2_MoC%20Competence.md))
- Documentation ([A5.33](../Corpus/Standards/MoCs/ISO_27002_2022_5.33_MoC%20Protection%20of%20records.md), [C7.5.2](../Corpus/Standards/MoCs/ISO_27001_2022_7.5.2_MoC%20Creating%20and%20updating.md))
- Policies ([A5.1](../../🧱%20Projects/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md))
- Policies ([A5.1](../Corpus/Standards/ISO27x/archive/iso27DIY%20mk%20I/ISO_27002_2022_5.1_MoC%20Policies%20for%20information%20security.md))
- Review calendar ([A5.35](../Corpus/Standards/MoCs/ISO_27002_2022_5.35_MoC%20Independent%20review%20of%20information%20security.md), [C7.5.2](../Corpus/Standards/MoCs/ISO_27001_2022_7.5.2_MoC%20Creating%20and%20updating.md))
- Communication and Awareness ([C7.3](../Corpus/Standards/MoCs/ISO_27001_2022_7.3_MoC%20Awareness.md), [C7.4](../Corpus/Standards/MoCs/ISO_27001_2022_7.4_MoC%20Communication.md))
- **m700: Securing the Business**
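Review bot: the Policies entry now links into `../Corpus/Standards/ISO27x/archive/iso27DIY mk I/...`, while every sibling entry in this block (Resources, Competencies, Documentation, Review calendar, Communication and Awareness) resolves to `../Corpus/Standards/MoCs/`. If the A5.1 MoC exists under MoCs, point there; otherwise this one item will reference an archived copy that can fall out of step with the others.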

View file

@ -0,0 +1,36 @@
# Metadata in YAML
## For session files
| Required | Key | Value | Example | Explanation |
| ------------ | -------------- | --------------- | ---------------------------- | ------------------------------------------------------------------------------------------------------ |
| * | id | string | m123s456 | 123 denotes Module, 456 denotes Session |
| * | module | string | 123 | Module id |
| * | session | string | 456 | Session id |
| * | title | string | Establishing Objectives | Module title as displayed on screen |
| | implements | list of strings | ISO27001:2022:C.6.2 | Reference to norm articles; C is Clause and A is Annex (i.e. control) |
| | feeds_into | list of strings | m200s030 | Outcomes of the current session are inputs for the denoted session - not processed, for oversight only |
| | depends_on | list of strings | m100s010 | Module+Session id from which the outcomes are input for the current session |
| * | related_form | *tbd* | *tbd* | Denotes Formdown file for session |
| | related_assets | list of strings | m123s456-objectives-examples | Denotes related asset-files |
- Key-value pairs may be included in any order, as long as the required keys are there
- Additional key-value pairs can be added as you see fit AuditGlue will ignore them
- Filenames for content and assets can be chosen freely: AuditGlue uses the metatada to weave it's magic
### Source example (for copy-paste)
---
id: m300s100
module: 300
session: 100
title: Establishing Objectives
implements:
- ISO27001:2022:C.6.2
feeds_into:
depends_on:
related_form:
related_assets:
- m300s100-objectives-examples
---
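Review bot: the source example leaves `related_form` empty although the table marks it required, and `feeds_into`, `depends_on` and `related_form` with no value parse as YAML null rather than the "list of strings" the table specifies; either give them `[]` (or a real value) in the example, or state in the bullets that an empty list must be written as `[]`. The bullet lines also need fixing: "metatada" -> "metadata", "it's magic" -> "its magic", and "as you see fit AuditGlue will ignore them" needs a colon or semicolon before "AuditGlue".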

View file

@ -0,0 +1,87 @@
# Policy Card Example for Access to Software Applications
- PolicyTitle: "Application access policy "
- RelevantStandardArticles: <tags> ISO27001:2022:A.5.15, ISO27001:2022:A.5.18
- VersionControl
- VersionNumber: 3.14
- VersionDate: 15-12-2024
- DocumentOwner: "Alex Hanover"
- ApprovedBy: "Marian Faithful" <signature>
- ApprovedDate: 08-01-2025
- NextReview: 15-12-2025
- Purpose
- Goal (in terms of risk mitigation): "To protect classified data from unauthorized access"
- Scope : "All applications in use within the organization" // E.g. organization as a whole vs. topic-specific: certain business activities, organizational units, or the implementation of specific controls. Also define Exemptions and Exceptions.
- RisksMitigated: "Unauthorized access to classified data" // outcome from the Risk Analysis activity
- ControlsImplemented: <tags> ISO27001:2022:5.15, ISO27001:2022:5.18
- Method
- Implementation ('How it's done'): "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S."
- Metrics: "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework " (to establish effectiveness)
- Measurement: "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT" // How, When, and By Whom
- Evaluation: "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT" // How, When, and By Whom
- Reviews and Changes
- Review: "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer"
- Changes: "Changes to this policy will be prepared by the policy o"
- Responsibilities (for implementation and review)
- PolicyWriting: "IT consultant"
- PolicyApproval: "CISO"
- Implementation: "IT Administration dept."
- Documentation
- PolicyDocuments: <pointers>
- ProcedureDescriptions: <pointers>
- MeasurementReports: <pointers>
- EvaluationReports: <pointers>
## In JSON format
```
JSON
{
"PolicyTitle": "Application access policy",
"RelevantStandardArticles": [
"ISO27001:2022:5.15",
"ISO27001:2022:5.18"
],
"VersionControl": {
"VersionNumber": "3.14",
"VersionDate": "2024-12-15",
"DocumentOwner": "Alex Hanover",
"ApprovedBy": "Marian Faithful",
"ApprovedDate": "2025-01-08",
"NextReview": "2025-12-15"
},
"Purpose": {
"Goal": "To protect classified data from unauthorized access",
"Scope": "All applications in use within the organization",
"RisksMitigated": "Unauthorized access to classified data",
"ControlsImplemented": [
"ISO27001:2022:5.15",
"ISO27001:2022:5.18"
]
},
"Method": {
"Implementation": "To mitigate the risk of X, controls A, B and C will be implemented on asset Y by Responsible Z. The effectiveness will be measured through P and will be evaluated by Q according to method R, following planning S.",
"Metrics": "Number of users with unjustly granted access to each application, compared to the necessary access following from the Job Framework",
"Measurement": "The number of users with unjust access will be determined each quarter by HR, based on the current access matrix delivered by IT",
"Evaluation": "The effectiveness of the control will be evaluated quarterly by the Compliance Officer in a meeting with HR and IT"
},
"ReviewsAndChanges": {
"Review": "This policy will be reviewed yearly or if relevant and significant changes occur in the organization, in a meeting with the CISO, COO and Compliance Officer",
"Changes": "Changes to this policy will be prepared by the policy o",
"Responsibilities": {
"PolicyWriting": "IT consultant",
"PolicyApproval": "CISO",
"Implementation": "IT Administration dept."
}
},
"Documentation": {
"PolicyDocuments": [],
"ProcedureDescriptions": [],
"MeasurementReports": [],
"EvaluationReports": []
}
}
```
```JSON
```
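Review bot: the `Changes` value is truncated in both the bullet list and the JSON ("prepared by the policy o"); the YAML card in this same commit carries the full sentence, so copy that in. The code fence is also broken: the opening fence is bare and the `JSON` tag sits on the next line inside the block, so it renders as plain text with a stray "JSON" line, and the empty `JSON` block that follows should be dropped. Minor consistency points: the bullets use `A.5.15`/`A.5.18` and dd-mm-yyyy dates where the JSON uses `5.15`/`5.18` and ISO dates, and the title string has a trailing space.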

View file

@ -0,0 +1,42 @@
PolicyTitle: Application access policy
RelevantStandardArticles:
- ISO27001:2022:5.15
- ISO27001:2022:5.18
VersionControl:
VersionNumber: '3.14'
VersionDate: '2024-12-15'
DocumentOwner: Alex Hanover
ApprovedBy: Marian Faithful
ApprovedDate: '2025-01-08'
NextReview: '2025-12-15'
Purpose:
Goal: To protect classified data from unauthorized access
Scope: All applications in use within the organization
RisksMitigated: Unauthorized access to classified data
ControlsImplemented:
- ISO27001:2022:5.15
- ISO27001:2022:5.18
Method:
Implementation: To mitigate the risk of X, controls A, B and C will be implemented
on asset Y by Responsible Z. The effectiveness will be measured through P and
will be evaluated by Q according to method R, following planning S.
Metrics: Number of users with unjustly granted access to each application, compared
to the necessary access following from the Job Framework
Measurement: The number of users with unjust access will be determined each quarter
by HR, based on the current access matrix delivered by IT
Evaluation: The effectiveness of the control will be evaluated quarterly by the
Compliance Officer in a meeting with HR and IT
ReviewsAndChanges:
Review: This policy will be reviewed yearly or if relevant and significant changes
occur in the organization, in a meeting with the CISO, COO and Compliance Officer
Changes: Changes to this policy will be prepared by the policy owner and proposed to the CISO.
Responsibilities:
PolicyWriting: IT consultant
PolicyApproval: CISO
Implementation: IT Administration dept.
Documentation:
PolicyDocuments: []
ProcedureDescriptions: []
ProofExecution: []
MeasurementReports: []
EvaluationReports: []
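Review bot: `Documentation.ProofExecution` appears here but is absent from the JSON and bullet versions of the same card; add it to the others (or drop it here) so the three representations define the same schema. Quoting `VersionNumber` and the dates as strings is the right call, since an unquoted `3.14` would load as a float and unquoted dates as date objects.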

View file

@ -22,7 +22,7 @@ Examples:
4. develop interventions based on these differences
**Threat analysis**
- do a threat analysis, see [Create a threat analysis chatbot](../../Drafts%20and%20Ideas/Controls/Create%20a%20threat%20analysis%20chatbot.md)
- do a threat analysis, see [Create a threat analysis chatbot](../../Corpus/💡Drafts%20and%20Ideas/Controls/Create%20a%20threat%20analysis%20chatbot.md)
**Policy drafting**

View file

@ -0,0 +1,12 @@
# Plain English Template
- Control ID - Title
- Properties
- In one sentence
- Implementation Guidance
- Required
- Recommended
- Relations to other clauses/controls/standards
- Real life examples
- Remarks

View file

@ -429,7 +429,7 @@
"width":340,
"height":80
},
{"id":"6c394a4088d586b3","type":"file","file":"📎 Attachments/Canvas Cyclus.png","x":382,"y":620,"width":278,"height":200},
{"id":"6c394a4088d586b3","type":"file","file":"iso27diy-corp/Corpus/📎 Attachments/Canvas Cyclus.png","x":382,"y":620,"width":278,"height":200},
{
"id":"1e6b25bf6dcb833e",
"type":"text",
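Review bot: the image path now carries the `iso27diy-corp/Corpus/` prefix, whereas before the restructure it was `📎 Attachments/...` relative to the vault; if `iso27diy-corp` is the vault root itself, that prefix should not be part of the path, so confirm the canvas still resolves the image after the move (the same applies to the two entries in the next hunk).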
@ -470,8 +470,8 @@
"width":1068,
"height":60
},
{"id":"ddfc9917c2c7fc66","type":"file","file":"📎 Attachments/Canvas Cyclus.png","x":-408,"y":620,"width":278,"height":200},
{"id":"27d02011ccccb4c0","type":"file","file":"📎 Attachments/Canvas Cyclus.png","x":-19,"y":620,"width":278,"height":200}
{"id":"ddfc9917c2c7fc66","type":"file","file":"iso27diy-corp/Corpus/📎 Attachments/Canvas Cyclus.png","x":-408,"y":620,"width":278,"height":200},
{"id":"27d02011ccccb4c0","type":"file","file":"iso27diy-corp/Corpus/📎 Attachments/Canvas Cyclus.png","x":-19,"y":620,"width":278,"height":200}
],
"edges":[],
"metadata":{