Compare commits

2 commits

Author SHA1 Message Date
fee4f319f3 Minor changes 2026-06-07 22:35:19 +02:00
7611173f0f PECB transcript cleanup 2026-06-07 22:35:03 +02:00
16 changed files with 334 additions and 25 deletions

@ -1,6 +1,7 @@
# Clause 9: Performance evaluation # Clause 9: Performance evaluation
Clause 9 handles Performance evaluation. It consists of 3 parts: Clause 9 handles Performance evaluation. It consists of 3 parts:
- [Monitoring, measurement, analysis and evaluation](../../../MoCs/ISO_27001_2022_9.1_MoC%20Monitoring,%20measurement,%20analysis%20and%20evaluation.md) - [Monitoring, measurement, analysis and evaluation](../../../MoCs/ISO_27001_2022_9.1_MoC%20Monitoring,%20measurement,%20analysis%20and%20evaluation.md)
- [Internal audit](../../../MoCs/ISO_27001_2022_9.2_MoC%20Internal%20audit.md) - [Internal audit](../../../MoCs/ISO_27001_2022_9.2_MoC%20Internal%20audit.md)
- [Management review](../../../MoCs/ISO_27001_2022_9.3_MoC%20Management%20review.md) - [Management review](../../../MoCs/ISO_27001_2022_9.3_MoC%20Management%20review.md)

@ -0,0 +1,39 @@
# Prindos case
## Description
Prindos is a software development company, headquartered in Milan, Italy, that specializes in creating custom solutions for financial institutions. The software applications and tools that the company develops help companies in the financial sector to tackle challenges and achieve their objectives, including processing sensitive data, which necessitates a strong commitment to information security.
The company's reputation for robust security was recently challenged when one of its major clients experienced operational disruptions due to a software vulnerability of the application provided by Prindos. The software had availability problems as it was not adequately tested for high user loads, leading to server downtime and slow response times during peak hours. Customers were unable to access their accounts or perform critical transactions, causing significant inconvenience and frustration.
To address this, Prindos initiated an update project. This project aimed to transition to a platform that uses auto-scaling features in cloud to automatically adjust resources as needed. This would ensure that sufficient resources are available and can be dynamically allocated based on demand.
However, the project encountered critical issues related to internal governance, including a lapse in the segregation of duties. This issue became particularly evident when Julia, the software development team leader, went on maternity leave, and her responsibilities were transferred to the software developing team members. Due to staffing constraints, some members of the software development team were also tasked with software quality testing responsibilities. This dual role created a conflict of interest, as developers were essentially reviewing and approving their own code.
Recognizing the importance of the situation and the need to uphold trust with its clientele, Prindos decided on a series of strategic initiatives. The main initiative of the company was the implementation of an information security management system (ISMS) based on ISO/IEC 27001. This decision aimed to enhance its security posture to a globally recognized benchmark.
While reviewing and selecting security controls, Prindos decided to review ISO/IEC 27001s 93 security controls and implement all those that are applicable. Before selecting the necessary controls for implementation to ensure information security, Prindos chose to initiate a risk assessment to identify security gaps. Recognizing the paramount importance of proactively scrutinizing potential vulnerabilities in the software development and deployment processes, the company opted for a self-directed methodology. This approach focuses on evaluating organizational, strategic issues, and security practices, ultimately leading Prindos to select the OCTAVE method.
Prindos committed to refining its maintenance and support protocols to swiftly address and investigate any security breaches or incidents. To prevent a recurrence of the same problem, it also introduced clearer segregation of roles within the software development team, ensuring that responsibilities are distributed appropriately and that each team member's role is well-defined and aligned with their expertise.
Based on the scenario above, answer the following question.
1. Which of the following options presents a vulnerability in Prindos system?
1. Server downtime and slow response times
2. Insufficient software testing for high user loads
3. Cloud auto-scaling features to dynamically allocate resources
2. The update of the software failed due to the lack of staff. What is Prindos facing in this case?
1. A personnel vulnerability
2. A human actions threat
3. An organizational threat
3. As part of the ISMS implementation, Prindos defined clear roles and responsibilities for the software development team. What is the function of this control?
1. Preventive
2. Detective
3. Corrective
4. What type of security controls did Prindos implement to address segregation of duties issues?
1. Managerial control
2. Administrative control
3. Legal control
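Review bot: the answer options under questions 1 to 4 in the new Prindos case are numbered `1.`/`2.`/`3.` at the same indentation as the questions themselves, so Markdown renders the whole block as one continuous ordered list and renumbers the options; indent the option lines under their question or letter them (`a.`, `b.`, `c.`). Two possessives are also missing: "ISO/IEC 27001s 93 security controls" should read "ISO/IEC 27001's 93 security controls", and "a vulnerability in Prindos system" should read "Prindos' system"; likewise "the software developing team members" should be "the software development team members". The file poses four questions but carries no answer key or pointer to one, so the case cannot be used for self-checking as it stands.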


@ -28,7 +28,9 @@ So we have some controls that you might call **technical controls**. So technica
**Categorizing controls by what they do** **Categorizing controls by what they do**
But I think most people would accept, even with really good technical controls, that a lot of them are dependent on good processes that are followed by an organization. And this is where we talk about **administrative controls**. So administrative controls are where organizations bring in certain *processes to manage risk*. So you could have things around people like segregation of duties, job rotations, proper approval processes, your change management processes. These would all be example of administrative controls. But also having adequate procedures in place to manage technical controls. So for example, let's say we introduced a a security incident and event monitoring tool, which is a technical control, we'd probably have a bunch of administrative controls to go with it, such as stating how often the reviews of those logs have having a process that would be followed if we detected something suspicious. Those would be administrative processes. So often these will go hand in hand. And when we think about setting up an ISMS, we also have managerial controls. So **managerial controls are focused on people, and management of people** within the organization. So having things like management reviews, training and awareness programs, having proper internal audits to check that policy, etc. has been followed properly, disciplinary processes, etc. These would all fit under the the banner of managerial controls. But I think most people would accept, even with really good technical controls, that a lot of them are dependent on good processes that are followed by an organization. And this is where we talk about **administrative controls**. So administrative controls are where organizations bring in certain *processes to manage risk*. So you could have things around people like segregation of duties, job rotations, proper approval processes, your change management processes. These would all be example of administrative controls. 
But also having adequate procedures in place to manage technical controls. So for example, let's say we introduced a a security incident and event monitoring tool, which is a technical control, we'd probably have a bunch of administrative controls to go with it, such as stating how often the reviews of those logs have having a process that would be followed if we detected something suspicious. Those would be administrative processes. So often these will go hand in hand.
And when we think about setting up an ISMS, we also have managerial controls. So **managerial controls** are focused on people, and management of people within the organization. Things like management reviews, training and awareness programs, having proper internal audits to check that policy, etc. has been followed properly, disciplinary processes, etc. These would all fit under the the banner of managerial controls.
And then we also have **legal controls** and there's two points of view on that. Legal controls are controls we would implement in order to fulfill our obligations under laws and regulations. And also where we use legal instruments to protect our information and information systems. So for example, if we asked people to sign a non-disclosure agreement, providing it's legally sound, that would be a legal control. Or let's imagine you have a supplier and you expect that supplier to meet certain security requirements and that's specified in contract, then that contract is essentially a legal instrument, it's a legal control that's helping to protect us. And then we also have **legal controls** and there's two points of view on that. Legal controls are controls we would implement in order to fulfill our obligations under laws and regulations. And also where we use legal instruments to protect our information and information systems. So for example, if we asked people to sign a non-disclosure agreement, providing it's legally sound, that would be a legal control. Or let's imagine you have a supplier and you expect that supplier to meet certain security requirements and that's specified in contract, then that contract is essentially a legal instrument, it's a legal control that's helping to protect us.
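Review bot: the split into three paragraphs leaves several transcript artifacts that a "transcript cleanup" commit should catch in the same pass: the doubled words in "introduced a a security incident" and "under the the banner of managerial controls", "These would all be example of administrative controls" (should be "examples"), and the garbled clause "stating how often the reviews of those logs have having a process that would be followed", which reads as two sentences run together (something like "stating how often those logs are reviewed, and having a process that would be followed if we detected something suspicious"). Narrowing the bold from the whole "managerial controls are focused on people..." phrase to the term itself is consistent with how "administrative controls" and "legal controls" are marked in this file, so that part is fine.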

@ -26,6 +26,7 @@ And we know that in Annex A, there are a list of 93 security controls that we ca
Also what's important is point f, obtaining the risk owners approval for the risk treatment plan and the acceptance of residual risk. That's the risk that's going to be left after the treatment has took place. This is vitally important. This is one that sometimes I have identified as being a problem as an auditor, where I've seen very good risk processes, but then a disconnect between the process and the risk owner. So I'm always looking to see that the risk owner was involved and ultimately made that final decision. Also what's important is point f, obtaining the risk owners approval for the risk treatment plan and the acceptance of residual risk. That's the risk that's going to be left after the treatment has took place. This is vitally important. This is one that sometimes I have identified as being a problem as an auditor, where I've seen very good risk processes, but then a disconnect between the process and the risk owner. So I'm always looking to see that the risk owner was involved and ultimately made that final decision.
But before we look at the statement of applicability, and a risk treatment plan, we need to talk generally about the different risk treatment options that exist. So let's imagine an information security risk has been identified and we want to do something about it. I'll go through a few different options. But before we look at the statement of applicability, and a risk treatment plan, we need to talk generally about the different risk treatment options that exist. So let's imagine an information security risk has been identified and we want to do something about it. I'll go through a few different options.
![](CleanShot%202026-06-06%20at%2015.33.55.png) ![](CleanShot%202026-06-06%20at%2015.33.55.png)
**Risk modification** means changing the circumstances around a risk. So that might be about implementing controls to reduce vulnerability. So let's say for example I have a network architecture and we identify the way in which the network segregated leaves its vulnerable to the attack. So we propose more granular segregation and introducing some kind of firewalling technology. We'd be doing a risk modification to **reduce the vulnerability and the likelihood**. **Risk modification** means changing the circumstances around a risk. So that might be about implementing controls to reduce vulnerability. So let's say for example I have a network architecture and we identify the way in which the network segregated leaves its vulnerable to the attack. So we propose more granular segregation and introducing some kind of firewalling technology. We'd be doing a risk modification to **reduce the vulnerability and the likelihood**.
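Review bot: the rendered text on both sides of this hunk is identical, so the one line added in `-26,6 +26,7` is not visible here; while the file is open, the passage still has transcript errors worth fixing: "the risk owners approval" (risk owner's), "after the treatment has took place" (has taken place), and "the way in which the network segregated leaves its vulnerable to the attack" (is segregated leaves it vulnerable to attack). The image reference `CleanShot 2026-06-06 at 15.33.55.png` is a screenshot tool's default filename with empty alt text; a descriptive name and alt text would make the risk-treatment-options figure findable later.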
@ -55,7 +56,7 @@ Now as an auditor, I still look at ISO 27002, to make sure I'm familiar with the
![](CleanShot%202026-06-06%20at%2015.55.57.png) ![](CleanShot%202026-06-06%20at%2015.55.57.png)
Now, there's a diagram we've included here, this sort of thing that looks a bit like a wheel, if you like. And this is for people who may be familiar or may have worked with the 2013 version of the standard. and want to see the comparison between the Annex there and Annex A in the newer standard, the newest version being the 20th So in the 2013 version of the standard, and some organizations are still aligned to that because they've got till the uh I think the end of uh October in 2024 to try transition so maybe some of us still sort of uh using that. That had in the annex 114 security controls grouped into areas which were called control objectives A5 through A18, covering many topics. And what we've seen in the new version is an effort to simplify that, to put 93 controls into four distinct areas. And people certainly have their opinions on what they prefer, but that's where we are today. And of course, the logical question I get asked is, hang on, we've gone from 114 controls to 93, so surely the newer version of the standard isn't quite as strong. Now, there's a diagram we've included here, this sort of thing that looks a bit like a wheel, if you like. And this is for people who may be familiar or may have worked with the 2013 version of the standard. and want to see the comparison between the Annex there and Annex A in the newer standard, the newest version being the 20th. So in the 2013 version of the standard, and some organizations are still aligned to that because they've got till the uh I think the end of uh October in 2024 to try transition so maybe some of us still sort of uh using that. That had in the annex 114 security controls grouped into areas which were called control objectives A5 through A18, covering many topics. And what we've seen in the new version is an effort to simplify that, to put 93 controls into four distinct areas. And people certainly have their opinions on what they prefer, but that's where we are today. 
And of course, the logical question I get asked is, hang on, we've gone from 114 controls to 93, so surely the newer version of the standard isn't quite as strong.
That's not actually true at all because none of the controls from 2013 have been deleted as such. What's happened is in the newer version in 2022 quite a few of those controls have been merged. So in other words, where you had separate controls, describing something that have been brought together. And actually there's new controls in Annex A of the 2022 version. Things like threat intelligence, data loss prevention, data masking and information deletion, configuration management, web filtering, those are a few that I can name, that have been added. So believe it or not, actually you've now got more controls in the annex than you did in the previous version. There are plenty of documents out there that do show a mapping as well available online that if you want to see the mapping between the two annexes That's not actually true at all because none of the controls from 2013 have been deleted as such. What's happened is in the newer version in 2022 quite a few of those controls have been merged. So in other words, where you had separate controls, describing something that have been brought together. And actually there's new controls in Annex A of the 2022 version. Things like threat intelligence, data loss prevention, data masking and information deletion, configuration management, web filtering, those are a few that I can name, that have been added. So believe it or not, actually you've now got more controls in the annex than you did in the previous version. There are plenty of documents out there that do show a mapping as well available online that if you want to see the mapping between the two annexes
So, with all of this in mind, the organization implementing the ISMS needs to to create a document called a **statement of applicability**. This SoA, statement of applicability, is a document that lists all 93 controls, and the organization will state whether they apply or not. If they do, why? And if they don't, why not? So, with all of this in mind, the organization implementing the ISMS needs to to create a document called a **statement of applicability**. This SoA, statement of applicability, is a document that lists all 93 controls, and the organization will state whether they apply or not. If they do, why? And if they don't, why not?
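Review bot: "the newest version being the 20th." still ends mid-word after the added full stop; the same paragraph later says "the newer version in 2022", so the year should be completed rather than punctuated as-is. Other filler survives the cleanup: "they've got till the uh I think the end of uh October in 2024 to try transition so maybe some of us still sort of uh using that", "needs to to create", and the closing sentence "There are plenty of documents out there that do show a mapping as well available online that if you want to see the mapping between the two annexes" has no main clause and no terminal punctuation. Moving "And of course, the logical question I get asked..." into its own paragraph does improve readability.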

@ -1,17 +1,28 @@
# VPS Infrastructure stack # VPS Infrastructure stack
per 11 April 2026 per 11 April 2026
| Component | Details | Platform | | Component | Details | Platform |
|-----------|---------|----------| | ----------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------ |
| Website hosting | iso27diy.com — statische site | Netlify | | Website hosting | iso27diy.com — statische site | Netlify |
| DNS | iso27diy.com + analytics.iso27diy.com | Netlify DNS | | DNS | iso27diy.com + analytics.iso27diy.com | Netlify DNS |
| Domeinregistrar | iso27diy.com gekocht hier | Hover | | Domeinregistrar | iso27diy.com gekocht hier | Hover |
| VPS | Ubuntu 24.04 · 8 GB RAM · 2 vCPU · 100 GB SSD | Hostinger | | VPS | Ubuntu 24.04 · 8 GB RAM · 2 vCPU · 100 GB SSD | Hostinger |
| Analytics app | analytics.iso27diy.com · poort 3000 (intern) | Umami | | Analytics app | analytics.iso27diy.com · poort 3000 (intern) | Umami |
| Database | PostgreSQL 15 · alleen Docker intern netwerk | Docker | | Database | PostgreSQL 15 · alleen Docker intern netwerk, t.b.v. Umami | Docker |
| Reverse proxy | Handelt HTTPS af, stuurt door naar Umami op :3000 | Nginx | | Reverse proxy | Handelt HTTPS af, stuurt door naar Umami op :3000 | Nginx |
| SSL | Automatisch vernieuwd · analytics.iso27diy.com | Let's Encrypt | | SSL | Automatisch vernieuwd · analytics.iso27diy.com | Let's Encrypt |
| fail2ban | SSH brute-force bescherming | Hostinger VPS | | fail2ban | SSH brute-force bescherming | Hostinger VPS |
| reverse proxy (?) | | nginx |
| appointments | service URL + port | [Easy\!Appointments](https://github.com/alextselegidis/easyappointments) |
| projects | | Vikunja |
OnlyOffice
JitsiMeet
| Component | Platform | URL / port | Details |
| --------- | -------- | ---------- | ------- |
| | | | |
--- ---
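Review bot: the new `reverse proxy (?)` row duplicates the existing `Reverse proxy | Handelt HTTPS af, stuurt door naar Umami op :3000 | Nginx` row, and the new `appointments` and `projects` rows carry a placeholder (`service URL + port`) or an empty Details cell, so the inventory no longer states which port each new service listens on or whether it is internal-only, which is exactly what the Umami row (`poort 3000 (intern)`) and the PostgreSQL row (`alleen Docker intern netwerk`) record and what makes the table useful as an exposure inventory. `OnlyOffice` and `JitsiMeet` sit outside any table and will render as two bare words; add them as rows with the same columns, or leave them out until they are actually deployed. The second table (`Component | Platform | URL / port | Details`) contains only an empty row and uses a different column order from the first; if it is meant to replace the first table, migrate the rows in one change instead of leaving both. The `per 11 April 2026` date line was also not updated even though the stack changed in this commit (dated 2026-06-07).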