Isms-document-workflow

The last couple of days I was down the rabbit hole and created a git-driven document workflow for information management systems. Basically a bunch of bash scripts, but well structured, with a deterministic build process to create PDF documents and PDF forms from Markdown documents with frontmatter plus a pre- and post-processor.

Minimalistic dependencies, free and open source.

P.S.: I have been using this for many years for my blog and whitepapers, so it’s quite “battle hardened”.

Enjoy!

In the meantime the isms-document-workflow got a name: “Epyy”, a mascot and an internet domain:

Today I’ve uploaded a landing page (in German) made with Hugo, a static site generator.

Really, really nice project, thanks for adding it. Looks great and solves the 27001 problems for most small businesses.

Guess I’m out of the loop here.
What problem does this solve?
Can you explain it to me in a quick post?

It’s a document workflow following IEC 27001, which allows you to work with your documents according to the standard that is often in use in industry. We have a workflow like this in our system, we implemented it differently, but this one is free, especially for small companies that have to follow this standard because their customers would otherwise not contract with them.

So this software setup handles the documentation aspects of an ISMS - not the implementation of one?

Correct?

Just trying to get past the “it follows a standard” kind of explanation as to what it DOES.

ISO 27001 is like an operating system for organisations when it comes to information security. You need to be able to provide evidence of everything:

  • What rules and processes are in place?
  • Who is responsible for what?
  • When was this last checked?
  • What has changed?
  • Is everything continuously improved?

Many manage their ISMS in Word and Excel. But this does not meet the requirements. Changes, for instance, cannot be traced. Nobody knows which version is the latest etc.

This is where this document workflow comes into play, with Git as the audit trail and Markdown serving as the single source of truth. However, the strength of this workflow lies in the snippets that automate everything. For example, checking in other documents whether a control (checkbox) is selected or not.

Here in Europe, companies of significance or critical importance must demonstrate that they take information security seriously. Managing directors are held personally accountable, see NIS2 regulation.
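The cross-document checkbox check mentioned above, as an added example written for this thread (not code from the Epyy project): it parses the simple key/value frontmatter of constructed sample Markdown documents, reads the control checkboxes in a Statement of Applicability, and reports every control a policy claims to implement that the SoA has not selected. The document contents, the `implements` frontmatter key and the function names are assumptions for this example.

```python
"""Cross-check control checkboxes between Markdown ISMS documents."""
import re
from typing import Dict, List

# Constructed sample documents (assumptions for this example, not project files).
SOA_MD = """---
title: Statement of Applicability
version: 1.2
---
# Controls
- [x] A.5.1 Policies for information security
- [ ] A.5.7 Threat intelligence
- [x] A.8.9 Configuration management
"""

POLICY_MD = """---
title: Access Control Policy
version: 0.3
implements: [A.5.1, A.5.7, A.8.9]
---
Policy body text.
"""

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.S)
# Markdown task-list line whose text starts with an Annex A style control id.
CHECKBOX_RE = re.compile(r"^- \[( |x)\] (A\.\d+\.\d+)\b", re.M)


def parse_frontmatter(doc: str) -> Dict[str, str]:
    """Read the leading 'key: value' frontmatter block into a dict."""
    match = FRONTMATTER_RE.match(doc)
    if not match:
        return {}
    meta: Dict[str, str] = {}
    for line in match.group(1).splitlines():
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip()
    return meta


def selected_controls(doc: str) -> Dict[str, bool]:
    """Map each control id found in a checkbox list to True if ticked."""
    return {cid: mark == "x" for mark, cid in CHECKBOX_RE.findall(doc)}


def unselected_claims(policy: str, soa: str) -> List[str]:
    """Controls the policy claims to implement that the SoA does not select."""
    raw = parse_frontmatter(policy).get("implements", "").strip("[]")
    claimed = [c.strip() for c in raw.split(",") if c.strip()]
    soa_controls = selected_controls(soa)
    return [c for c in claimed if not soa_controls.get(c, False)]


if __name__ == "__main__":
    print("Claimed but not selected in SoA:", unselected_claims(POLICY_MD, SOA_MD))
```

In a real build step the same check would run over every document in the repository before the PDFs are generated, so a mismatch fails the build instead of surfacing in an audit.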

Exactly. And this standard is used as an IEC standard also by Deloitte USA, for example. And if you want to be a supplier within that structure, you also have to fulfil that standard. For European vendors it is less complex, because for us it has been normal for a long time now.

Thanks for that description.

So this really serves as the backbone for a well documented information security system.
But it ISN’T the actual implementation of any system.
Just the documentation portion.

Nothing wrong with that I just wanted to understand what this addressed

Makes sense

It’s like many other ISO standards, where documenting the processes is as big a component of the process as anything.

Exactly and here is my USP:

Some companies, especially SMEs, buy expensive SaaS solutions with harmful side effects. For instance: vendors often claim that “their” templates are copyrighted. When you cancel your SaaS subscription (e.g. to move everything in-house), then you are not entitled to use your documentation anymore. This means you must rewrite everything from scratch. These legal issues, technical debt and uncertainty are not acceptable at all.

Free software protects your long-term ISMS investment.

That’s a real problem, especially when leaving the vendor. But you delivered a solution which has none of these problems.

Ah yes.
Vendor lock-in!
Gotta love it.
Seen it so many times in so many ways.

At least now I have a much better idea what this project does and how it helps.

Thanks!