<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Posts on Fr-ISO</title>
    <link>https://www.evers-senne.de/post/</link>
    <description>Recent content in Posts on Fr-ISO</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <managingEditor>blog@evers-senne.de (Friso)</managingEditor>
    <webMaster>blog@evers-senne.de (Friso)</webMaster>
    <lastBuildDate>Sun, 22 Feb 2026 17:26:56 +0200</lastBuildDate>
    
        <atom:link href="https://www.evers-senne.de/post/index.xml" rel="self" type="application/rss+xml" />
    
    
    <item>
      <title>Notes and Knowledgebase</title>
      <link>https://www.evers-senne.de/post/tech/notes-and-knowledgebase/</link>
      <pubDate>Sun, 22 Feb 2026 17:26:56 +0200</pubDate>
      <author>blog@evers-senne.de (Friso)</author>
      <guid>https://www.evers-senne.de/post/tech/notes-and-knowledgebase/</guid>
      
        <description>&lt;h2 id=&#34;before-2023-and-why-change-that&#34;&gt;Before 2023 and why change that&lt;/h2&gt;
&lt;p&gt;Before 2023 I used Microsoft OneNote to manage my notes and my &lt;em&gt;knowledge base&lt;/em&gt; and structured it with groups and pages. It was easy to use, but there were features I did not use like handwriting or putting content in boxes anywhere on the canvas of a page. Links between pages were rare at that time. Switching between devices with OneNote apps and the web resulted in collisions every now and then, and it was kind of impossible to resolve them, or better, to not create them.
Then I saw Obsidian on the screen of a friend, and immediately liked the idea of Markdown files as an open standard and tool agnostic. I did some experiments with Obsidian and a WebDav plugin to synchronize to my own Nextcloud, but observed that this produces collisions again and I did not want to store my business notes on my private Nextcloud.
Parallel to the technical details I read about Zettelkasten and started to create links between notes. OneNote can do that, but changing names of pages or rearranging the structure always renders the links useless. The original Zettelkasten linking by manually assigned IDs seems outdated today. So EOL for my OneNote usage.&lt;/p&gt;
&lt;h2 id=&#34;new-setup-from-summer-2023&#34;&gt;New Setup from Summer 2023&lt;/h2&gt;
&lt;p&gt;As a former developer, Linux user and Open Source fan, I finally decided on VS Code and some markdown extensions. Synchronization via our company Gitlab was a no-brainer. So I created the new knowledge base and notes by:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Export OneNote pages as Word Documents in DOCX or the like.&lt;/li&gt;
&lt;li&gt;Use Pandoc to convert DOCX files to MD in a quick batch (bash) job.&lt;/li&gt;
&lt;li&gt;Check in the first baseline and start to polish and refactor the notes.&lt;/li&gt;
&lt;li&gt;Link them with &lt;code&gt;[[filename]]&lt;/code&gt; and let the extension repair links when moving or renaming files.
Looks like the base for a Zettelkasten, only adding an Inbox.md for daily fast ingestion to be sorted later.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;A few weeks later I learned about the PARA structure and it seemed totally obvious that this scheme would ease the decisions where to put files and where to find them again. So I gave it a try and introduced the outer structure as folders:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Projects&lt;/li&gt;
&lt;li&gt;Areas of responsibility (accountable)&lt;/li&gt;
&lt;li&gt;Resources&lt;/li&gt;
&lt;li&gt;Archive&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In level 2, I created folders for topics like &lt;code&gt;Software 1&lt;/code&gt;, &lt;code&gt;Team&lt;/code&gt;, &lt;code&gt;Security&lt;/code&gt; and of course most topics are in all PARA top-level folders.
Having also many office documents in my OneDrive, I also applied the PARA system there and replicated the complete directory structure from my Zettelkasten/Git world. But mixing Markdown with Git and office documents with OneDrive (sync) seemed so scary to me that I hesitated to do that.&lt;/p&gt;
&lt;h2 id=&#34;extensions-and-common-workflows&#34;&gt;Extensions and common workflows&lt;/h2&gt;
&lt;p&gt;There are many Markdown-related VS Code extensions; after some trial and error, this selection survived for 2 years:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Enhanced markdown preview&lt;/li&gt;
&lt;li&gt;Markdown Memo&lt;/li&gt;
&lt;li&gt;Markdown Checkboxes&lt;/li&gt;
&lt;li&gt;Todo-Tree&lt;/li&gt;
&lt;li&gt;Print (to render in browser, share easily in Teams meetings, export as PDFs)&lt;/li&gt;
&lt;li&gt;Git (of course)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When choosing filenames I always try to use compact but descriptive ones, and thus I always had the wish to open files of which I remember only parts of the name very easily. VS Code provides &amp;lsquo;Ctrl-P&amp;rsquo; for exactly that, great! That command evolved to my most often used way to open a file (90 % for sure). I do not exploit any Zettelkasten or PARA structure, but it fits my personal &amp;ldquo;associative memory&amp;rdquo; (brain).
Adding a macro (short text) to expand &lt;code&gt;date&lt;/code&gt; to the ISO formatted date of today allows me to create new entries with headings like &lt;code&gt;## 2026-01-24 Alignment with Peter&lt;/code&gt; very fast.&lt;/p&gt;
&lt;h2 id=&#34;mobile-usage&#34;&gt;Mobile usage&lt;/h2&gt;
&lt;p&gt;There is no VS Code for my iPad or my Android phone, so it needs a different tool chain there, but git and MD are well established. I use it for personal as well as for business by having dedicated git repos for each (on different git servers, of course).&lt;/p&gt;
&lt;h3 id=&#34;ipad&#34;&gt;iPad&lt;/h3&gt;
&lt;p&gt;Obsidian as editor on the iPad serves very well. These lines are written with that. There is one non-free git app for iOS, but how to work with git in an open source fashion? Then there came &lt;code&gt;ish&lt;/code&gt; along! A Linux shell being able to mount directories on the iPad. So easy: Run ish, install git, mount the Obsidian directory, git clone, done! Even the VPN connection to my company was transparent as expected. One small issue was that ish has two filesystem options to use: ios and ios-unsafe. With ios, the git commands get stuck; only ios-unsafe works well.&lt;/p&gt;
&lt;h3 id=&#34;android&#34;&gt;Android&lt;/h3&gt;
&lt;p&gt;It took until early 2025 to discover &lt;code&gt;zettelnotes&lt;/code&gt;, an Android app for note taking based on markdown and being able to directly sync with git repos. Extremely useful for short notes of ideas. Works like a charm, no headaches or scary tooling needed around it.&lt;/p&gt;
&lt;h2 id=&#34;todos-revisited&#34;&gt;Todos revisited&lt;/h2&gt;
&lt;p&gt;Until mid-2025 I used Microsoft TODO to manage my personal tasks, but always had many &lt;code&gt;- []&lt;/code&gt; markdown tasks in my notes. So at that point in time I strived to fuse the task management, escaping from the next Microsoft app.
The Todo-Tree extension in VS Code is very powerful and I combined it with a few macros:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Defining TODO statuses: WIP, PRI, WAI, NOR, LON (Work in Progress, Priority, Waiting for other, Normal, Longterm).&lt;/li&gt;
&lt;li&gt;Configure Todo-Tree to identify &lt;code&gt;- [WIP] blah blah&lt;/code&gt; as a task of status WIP, and the same for the other statuses.&lt;/li&gt;
&lt;li&gt;Not using &lt;code&gt;- [x]&lt;/code&gt; for closed tasks at all, there was no need for a change from &lt;code&gt;- [WIP]&lt;/code&gt; to done; I just remove the lines when a task is done. Git has the history.&lt;/li&gt;
&lt;li&gt;Assigning colors and an order to rank todos like above.&lt;/li&gt;
&lt;li&gt;Defining macros to create a new task just based on the three letter status &lt;code&gt;WIP&lt;/code&gt; -&amp;gt; &lt;code&gt;- [WIP] &lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Status changes are done manually.&lt;/li&gt;
&lt;li&gt;Optional: defining scope filters to reduce the displayed tasks to subsets.
With that setup I can write my todos in the files and context they belong to, and Todo-Tree renders a neat list with many options to display.
That has served me well since autumn 2025.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;para-transposed&#34;&gt;PARA transposed&lt;/h2&gt;
&lt;p&gt;The combination of PARA and interlinking like Zettelkasten served me well until late 2025.
Having Git as a backend I never lost a line of notes. If a collision happens, I can resolve it precisely. And yes, even though I am the only user of my knowledge base, I create collisions by forgetting to commit and push on one of my devices.&lt;/p&gt;
&lt;p&gt;Having the four-folder PARA as top-level structure started to bother me first in the beginning of 2025. I decided to evict the archived files into a different git repo &lt;code&gt;zettelarchive&lt;/code&gt;, because &lt;code&gt;Ctrl-P&lt;/code&gt; always suggested filenames from the archive. So PARA reduced to &lt;em&gt;PAR&lt;/em&gt;.
In my OneDrive, I always had the challenge to decide between Project (P) and Area of Responsibility (A). The strict definition of a project to end some day did not hold, and I did not move files between these fast enough to reflect changes in priority. In both (P) and (A) I had identical subfolders for my topics to manage; that ambiguity was never solved.
In the beginning of 2026 I decided to transpose the structure:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Top level is now topic/theme/project, e.g. &lt;code&gt;Software1&lt;/code&gt;, &lt;code&gt;Security&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Second level &lt;code&gt;Active&lt;/code&gt; is a fused (P) and (A)&lt;/li&gt;
&lt;li&gt;Second level &lt;code&gt;Passive&lt;/code&gt; is the old (R) Resources&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If I had to choose an acronym, it could be T/AP: &lt;code&gt;[Topic]/{Active|Passive}&lt;/code&gt;. Good enough for now, safe enough to try. And of course I also applied that scheme to my OneDrive, replicating the exact folder structure.&lt;/p&gt;
&lt;h2 id=&#34;onedrive-sync&#34;&gt;OneDrive sync&lt;/h2&gt;
&lt;p&gt;After an experiment to use &lt;code&gt;rclone bisync ...&lt;/code&gt; to sync my OneDrive side-by-side with my Zettelkasten, I overcame my hesitation and started to really mix both worlds.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Based on the identical folder structure, it should match.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;rclone&lt;/code&gt; is limited to sync only a handful of top-level folders, not all Microsoft invented directories I never use.&lt;/li&gt;
&lt;li&gt;Git has extensive entries in &lt;code&gt;.gitignore&lt;/code&gt; to not feel responsible for all the office files.&lt;/li&gt;
&lt;li&gt;Markdown is included in bisync and sent to OneDrive so it can be shared with others file by file.&lt;/li&gt;
&lt;li&gt;Markdown in OneDrive should not be modified, or at least should not be modified on both sides. I would like to avoid merging with rclone.&lt;/li&gt;
&lt;/ul&gt;
</description>
      
    </item>
    
    <item>
      <title>Example: NIS2</title>
      <link>https://www.evers-senne.de/post/cybersecurity/02_orig_nis2/</link>
      <pubDate>Sun, 04 Jan 2026 00:00:00 +0000</pubDate>
      <author>blog@evers-senne.de (Friso)</author>
      <guid>https://www.evers-senne.de/post/cybersecurity/02_orig_nis2/</guid>
      
        <description>&lt;h2 id=&#34;example-nis-2&#34;&gt;Example: NIS-2&lt;/h2&gt;
&lt;p&gt;When applying the approach from the &lt;a href=&#34;https://www.evers-senne.de/post/cybersecurity/01_the_originals/&#34;&gt;originals&lt;/a&gt; to NIS2 in summer 2023, I started with the EU version, the original &lt;a href=&#34;https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng&#34;&gt;NIS-2 directive&lt;/a&gt;. First learning: A &lt;a href=&#34;https://en.wikipedia.org/wiki/Directive_%28European_Union%29&#34;&gt;directive&lt;/a&gt; has to be transferred into national law by each nation state to get activated, with no further grace period. A &lt;a href=&#34;https://en.wikipedia.org/wiki/Regulation_%28European_Union%29&#34;&gt;regulation&lt;/a&gt; (de.: &lt;a href=&#34;https://de.wikipedia.org/wiki/Verordnung_%28EU%29&#34;&gt;Verordnung&lt;/a&gt;) is activated by the EU, but always contains a grace period of approximately 36 months.
NIS2 was released in 2022, so the text was finalized and the minimum level of requirements was defined. By 2024-10-17 at the latest, the nation states should have released their national version, implementing the EU version. Some did, others not. Germany was close to release at the end of 2024, but got delayed on the last mile and released the &lt;a href=&#34;https://www.recht.bund.de/bgbl/1/2025/301/VO.html&#34;&gt;NIS2UmsuCG&lt;/a&gt; on 2025-12-05.
But again: The EU version gives a very good baseline to assess the relevance for a company. Appendix A and Appendix B list the sectors and companies in scope; other limits are stated in the main paragraphs.
Seeing the first three drafts of the German version revealed that most definitions have been copied without modifications. But at some points Germany decided to tighten the strings a bit. The evolution of the German draft also demonstrated that these points changed (number of employees &lt;em&gt;and&lt;/em&gt; turnover vs. &lt;em&gt;or&lt;/em&gt;). The scope for the authorities and administrative bodies in contrast has been relaxed as much as possible, because security may cost money and the federal state tries to avoid costs by trading in security. Ugly, but no impact on commercial companies.&lt;/p&gt;
&lt;h2 id=&#34;mapping-to-my-company&#34;&gt;Mapping to my company&lt;/h2&gt;
&lt;p&gt;Finally, our conclusion was that we are at least an &amp;ldquo;important entity&amp;rdquo; (&amp;ldquo;wichtige Einrichtung&amp;rdquo;), but due to the fact that our HQ runs the data center for our CSOs, we (the HQ) are a data center provider and that is an &amp;ldquo;essential entity&amp;rdquo; (&amp;ldquo;wesentliche Einrichtung&amp;rdquo; (EU) / &amp;ldquo;besonders wichtige Einrichtung&amp;rdquo; (DE)).
No problem, the real risk management requirements are the same; just the penalties increase and audits can be initiated without any special trigger.
Having all that documented helps to align with the legal department and helps to keep the CDO / board in sync.
Yes, it costs some hours or days, more time than asking a consultant. But now we (me, legal, CDO) are confident that we understand all implications, and any auditor will appreciate written documentation.&lt;/p&gt;
&lt;h2 id=&#34;implementation-with-iso-27001&#34;&gt;Implementation with ISO 27001&lt;/h2&gt;
&lt;p&gt;After identifying the need to implement NIS-2, or better: to be NIS-2 compliant, the next questions are: How big is the gap and what remains to do? So a fit-gap analysis has to be done, and for that, the real requirements should be more precise than the few paragraphs of Article 21 of NIS-2.&lt;/p&gt;
&lt;p&gt;The best internationally visible standard for information security with respect to risk management is ISO 27001. It defines requirements for an Information Security Management System (ISMS), but unlike other management system norms it also requires 93 (version: 2022) &amp;ldquo;controls&amp;rdquo; to be implemented. These are the hard facts, the baseline of information security.&lt;/p&gt;
&lt;p&gt;A comparison to other frameworks like BSI Grundschutz or the NIST Cyber Security Framework yields that ISO 27001 leaves room for individual implementations (BSI Grundschutz is very comprehensive and specific), it can be certified (NIST CSF not), and it seems to evolve into a standard like ISO 9001, which is mandatory for many companies.&lt;/p&gt;
&lt;h2 id=&#34;mapping-nis-2-to-iso-27001&#34;&gt;Mapping NIS-2 to ISO 27001&lt;/h2&gt;
&lt;p&gt;On the internet, multiple sources can be found to map the NIS-2 requirements to the controls of ISO 27001. These are not &amp;ldquo;officially approved&amp;rdquo;, but when reading them, the mapping seems obvious and reasonable. So ISO 27001 sets our new baseline.&lt;/p&gt;
&lt;p&gt;(The norm itself is not freely available, so no direct links are given here.)&lt;/p&gt;
</description>
      
    </item>
    
    <item>
      <title>Gps Tracks @ home</title>
      <link>https://www.evers-senne.de/post/tech/gps-tracks/</link>
      <pubDate>Sun, 13 Apr 2025 17:26:56 +0200</pubDate>
      <author>blog@evers-senne.de (Friso)</author>
      <guid>https://www.evers-senne.de/post/tech/gps-tracks/</guid>
      
        <description>&lt;h2 id=&#34;sources&#34;&gt;Sources&lt;/h2&gt;
&lt;p&gt;Using Garmin devices to record my outdoor activities, all tracks are sent to the Garmin cloud via the app GarminConnect automatically. This is very convenient, and cloud-to-cloud connections forward the tracks to Strava and Komoot.
Long before the Bluetooth-Cloud-Automagic era I already used a Garmin Edge 710 with USB connectivity only. As a Linux user I read out the TCX files from the mass storage, stored them locally and sent them to Garmin years later for completeness.&lt;/p&gt;
&lt;h2 id=&#34;archiving-at-home&#34;&gt;Archiving at home&lt;/h2&gt;
&lt;p&gt;But I cannot accept Garmin as a long-term archive for all data of highly personal value. My track archive dates back to 2008 and I do not want to lose it some day just because a company goes out of business or the like.
So digging in the web I found a script to download activities from Garmin as GPX files. For many years this helped me to just download and sync to my own Nextcloud.
The smart watches can also record health data, and the &lt;em&gt;Body Battery&lt;/em&gt; is one of the highlights for me. So the next logical step was to also archive these data at home.
The library &lt;a href=&#34;https://github.com/cyberjunky/python-garminconnect&#34;&gt;python-garminconnect&lt;/a&gt; offers a complete API to the Garmin cloud, and to store time series data, InfluxDB seems to be a good choice.
So a few lines of glue code later, a new script was born to&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Download health data and send to my local InfluxDB,&lt;/li&gt;
&lt;li&gt;Download activities, save as local GPX files and let Nextcloud client sync to my self-hosted Nextcloud.&lt;/li&gt;
&lt;li&gt;A decent backup strategy (3-2-1) shall help to not lose data.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;visualizing-1&#34;&gt;Visualizing #1&lt;/h2&gt;
&lt;p&gt;Nextcloud&amp;rsquo;s plugin &lt;em&gt;Gpxpod&lt;/em&gt; can scan directories and visualize all GPX/TCX files on a map. Because all geo data was already synced to Nextcloud, this was a no-brainer and worked very well for many years.
But when the plugin architecture changed, it seems that all geo-filtering was done in the frontend (the browser), and in my setup this totally crashed. Selecting a directory with only hundreds of tracks results in too many track points. Sending these to the browser needs time and bandwidth; filtering for the current viewport of the map in the browser needs memory and CPU. So my browser tab got stuck and then crashed.&lt;/p&gt;
&lt;h2 id=&#34;visualizing-2&#34;&gt;Visualizing #2&lt;/h2&gt;
&lt;p&gt;Recently I stumbled upon &lt;a href=&#34;https://github.com/Freika/dawarich&#34;&gt;Dawarich&lt;/a&gt; (German for &amp;ldquo;I was there&amp;rdquo;). Might that solve my geo-visualization problem?
20 minutes later I had the Postgres, Dawarich and Sidekiq containers up and running (Redis was already available) and imported the first tracks. The visualization and filters are really great. But with a million points it ran into the same problem, maybe in the backend, but with the result of being unusable.&lt;/p&gt;
&lt;h2 id=&#34;data-filtering-and-simplification&#34;&gt;Data filtering and simplification&lt;/h2&gt;
&lt;p&gt;So it seems I have to work on the data. The first approach was to separate files in directories based on their area. Reason: There are far more files from my home region than from other regions, e.g. vacation trips.
But the latter are more interesting. So I added a geo-filter to my script from above:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;taking the first track point of each file and comparing it to predefined geo-bounding boxes,&lt;/li&gt;
&lt;li&gt;putting all tracks from &amp;ldquo;home&amp;rdquo; into a directory,&lt;/li&gt;
&lt;li&gt;putting all tracks from &amp;ldquo;former home&amp;rdquo; into a second directory,&lt;/li&gt;
&lt;li&gt;putting all other tracks in a third directory.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For Nextcloud / Gpxpod this helped to focus on other regions, but rendering was still very slow. My home region was still too large in number of files / track points.&lt;/p&gt;
&lt;p&gt;Next step: Sub-sampling. The original tracks have a sampling rate of 1 to a few seconds, resulting in very precise recordings. But for coarse visualization this is not required. Fiddling with &lt;em&gt;gpsbabel&lt;/em&gt; on the command line I decided that filtering according to a cross track error of 10 meters (&amp;quot;-x simplify,crosstrack,error=0.01k&amp;quot;) reduces the number of track points to 5 % and only very sharp turns get distorted. The visual quality in Dawarich and Gpxpod is totally sufficient.&lt;/p&gt;
&lt;p&gt;To add this step to my sync script I chose the lazy way: Just calling gpsbabel as an external command.&lt;/p&gt;
&lt;h2 id=&#34;summary&#34;&gt;Summary&lt;/h2&gt;
&lt;p&gt;Getting all data from Garmin semi-automatically (start the script), filtering tracks geographically by bounding boxes and simplifying to 5 % of data is required to visualize &amp;gt;2000 tracks in Gpxpod and Dawarich. But the result is great: I can see all my activities, even those in my home region interactively on a single map!&lt;/p&gt;
</description>
      
    </item>
    
    <item>
      <title>Originals</title>
      <link>https://www.evers-senne.de/post/cybersecurity/01_the_originals/</link>
      <pubDate>Sat, 12 Apr 2025 00:00:00 +0000</pubDate>
      <author>blog@evers-senne.de (Friso)</author>
      <guid>https://www.evers-senne.de/post/cybersecurity/01_the_originals/</guid>
      
        <description>&lt;h2 id=&#34;finding-upcoming-regulations&#34;&gt;Finding upcoming regulations&lt;/h2&gt;
&lt;p&gt;The web is full of articles about new laws and regulations, but many sites from law firms write more like: &amp;ldquo;you know there is this new regulation&amp;rdquo;, &amp;ldquo;do you really know what this implies for your company?&amp;rdquo;, &amp;ldquo;Relax, we can help you&amp;rdquo;.
Some sites like &lt;a href=&#34;https://www.openkritis.de&#34;&gt;openkritis.de&lt;/a&gt; really summarize the originals and give status updates. Tech news like &lt;a href=&#34;https://www.heise.de/newsticker/&#34;&gt;Heise&lt;/a&gt; write every now and then about upcoming regulations; all of that can serve as a starting point to get an overview of the landscape. My latest gold nuggets are&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://www.kaizenner.eu/laws&#34;&gt;https://www.kaizenner.eu/laws&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://bundestagszusammenfasser.de/&#34;&gt;https://bundestagszusammenfasser.de/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;the-originals&#34;&gt;The originals&lt;/h2&gt;
&lt;p&gt;But in the end, there is only one source of truth: The original document. The European Union (&lt;a href=&#34;https://eur-lex.europa.eu/&#34;&gt;Eur-Lex&lt;/a&gt;) and many nation states directly publish all finally released regulations and even work in progress. The well-known search engines help to find it.
When getting into the role as ISO and getting notice about NIS2, I started to read about new regulations and discovered CRA, DSA, DMA, DA etc. Are they relevant for the company I am working for? What does it mean in detail?
Goal: Reading the originals to the point required to assess the relevance, and documenting the assessment to &lt;em&gt;never&lt;/em&gt; have to read the original again.&lt;/p&gt;
&lt;h2 id=&#34;approach-to-read-and-document&#34;&gt;Approach to read and document&lt;/h2&gt;
&lt;p&gt;Reading texts like EU laws is not much fun, but the following approach served me well.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Screening the original and finding the paragraphs which are most relevant,&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;skipping the pages with reasoning, cross references and other stuff which seem irrelevant for now. Searching for the following answers and taking notes about my findings:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;For whom (company) or what (product) does it apply? Are we in scope?&lt;/li&gt;
&lt;li&gt;State of law: When will it be activated, directly from the EU, or by national law? Any grace periods?&lt;/li&gt;
&lt;li&gt;Any special inclusions or exclusions (companies, products, &amp;hellip;)?&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;If it seems to apply, then I dig deeper:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;What is new, what to implement, to adhere, to do in detail?&lt;/li&gt;
&lt;li&gt;Is it detailed enough, or does it need other documents?&lt;/li&gt;
&lt;li&gt;Does it apply to only some products, some departments, &amp;hellip;?&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;approval-from-legal-department&#34;&gt;Approval from legal department&lt;/h2&gt;
&lt;p&gt;I am not a lawyer, I have no background in law, so for NIS2 I decided to cross-check my analysis with our legal department.
Handing in the written analysis with references into the original document gives a good starting point to ask for verification and approval. Based on the feedback I revise the document. That way, I learned more details, saved the legal team some time and have an approved documentation about the relevance of that particular law with respect to our company.&lt;/p&gt;
&lt;h2 id=&#34;using-generative-ai&#34;&gt;Using generative AI&lt;/h2&gt;
&lt;p&gt;Using &lt;a href=&#34;https://www.langdock.com/de&#34;&gt;Langdock&lt;/a&gt; as a frontend for ChatGPT or similar, I tried to speed up the above process and learned these points:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Based on the knowledge horizon (date of training data), the model may know the law of interest or not.&lt;/li&gt;
&lt;li&gt;A RAG (retrieval augmented generation) based tool like Langdock with a dedicated model or &lt;a href=&#34;https://www.perplexity.ai/&#34;&gt;Perplexity&lt;/a&gt; is much better at finding the current state of documents.&lt;/li&gt;
&lt;li&gt;Downloading the original document and uploading it to the AI-tool serves very well.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Then prompting for the questions and pointing to the document gave me very good results &lt;em&gt;and&lt;/em&gt; references to the particular pages. That way I saved 80 % of time while having my answers and can verify them with a single click.&lt;/p&gt;
</description>
      
    </item>
    
    <item>
      <title>Launch day</title>
      <link>https://www.evers-senne.de/post/00_initial_launch/</link>
      <pubDate>Wed, 26 Feb 2025 00:00:00 +0000</pubDate>
      <author>blog@evers-senne.de (Friso)</author>
      <guid>https://www.evers-senne.de/post/00_initial_launch/</guid>
      
        <description>&lt;h2 id=&#34;tldr&#34;&gt;tl;dr&lt;/h2&gt;
&lt;p&gt;Today, I finally launched my &amp;ldquo;Blog and Website&amp;rdquo; project. Topics will touch &lt;em&gt;cybersecurity&lt;/em&gt;, &lt;em&gt;IT@home&lt;/em&gt;, &lt;em&gt;ski mountaineering&lt;/em&gt;.
Starting with two articles about me, but more content is already prepared.&lt;/p&gt;
&lt;h2 id=&#34;why-these-pages&#34;&gt;Why these pages&lt;/h2&gt;
&lt;p&gt;On this website I plan to publish some articles about things I learned, things I am engaged in and topics of my interest.
I am not using any social media very intensively and I want to control my own content, so I decided to do it as in the beginning of the web: create a personal web page. Other channels might be used to post updates with links.&lt;/p&gt;
&lt;h2 id=&#34;who-is-me&#34;&gt;Who is &lt;em&gt;me&lt;/em&gt;&lt;/h2&gt;
&lt;p&gt;See the required &lt;a href=&#34;https://www.evers-senne.de/about/&#34;&gt;Imprint&lt;/a&gt; for the most relevant details. My interests and connections will become visible with dedicated articles. In addition, my nearly unique name might be identifiable in other channels.&lt;/p&gt;
&lt;h2 id=&#34;english-or-german&#34;&gt;English or German?&lt;/h2&gt;
&lt;p&gt;While my mother tongue is German, writing in English seems mandatory to me to address a wider audience compared to German only. Today&amp;rsquo;s web browsers offer translations on the fly, but writing English text myself is a nice training I do not want to miss.
So, if you need a different language, please use the translation feature of your browser.&lt;/p&gt;
&lt;h2 id=&#34;no-comment-feature&#34;&gt;No comment feature?&lt;/h2&gt;
&lt;p&gt;For now I do not offer a comment feature or discussions directly. Please do not hesitate to contact me by mail &lt;a href=&#34;mailto:blog@evers-senne.de&#34;&gt;blog@evers-senne.de&lt;/a&gt; for any questions, corrections or need for discussion.&lt;/p&gt;
</description>
      
    </item>
    
    <item>
      <title>My sports and activities</title>
      <link>https://www.evers-senne.de/post/sports/activities_overview/</link>
      <pubDate>Sun, 23 Feb 2025 00:00:00 +0000</pubDate>
      <author>blog@evers-senne.de (Friso)</author>
      <guid>https://www.evers-senne.de/post/sports/activities_overview/</guid>
      
        <description>&lt;h2 id=&#34;cannot-live-without&#34;&gt;Cannot live without&lt;/h2&gt;
&lt;p&gt;Over the years I developed a passion for multiple outdoor sports, and I took care to find matching sports for summer and winter. When living in the north of Germany, road biking was sufficient: Summer and winter are nearly equally cold/warm, terrain nearly flat.
But when moving to the Black Forest, a hill region in the south of Germany, more opportunities came along, and the winters are not so nice for biking. So today it splits as follows.&lt;/p&gt;
&lt;h2 id=&#34;summer&#34;&gt;Summer&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Mountain biking in the Black Forest and sometimes in the Alps is very much fun. Long up-hills, fast or technical down-hills, not using shaped trails, the terrain is always challenging enough for me.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Road biking is like flying, at least in comparison to mountain biking. But the climbs can also be long and exhausting.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Hiking, if all else fails, in the Black Forest or in the real mountains. This is the activity which is most compatible with other people.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Sometimes: Climbing, Via Ferrata. Doing this too infrequently, the power and technique always fade away over the weeks and months of other sports.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Every now and then: Running, Trail Running. In summer this only fills the last gaps in my calendar.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;winter&#34;&gt;Winter&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Ski Mountaineering, as a tour guide and trainer in DAV, I organize multiple events and trainings per year.&lt;/li&gt;
&lt;li&gt;Running is my replacement for cycling when it is too cold outside. As long as there is no snow on the trails, I prefer trail running. But more or less flat around the lake is at least acceptable.&lt;/li&gt;
&lt;li&gt;Sometimes: Downhill skiing. Riding down pistes only happens once or twice a year. Going off-piste is preferred.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;tracking-not-trecking&#34;&gt;Tracking, not trekking&lt;/h2&gt;
&lt;p&gt;Since 2008 I have used Garmin devices to record nearly all sportive movements. This gives a nice history of tracks and statistics, from the home region and all trips.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://connect.garmin.com/&#34;&gt;Garmin:&lt;/a&gt; &lt;em&gt;jfevers&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://www.strava.com/athletes/37666215&#34;&gt;Strava:&lt;/a&gt; &lt;em&gt;Jan-Friso Evers-Senne&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Visualizing tracks myself is a different story, which will be published later.&lt;/p&gt;
</description>
      
    </item>
    
    <item>
      <title>My way into cyber security</title>
      <link>https://www.evers-senne.de/post/cybersecurity/00_my_way/</link>
      <pubDate>Sun, 23 Feb 2025 00:00:00 +0000</pubDate>
      <author>blog@evers-senne.de (Friso)</author>
      <guid>https://www.evers-senne.de/post/cybersecurity/00_my_way/</guid>
      
        <description>&lt;h2 id=&#34;tldr&#34;&gt;tl;dr&lt;/h2&gt;
&lt;p&gt;After many years in the field of computer vision, I switched focus to cybersecurity, more or less by accident. Inside the same company.&lt;/p&gt;
&lt;h2 id=&#34;from-computer-vision-to-device-security&#34;&gt;From computer vision to device security&lt;/h2&gt;
&lt;p&gt;In 2018 my job role suddenly changed from computer vision and image processing to managing the development of data loggers. The scope of the project I joined was to develop a small temperature logger that works offline most of the time and sends the collected data via Bluetooth on a button press. The device was 80 % finished when someone asked me to put &amp;ldquo;some security into it&amp;rdquo;.
One brilliant engineer from a different team had already proposed a concept with asymmetric encryption, private / public keys per device, certificates and an internal certificate authority, but he could not sell it to the development team or to management. So my role was more to understand both worlds, translate between tech and management and finally approve the concept.
The implementation on the microcontroller was difficult due to restrictions in RAM and storage. But with the right libraries it finally worked out.&lt;/p&gt;
&lt;h2 id=&#34;first-steps-to-standardize&#34;&gt;First steps to standardize&lt;/h2&gt;
&lt;p&gt;In parallel to the development project, another internal project was launched to define internal security standards for future products. But due to some interesting changes in management, the team involved fell apart. After a review of the very abstract ideas of the former team, I proposed to integrate &amp;ldquo;security&amp;rdquo; into our existing development process in a few simple steps:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Write some basic security requirements on a level that all developers can easily understand and QA can easily test, e.g. &amp;ldquo;Use TLS 1.2 for all HTTPS connections&amp;rdquo;&lt;/li&gt;
&lt;li&gt;Integrate these requirements into the project template such that every new project has to implement them, or at least check their applicability.&lt;/li&gt;
&lt;li&gt;Add a mandatory &amp;ldquo;IoT security concept&amp;rdquo; to the early development phase which describes how to implement the requirements and which is approved by me.&lt;/li&gt;
&lt;li&gt;Add the step of a security analysis (risk assessment) to the development process to discuss remaining risks and assess them.&lt;/li&gt;
&lt;li&gt;Add the mandatory approval of the CDO (and me) to the final product release.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id=&#34;more-than-devices&#34;&gt;More than devices&amp;hellip;&lt;/h2&gt;
&lt;p&gt;From that time on, everybody asked me for my &amp;ldquo;expertise&amp;rdquo; or even my opinion when it came to &amp;ldquo;security&amp;rdquo;. For example, when customers sent questionnaires about &amp;ldquo;Security&amp;rdquo;, those were forwarded directly to me, great. These customers were using our cloud software and did a vendor assessment, asking many details about the security of the cloud software itself, but also about our internal security processes.
Answering these vendor assessments, I learned a lot about what we had in place, and even more about what we should have had. From some colleagues I heard complaints that we needed some &amp;ldquo;governance&amp;rdquo;; they were missing an instance giving clear rules and direction. So we proposed to our CDO the idea of an &amp;ldquo;information security governance team&amp;rdquo;. In February 2023 this ISGT was founded and in April I was appointed as the ISO for the company.
To get up to speed I visited different gatherings, and so I learned about NIS2 in July 2023.
Ok, now my mission for the next year or more was set: NIS2 compliance.&lt;/p&gt;
</description>
      
    </item>
    
    <item>
      <title>Trainings and Certs</title>
      <link>https://www.evers-senne.de/post/cybersecurity/01_certifications/</link>
      <pubDate>Sat, 01 Jun 2024 00:00:00 +0000</pubDate>
      <author>blog@evers-senne.de (Friso)</author>
      <guid>https://www.evers-senne.de/post/cybersecurity/01_certifications/</guid>
      
        <description>&lt;h2 id=&#34;isms-security-officer&#34;&gt;ISMS Security Officer&lt;/h2&gt;
&lt;p&gt;In June 2024 I finished courses and exams at mITSM in Munich and got the title
&lt;em&gt;ICO ISMS Security Officer according to ISO/IEC 27001:2022&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://www.evers-senne.de/https___public.ico-cert.org_badge_user_e66634ec-c258-4f63-a4ab-13d8b0a88e40_badgeClass_71117bb9-7a1e-4df2-9c0f-b597d1355469_1f15ccf0-4d8d-47e5-89dd-ee515e11cc43.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;Check the badge by downloading it (keep the filename!) and pasting it here: &lt;a href=&#34;https://badgecheck.io/&#34;&gt;https://badgecheck.io/&lt;/a&gt;&lt;/p&gt;
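&lt;p&gt;What such a check starts from: an Open Badge is &amp;ldquo;baked&amp;rdquo; into the PNG as a text chunk (iTXt, or tEXt for older badges) with the keyword &lt;code&gt;openbadges&lt;/code&gt;, holding either the assertion JSON or the URL where it is hosted. The following added example (not code from this page, from mITSM/ICO or from badgecheck.io) builds a constructed 1x1 PNG with a made-up assertion baked in, pulls the assertion back out while checking every chunk CRC, and checks a salted, hashed recipient identity against a candidate e-mail address. All issuer URLs, the salt and the recipient address are assumptions for the fixture only.&lt;/p&gt;

```python
import hashlib
import hmac
import json
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
BADGE_KEYWORD = b"openbadges"  # keyword defined by the Open Badges baking spec


def _chunk(ctype, data):
    """Serialize one PNG chunk: 4-byte length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + data).to_bytes(4, "big")
    return len(data).to_bytes(4, "big") + ctype + data + crc


def iter_chunks(png):
    """Yield (type, data) for every chunk, verifying each CRC; stop at IEND."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while True:
        header = png[pos:pos + 8]
        if len(header) != 8:
            raise ValueError("truncated PNG: no IEND chunk")
        length = int.from_bytes(header[:4], "big")
        ctype = header[4:8]
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk " + ctype.decode("latin-1"))
        if zlib.crc32(ctype + data).to_bytes(4, "big") != crc:
            raise ValueError("CRC mismatch in chunk " + ctype.decode("latin-1"))
        yield ctype, data
        if ctype == b"IEND":
            return
        pos += 12 + length


def _text_payload(ctype, data):
    """Return (keyword, text) of a tEXt or iTXt chunk, inflating iTXt if compressed."""
    if ctype == b"tEXt":
        keyword, text = data.split(b"\x00", 1)
        return keyword, text.decode("latin-1")
    # iTXt layout: keyword NUL compflag compmethod lang NUL translated NUL text
    keyword, rest = data.split(b"\x00", 1)
    compressed, method, rest = rest[0], rest[1], rest[2:]
    _lang, rest = rest.split(b"\x00", 1)
    _translated, text = rest.split(b"\x00", 1)
    if compressed == 1:
        if method != 0:
            raise ValueError("unknown iTXt compression method")
        text = zlib.decompress(text)
    return keyword, text.decode("utf-8")


def extract_baked_assertion(png):
    """Return the string baked under the 'openbadges' keyword (assertion JSON or its URL)."""
    for ctype, data in iter_chunks(png):
        if ctype in (b"tEXt", b"iTXt"):
            keyword, text = _text_payload(ctype, data)
            if keyword == BADGE_KEYWORD:
                return text
    raise ValueError("no openbadges chunk: image is not a baked badge")


def parse_baked_content(text):
    """Baked content is either the assertion JSON itself or the URL it is hosted at."""
    if text.lstrip().startswith("{"):
        return "json", json.loads(text)
    return "url", text


def recipient_matches(assertion, email):
    """Check a (possibly salted and hashed) recipient identity against a candidate e-mail."""
    rec = assertion["recipient"]
    if not rec.get("hashed", False):
        return rec["identity"] == email
    algo, digest = rec["identity"].split("$", 1)  # e.g. "sha256$hex"
    computed = hashlib.new(algo, (email + rec.get("salt", "")).encode("utf-8")).hexdigest()
    return hmac.compare_digest(computed, digest)


def build_sample_badge():
    """Constructed fixture: a 1x1 RGBA PNG with a hosted-verification assertion baked in."""
    salt = "f00dfeed"  # assumed salt for the fixture
    identity = hashlib.sha256(("holder@example.org" + salt).encode("utf-8")).hexdigest()
    assertion = {
        "@context": "https://w3id.org/openbadges/v2",
        "type": "Assertion",
        "id": "https://issuer.example/assertions/1234",
        "badge": "https://issuer.example/badges/isms-security-officer",
        "recipient": {"type": "email", "hashed": True, "salt": salt, "identity": "sha256$" + identity},
        "verification": {"type": "hosted"},
        "issuedOn": "2024-06-01T00:00:00Z",
    }
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 6, 0, 0, 0])
    idat = zlib.compress(b"\x00\x00\x00\x00\x00")  # one scanline: filter byte + one RGBA pixel
    itxt = BADGE_KEYWORD + b"\x00" + bytes([0, 0]) + b"\x00" + b"\x00" + json.dumps(assertion).encode("utf-8")
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"iTXt", itxt) + _chunk(b"IEND", b""))
```

&lt;p&gt;The baked text is only a claim made by whoever produced the file; a CRC failure tells you the file was edited, not that an intact file is genuine. Trust comes from the next step a verifier performs: for a hosted assertion, fetching the assertion from its &lt;code&gt;id&lt;/code&gt; URL on the issuer&amp;rsquo;s domain and comparing it with the baked copy (or verifying the signature for a signed assertion), then checking the badge class, the issuer profile, expiry and revocation. Only after that does the recipient check above say anything about who actually holds the badge.&lt;/p&gt;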
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;a href=&#34;https://www.evers-senne.de/e66634ec-c258-4f63-a4ab-13d8b0a88e40_a447fa8c-b4c4-4187-831d-c2748394701f_NMEtXM7t0Dyvi0YSE5-sO.pdf&#34;&gt;Final certificate for Security Officer (PDF)&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;a href=&#34;https://www.evers-senne.de/e66634ec-c258-4f63-a4ab-13d8b0a88e40_c5ed6dae-f103-4cda-992d-f26af7ce8782_M_lYIaspSb-vTomAP876w.pdf&#34;&gt;Second certificate for course Professional&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;a href=&#34;https://www.evers-senne.de/e66634ec-c258-4f63-a4ab-13d8b0a88e40_a17956f2-bba7-4e5e-9a25-d036d81694a0_XzMLN7qCSIJvdQzStAI5y.pdf&#34;&gt;First certificate for course Foundation&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
</description>
      
    </item>
    
  </channel>
</rss>
