Basic Guided tour

[ab-smith]

Based on the requests and suggestions by the community to ease up the onboarding.

[KlavsKlavsen]

I've just setup ciso locally - for testing out for our small business.
I was hoping this would somehow help give me a structured approach to implementing ISO 27001:2022, GDPR etc.
I can see the ideas (kind of) - that you can define assets, risk scenarios.. applied controls (to handle risk in someway) etc.

But I could really use some more examples of how this would/should be used to improve security (which is the ultimate goal).

Do you make one "complete initial security assessment" ?
Do you start with "production systems" - and create assets and risks you can think of for those.. or ?
Could really use a Q&A thing f.ex. - to "ask questions" - and create objects or something.. or just a couple of good complete examples of how this is used by organisations successfully.

f.ex. I've found that I can create a primary asset (a service of our own we depend on) - and a supporting asset (the k8s cluster it runs on) and another supporting asset (the servers the k8s cluster consists of). Below that lies my cloud provider (hetzner in this case) and datacenter risks.

I've created a applied control - but that is not showing up under "action plan".. only the '23' imported ones are.. for unknown reason.

also - I'd prefer to not list "physical assets" - such as servers manually - but f.ex. be able to import them from CSV atleast - or point to our CMDB (where I could add an API that would work for CISO to automaticly discover new assets).
(support for pointing to an inventory URL perhaps - that responds with a defined standard response - would work). And then in Pro - you can add support for various proprietary CMDBs - to pull from them specificly.

That way those assets could automaticly be "complained" about not being marked under any compliance check.. (until I do that) etc.

There are many ways this could go.. Its great to see an open source solution to GRC..