12-Day ISO 27001 Roadmap

We organize the ISO 27001 Roadmap into 14 days plus a preparation phase. The overview below lists what to address on each day and how to prepare.

GENERAL:

  • **For all Sections and Subsections, a wiki page has been created to guide you. An overview of all wiki pages per section is at https://compleye.wiki/compleyeonline/.**
  • In Compleye Online you will find, at the top of each section, a link to the assigned wiki page.
  • Assign a Compliance Officer, who will be in charge of the Roadmap, address all the To Do’s and prepare every day. Use the invites for the Ask-me-Anything Sessions in case you have questions.
  • If you are in the Compliance Guide Program, Compleye has taken the (interim) role of Compliance Officer and will prepare and organize the 12 days planned.

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| X-ray | In the free X-ray session, Compleye will design your X-ray. Upload it to your client board. | Dashboard | | |
| X-ray | Compleye will also upload all the individual X-ray components to your client board. | IT infrastructure | X-ray Components | |
| Operations | Determine whether you want to use the sections @people, suppliers, assets and access management. Read the wiki: https://compleye.wiki/setup-scale-your-operations/ | | | |
| (ISMS) Team | Upload all your team members, or just the ISMS Team members who will make use of the platform. | People@ | | |
| Assets | Add all your assets to complete the list. | Asset Management | | |
| Suppliers | Add all your suppliers to complete the list, or we can upload all suppliers if a list is available. | Risks & Opportunities | Supplier Overview | |
| Tools & Access | Decide whether you want to use this section or another tool for access management. Don’t forget to keep track of external stakeholders (suppliers) for access management. | Measures & Controls | Access Management | |
| ISMS Organization | To understand CH 4-10 of ISO 27001 and how the platform supports it with evidence, start reading this document. You will need to review it in the final stage to add roles and responsibilities. Upload the first version in Policies & Procedures. | Policies & Procedures | ISMS Mandatory Topic CH4-10 | |
| Prepare | The Wiki home page includes 5 videos on how Compleye Online supports ISO 27001; watch the videos. https://compleye.wiki/ | | | |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| ISMS Organization | Read the wiki to understand the Policies & Procedures section. | Policies & Procedures | Policies & Procedures | |
| ISMS Organization | Go over the list of Templates; try using the search functionality. | Policies & Procedures | Templates | |
| Operational Planning & Control | Go over the wiki on OPC’s to understand the functionality. | Measures & Controls | OPC | ISMS Operational Planning template (still in concept) |
| Risk Management | Adopt your Risk Management approach. | Policies & Procedures | Risk and Opportunities Policy Statement | |
| Scope | Document your scope in the ISMS Mandatory Topics Ch 4-10 document. | Policies & Procedures | ISMS Mandatory Topic CH4-10 | |
| Business Strategy | Read the wiki and define your ISMS Objectives. | Strategy & Ambition | ISMS Objectives | |
| Business Strategy | Read the wiki and define your Organization & Context. | Strategy & Ambition | Organization & Context | |
| Scope – Statement of Applicability | Go over all topics, assess applicability and justifications, and create your first version. We advise using the template (not the section), as it is less time-consuming. Upload the SoA in the subsection Documentation. | ISO Certification | Documentation | SoA vs 2022 – prefilled |
| Supplier Management | Read the template and adopt the policy. | Policies & Procedures | Supplier Management Procedure | |
| Supplier Management | Add the supplier checklists (from the template). | Policies & Procedures | Checklists | |
| Scope information | Document all information in the General tab for all your X-ray components. | IT Infra X-ray | General | |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| HR Management | Read, adopt and upload. | Leadership & Management | HR Documentation | Security Officer Role |
| Incident Management | Read, adopt and upload. | Policies & Procedures | Incident Management Procedure | |
| Incident Management | Let the TechTeam adopt the CAPA and Incident Report templates in the tool they use for implementation. | | | |
| IT Security | Check the content and adopt the policy (V1; finalize later when all information is available). | Policies & Procedures | Security Policy | |
| Office & HW security | Read, adopt and upload. | Policies & Procedures | Workspace & Equipment Policy | |
| Password Management | Read, adopt and upload. | Policies & Procedures | Password Management Policy | |
| Contractual Agreements | Check the wiki and add all template contracts. | Legal & Compliance | Contracts Overview | |
| Contractual Agreements | Check the wiki and add IP content. | Legal & Compliance | Intellectual Property | |
| Contractual Agreements | Check the wiki and add all stakeholders and requirements. | Legal & Compliance | Interested Parties & Legal Requirements | |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Data Classification | Read the content, check the wiki and adopt the policy. | Policies & Procedures | Data Classification Policy | |
| Data Classification | Use the policy guidelines to add content to the section. Check your X-ray to confirm you have addressed all data sources as well. Define per data source whether the data falls under data regulations (PII/personal data). | Risks & Opportunities | Data Classification | |
| ROPA | Start creating the ROPA by making use of the templates. | Policies & Procedures | ROPA template | |
| Legal Base | Define the legal base for GDPR data in the section. [It can also be added in the Data Classification section by adding an extra field (legal base); add the additional fields in the data classification policy.] | Legal & Compliance | GDPR _ Legal Base | |
| Cookie Policy | Check your Cookie Policy against the template (address all topics). | Policies & Procedures | Cookie Policy | |
| Privacy Policy | Check your Privacy Policy against the template (address all topics). | Policies & Procedures | Privacy Policy | |
| DPA | Add your DPA template to the section. | Legal & Compliance | Contracts Overview | |
| DPA | Add all your DPAs with stakeholders (suppliers, customers etc.) to the DPA overview. | Legal & Compliance | GDPR – DPA Overview | |
| User Documentation | You can add all end-user documentation in this section (next to the Cookie Policy and Privacy Policy, all communication). | Legal & Compliance | GDPR _ User Documentation | |
| Procedures | Adopt and upload your Data Breach procedure. | Policies & Procedures | Data Breach Procedure | |
| Procedures | Adopt and upload your Data Breach procedure. | Policies & Procedures | Data Subject Request Policy | |
| Procedures | Adopt, adjust and upload your Data Retention Policy. | Policies & Procedures | Data Retention Policy | |
| HR | Read the role and responsibilities and assign a person. Upload the document and add the role in the @people section. | Leadership & Management | HR Documentation | Privacy Officer Role |
| Register | Read the wiki and make sure the privacy officer will make use of this register. | Legal & Compliance | GDPR _ User GDPR Rights Requests | |
| Register | Read the wiki and make sure the privacy officer will make use of this register. | Legal & Compliance | GDPR _ Data Breaches | |
| Assessment | Determine whether you need to perform a DPIA (if you are controller of customer/end-user data). If so, perform the DPIA, upload the document, create findings and assign improvements. | Risks & Opportunities | DPIA | Data Protection Impact Assessment Template |
| Assessment | Perform the assessment, upload the document, add findings and create improvements. | Risks & Opportunities | GDPR Assessment | GDPR Assessment |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Data Backup | Read, adjust the content and adopt the policy. | IT Infra X-ray | Server Environment | Backup Procedure |
| Access Management | Read, adjust the content and adopt the policy. | Policies & Procedures | Identity and Access Management Policy | |
| Access Management | List all the tooling and applications you use (read the wiki) and create your overview for internal and external access. [Add an extra field, e.g. 2nd admin, and link the tool to the Access Management page for efficiency.] | Measures & Controls | Access Management | |
| Cryptography | Read, adjust the content and adopt the policy. | Policies & Procedures | Cryptography Policy | |
| Metrics | Read the wiki, check the SLA, and define the incidents, KPIs, objectives and other metrics that you want to keep track of. | Measures & Controls | Security Metrics | |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Threat Intelligence | Read, adjust the content and adopt the policy. | Policies & Procedures | Threat Intelligence Procedure | |
| SDLC | Homework for the SO/TechLead: embed it in the daily operations and tooling of the Dev Team. Once finalised, upload a PDF to the platform. | Policies & Procedures | Software Development Life Cycle | |
| Outsourced Development | Check the content and adopt the guidelines in your SDLC and other policies. Upload the document with your notes. | Policies & Procedures | Guidelines for outsourcing development | |
| Log & Monitoring | Check the wiki (link to page) for log and monitoring information and implement it according to your needs. | Measures & Controls | Security Metrics | Logging & Monitoring Information |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| HR | Review, adjust and adopt this policy in the most efficient way. | Leadership & Management | HR Documentation | HR Policy & Code of Conduct |
| HR | Discuss with HR how you will organise your onboarding and offboarding and the evidence created. You can make use of the Checklist In and Checklist Out on the platform, or choose otherwise. | Policies & Procedures | Checklist IN and Checklist OUT | |
| HR | Determine who will be CO (this can be interim during the Compliance Guide Program) and adopt the role description. | Leadership & Management | HR Documentation | Compliance Officer Role |
| HR | Add additional information: Organisational Chart and relevant organisational documentation (e.g. how you register and train competences in general). | Leadership & Management | HR Documentation | |
| Sales, Privacy Check | Assess in which countries (next to HQ) customers are serviced and assess the privacy regulations. Add additional security and privacy requirements. | Legal & Compliance | Global Impact | |
| Sales, Privacy Check | Explain how this section can be used during sales processes. Read the wiki and add all vendor assessments already performed. | Risks & Opportunities | Vendor Assessment | |
| ISMS | Adopt your communication policy, assign roles and responsibilities. | Policies & Procedures | ISMS Communication Policy | |
| Change Management | Decide on the documentation of changes. | Policies & Procedures | Change Management Procedure | |
| Change Management | Add the template for the change management checklist. | Checklist | Change Management Procedure | |
| Change Management | Find an example to implement your first change in the X-ray component, e.g. for the ISMS Team: implement the new roles for the ISMS Team. Make use of the change management checklist. | IT Infra X-ray | Change & Impact | |
| ISMS | Start working on connecting everything with the X-ray components. | IT Infra X-ray | Interactions | |
| ISMS | Collect all information sources. | Policies & Procedures | Authorities & External Feeds and Resources | |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| IT Security Assessment | Go over the procedure first, before performing the ISRA assessment. | Policies & Procedures | ISRA Procedure | |
| IT Security Assessment | Perform the assessment, define findings, let C-level approve, add them to the section and create improvements. | Risks & Opportunities | ISRA | ISRA Template |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Business Assessment | Choose the template (generic or technical); if it is the first time, choose generic. Perform the assessment, assign findings and improvements. | Risks & Opportunities | Business Continuity Plan | BCP – Generic Option |
| Business Assessment | Choose the template (generic or technical); if technical, involve an SO with DRP knowledge. Perform the assessment, assign findings and improvements. | Risks & Opportunities | Business Continuity Plan | BCP – Technical Option |
| Business Assessment | Go over the entire document, adjust where needed, assign findings and improvements, and make it part of the BCP. (For the overview, choose the Word or Excel version.) | Risks & Opportunities | Business Continuity Plan | ISMS & Business Processes (Excel and Word version) |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Management Review | When all assessments have been performed, go for the Management Review. Prepare (start with the closed improvements) and organise 1-2 meetings with the team. Assign findings and improvements. If this is the 2nd time, you can choose to perform the Internal Audit first. | ISO Certification | Management Review | Management Review Template |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Security Awareness Training | Organise the training, prepare the slides, and let ISMS team members perform the training. Check the results of the questionnaire after the training. Evaluate during the ISMS meeting. Add all evidence to the training section. | Leadership & Management | Training | Security Awareness Training Slides |
| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Internal Audit | Share the procedure with the ISMS team and upload it. | Policies & Procedures | Internal Audit Procedure | |
| Internal Audit | Use this section during preparation of the Internal Audit. | Audit View | ISO 27001 | |
| Internal Audit | Perform the assessment, making use of the Audit View. Plan and prepare 2 meetings: an investigations meeting and C-level approval of the findings. Upload the results, add findings and assign improvements. | ISO Certification | Internal Audit | Internal Audit Criteria & Investigation Notes |
| HR | Go over the role description and upload it. | Leadership & Management | HR Documentation | Internal Auditor Role |
| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Security Meeting | Prepare for the external audit: hold a proper security meeting and go over all topics. Assign CTAs. | Operations | Security Meetings | |
| Security Meeting | Make sure all ISMS team members have added the email addresses for CTAs (OPC’s and Improvements). | Operations | Call to Actions | |
| External Audit | Prepare for the external audit: go over the planning for stage 1 and stage 2. Who will take over the role of CO and guide the external audit? | Audit tips | | |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Compleye Online | Invite the Auditor as an observer to your client board. | | | |
| Internal Audit topic | The Internal Auditor will be available during stage 2 for the topic Internal Audit. Plan the dates in the agenda. | | | |

| Topic | To Do’s | Section | Subsection | Use Template |
|---|---|---|---|---|
| Maintenance | Watch the video on the wiki homepage on how to maintain your ISMS. | | | |