Security Meetings
Although there is no hard requirement in ISO27001 to organize security meetings, you will need to organize a governance structure for your ISMS. In this chapter tips how to.
We advised you already at your first step with Compleye Online, at section People@ to organize an ISMS Team – representing Business, Operations and Technology. For Startups that probably will be the CEO/COO and CTO. And your governance structure will be simple, During Security Meetings you can make decisions on all topics related to ISMS. If you scale your business, you will need to assign a compliance officer (can be the COO) that will organize your ISMS and more team members can be assigned to specific tasks and jobs.
Documentation
Although we do not like to decrease the amount of documentation in policies/procedures, it is important to document certain ISMS information. (e.g. improvements, learnings, changes, insights etc.) And that kind of information is important to auditors, as they always say – If you did not document it, it did not happen. That is why we suggest that every time you have meetings with your ISMS Team – you will make notes, hence this section Security meetings.
We created already a list of agenda topics – that you can use, and will need to address on regular base – to keep yourself in control of your ISMS. We suggest to organize every month a security meeting, where you address all of the topics on the agenda. Depending on changes and progress you can organize more in depth meetings separate.
If ISMS team members do not prepare the agenda (check the progress on improvements or controls) before the meeting, you will need (much) more time then 1 hour.
Tips:
- Assign a security meeting owner, that will check 1 week before security meeting the agenda. e.g. remind ISMS team members to solve the Call to Actions, check the controls and progress on improvements.
- Documentation of changes in X-Ray, should be made in the specific section of component – you can add notes on the impact (e.g. is a new security assessment needed?) in this section.
- Changes in security metrics definition is probably a job that will be done on a yearly base. If the ISMS Team is happy with the security metrics, skip this agenda point.
- Assign a person responsible for adding Security Metrics/Incidents and add 1 days before the security meeting and let him/her summarize the info. In case there is an incident it needs to be documented and CAPA procedure needs to be followed. Refer to CAPA Procedure template provided to you in Templates section,
- New customers/projects – is added because a lot of Startups will need to perform a compliance assessment with every new customer. e.g. new contracts, new countries to be implemented, DPA? etc. make your notes (and call to actions) and make use of other sections to write the notes. this is a job for Compliance Officer, to coordinate and assess.
- Suppliers is something that is usually forgotten, check the wiki on Overview Suppliers. you have probably more then you realize. Keep track of it and ensure that with the selection of new suppliers the Supplier Management Procedure is being followed. Do not forget to document the selection and change of Suppliers as well (add that info as doc to the specific supplier overview).
- New Team members = follow a Checklist IN (and out if leaving). make someone responsible for the checklists and ensure that the document is stored (e.g. in @people section)
- Controls – this is an important task: always check if controls have been executed, evaluated and/or skipped and evidence or justification is in place.
- Improvements – The security meeting is the perfect place to evaluated the progress and things that are blocking. I an improvement has no progress for a long time, you will need research the cause. Is this still a priority? is it already solved by another activity? Make your notes on the improvements cards themselves. And add only notes in this sections, if you have an overall suggestion on progress, time management, ownership etc. Refer to Improvement procedure template (and create your own from it if you don’t have it yet) for clarity and guidance.
- And we have a section for other relevant ISMS topics if needed.
- If you address a topic, with notes – the number will colour green – as being addressed and on the list. Meaning that if you re-open a meeting it is easy to see with topics you have addressed during security meeting. If you do not have time to address all topics – that is ok, you can always organize a second meeting.
- you can also use this agenda for in depth meetings on certain topics.
Note that you can find templates for all the procedures and policies that we refer to here on Templates section of Compleye Online. Read about it also here in wiki.
Call to actions
- Next to your notes, you can assign Calls to action.
- Keep them simple and short (there are not improvements, just simple reminders on things to do)
- Adding a Call to action will open another menu:
short sentence to give the call to action a title
add a deadline
add an owner
- Once a call to action is created your can Remove or Close it, by making use of the … menu
- Once closed, you can Remove or Reopen it, by making use of the … menu
Add new Security Meeting
| Field Name | Description | Example |
| Date | calendar date picker – select a date of the Security meeting | {date} |
| Attendees | Select from the drop down list who from the team is attending current Security Meeting | {names} |
| Agenda Topics | notes – free text field to address each of the topics on the agenda | {text} |
| Calls to action | ||
| +add call to action – | add a short description of the task title | |
| action point | free text field | |
| deadline | select a date for when this is due | |
| owner | select an owner form the drop down list |
