The compliance process requires an ISMS team to set up and implement the ISMS. It is also a requirement to have an overview of all team members, so that security and privacy controls can be built around people and processes. Here are some requirements to start with:
- Assign ISMS roles from your team. We advise that you start by assigning 2 team members responsible for your ISMS. Always ensure that both technology and business knowledge are represented in your ISMS team.
- Assign the minimum mandatory security roles to the ISMS team members: Security Officer (SO) and Data Protection Officer (DPO). The section Roles and Responsibility explains the specific roles in more detail. As your ISMS matures over the years, more team members can be assigned to specific roles or activities.
- If you have an office, you are responsible for its physical security. You can cover this by keeping track of who has access to the office (by key/card/code). If that security is outsourced (e.g. you make use of co-working spaces), check that it is part of your contract.
- If you hire people, ISO 27001 expects you to be in control of the number of team members at all times, including each person's job title, team, and who leads/mentors that person.
- You will need to be in control of your labor contracts. Especially in the scaling phase, it is handy to have expiry dates etc. in one place.
From a Compleye Online perspective, the People@ section should be the first section you address, as it is linked to multiple fields in other sections. To make use of all features, you will need to fill in at least each team member's name, status (active/non-active) and job title.
Definition of your team members: your employees, or individuals who have a contract with your company (this can be a shareholder with a management contract or a freelancer contract, as long as they work more time for you than for anyone else). When an individual is tied to a company that delivers people as a service, profile them as a supplier and not as a team member.
- There is functionality to add documents (e.g. contract, referrals, etc.) for each new team member.
We have added more fields than the mandatory ISO 27001 requirements in this section; you can choose whether to make use of them. We have divided the input into 3 sections:
- General: organizational information.
- Contact: not mandatory for the ISMS, but very useful to have in place (e.g. personal email for payslips, all telephone numbers in one place, and private information). Reminder notifications are also sent to the email address registered here when that function is enabled. Please make sure to check the authorization level of users: who has access and who has observer rights.
- Contract: you can fill in all information and also upload the contract when needed. We have enabled functionality for the authorization levels; you can grant observer rights and access on individually assigned sections. Still, be careful when adding a contract containing confidential information (e.g. bank account and salary details). Contract templates are addressed in the section Legal & Compliance.
- In accordance with the ISO requirements, part of onboarding new team members is to present them with the Security Policy and any internal security rules or procedures for employees. In the Templates section you can find templates for the Security Policy, Code of Conduct, Human Resource Policy, and Workspace & Equipment Policy. Once you have adopted these, also attach them to this section under Procedure/Info.
- Team Member Name: add the name (first and family name).
- Status: options are Active or Not Active.
- Under contract: Y/N.
- Job title: indicate the job title in a free text format, e.g. CTO, Developer, Operations. In the module Jobs and Descriptions you can find an overview of jobs.
- Gender: select from radio buttons; options are Female or Male.
- Select from a drop-down menu; options are Employee, Individual Contract or Other. See the definition of team members above and stick to it. If you choose Other, add a special field.
- Team: specify the team in a free text format. If you are not yet organized in teams, create 2 teams: a business team and a tech team. Everyone who is not a developer is part of the business team. This is the start of your organizational development.
- Mentor or team lead: indicate in a free text format. Your first ISMS team members (business and tech) should take a mentor role. In the case of founder/C-level team members, assign mentors among the founders/C-level, just to be complete and to assign a mentor to everyone.
- Office access tool: indicate the office access tool used in a free text format. If you are not responsible for the security of your office, you do not have to address this.
- ISMS Team Member: indicate whether a member is part of the ISMS team using radio buttons; options are Yes or No. Assign at least 2 ISMS team members, 1 representing business and 1 representing technology.
- ISM role: define the ISM role in a free text format. Make sure that at least one person is the Data Protection Officer (DPO) and one person is the Security Officer (SO). In the module Roles & Competences you can find more information.
- Phone number: include in a free text format. Please make sure that access to this information is restricted: this kind of HR information is classified as restricted and should only be available to authorized team members.
- Private email: include in a free text format.
- Address: include in a free text format.
- Emergency contact details: include in a free text format.
- Type of Contract: specify the type of contract from a drop-down menu; options are:
  Choose the type of contract applicable for the team member. If making use of Other:
- Select date using an embedded calendar.
- Select date using an embedded calendar.