ISO 27001 requires that you have an ISMS team for the setup, implementation and maintenance of the ISMS. You must also have an overview of all team members so that security and privacy can be built around people and processes. Here are some requirements to start with:
- Assign specific ISMS roles to people so that you know who will be part of the ISMS team.
- Assign ISMS roles from your team. We advise that you start by assigning a minimum of 2 team members responsible for your ISMS. Always ensure that there is knowledge of both technology and business within your ISMS team.
- Assign the minimum mandatory security roles to the ISMS team members – Security Officer (SO), Privacy Officer (PO) and Compliance officer (CO). At least one C-Level person must be assigned to your ISMS Team.
- It’s practical to assign a Compliance Officer (CO) to take on the role of Privacy Officer (PO) as well as the responsibility of set up, implementation and maintenance of the ISMS.
- In the section ‘Roles and Responsibilities’, we’ll explain more about the specific roles. As your ISMS matures, more team members can be assigned to specific roles or activities.
- If you have an office, you’re responsible for the physical security of your office. You can address this by keeping track of who’ll have access to the office (by key/card/code). If the security is outsourced (e.g., you make use of co-working spaces), you need to check if it’s part of your contract.
- If you hire people, ISO 27001 expects that you’re in control of the number of team members, their job titles and who will lead/mentor each person.
- You’ll need to be in control of your labour contracts. If you’re in the scaling phase, it’s handy to have expiry dates etc. in one place.
- From a Compleye Online perspective, the People@ section should be the first section that you address, as it is linked to fields in multiple other sections. To make use of all features, you will need to fill in all your team members’ names, statuses (active/non-active) and job titles.
TIP: Team members are your employees, or individuals that have a contract with your company. That could be anyone from a shareholder with a management contract to a freelancer (if they’re working more time for you than for anyone else). Don’t forget that when an individual is tied to a company that delivers people as a service, you will need to profile them as a supplier and not as a team member.
Let’s look at the different fields:
Add First name and Surname.
Default is ‘Active’. When a team member leaves, you can change the status to ‘Not Active’. By default, only active team members will be shown in the overview.
- Job Title
Add team member’s job title.
We have designed this section so that it can be used as a first HR tool for small companies with no HR tool in place. Please check the authorization level of users when you add personal information to this section.
We have divided the input into 3 sections:
- General – Organisational information
- Contact – Personal Information
- Contract – Contract Expiry dates
- Gender: choose male/female
- Profile: this is where you can choose if a person is an employee or works on an individual contract. If people are contracted as a supplier, choose ‘other’.
- Team: you can add different teams, depending on your organisation. This can help e.g., if you want to make selections in the overview on a specific team.
- Mentor/Team Lead: you can add the mentor or team lead. This is important for some auditors, so make sure you assign it a name.
- Office key/card/code: If you have an office space, you’ll need to prove that you’re in control of access to the office, so make sure you’ve documented who has a key to gain access.
- ISMS team member: if team members are part of the ISMS Team, check this box.
- ISMS role: write down the specific ISMS role – or describe what their function/role is.
- Enable reminder notifications: only for team members that are regular users of the platform and who have access to the sections ‘Controls’, ‘Improvements’ and ‘Calls-to-Action’. Reminder mails can be sent if a team member is assigned as an owner with a deadline.
Additional documents can be uploaded if you want to use this section as your HR organisation. Please first check who will have access to the section with respect to confidential information.
+Add new fields
You can add more fields to control HR/ISMS issues (e.g., Criminal Record Check) and customise this section.
It might be handy to have your team members’ contact details in 1 place.
Please note that the email address in this tab is reserved for notification mails and can’t be used for private email addresses. If you want to document private email addresses, make use of the +add new field functionality in this tab.
If you want to keep track of expiry dates of contracts, this is the place.
Team Member Name
Add name (first and family name)
Options are Active or Not Active.
Under contract Y/N
Indicate job title in a free text format.
For example: CTO, Developer, Operations. In the module Jobs and Descriptions you can find an overview of jobs.
Select gender from radio buttons; options are Female or Male.
Select from a drop-down menu; options are Employee, Individual Contract or Other.
See the definition of team members above and stick to it. If you choose Other, add a special field.
Specify team in a free text format.
If you are not yet organised in teams, create 2 teams: a business team and a tech team. Everyone who is not a developer will be part of the business team. This is the start of your organisational development.
Indicate mentor or team lead in a free text format.
Your first ISMS team members (business and tech) should take a mentor role.
In the case of founder/C-Level team members, assign a mentor from among the founders/C-Level, just to be complete, so that everyone has a mentor.
Indicate used office access tool in a free text format.
If you are not responsible for security of your office, you do not have to address this.
ISMS Team Member
Indicate whether a member is part of the ISMS team using radio buttons; options are Yes or No.
Assign at least 2 ISMS Team Members, 1 representing business and 1 representing technology.
Define the ISMS role in a free text format.
Make sure that at least one person is the Data Protection Officer (DPO) and one is the Security Officer (SO). In the module Roles & Competences you can find more information.
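As an added example (not Compleye Online code), the following Python encodes the staffing rules from this page as checks over a constructed roster: at least 2 active ISMS members covering business and tech, the SO and DPO roles named, a C-level person on the ISMS team, a mentor for every active member, and no former member still recorded as holding office access. The `c_level` flag and the business/tech team labels are assumptions; the page only states the requirements.

```python
from dataclasses import dataclass


@dataclass
class TeamMember:
    name: str
    job_title: str
    team: str                  # "business" or "tech" (the page's suggested starting split)
    status: str = "Active"     # "Active" or "Not Active"
    mentor: str = ""           # mentor/team lead, free text as on the page
    office_access: str = ""    # key/card/code held, empty if none
    isms_member: bool = False
    isms_role: str = ""        # free text, e.g. "SO / DPO"
    c_level: bool = False      # assumed flag; the page only requires one C-level member


def _roles(member):
    """Split the free-text ISMS role field on common separators into upper-case tokens."""
    return {t.strip().upper() for t in member.isms_role.replace(",", "/").split("/") if t.strip()}


def check_roster(members):
    """Return findings for the roster; an empty list means every check passed."""
    findings = []
    active = [m for m in members if m.status == "Active"]
    names = {m.name for m in active}
    isms = [m for m in active if m.isms_member]
    if len(isms) < 2:
        findings.append("fewer than 2 active ISMS team members")
    for needed in ("business", "tech"):
        if not any(m.team == needed for m in isms):
            findings.append(f"no {needed} representative on the ISMS team")
    roles = set().union(*(_roles(m) for m in isms))
    for role in ("SO", "DPO"):
        if role not in roles:
            findings.append(f"no ISMS member holds the {role} role")
    if not any(m.c_level for m in isms):
        findings.append("no C-level member on the ISMS team")
    for m in active:  # every active member needs a mentor who is an active team member
        if m.mentor not in names or m.mentor == m.name:
            findings.append(f"{m.name} has no valid mentor/team lead")
    for m in members:  # leavers must not keep a documented key/card/code
        if m.status != "Active" and m.office_access:
            findings.append(f"{m.name} is not active but still holds office access ({m.office_access})")
    return findings


# Constructed sample roster (fictional people); Dan has left but his card is still recorded
ROSTER = [
    TeamMember("Ada", "CTO", "tech", mentor="Ben", office_access="key", isms_member=True, isms_role="SO", c_level=True),
    TeamMember("Ben", "CEO", "business", mentor="Ada", office_access="code", isms_member=True, isms_role="CO / DPO", c_level=True),
    TeamMember("Cleo", "Developer", "tech", mentor="Ada", office_access="card"),
    TeamMember("Dan", "Operations", "business", status="Not Active", mentor="Ben", office_access="card"),
]

if __name__ == "__main__":
    for finding in check_roster(ROSTER):
        print("FINDING:", finding)
```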
Include phone number in a free text format.
Please make sure that you check whether access to this information is restricted: this kind of HR information is classified as restricted and should only be available to authorised team members.
Include private email in a free text format.
Include address in a free text format.
Include emergency contact details in a free text format.
Type of Contract
Specify type of contract from a drop-down menu, options are:
Choose the type of contract applicable for the Team member. If making use of Other:
Select date using an embedded calendar.
Select date using an embedded calendar.