DIY Roadmap

Sections in this step give you an overview of your assets and resources and let you control them as well, e.g. in People@ Overview you can keep track of the expiry dates of your employees' contracts. To make sure you use all of the functionality, we advise following a specific order, because the sections are connected to other steps, e.g. once you add a team member you will be able to assign them as owner of suppliers or assign them to tasks.

Section                 | Topic              | Sub Topic (top menu)
Leadership & Management | People@            |
Measures & controls     | Asset Management   |
Risks & Opportunities   | Suppliers Overview |
Measures & controls     | Access Management  | Software Access

When you finish step 1, we offer a free X-Ray Session with one of our Lean Compliance Designers.

In this 1.5-hour session, we dive into your Value Proposition, explore your Organization & Context and your Interested Parties & Legal Requirements, and co-create your own X-Ray. This X-Ray will be the basis for your scope, and we will assign the X-Ray Components for the next phase.

This is also a great way for us to get to know you, and for you to raise your most important compliance questions. After this Session you will be able to finish the following Sections:

Section             | Topic                                   | Sub Topic (top menu)
Strategy & ambition | Organisation & Context                  |
Legal & compliance  | Interested Parties & Legal Requirements |
IT infrastructure   | X-Ray                                   | Customized X-Ray Components

After the X-Ray Session, you will have a much clearer picture of which parts of your business are the riskiest. Now it is time to document all the risks and to gather the information you probably already have in place (legal documents). If you do not have all documentation in place (e.g. security procedures & policies), we provide templates for you to customize.

Section                 | Topic                                | Sub topic (top menu)
Legal & compliance      | Intellectual Property                |
Legal & compliance      | Contracts Overview                   |
Legal & compliance      | GDPR                                 | Legal Basis, User Documentation, User GDPR Rights Requests, Data Breaches, DPA Overview
Legal & compliance      | Global impact                        |
Risks & opportunities   | Data Classification                  |
Risks & opportunities   | Information Security Risk Assessment |
Risks & opportunities   | Disaster Recovery Plan               |
Risks & opportunities   | Supplier Assessment                  |
Risks & opportunities   | GDPR Assessment                      |
Risks & opportunities   | DPIA                                 |
Policies & Procedures   | Policies                             | Security, Privacy
Policies & Procedures   | Procedures                           |
Leadership & Management | Roles and Competences                |
Leadership & Management | Organization, Jobs and Descriptions  |
Operations              | Improvements                         |

The next part is the core of your ISMS: this is where you define what you want to achieve and which activities you are going to undertake. And of course, you will need to assign owners and deadlines to all activities.

Section                 | Topic             | Sub Topic (top menu)
Measures & controls     | Controls          |
Measures & controls     | Asset Management  |
Measures & controls     | Security Metrics  |
Measures & controls     | Access Management | X-Ray Components
Leadership & Management | Training          |
Strategy & ambition     | ISMS Objectives   |
Operations              | Security Meetings |
Operations              | Call to Actions   |

If or when you decide to get certified for ISO27001, these last modules are mandatory to get you well prepared. Start with the Preparation first, to understand how and when to start that process, so you know which costs, time and resources you need to assign.

Section               | Topic                             | Sub Topic (top menu)
Risks & opportunities | Business Continuity Plan          |
ISO Certification     | Documentation Ch 4-10 ISO27001    |
Internal Audit        | Internal Audit                    |
ISO Certification     | Scope                             |
ISO Certification     | Statement of applicability        |
ISO Certification     | Management review                 |

Audit Companies – General information

ISO27001 certification can only be granted by an external Audit Company; Compleye is not a certifying body, we only advise and support SMEs with our Platform and Services. The Audit Companies (certifying bodies) below are the ones we have worked with in the past and are working with at the moment. Please note that these are just examples: there are international Audit organizations, and in each country there are also audit companies that work only in that country. We will keep the information and examples of Audit Companies we work with up to date in this Wiki.

Audit Companies (Certifying Bodies) Compleye works with:

  • BSI  https://www.bsigroup.com/
  • TUV  https://www.tuvsud.com/
  • DNV  https://www.dnv.nl/

With your initial inquiry for the external audit, you will receive an intake form from the Audit Company, which needs to be filled in and submitted. The Audit Company will then come back to you with its proposal and pricing, based on the information you provided in the intake form.

Some notes to start with:

  • Most Audit Companies are not familiar with working with Start-ups and Scale-ups.
  • The external auditors are sometimes hired and work as contractors for the Audit Company, and each of them has their own style. So always ask whether the auditor has experience with Startups.
  • Every Audit Company has its own onboarding process. It always starts with an intake form, which can sometimes be extensive and is needed to define the scope of the audit.
  • Based on the intake form they will define the pricing and proposal.
  • Audit Companies work with a fixed number of audit days, depending on the size of your organization (FTE team members) and the complexity of your IT Infrastructure, so you will need to be a bit creative with that. Teams below 10 FTE are much cheaper to audit than larger companies.
  • Audit Companies always want to visit your office; that is part of the rules they need to comply with. Do not laugh… there are also Standards/Norms that they need to comply with.
  • Most of them are not used to working with Online Organizations and/or Organizations that only (partly) make use of Co-Working spaces. It is our experience that most auditors like to visit you and pay a lot of attention to your physical security elements.
  • There are audit companies that are developing new methods and like to work with Startups. Compleye is searching for Audit Companies that understand how Online Organizations work, know the challenges of Startups and become familiar with the Compleye Online Platform, so that external audits can become a more pleasant experience. Hopefully in the near future we can refer you to specific Audit Companies that fit that profile. We will keep you informed.

Preparing for External Audit

Depending on the size of the organization and the complexity of the technology, the Audit Company will make a proposal for 3 years.
Year 1 is divided into 2 stages: stage 1 decides whether you are eligible for certification, and stage 2 is the in-depth audit.
Years 2 and 3: control audits.

Indication of pricing: if your organization is smaller than 10 FTE with average IT complexity, pricing will be around 8-10K Euro (year 1: 3.5 days; years 2 and 3: 2 days a year). They will charge more days if your organization grows year on year.

Process:

  • Request the proposal for the certification from the Audit Company approx. 6-8 months in advance.
    Most audit companies have long waiting lists.
  • Make sure you have closed steps 1, 2 and 3. Start your Internal Audit 3 months in advance and have your Management Review ready 1-2 months before the external audit.
  • Start the final preparations for the certification 4-6 weeks before the external audit:
    • Review the mandatory documentation
      (SOA, Internal Audit, Scope, Management Review and the Documentation of Chapter 4-10; templates are available in Compleye Online).
    • Review the internal audit improvements and, in Years 2 and 3, the external audit improvements.
    • Define what work still needs to be done and assign tasks to all ISMS Team Members.
    • Train and prepare the Team Members who are taking part in the external audit, so that everyone is on the same page, informed and well prepared to answer questions and present the evidence. Make use of the Audit Tips, part of our Templates.
  • Agree within your ISMS team who will facilitate the external audit days from the company's side and act as contact person for the external Auditor. Stay in contact and ask for the agenda.
  • During the External Audit, the Auditor is in the lead and will explain the process/agenda.
  • After the audit, make sure to de-brief and address the findings of the external audit by creating a follow-up plan.
  • Create a Corrective Action Plan, which needs to be formally submitted to the Audit Company in case of findings that are classified as non-conformities.

If required, Compleye also provides guidance through the certification process and follows the audit through with your company. Please contact us for more information on this service.