The sections in this step give you an overview of your assets and resources and let you control them; e.g. in People@ Overview you can keep track of the expiry dates of your employees' contracts. To make use of all the functionalities, we advise following a specific order, because the sections are connected to other steps. E.g. once you add a team member, you will be able to assign them as owners of suppliers or assign them to tasks.
When you upgrade your account from (free) Startupper to a DIY Subscription, we kick off with a (free) X-Ray Session with one of our Lean Compliance Designers.
During this session we dive into your Value Proposition, exploring your product, services, data flows, your IP and high-risk suppliers. We visualize this in an X-Ray and add it to your dashboard. In addition, we divide it into smaller components and add them to the section IT Infrastructure X-Ray.
The session is also a great way for us to get to know you and your team, and an opportunity to discuss your compliance challenges.
After this session you will be even more prepared to finish the topics of step 2.
After the X-Ray Session, you will have a much clearer picture of which parts of your business are the riskiest. Now it is time to document all the risks and continue gathering information that you probably already have in place (legal documents). If you do not have all documentation in place (e.g. security procedures & policies), we will provide you with templates for you to customize.
|Section||Topic||Sub topic (top menu)|
|Legal & compliance||Intellectual Property|
|Legal & compliance||Contracts Overview|
|Risks & opportunities||Data Classification|
|Legal & compliance||Global impact|
|Legal & compliance||GDPR||Legal Basis, User Documentation, User GDPR Rights Requests, Data Breaches, DPA Overview|
|Risks & opportunities||Information Security Risk Assessment|
|Risks & opportunities||Disaster Recovery Plan|
|Risks & opportunities||Supplier Assessment|
|Risks & opportunities||GDPR Assessment|
|Risks & opportunities||DPIA|
|Policies & Procedures||Policies||Security, Privacy|
|Leadership & Management||Roles and Competences|
|Leadership & Management||Organization, Jobs and Descriptions|
The next part is the core of your ISMS – this is where you are going to define what you want to achieve and what activities you are going to undertake. And of course, you will need to assign owners and deadlines to all activities.
|Section||Topic||Sub Topic (top menu)|
|Measures & controls||Controls|
|Measures & controls||Asset Management|
|Measures & controls||Security Metrics|
|Measures & controls||Access Management||X-Ray Components|
|Leadership & Management||Training|
|Strategy & ambition||ISMS Objectives|
|Operations||Call to Actions|
If or when you decide to get certified for ISO27001, these last modules are mandatory to get you well prepared. Start first with the Preparation to understand how and when to start up that process, so you know what costs, time, and resources you need to assign.
|Topic||Sub Topic (top menu)|
|Risks & opportunities||Business Continuity Plan|
|ISO Certification||Documentation Ch 4-10 ISO27001|
|Internal Audit||Internal Audit|
|ISO Certification||Statement of applicability|
|ISO Certification||Management review|
Audit Companies – General information
Certification of ISO27001 can only be given by an external Audit Company. Compleye is not a certified body; we only advise and support SMEs with our Platform and Services. The Audit Companies (certifying bodies) below are the ones that we have worked with in the past and work with at the moment. Please note that these are just examples; there are international Audit organizations, and in each country there are also audit companies that work only in that country. We will keep the information and examples of Audit Companies that we work with up to date in this Wiki.
Audit Companies (Certifying Bodies) Compleye works with:
With your initial inquiry for the external audit, you will receive an intake form from the Audit Company, which needs to be filled in and submitted. The Audit Company will come back to you with its proposal and pricing, based on the information you provided in the intake form.
Some notes to start with:
Preparing for External Audit
Depending on the size of the organization and the complexity of its technology, the Audit Company will make a proposal for 3 years.
Year 1 is divided into 2 stages. Stage 1: decide whether you are eligible for certification. Stage 2: the in-depth audit.
Year 2 and 3: control audits.
Indication of pricing: if your organization size is <10 fte, with an average IT complexity, pricing will be around 8-10 K Euro (year 1: 3,5 days and year 2+3: 2 days a year). They will charge more (days) if you grow your organization on a yearly basis.
If you require it, Compleye also provides guidance through the certification process and follows through the audit with your company. Please contact us for more info on this service.