ISO27001 DIY Roadmap

Sections in this step give you an overview of your assets and resources and let you control them as well, e.g. in People@ Overview you can keep track of the expiry dates of your employees' contracts. To make sure you use all the functionality, we advise following a specific order, because these sections are connected to other steps: e.g. if you add a team member, you can then assign them as owner of a supplier or assign them to tasks.

Section | Topic | Sub Topic (top menu)
Leadership & Management | People@ |
Measures & controls | Asset Management |
Risks & Opportunities | Suppliers Overview |
Measures & controls | Access Management | Software Access

When upgrading your account from (free) Startupper to a DIY Subscription we will kick off with a (free) X-Ray Session with one of our Lean Compliance Designers.

During this session we dive into your Value Proposition, exploring your product, services, data flows, your IP and high-risk suppliers. We visualize this in an X-Ray and add it to your dashboard. We also divide it into smaller components and add those to the section IT Infrastructure X-Ray.
The session is also a great way for us to get to know you and your team, and an opportunity to discuss your compliance challenges. 

After this session you will be even more prepared to finish the topics of step 2.

Section | Topic | Sub Topic (top menu)
Strategy & ambition | Organization & Context |
Legal & compliance | Interested Parties & Legal Requirements |
IT infrastructure X-Ray | Customized X-Ray Components |

After the X-Ray Session, you will have a much clearer picture of which parts of your business are the riskiest. Now it is time to document all the risks and continue gathering information that you probably already have in place (legal documents). If you do not have all documentation in place (e.g. security procedures and policies), we provide you with templates that you customize yourself.

Section | Topic | Sub Topic (top menu)
Legal & compliance | Intellectual Property |
Legal & compliance | Contracts Overview |
Risks & opportunities | Data Classification |
Legal & compliance | Global impact |
Legal & compliance | GDPR | Legal Basis, User Documentation, User GDPR Rights Requests, Data Breaches, DPA Overview
Risks & opportunities | Information Security Risk Assessment |
Risks & opportunities | Disaster Recovery Plan |
Risks & opportunities | Supplier Assessment |
Risks & opportunities | GDPR Assessment |
Risks & opportunities | DPIA |
Policies & Procedures | Policies | Security, Privacy
Policies & Procedures | Procedures |
Leadership & Management | Roles and Competences |
Leadership & Management | Organization, Jobs and Descriptions |
Operations | Improvements |

The next part is the core of your ISMS – this is where you define what you want to achieve and which activities you are going to undertake. And of course, you will need to assign owners and deadlines to all activities.

Section | Topic | Sub Topic (top menu)
Measures & controls | Controls |
Measures & controls | Asset Management |
Measures & controls | Security Metrics |
Measures & controls | Access Management | X-Ray Components
Leadership & Management | Training |
Strategy & ambition | ISMS Objectives |
Operations | Security Meetings |
Operations | Call to Actions |

If or when you decide to get certified for ISO27001, these last modules are mandatory to get you well prepared. Start with the Preparation to understand how and when to start that process, so you know what costs, time and resources you need to assign.

Section | Topic | Sub Topic (top menu)
Risks & opportunities | Business Continuity Plan |
ISO Certification | Documentation | Ch 4-10 ISO27001
Internal Audit | Internal Audit |
ISO Certification | Scope |
ISO Certification | Statement of applicability |
ISO Certification | Management review |

Audit Companies – General information

Certification for ISO27001 can only be issued by an external Audit Company; Compleye is not a certifying body – we only advise and support SMEs with our Platform and Services. The Audit Companies (certifying bodies) below are the ones we have worked with in the past and are working with at the moment. Please note that these are just examples: there are international audit organizations, and in each country there are also audit companies that work only in that country. We will keep the information and examples of Audit Companies we work with up to date in this Wiki.

Audit Companies (Certifying Bodies) Compleye works with:

BSI   https://www.bsigroup.com/

TUV  https://www.tuvsud.com/

DNV  https://www.dnv.nl/

With your initial inquiry for the external audit, you will receive an intake form from the Audit Company, which needs to be filled in and submitted. The Audit Company will come back to you with a proposal and pricing based on the information you provided in the intake form.

Some notes to start with:

  • Most Audit Companies are not used to working with start-ups and scale-ups.
  • External auditors are sometimes hired as contractors by the Audit Company, and each of them has their own style, so always ask whether the auditor has experience with start-ups.
  • Every Audit Company has its own onboarding process. It always starts with an intake form, which can sometimes be extensive and is needed to define the scope of the audit.
  • Based on the intake form they define the pricing and proposal.
  • Audit Companies work with a fixed number of audit days, depending on the size of your organization (FTE team members) and the complexity of your IT infrastructure; you will need to be a bit creative with that. Teams below 10 FTE are much cheaper than larger companies.
  • Audit Companies always want to visit your office; that is part of the rules they need to comply with. Do not laugh… there are also Standards/Norms that they need to comply with.
  • Most of them are not used to working with online organizations and/or organizations that only (partly) make use of co-working spaces. In our experience most auditors like to visit you and pay a lot of attention to your physical security elements.
  • There are audit companies that are developing new methods and like to work with start-ups. Compleye is looking for Audit Companies that understand how online organizations work, know the challenges of start-ups and become familiar with the Compleye Online Platform, so external audits can become a more pleasant experience. Hopefully in the near future we can refer you to specific Audit Companies that fit that profile. We will keep you informed.

Preparing for External Audit

Depending on the size of the organization and the complexity of its technology, the Audit Company will make a proposal for 3 years.
Year 1 is divided into 2 stages: stage 1 decides whether you are eligible for certification, and stage 2 is the in-depth audit.
Years 2 and 3: control audits.

Indication of pricing: if your organization is <10 FTE with average IT complexity, pricing will be around 8-10 K Euro (year 1: 3.5 days; years 2+3: 2 days a year). They will charge more (days) if you grow your organization on a yearly basis.

Process:

  • Request the proposal for the certification from the Audit Company approx. 6-8 months in advance.
    Most audit companies have long waiting lists.
  • Make sure you have closed steps 1, 2 and 3. Start your Internal Audit 3 months in advance and have your Management Review ready 1-2 months before the external audit.
  • Start the final preparations for the certification 4-6 weeks before the external audit:
    • Review the mandatory documentation
      (SOA, Internal Audit, Scope, Management Review and the Documentation of Chapters 4-10 – templates available in Compleye Online).
    • Review the internal audit improvements and, in years 2 and 3, the external audit improvements.
    • Define what work still needs to be done and assign tasks to all ISMS Team Members.
    • Train and prepare the Team Members who take part in the external audit, so that everyone is on the same page, informed and well prepared to answer questions and present the evidence. Make use of the Audit Tips, part of our Templates.
  • Agree within your ISMS team who will facilitate the external audit days from the company's side and act as contact person for the external Auditor. Stay in contact and ask for the agenda.
  • During the external audit, the Auditor is in the lead and will explain the process/agenda.
  • After the audit, make sure to de-brief and address the findings of the external audit by creating a follow-up plan.
  • Create a Corrective Action Plan, which needs to be formally submitted to the Audit Company in case of findings that are classified as non-conformities.

If you require it, Compleye also delivers guidance through the certification process and follows the audit through with your company. Please contact us for more info on this service.