ISO27001 DIY Roadmap

Depending on the stage your company is in, you can approach this step in different ways, from 'I am a startup and organize my operations in Excel' to 'I am an established company and already have HR and asset tools in place', and everything in between.

Guidance:

  • If you have everything organized in a spreadsheet, you might want to make use of all the sections in this first step. The dedicated page on this topic describes the advantages of using these sections and how you can switch to external tooling once your business scales.

If you are already using other tools:

  • If you already have an external tool for HR management: only add the people who are involved in your compliance (ISMS) team.
  • If you already have an external tool for hardware assets: you can skip that section.
  • If you already have an external tool for (software) access management: you can skip that section. Do ask yourself whether that overview covers all software tooling, including the free tools, and read at least the wiki page to understand the requirements.
  • Do not skip the Supplier Overview section. You might have a good overview of suppliers in your financial administration, but that list will not be complete: free tooling is most likely not in your financial admin, and this section focuses on the security, business continuity and quality risks of suppliers.

To make sure you can use all functionality, we advise following the order below, because these sections are connected to later steps. For example: once you have added a team member, you can assign them as owner of suppliers or assets and assign tasks to them.

If you need help adding long lists of information to these sections (e.g. suppliers), we can add them to Compleye Online for you.

Topic                    | Subtopic (top menu)
Leadership & Management  | People
Measures & controls      | Asset Management
Risks & Opportunities    | Supplier Overview
Measures & controls      | Access Management: Software Access

When you upgrade your account from the (free) Startupper plan to a DIY subscription, we kick off with a (free) X-Ray Session with one of our Lean Compliance Designers.

During this session we dive into your value proposition: your product, services, data flows, IP and high-risk suppliers. We visualize this in an X-Ray and add it to your dashboard. We also break it down into smaller components and add those to the IT Infrastructure X-Ray section. The session is also a great way for us to get to know you and your team, and an opportunity to discuss your compliance challenges.

After this session you will be even better prepared to finish the topics of step 2.

Topic                    | Subtopic (top menu)
Strategy & ambition      | Organization & Context
Legal & compliance       | Interested Parties & Legal Requirements
IT infrastructure X-Ray  | Customized X-Ray Components

After the X-Ray Session you will have a much clearer picture of the riskiest parts of your business. Now it is time to document all the risks and to gather the information you probably already have in place (legal documents). Where documentation is missing (e.g. security policies and procedures), we provide templates for you to customize.

Topic                    | Subtopic (top menu)
Legal & compliance       | Intellectual Property
Legal & compliance       | Contract Overview
Risks & Opportunities    | Data Classification
Legal & compliance       | Global Impact
Legal & compliance       | GDPR: Legal Basis, User Documentation, User GDPR Rights Requests, Data Breaches, DPA Overview
Risks & Opportunities    | Information Security Risk Assessment
Risks & Opportunities    | Disaster Recovery Plan
Risks & Opportunities    | Supplier Assessment
Risks & Opportunities    | GDPR Assessment
Risks & Opportunities    | DPIA
Risks & Opportunities    | Threat Intelligence
Policies & Procedures    | Policies & Procedures: Security, Privacy
Leadership & Management  | Roles and Competences
Leadership & Management  | Organisation, Jobs and Descriptions
Operations               | Improvements

The next part is the core of your ISMS: here you define what you want to achieve and which activities you will undertake. Every activity needs an owner and a deadline.

Topic                    | Subtopic (top menu)
Measures & controls      | Operational Planning and Control
Measures & controls      | Asset Management
Measures & controls      | Security Metrics
Measures & controls      | Access Management: X-Ray Components
Leadership & Management  | Training
Strategy & ambition      | ISMS Objectives
Operations               | Security Meetings
Operations               | Call to Actions

If or when you decide to get certified for ISO 27001, these last modules are mandatory to get you well prepared. Start with the section Preparing for External Audit (below) to understand how and when to start that process, so you know what costs, time and resources you need to assign.

Topic                    | Subtopic (top menu)
Risks & Opportunities    | Business Continuity Plan
ISO Certification        | Documentation Ch 4-10 ISO 27001
Internal Audit           | Internal Audit
ISO Certification        | Scope
ISO Certification        | Statement of Applicability
ISO Certification        | Management Review
  

Audit Companies – General information

ISO 27001 certification can only be issued by an external Audit Company (certifying body). Compleye is not a certifying body; we only advise and support SMEs with our platform and services. The Audit Companies listed below are the ones we have worked with in the past and are working with at the moment. Please note that these are just examples: there are international audit organizations, and each country also has audit companies that only operate in that country. We will keep the information and examples of Audit Companies we work with up to date in this wiki.

Audit Companies (Certifying Bodies) Compleye works with:

BSI    https://www.bsigroup.com/

TUV   https://www.tuvsud.com/

DNV   https://www.dnv.nl/

3angles https://3angles.nl/en/

With your initial inquiry for the external audit, you will receive an intake form from the Audit Company, which needs to be filled in and submitted. The Audit Company will then come back to you with a proposal and pricing based on the information you provided in the intake form.

Some notes to start with:

  • Most Audit Companies are not used to working with start-ups and scale-ups.
  • The external auditors are sometimes contractors hired by the Audit Company, and each of them has their own style. So always ask whether the auditor has experience with start-ups.
  • Every Audit Company has its own onboarding process. It always starts with an intake form, which can be extensive and is needed to define the scope of the audit.
  • Based on the intake form they will define the proposal and pricing.
  • Audit Companies work with a fixed number of audit days, depending on the size of your organization (FTE team members) and the complexity of your IT infrastructure; you will need to be a bit creative with that. Teams below 10 FTE are much cheaper to audit than larger companies.
  • Audit Companies always want to visit your office; that is part of the rules they need to comply with. Don't laugh: there are also standards/norms that the auditors themselves have to comply with.
  • Most of them are not used to working with online organizations and/or organizations that only (partly) make use of co-working spaces. It is our experience that most auditors like to visit you and pay a lot of attention to your physical security controls.
  • Some audit companies are developing new methods and like to work with start-ups. Compleye is looking for Audit Companies that understand how online organizations work, know the challenges of start-ups, and are familiar with the Compleye Online platform, so that external audits become a more pleasant experience. Hopefully we can soon refer you to Audit Companies that fit that profile. We will keep you informed.

Preparing for External Audit

Depending on the size of your organization and the complexity of your technology, the Audit Company will make a proposal covering a 3-year certification cycle.
Year 1 is divided into two stages: in stage 1 the auditor reviews your documentation and decides whether you are ready for certification; stage 2 is the in-depth audit of the implementation.
Years 2 and 3: surveillance (control) audits.

Indication of pricing: for an organization of fewer than 10 FTE with average IT complexity, expect around 8-10K euro (year 1: 3.5 audit days; years 2 and 3: 2 days per year). If your organization grows, they will charge more days each year.

Process:

  • Request the proposal for certification from the Audit Company approximately 6-8 months in advance; most audit companies have long waiting lists.
  • Make sure you have closed steps 1, 2 and 3. Start your Internal Audit 3 months in advance and have your Management Review ready 1-2 months before the external audit.
  • Start the final preparations 4-6 weeks before the external audit:
    • Review the mandatory documentation (SoA, Internal Audit, Scope, Management Review and the Chapter 4-10 documentation; templates are available in Compleye Online).
    • Review the improvements from the internal audit and, in years 2 and 3, those from the previous external audit.
    • Define what work still needs to be done and assign tasks to all ISMS team members.
    • Train and prepare the team members who take part in the external audit, so that everyone is aligned, informed and ready to answer questions and present the evidence. Use the Audit Tips, part of our templates.
  • Agree within your ISMS team who will facilitate the external audit days from the company's side and act as contact person for the external auditor. Stay in contact and ask for the agenda.
  • During the external audit the auditor is in the lead and will explain the process and agenda.
  • After the audit, de-brief and address the findings by creating a follow-up plan.
  • Create a Corrective Action Plan for findings classified as non-conformities; this plan needs to be formally submitted to the Audit Company.

If you need it, Compleye also offers guidance through the certification process and can accompany your company through the audit. Please contact us for more information on this service.