ISMS Setup according to Chapters 4-10 of ISO27001

Implementing your Information Security Management System (ISMS) in Compleye Online according to ISO27001 requirements can be complex. Compleye Online is designed to comply with the ISO27001 standard. Please find below a description of how we follow Chapters 4-10 of ISO27001 and how evidence is created. This evidence can also be used for other frameworks (e.g. SOC-2, ISO9001, ISO27701, etc.).


  • Some content will need to be adjusted to your own organisation’s needs (marked with underline).
  • Some content refers to specific templates [T], or you can use or create your own documents.
  • Some content refers to specific (sub)sections in your client board, which are linked to dedicated wiki pages.

ISO27001: Chapters 4-10

4. Context of the Organization

4.1 Understanding organization and its context

To ensure the desired outcome of the ISMS, a thorough analysis and documentation of both internal and external factors that may impact business operations, product services, and the ISMS have been conducted.

The information documented in the Organization and Context section provides insight into the organisation and context topic.

This section describes and contains:

  • The product and service offering details and descriptions.
  • The organization description.
  • The identified internal and external issues.
  • The identified third parties, which frequently include regulatory authorities and other relevant third-party stakeholders.

Add a presentation/pitch deck using the procedure/info button in the section to share it with the auditor.

4.2 Needs and Expectations of Interested Parties

Establishing the ISMS context and identifying the expectations and requirements of interested parties is mandatory. Stakeholders, both internal and external to the organization, may have specific needs, expectations and requirements regarding the organization’s information security.

A complete overview of all stakeholders (internal & external) and their expectations is documented and reviewed annually in the Interested Parties & Legal Requirements section.

This includes legal and regulatory requirements and contractual obligations. The ISMS Reference column illustrates how these requirements are integrated and executed within the ISMS.

4.3 ISMS scope

The primary objective of defining the ISMS scope is to delineate the specific processes, services, systems, or departments to be protected. To effectively define the ISMS scope, careful consideration of the X-Ray diagram, relevant stakeholders, and business and customer profiles, including their security expectations or requirements, is essential.

The ISMS scope is visualized in the X-Ray Diagram – on the Dashboard and further described in the IT Infrastructure X Ray section.

For the external audit, a concise scope of 1-2 sentences is required to be displayed on the ISO27001 certificate. This describes the defined and established ISMS scope, as per the example below:

“The design, development, and maintenance of the SaaS platform align with Statement of Applicability version 1”

4.4 Information security management system

The organization is required to establish, implement, maintain, and continuously improve an information security management system, including its necessary processes and their interactions, in compliance with the requirements set forth in the ISO27001 standard.

To ensure the identification of key ISMS operational processes and their interactions with business processes, an ISMS and Business Process Assessment [T] was conducted as part of the overall Business Continuity Assessment (BCP) [T], stored in the BCP section. Documents are approved by management and will be reviewed annually.

5. Leadership

5.1 Commitment

Management demonstrates a prioritized, top-down commitment to information security. Top management has overall responsibility for the ISMS and is a member of the ISMS team along with the CTO, demonstrating C-level commitment to the operational ISMS.

This means that top management:

  • Directs the ISMS by prioritizing security and privacy requirements and allocating adequate resources to security operations.
  • Communicates with employees and encourages them to comply with the security strategy and the relevant policies and procedures outlined in the Security Policies and Procedures section.

How management is committed to information security:

The CEO/CTO plays a role in defining the Context & Organization, as outlined in this section of Compleye Online, to ensure alignment with the organization’s strategy.

– Annual reviews & approvals of the Organization and Context section by management.

Security is embedded in operational processes:

Each policy and procedure has an assigned owner. All processes undergo security reviews and are evaluated annually by the designated individual.

– Annual reviews & approvals included in the Policies & Procedures section.


Annually, the CEO/COO/CTO evaluates the resources required for the ISMS team, which consists of the CEO, CTO, and the Compliance Officer.

– The OPC “Assess resources needed for ISMS Team” is established in the OPC section. A C-level person is designated as the owner.


The CEO/COO/CTO attends security awareness training to demonstrate its importance and their commitment to continuous improvement.

– See the Training section and include the security awareness training and the attendance of team members.


The CEO/COO/CTO is responsible for the annual definition and approval of the ISMS objectives.

– See ISMS Objectives section for the annual review and approvals conducted by C-Level.

The CEO/COO/CTO is responsible for the annual management review, which evaluates the effectiveness of the ISMS.

– See Management Review section for the annual review and approvals conducted by C-Level.


The CEO/COO/CTO actively participates in the ISMS Team, driving a culture of continuous improvement.

– Continuous Improvement is a topic covered in the Management Review, which is reviewed and approved annually by the C-level. Please refer to the Management Review section for details.


If multiple C-level roles are defined, each C-level individual will assume responsibility for specific areas within the ISMS Team.

– See the People@ section; the CEO and CTO should be members of the ISMS Team.

5.2 Information Security Policy

The CTO is responsible for defining and approving the Security Policy[T], which is aligned with the scope and purpose of the organization. The Security Policy and its supporting security procedures are stored in the Policies and Procedures section, along with documentation detailing the “Annual Review and Approval” process.

The Security Policy includes, but is not limited to, the following topics:

  • Security Objectives.
  • Commitment to meeting relevant requirements, such as legal and regulatory mandates and stakeholder expectations, to ensure comprehensive compliance.
  • Commitment to continuous improvement.
  • Key technical and organizational security measures, including network security measures, configuration management, data masking, data leakage prevention measures, and data encryption.
  • Availability to team members, customers and/or other stakeholders as deemed appropriate (see the ISMS Communication Policy [T] in the Policies and Procedures section).
  • The Information Security Policy is reviewed annually by the CTO (see the Annual Review and Approval Process in the Policies and Procedures section).

5.3 Roles and responsibilities

The allocation of sufficient resources to the ISMS is essential to ensure effective security measures. To achieve this, an ISMS team is formed with representatives from business, operations and technology, including the CEO/CTO. Key information, such as incidents and assessment results, is communicated to the entire C-level team for review and approval.

The roles of the Security Officer [T], Privacy Officer [T] and Compliance Officer [T] are established and documented (see the People@ section).

General descriptions of roles and responsibilities can be found in the HR & Organization documentation section. However, the lean approach dictates that the ISMS team shares overall responsibility. This means that roles and tasks may need to be adapted as required by the business.

Roles and responsibilities of personnel are reviewed and approved on a regular basis, with relevant competencies documented in specific ISMS roles and responsibilities. (See OPC “Review of ISMS Team Competencies” in the Operational Planning & Control (OPC) section).

Ownership of documents, findings, controls and activities is assigned within Compleye Online. As the business grows, activities may be delegated to non-ISMS team members and new ISMS team members may be invited to join.

6. Planning

6.1 Actions to address risks and opportunities

Understanding and assessing the identified risks and opportunities is critical to ensuring that the established ISMS can effectively achieve its desired outcomes and performance. This comprehensive approach enhances the ability to address potential threats and capitalize on opportunities within the stakeholder ecosystem.

As a result of the stakeholder ecosystem assessment, the following annual assessments are conducted:

An owner is assigned to each risk assessment. Further details can be found in the Risk and Opportunity Policy [T], which describes how the established ISMS framework addresses risks and opportunities.

The assessments result in findings that are subsequently addressed in:

  • Improvements: Progress on each improvement is monitored and assessed by the ISMS team within the Improvements section. Owners are identified and, upon completion, effectiveness is assessed and documented in preparation for the annual management review report.
  • Operational Planning Controls (OPCs): Recurring activities can be identified in the Operational Planning & Control (OPC) section as solutions to address findings. OPCs are outlined by frequency, procedure, criteria and evidence. Owners are assigned and effectiveness is evaluated after execution. Changes to OPCs are included in the annual Management Review Report.

In addition, the Statement of Applicability [T] provides a summary of the position on each information security control. This statement, along with the review and approval process, is documented and maintained in the Statement of Applicability document.

6.2 Information security objectives and how to meet them

Information security objectives must be specific, measurable, achievable, relevant, and time-bound (SMART) to effectively address the legal, contractual, customer and third-party security requirements.

These objectives are documented in the ISMS Objectives section. Each objective describes what will be done (key result), the resources required and the responsible party.

In addition, recognizing the importance of regular monitoring, progress and any shortfalls in meeting these objectives are discussed and documented monthly via the Security Metrics section or the Security Meeting section.

Each year, the ISMS objectives undergo a comprehensive review, evidence gathering, and evaluation as part of the Management Review Report [T]. Subsequently, new objectives are established based on the same principles and criteria, and monitoring is carried out accordingly.

6.3 Planning of changes

All identified planned changes are discussed at (regular) security meetings, following the agenda outlined in the Security Meeting section. The ISMS team is tasked with assessing the need for changes to the Information Security Management System and their impact on business operations.

Once agreed, the ISMS team plans the change, considering the potential risks to established ISMS operations and the business. This process is documented using the Change & Impact Checklist, which is appended to the X-Ray Component section. Further details can be found in the Change Management Procedure [T].

7. Support

7.1 Resources

The organization is dedicated to providing adequate resources to meet the needs and objectives of the ISMS, ensuring allocated time for ISMS activities, financial resources and infrastructure.

The resources allocated to the ISMS are discussed and assessed in the Management Review document, which is presented to top management on a regular basis (see the Management Review section).

The personnel assigned within the ISMS scope serve as key resources and may include management, employees, contractors, suppliers, stakeholders and others. The assigned resources within the ISMS scope are documented in the People section.

An annual review conducted by the CEO/COO will determine the resources required for the ISMS (see OPC “Assess Resources Needed for ISMS Team” in the Operational Planning Control (OPC) section). Additional ISMS team members are assigned as needed.

7.2 Competence

The key competencies for the ISMS team are defined and documented in the role description documents [T] available in the HR & Organization documentation section. Additional training for knowledge and/or competencies is organized as needed, with improvements assigned accordingly. The assigned competencies are selected, reviewed and approved annually (see OPC “Review of ISMS Team Competencies” in the Operational Planning Control (OPC) section).

7.3 Awareness

It’s imperative that team members are made aware of their information security responsibilities and encouraged to take an active role in improving effectiveness and performance.

Each year, all team members undergo ISMS awareness training [T]. During these sessions, feedback and comments are openly discussed and addressed with the participants. Training records, together with supporting materials, participant lists and evaluation results, are documented in the Training section. In addition, relevant policies and procedures are communicated to team members following security awareness training and as part of the onboarding process.

7.4 Communication

Recognizing the fundamental importance of communication in implementing an ISMS, emphasis is placed on facilitating clear and efficient channels to promote seamless coordination and understanding.

An ISMS communication policy [T] has been established (refer to the Policies and Procedures section) and outlines the individuals involved, the rationale, timing, and content of communication regarding our ISMS, both internally and externally.

An agile communication process is maintained. Given the small ISMS Team and the need for flexibility, communication remains transparent and supports business operations consistently.

The CEO/CTO is ultimately responsible for communicating the ISMS. It is of the utmost importance to us that information security is always prioritized during business and operational activities. One effective communication tool involves regularly delivering security awareness training [T] to all employees, including new hires during the onboarding process.


All ISMS evidence is meticulously documented and/or stored within Compleye Online, either integrated within the relevant sections, added as a document, or linked to another application. To ensure the continuous assessment of documentation for suitability and adequacy, all documentation undergoes periodic review and approval at defined intervals, as detailed in the relevant OPC in the Operational Planning & Control (OPC) section.

Furthermore, all policies and procedures are stored in the Policies and Procedures section, complete with the assigned owner and version and change tracking. These are reviewed and approved within the Reviews and Approval functionality. The mandatory documentation for Chapters 4-10 [T] is explicitly defined within this document.

Finally, backup for policies and procedures is organized outside Compleye Online, ensuring accessibility for all team members.

8. Operation

8.1 Planning and control

Operational planning is overseen by the established Operational Planning & Control activities (OPC) [templates available for all mandatory ISMS OPCs], which automatically oversee the execution of key operational security activities. The primary mechanism for implementing this requirement is as follows:

  • OPCs are implemented with assigned ownership and scheduled at the planned interval, following the predefined procedures and criteria and producing the defined evidence. This process is documented and tracked within the Operational Planning & Control (OPC) section.
  • A systematic mechanism is incorporated for the documentation and implementation of improvements, with clear ownership and tracked deadlines for completion. The improvements are documented and tracked in a systematic manner within the Improvements section.
  • During the Security Meeting, any changes to operations (e.g., suppliers, team, new features, IT infrastructure, etc.) are tracked and documented. A standard agenda is followed, with notes taken and calls to action assigned as needed, as outlined in the Security Meetings section.
  • In accordance with the Change Management Procedure [T], certain changes will be documented using Change Management Checklists, which will be tracked in the Checklist section.
  • ISMS operational criteria are established in the Operational Planning and Control (OPC) section.

8.2 Risk assessment

Annually, an Information Security Risk Assessment (ISRA) [T] is conducted to ensure that the organization’s security standards are consistently upheld. This comprehensive evaluation enables the identification and resolution of security risks, thereby enhancing the organization’s overall security posture.

The ISRA section contains documented evidence of conducted ISRAs. Any identified and approved findings are recorded and transferred to the Improvements section, where they are tracked for completion. This includes documenting the identified root cause, if applicable, along with the treatment plan, assigned ownership, and deadline for completion.

8.3 Risk treatment

Risk treatment is a vital component of risk management. It entails determining how identified findings will be addressed and mitigated. Once a finding has been identified and approved, it is recorded in the Improvements section. These findings may arise during risk assessments, internal or external audits, or simply as part of ongoing continuous improvement during routine operations. The Improvements section includes the following steps:

  • Clear Ownership: Each improvement is assigned a responsible owner, ensuring accountability and effective implementation.
  • Cross-Functional Impact Assessment: Evaluation of how improvements may affect various areas within business operations or technical aspects.
  • Root Cause Analysis: Utilizing the 5 Whys technique to identify and address the underlying causes of identified issues, facilitating comprehensive solutions.
  • Deadline for Completion: Setting clear deadlines for completion, ensuring timely resolution and proactive management of improvements.
  • Origin Documentation: Recording the origins of improvements, providing valuable context and insight into the finding.
  • Treatment Plan: Crafting a detailed treatment plan that outlines step-by-step actions to address findings.

For more information, please refer to the Risks and Opportunities Policy [T] stored in the Policies and Procedures section.

9. Performance Evaluation

9.1 Monitoring and Analysis

A comprehensive framework of security metrics and controls has been developed to provide a robust evaluation of the ISMS performance. This framework ensures a thorough assessment and continuous improvement.

  • Security metrics are defined for each IT infrastructure component and tracked in the Security Metrics section. These metrics are assessed during regular security meetings. At least once a year, the definitions of these metrics are reviewed for accuracy and relevance.
  • During the Management Review, the effectiveness of the ISMS is evaluated to ensure alignment with organizational objectives and continuous improvement efforts (see Management Review section).
  • Before closing each improvement, its effectiveness is evaluated to ensure that the implemented corrective action plan meets the intended objectives and contributes to the enhancement of the ISMS (see Improvements section).
  • The effectiveness of each control is assessed after its execution and before closure, as outlined in the Operational Planning & Control (OPC) section. This process ensures that controls are functioning as intended and meeting the desired objectives.
  • An Operational Planning and Control (OPC) mechanism is also instituted to regularly review the effectiveness of preventive and corrective actions. (see Operational Planning & Control (OPC) section).

9.2 Internal Audit

Internal audits play a critical role in ensuring compliance by providing an independent and objective assessment of the ISMS. These audits are conducted by an independent internal auditor who evaluates the effectiveness of the ISMS implementation, identifies areas for improvement, and ensures compliance with relevant requirements. Internal audits involve the review of documentation, processes and controls documented and maintained in Compleye to verify their conformance with the standards and the organization’s policies and procedures.

The internal audit procedure [T], along with the outlined scope and internal audit program, is documented and stored in the Policies and Procedures section, ensuring that a systematic approach is in place for conducting internal audits. The role description of the Internal Auditor [T] can be found in the HR & Organization section.

Internal audits are performed annually by the designated Internal Auditor in accordance with the Internal Audit Plan [T]. The Designated Auditor is (insert name of auditor). If no internal auditor is available, this function may be outsourced to Compleye for objectivity and impartiality.

Audit findings are presented and discussed during the investigation meeting with the ISMS Team and management. Upon approval of the audit report and findings, the Internal Audit report and supporting documentation are stored in the Internal Audit section. In addition, findings are also documented in the Internal Audit section and automatically converted into improvements, which are stored in the Improvements section.

9.3 Management Review

An annual management review is conducted to assess the effectiveness of the ISMS and its alignment with the organization’s objectives and risks. This review follows the results of the internal audit and precedes the external audit.

The report is embedded in Compleye Online in the Management Review section.

The mandatory topics evaluated in the Management Review are as follows:

  • The status of actions from previous management reviews.
  • Changes in external and internal issues that are relevant to the information security management system.
  • Feedback on the information security performance, including trends.
  • Fulfillment of information security objectives.
  • Feedback on the information security performance, such as nonconformities and corrective actions.
  • Feedback from interested parties.
  • Results of risk assessment and status of the risk treatment plan.
  • Opportunities for continual improvement.

For each topic, the improvements identified during the review period and any relevant information are evaluated. Where appropriate, opportunities for improvement are identified and documented in the Improvements section.

This process is overseen and approved by the CEO and is integrated into the Management Review section.

10. Improvement

10.1 Non-conformity and corrective action

All findings (non-conformities and corrective actions) lead to the definition of an improvement. These are documented in the Improvements section, which includes root cause analysis, assigned owner, and timeframe for completion. When an improvement is evaluated, its effectiveness and evidence are addressed and documented.

The progress of implementation is documented in the module and further tracked in Security Meetings (see Security Meeting section) to ensure timely completion.

10.2 Continual improvement

To ensure the effectiveness of the ISMS, continuous improvement in management system operation is prioritized. The ISMS team identifies specific improvement opportunities and documents them in the Improvements section, including their origin, root cause, and treatment plan, which are tracked for completion.