[this is a series of 6 short stories – explaining how to setup ISO27001 framework and operational ISMS in 5Days. Every day we spend 1 hour interviewing CEO/COO and 1 hour with CTO – tackling the Business and Tech topics in our 5DaysIntensive ISMS Program (5DII)

During the Intake – we have designed your first X-Ray – already created a structure, by introducing icons and using symbols for flows between hardware, stakeholders and components. However, it can still be a bit of a labyrinth – complexity depending on the phase the Venture is in. So from the X-Ray (labyrinth) we are going to organize the compliance documentation on a ‘checkboard’ with Mandatory ISO27001 topics for every vertical list. That is why we organize separate conversations with Business and Tech; not to create brainstorm sessions, but to challenge each one on the topics that they are in charge of. During the next 5 days we conduct interviews with a high tempo to collect necessary information to fill all the squares of the checkboard.  

Strategy, Legal and IT Infrastructure –  The first 3 topics to address on day 1. It is scary – and not only for the Ventures I can assure you. For us this is the moment that we need to prove that we can translate the complex world of Compliance into understandable choices for the Venture to make. The Strategy we address is the compliance strategy, that needs to support the Business Strategy and the Product Roadmap.  
 
Strategy & Ambition – Most of our customers are young companies with huge ambitions and it is our job to challenge the Business strategy by asking the right compliance questions. We follow your business strategy and explain what the compliance consequences are or could become. We make use of our experience and give general examples of likeminded customers – it is always up to you to decide what choices you make.  
 
Legal – We do see a lot of young companies struggling with this topic, when starting a business, you are focussed on Pilots and Proof of Concepts, getting your first customers and develop your Minimum Viable Product. You cannot afford expensive layers to setup legal frameworks – and probably your (corporate) customer will provide your first contracts. So, in this phase we support you with structure in your contracts, Privacy templates and a GDPR assessment, delivering suggestions for improvements. 
 
IT Infrastructure – This should be a piece-of-cake for the CTO, and most of the times it is, as we already have an X-Ray of the entire IT infrastructure designed. Furthermore, our experience is that most CTOs are quite knowledgeable about cybersecurity topics and if not, they probably have outsourced the job with a professional party. However, the one thing that Tech People do not excel in is story telling; meaning that when asked they always underestimate the work they already performed, assuming that what they do is not good enough. This is exactly the reason that I like working with young Smart Tech Companies – I think most of them work already (at least) 70% compliant, they are just not aware of that. So, our job in the 5DII Program is to share knowledge and together create the evidence that is needed to become ISO27001 compliant. The 5DII is most of all a security awareness training for the CEO/COO and CTO.  

Results of Day 1 – The X-Ray is adjusted and approved, started with Tech documentation.  Stakeholders defined with legal requirements. Concept Ambition.