[this is a series of 6 short stories – explaining how to setup ISO27001 framework and operational ISMS in 5Days. Every day we spend 1 hour interviewing CEO/COO and 1 hour with CTO – tackling the Business and Tech topics in our 5DaysIntensive ISMS Program (5DII)] 
 
On Day 2 we actually become an ISMS Team together – we have created a daily ritual and have shared already so much information about the why and what of your company. During this day you will feel much more in charge and are ready to define your Security Culture and we will teach you the basics of Compliance language. Meaning that next time you are in a corporate boardroom – you can impress your future customer with your new Lean Compliance Dictionary.  

HR, Operational overviews, Business Process – the topics we address with the CEO/COO and while writing it down we should address at the same time, that it does not matter how you are organized, how many people are working in your team. ISMS can be implemented with a team as small as 3 people and there is no need to have a CEO/COO/CTO/CIO/CMO/COO/UFO in place to become compliant. We just need to make a distinguish between Business and Product (Tech). And today for the Business Person the Office and Operations is central, so sometimes we add another person to the ISMS team if that seems convenient or helpful.  
 
As mentioned, Compleye focuses on Young companies – and we do know what kind of operational challenges young companies face when scaling fast. However, the ISO27001 requires a certain level of professionality in keeping track of information. Therefore, we have created C-Board (Your Company Dashboard) with mandatory ISO27001 overviews.  

Today we will setup your C-Board and arrange how information will be delivered – creating a “Houston Control” feeling for you as an entrepreneur. This is one of the advantages to start your compliance journey with the ISO27001; it is a broad list of requirements – that covers (almost) all general topics of running a business. In this way you are forced to organize yourself on the topics that you have not yet covered as a young company. For us the reason to call ISO27001 – your license to operate (a quote I borrowed from an ISO27001 Auditor).  

Next to that, we check how your business process is organized. If not yet documented, you will use our customer/project procedure that is easy to customize and maintain. We will give you suggestions for security controls and document all your settings. We align your office (resources) to your Operations (primary business process) – in this way you start creating culture with security values in the core.  
 
IT Risk Assessment (ISRA) and Disaster Recovery Plan (DRP) – for Tech this is one of the most important topics to address and at the same time it can become the most costly part of your compliance framework. However, we will take it step by step and start with an assessment of your X-Ray and mandatory ISO27001 threats. At the end of the day, we will deliver your first ISRA report with a few suggestions for improvements. And we will show how you can setup a DRP and Test plan at low costs, while gaining insights on your Cybersecurity agenda for the next years to come. Important information to share with your investors!  
 
Results of Day 2 – Mandatory ISRA and DRP in place, alignment between your Operational Business Process and Office Organization (resources) and adaptation of new compliance language.