[This is a series of 6 short stories explaining how to set up an ISO27001 framework and an operational ISMS in 5 Days. Every day we spend 1 hour interviewing the CEO/COO and 1 hour with the CTO, tackling the Business and Tech topics in our 5DaysIntensive ISMS Program (5DII).]
Today – on the 3rd Day – we are going to speed up the process even further. It will be more like a tick-tack-tick-tack rhythm during the interviews. On Day 1, during the 10-minute kick-off, I already apologized in advance that there would be times when I would interrupt people during the interviews. Today that is very much needed, given the number of topics we need to address.
Supplier Assessment and Leadership & Management are the 2 topics we will address from the Business Side. For Supplier Management we have designed a standard procedure: selection, profiling, an onboarding assessment, and an in-depth assessment procedure for medium- and high-risk suppliers. Supplier assessment is split between Business and Tech, depending on the supplier's profile. We also bring standard documentation for your Leadership & Management with respect to compliance topics. During 1 hour we explain and ask at high speed how it should work for a young and lean company, and while in conversation with you, we customize the details.
It might sound unbelievable to address both topics in 1 hour – however, it is possible. The secret of the Compleye Approach is that we designed our ISMS Framework inspired by the Mark Twain quote: “I apologize for such a long letter – I didn’t have time to write a short one.” Compliance documentation is normally a large pile of paper: policies, procedures, forms, controls etc. I think that is the lazy way of compliance, comparable with lazy developers who write a lot of code (or content, or text) so that the job looks done, without considering whether it will work for the product (or the processes) in the long run. What we did is strip all unnecessary content from the compliance documentation and stick to the core and intention of the ISO27001 norm, making our standards and templates simple and easy to understand for everyone. That is why it is possible to push and pull so many topics in 1 hour.
Security policies, procedures and IT Supplier Management are on the agenda today for Tech. There are a lot of topics for which we need to define a policy – Open Source, Cryptography, Tooling etc. – and it is our job today to define those policies while interviewing the CTO. It might sound strange, but we do not need to define anything new: we just need to document what your current position is with respect to these IT topics. So today we do a lot of tick-tack-tick-tack with your CTO to unveil the existing policies, and we will give your CTO the insights to develop those policies further in the future.
IT suppliers are a special and important topic in ISO27001. It is not only the providers of your cloud environment that you need to take into consideration. We need to dive into the tools that your Tech Team uses to monitor the cloud and to develop the source code. Your SDLC (software development life cycle) is key in this process, and if it is not yet in place, we push you to create your first one.
Results of Day 3 – all the mandatory procedures are at least in the concept phase, we have listed all your suppliers and performed a first onboarding assessment, and you will have documented procedures around your compliance topics of Leadership and Management.