[This is a series of 6 short stories explaining how to set up an ISO27001 framework and an operational ISMS in 5 days. Every day we spend 1 hour interviewing the CEO/COO and 1 hour with the CTO, tackling the Business and Tech topics of our 5 Days Intensive ISMS Program (5DII).]
Days 1-3 are planned in week 1, whereas Days 4 and 5 are planned in the second week. The gap gives you time to digest the topics we have addressed, and it is needed because week 2 requires a mind shift: we start handing over the responsibilities of the ISMS framework to you. Day 4 is the start of that shift, and it is where Tech and Business need to be re-aligned on the compliance decisions already made.
The topics for Business are the Business Continuity Plan (BCP) and the GDPR Assessment, and we report back the results of the Tech topics. Together this lets us finish the (security) objectives that were started on the Day 1 agenda. This is an important one: it shows whether the Venture is able to define security KPIs other than "become ISO27001 certified", and whether the 3-day intensive of the first week paid off. Certification is a milestone, not a security objective; an objective has to be measurable, so our goal is to define at least 2 further security objectives, so that you can start focussing on how to monitor security and when to declare an official incident.
The BCP can be approached in many ways. Some compliance professionals think it is all about the disaster recovery plan (DRP), others focus on the data transactions across the entire IT infrastructure, and some only on the supplier assessment. What we need to cover is all of the above and more, but not all at the same time. We explain which topics the BCP needs to cover, perform a high-level assessment, and co-create and define how and when the next (more detailed) assessment will be planned.
We share the results of the GDPR Assessment, which we have performed for you by reviewing your privacy statement against all 10 steps to become GDPR compliant. This is the final topic on the legal framework list, and there is probably still some work to be done. We make sure the improvements have been addressed and that the legal content has its final structure.
With the CTO we dive a little deeper into the risk assessments and data classification: establishing which types of data flow through your team's laptops and mobile phones, how we classify and label those data sources, and which handling rules should apply to the assets that process them. Those rules are then turned into security procedures. We try to make this easy by providing templates and checklists based on our experience with other (like-minded) smart technology companies.
During the daily interviews we ask for evidence, and today we dive deeper into why evidence matters. For (external) auditors there is one rule: if you cannot prove that it happened, it did not happen. So today we explain what kinds of evidence can be used for your ISMS (for example a dated approval, a change ticket, an access-review export or a log excerpt) and we define which evidence we use for each security control. Different topics require different types of evidence.
By the end of the day we have a pretty good idea of where you stand as a Venture in the ISMS, and we can draw up the final agenda for the last day.
Results of Day 4: all the lists addressed during the interviews are now completed, and all the mandatory ISO27001 topics have been addressed.