Topics to address for Business are the Business Continuity Plan (BCP) and the GDPR Assessment, and we report back the results of the Tech topics. This will result in finishing the (security) Objectives. It is an important one; it will show whether the Venture is able to define security KPIs other than becoming ISO27001 certified. Our goal is to define at least 2 other security objectives – so you can start focussing on how to monitor security and call official incidents.
The BCP is a topic that can be approached in many ways. Some compliance professionals think it should be all about the disaster recovery plan (DRP), others are more focussed on the data transactions within the entire IT infrastructure, and some only on the supplier assessment. What we need to cover is all of the above and more. However, not all at the same time. We will explain which topics the BCP needs to cover; we will perform a high-level assessment, and co-create and define how and when the next one will be planned.
We will share the results of the GDPR Assessment – which we have performed for you – by reviewing your privacy statement and all 10 steps to become GDPR compliant. This is the final topic on the Legal framework list; probably there is still some work to be done. We make sure that improvements have been addressed and that there is a final new structure for the legal content.
With the CTO we dive a little deeper into the risk assessments and data classification – defining what types of data sources flow through all your team’s laptops and mobile phones. How do we classify and label the data sources, and what rules should apply to using those assets? That will be turned into security procedures. We try to make it easy – by providing templates and checklists that we created based upon our experience with other (like-minded) smart technology companies.
We do ask for evidence – and we dive deeper into the importance of evidence. For (external) auditors there is one rule: if you cannot prove that it happened, it did not happen. So today we explain what kind of evidence can be used for your ISMS, and we define what evidence we use for, e.g., the security controls. For different topics we need to collect different types of evidence.