Building ISO 27001 Security Program (High Level) Roadmap

This assumes that no certifications or audits have been completed for the organization yet.

3 Months

  • Create an ISMS Policy and define the ISMS scope
  • Complete 27001 Gap Analysis
  • Build a Policy Portal
  • Develop new policies required from the 27001 Gap Analysis
  • Develop procedures to enact the policies' requirements
  • Research and Select GRC Tool for the organization
  • Assign Roles and responsibilities for ISO 27001
  • IF NO SECURITY TRAINING TOOL: Create security awareness and educational training for the company and for specific teams (as an interim measure)
  • Complete ISO 27001 Risk Assessment

6 Months

  • Create a governance program for the different security areas, such as Infrastructure, Application, HR and Personnel Security, SOC and others
  • Develop a Risk Management Process
  • Deploy and Integrate GRC Tools across functional teams
  • Continue to update policies
  • Identify critical security audit areas, establish the audit process and complete audits of a few areas
  • Create and update security risk metrics to measure the risk levels across systems and processes
  • Research and Select Security Awareness Training Tool for the organization

7 Months

  • Roll out security awareness training for the company and the Engineering teams using the Security Awareness Training tool

8 Months

  • Complete the internal audit of critical processes and of anything else required for ISO 27001
  • Complete the Statement of Applicability
  • Complete risk assessments of high-risk processes and document the gaps and recommendations
  • Continue to update policies

12 Months

  • Successfully complete the ISO 27001 certification audit

The next post will cover building a SOC 2 security program roadmap.

You can purchase some of my prepared ISO 27001 documents that are ready for download at https://songer.gumroad.com/