Building ISO 27001 Security Program (High Level) Roadmap

This roadmap assumes the organization has not yet completed any certifications or audits.

3 Months

  • Complete 27001 Gap Analysis
  • Build a Policy Portal

  • Develop new policies required by the 27001 Gap Analysis

  • Research and Select GRC Tool for the organization
  • Assign Roles and responsibilities for ISO 27001
  • If no security awareness training tool is in place: create interim security awareness and educational training for the company and for specific teams
  • Complete ISO 27001 Risk Assessment

6 Months

  • Develop a Risk Management Process
  • Deploy and Integrate GRC Tools across functional teams
  • Continue to update policies
  • Identify critical security audit areas, establish the audit process and complete audits of a few of those areas
  • Create and update security risk metrics to measure the risk levels across systems and processes
  • Research and Select Security Awareness Training Tool for the organization

7 Months

8 Months

  • Complete Statement of Applicability
  • Complete risk assessments of high risk processes and come up with gaps and recommendations
  • Continue to update policies

12 Months

Next post will be covering building a SOC2 Security program roadmap.
