By Austin Songer in ISO 27001 — Jul 18, 2022

Building ISO 27001 Security Program (High Level) Roadmap

This is assuming there isn’t any certifications or audits completed for the organization.

3 Months

Create a ISMS Policy and Define ISMS Scope
Complete 27001 Gap Analysis
Build a Policy Portal
Develop new policies required from the 27001 Gap Analysis
Develop procedures to enact the policies requirements
Research and Select GRC Tool for the organization
Assign Roles and responsibilities for ISO 27001
IF NO SECURITY TRAINING TOOL: Create security awareness and educational trainings for the company and specific teams (For the time being)
Complete ISO 27001 Risk Assessment

Create a governance program for different security areas like Infrastructure, Application, HR and Personnel Security, SOC and others
Develop a Risk Management Process
Deploy and Integrate GRC Tools across functional teams
Continue to update policies
Identify critical security audit areas, establish the audit process and have completed audit of few areas
Create and update security risk metrics to measure the risk levels across systems and processes
Research and Select Security Awareness Training Tool for the organization

Rollout security awareness trainings for the company and Engineering teams using Security Awareness Training tool

Complete internal audit of critical processes and as required for ISO 27001
Complete Statement of Applicability
Complete risk assessments of high risk processes and come up with gaps and recommendations
Continue to update policies

Next post will be covering building a SOC2 Security program roadmap.

You can purchase some of my prepared ISO 27001 documents that are ready for download at https://songer.gumroad.com/