| Field | Value |
|---|---|
| Document ID | ISMS-ROAD-001 |
| Version | 0.1 |
| Status | Draft (live tracker) |
| Classification | Internal |
| Owner | Managing Director |
| Last reviewed | (updated as work progresses) |
| Target | ISO/IEC 27001:2022 certification |

Already in place (drafts on this wiki):
Already in operational use (real, not aspirational):
The documents in this table are required by ISO/IEC 27001:2022 Clauses 4–10.
Without them, certification is not possible.

| Doc | Clause | Status |
|---|---|---|
| Scope of the ISMS | 4.3 | ✓ Done |
| Information Security Policy | 5.2 | ✓ Done |
| Roles and responsibilities | 5.3 | ✓ Covered in master policy |
| Risk Assessment Process | 6.1.2 | Missing |
| Risk Treatment Process | 6.1.3 | Missing |
| Statement of Applicability | 6.1.3 d) | Missing — top priority |
| Information Security Objectives | 6.2 | Missing |
| Documented Information Control | 7.5 | Missing |
| Evidence of competence | 7.2 | Template needed |
| Internal Audit Programme | 9.2 | Missing |
| Management Review Procedure | 9.3 | Missing |
| Nonconformity / Corrective Action Procedure | 10 | Missing |
Each policy in this list covers a clutch of Annex A controls. The
Statement of Applicability (Phase 1, top priority) determines exactly
which controls apply.

| Policy | Annex A | Status |
|---|---|---|
| Backup | A.8.13, A.5.30, A.8.24 | ✓ Done |
| Incident Response | A.5.24–A.5.28 | ✓ Done |
| Access Control | A.5.15–A.5.18, A.8.2–A.8.5 | ✓ Done |
| Acceptable Use | A.5.10, A.6.7, A.8.1 | Missing |
| Cryptography | A.8.24 | Missing |
| Data Classification | A.5.12, A.5.13 | Missing |
| Privacy / Personal Data | A.5.34 | Missing |
| Supplier Security | A.5.19–A.5.22 | Missing |
| Business Continuity Policy | A.5.29 | Missing (have the plan, need the policy) |
| Physical Security | A.7.1–A.7.14 | Missing |
| Personnel Security | A.6.1–A.6.8 | Missing |
| Information Transfer | A.5.14 | Missing |
| Compliance / Legal Register | A.5.31, A.5.36 | Missing |
ISO 27001 won't certify on documents alone. The auditor wants to see
evidence that controls are operating. Each record template needs
to exist as a page; data is added as evidence accumulates.

| Record | Status |
|---|---|
| Backup test log | Template needed |
| Restore test log | Template needed |
| Access review log | Template needed |
| Training log | Template needed |
| Change log | Template needed |
| Incident register | Template needed |
| Internal audit log | Template needed |
| Management review minutes | Template needed |
| DR test log | Template needed |
| Asset disposal certificates | Template needed |
The certification body wants at least one cycle of evidence — real
risk assessments performed, real internal audits run, real management
reviews held, real records of controls operating. Plan: ~3–6 months
of operating the ISMS once Phases 1–3 are in place.
Concrete activities during this phase:
When Phases 1–4 have produced enough evidence, engage a certification
body accredited by DAkkS (Germany's accreditation body) — for
example DEKRA, TÜV, BSI, DQS.
Subject to consistent weekly time investment from the Managing Director:

| Phase | Effort | Calendar window |
|---|---|---|
| Phase 1 (mandatory clause docs) | High — most of the writing burden | 4–8 weeks |
| Phase 2 (remaining topic policies) | Medium | 4–8 weeks (in parallel with Phase 1) |
| Phase 3 (record templates) | Low | 1–2 weeks |
| Phase 4 (operational embedding) | Continuous | 3–6 months minimum |
| Phase 5 (external audit) | One-off engagements | 1–3 months |
End-to-end: 9–15 months is realistic.

| Version | Date | Notes |
|---|---|---|
| 0.1 | issue date | Initial roadmap |