Building an information security program from scratch

A multi-step approach that defines plans and processes can drastically reduce time and resources to enhance security posture.

September 7, 2022


The most common question from information security professionals when implementing a new program is usually: how long will this take?

The main reason for this is that building an InfoSec program can feel like a dark art, made confusing by the myriad of different security frameworks, differing customer demands, and a lack of InfoSec talent to help you figure it all out. In this blog we’ll walk through the three stages of building your InfoSec program in more understandable terms, so you can get started on becoming more secure.

The three phases of building an information security program from scratch

To simplify, building an InfoSec program can be broken into three main phases:


Phase 1: Define your InfoSec plan

While many organizations skip this step, it is the best place to start if you want to save time and money in the long run, not to mention to be prepared in advance when you have to go through a customer security due diligence process. I like to think of this phase as having three main steps.

  • Step 1: What is your goal? Are you looking to get a specific certification such as SOC 2, ISO 27001, HIPAA, etc.? Or are you simply looking to get secure based on a respected industry framework such as NIST CSF or GDPR? Answering this is the best way to define which policies and controls you need to have.
  • Step 2: Conduct a risk assessment. Once you have defined your goal, sit down and think about what risks your product or service presents to your clients. What is the impact if your service is compromised and client data is lost or stolen? What is the likelihood that this may occur, based on your architecture and on where the client’s data travels and is stored? If you can give a clear response to these questions, you will greatly improve the trust of your prospects and customers.
  • Step 3: Document your InfoSec policies and controls. Your InfoSec program consists of two main components – policies and controls. Policies are high-level guidelines approved by management that act as “containers” for your specific security controls. Controls are the more “actionable” tasks that you implement and can prove are implemented by providing evidence. For example, a policy would be “Organization members use strong passwords”, with all the requirements around password characteristics and protection standards, and a control within this policy would be “A password management system is implemented for all organization users”.

Expected Time Spent: This depends on whether you write these policies and controls yourself or not. Working with an automated system that offers prebuilt policies and controls mapped to industry security frameworks will reduce this time and effort drastically.

Phase 2: Implement Information Security controls

Once you have your game plan figured out, the next phase is where your team actually implements the plan. As said above, the actionable part of your InfoSec plan is all in the controls. Most security frameworks have between 20 and 150 specific security controls. In this phase, you will want to assign these controls much like any other development or IT task and track them to ensure they are implemented. This is the most time-consuming part of the project, because you actually have to do the work; no sugar-coating things here. If you have been practicing good security hygiene, then you may have a head start, but odds are there are missing controls.

To make this phase faster, your team could use an automated project management system to assign, track, and remind control owners to implement these controls, as they can be numerous and difficult to manage.

Expected Time Spent: This varies depending on the size of the organization and its security maturity level, but it is always the longest part of the process. On average, it takes InfoSec programs 3-6 months to implement all security controls for a framework such as SOC 2 or ISO 27001.

Phase 3: Prove compliance

Now you’re in the home stretch. The final phase is the exam. You’ve done all your work, and now it’s time to prove you’re secure. Proving compliance can take many forms, from responding to security questionnaires to having independent auditors attest to your InfoSec plan. The most common method is a third-party audit for a framework such as SOC 2, ISO 27001, or others.

When the auditor comes in, they’ll give you a list of “evidence requests” or “procedures”. These are requests to provide proof that the security controls have been implemented. Evidence can include:

  • Documentation of a specific policy
  • Screenshots of configuration screens
  • Checklists of decommissioned servers
  • Sample set of event logs

If you’ve done a good job implementing your controls in Phase 2, the evidence-gathering phase will be much easier. Once complete, the auditor will review your evidence and provide their opinion, along with a certificate of attestation that you can share with your clients.

Expected Time Spent: Most of the time spent in this phase goes into collecting evidence for controls that may not have been implemented yet, or going back and forth with the auditor on requests for more information. You can accelerate this process by using an automated audit project management system that allows you to assign and track tasks with your team, as well as collaborate with your team and auditor on any questions that come up. With a certification automation system, this phase can be completed in two months or less.

Final thoughts on building an InfoSec program

For many, the thought of building a security program or getting certified can cause anxiety. But it doesn’t have to be that way. Half the battle is having a clear understanding of why you’re doing it. Once that’s clear, it’s a matter of organization and execution. OneTrust Certification Automation’s mission is to demystify this process by giving you prebuilt plan creation tools, and then to automate and accelerate the process with technology. While no solid InfoSec program is built in a day, if you follow the phases above, it’s possible to have a certified InfoSec program in less than six months, which will go a long way toward establishing trust with your prospects and customers.

Learn more about building out an InfoSec program and gaining compliance with a well-known framework by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.
