The most common question from Information Security professionals implementing a new program is: How long will this take?
The main reason is that building an InfoSec program is a dark art, made confusing by the myriad security frameworks, differing customer demands, and a shortage of InfoSec talent to help you figure it all out. In this blog we’ll provide guidance on the three stages of building your InfoSec program in more understandable terms, so you can start getting more secure.
The three phases of building an information security program from scratch
To simplify, building an InfoSec program can be broken into three main phases:
Phase 1: Define your InfoSec plan
While many organizations skip this step, it is the best place to start if you want to save time and money in the long run, and it leaves you prepared in advance when you have to go through a customer security due diligence process. I like to think of this phase as having three main steps.
Expected Time Spent: This depends on whether you write these controls yourself or not. Working with an automated system that offers prebuilt policies and controls mapped to industry security frameworks will reduce this time and effort drastically.
Phase 2: Implement Information Security controls
Once you have your game plan figured out, the next phase is where your team actually implements the plan. As said above, the actionable part of your InfoSec plan is all in the controls. Most security frameworks have between 20 and 150 specific security controls. In this phase, you will want to assign these controls much like any other development or IT task and track them to ensure each one is implemented. This is the most time-consuming part of the project, because you actually have to do the work—no sugar-coating things here. If you have been practicing good security hygiene, then you may be off to a head start, but odds are there are missing controls.
To make this phase faster, your team could use an automated project management system to assign, track and remind control owners to implement these controls, as they can be numerous and difficult to manage.
Expected Time Spent: This varies depending on the size of the organization and its security maturity level, but it is always the longest part of the process. On average, it takes InfoSec programs 3-6 months to implement all security controls for a framework such as SOC 2 or ISO 27001.
Phase 3: Prove compliance
Now you’re in the home stretch. The final phase is the exam. You’ve done all your work, and now it’s time to prove you’re secure. Proving compliance can take many forms, from responding to security questionnaires to having independent auditors attest to your InfoSec plan. The most common method is a third-party audit for a framework such as SOC 2, ISO 27001, or others.
When the auditor comes in, they’ll give you a list of “evidence requests,” or “procedures”. These are requests to provide proof that the security controls have been implemented. Evidence can include:
If you’ve done a good job implementing your controls in Phase 2, the evidence gathering phase will be much easier. Once complete, the auditor will review your evidence and provide their opinion along with a certificate of attestation that you can share with your clients.
Expected Time Spent: Most of the time spent in this phase goes to collecting evidence for controls that may not have been implemented yet, or going back and forth with the auditor on requests for more information. You can accelerate this process by using an automated audit project management system that allows you to assign and track tasks with your team, as well as collaborate with your team and auditor on any questions that come up. With a certification automation system, this phase can be completed in two months or less.
Final thoughts on building an InfoSec program
For many, the thought of building a security program or getting certified can cause anxiety. But it doesn’t have to be that way. Half the battle is having a clear plan of why you’re doing it. Once that’s clear, it’s a matter of organization and execution. OneTrust Certification Automation’s mission is to demystify this process by giving you prebuilt plan creation tools, and then automate and accelerate the process with technology. While no solid InfoSec program is built in a day, if you follow the phases above, it’s possible to have a certified InfoSec program in less than six months, which will go a long way to establishing trust with your prospects and customers.
Learn more about building out an InfoSec program and gaining compliance with a well-known framework by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.